Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 07:38
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
e3a26a4f7271a31bb4e81d70fdf19057a5ad2b9be94a2335d094d8bbabc1157bN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e3a26a4f7271a31bb4e81d70fdf19057a5ad2b9be94a2335d094d8bbabc1157bN.exe
-
Size
347KB
-
MD5
3279973f1dd1c020ebe9d87c9d3cb470
-
SHA1
579024560e61caad6d37b23e428ac9bfa52473f3
-
SHA256
e3a26a4f7271a31bb4e81d70fdf19057a5ad2b9be94a2335d094d8bbabc1157b
-
SHA512
5921788ab8b8ae4a336519cb8a92789ac7e33de0aa7f1b3a3454dcc919e25a953903cf8747a52857095429cc49bb639a5e0b32cedb71501225efcc7d5fc1c450
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAN:l7TcbWXZshJX2VGdN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4728-4-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/764-11-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/452-12-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3280-23-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3520-29-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2216-35-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4884-41-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1532-53-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1724-66-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/692-55-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5032-72-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1308-73-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1572-82-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3028-93-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3996-99-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/664-110-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5012-118-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3992-128-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/388-141-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3628-150-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4524-165-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/4264-168-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2052-174-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4100-185-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1108-189-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3396-199-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1700-206-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3328-212-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2980-225-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2968-229-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2248-237-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1580-246-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4508-259-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3584-269-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1688-285-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4772-289-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3536-296-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1764-300-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3860-316-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4088-329-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1904-342-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4204-346-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3992-353-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4116-360-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2444-364-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3456-371-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4840-423-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4364-457-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2056-482-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2260-495-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1908-502-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/456-522-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2800-526-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3192-560-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/852-567-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/368-592-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/932-683-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/828-702-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3460-718-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/972-794-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4228-1212-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2420-1559-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 764 lflxlfr.exe 452 rfffxrf.exe 3280 bhtnhb.exe 3520 1hhtnb.exe 2216 jvvpj.exe 4884 hhnhnh.exe 3808 dpvpj.exe 1532 rllllll.exe 692 bhnhhn.exe 1724 jjjdv.exe 5032 fxxxxxx.exe 1308 jvjjd.exe 1572 fxxrxxf.exe 2168 fxxxxll.exe 3028 frfxfff.exe 3996 pjppp.exe 4720 rxrlffx.exe 664 lfffxxx.exe 5012 9tnntt.exe 5020 5pjdd.exe 3992 bhbthb.exe 4860 jdpjj.exe 1892 9fffrrr.exe 388 hbnhht.exe 1408 1hhbtt.exe 3628 dvjdj.exe 688 bntnnh.exe 4524 7xfxffx.exe 4264 lfffxxx.exe 2052 bhnhbt.exe 4100 vdvpj.exe 1108 ntttnn.exe 4400 rxxlxrl.exe 2276 bttnbt.exe 3396 9pvpp.exe 1752 lfxrrll.exe 1700 bthhnt.exe 2004 jvdvd.exe 3328 jddvd.exe 4504 lxffrrl.exe 3892 btnbtb.exe 5056 djppp.exe 2980 lrfxrrl.exe 2968 thnnhh.exe 2332 jvvpj.exe 2248 1lffxff.exe 1964 jvvpp.exe 5068 pvvpj.exe 1580 lffxrrl.exe 4368 1bnhnn.exe 540 3pjdd.exe 4716 lflxrrl.exe 4508 bhhbtn.exe 3036 ddddj.exe 5076 rrrfrlf.exe 3584 3ntnhn.exe 4784 bnhbtn.exe 4440 5djdv.exe 3152 xrrlfxx.exe 2260 nbtbtt.exe 1688 bthhnn.exe 4772 9vjdp.exe 1792 flrlllf.exe 3536 ffxxrrl.exe -
resource yara_rule behavioral2/memory/4728-4-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/764-11-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3280-18-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/452-12-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3280-23-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3520-29-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2216-35-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4884-41-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1532-53-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1724-66-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/692-55-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1724-59-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5032-72-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1308-73-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1572-82-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3028-93-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3996-99-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/664-110-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5012-118-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3992-128-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/388-141-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3628-150-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4524-165-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4264-168-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/2052-174-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4100-185-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1108-189-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3396-199-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1700-206-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3328-212-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2980-225-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2968-229-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2248-237-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1580-246-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4508-259-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3584-269-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1688-285-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4772-289-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3536-296-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1764-300-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3860-316-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4088-329-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1904-342-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4204-346-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3992-353-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4116-360-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2444-364-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3456-371-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/4840-423-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4364-457-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2056-482-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2260-495-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1908-502-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3924-506-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/456-522-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2800-526-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3192-560-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/852-567-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/368-592-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/932-683-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/828-702-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3460-718-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/972-794-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4392-1200-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4728 wrote to memory of 764 4728 e3a26a4f7271a31bb4e81d70fdf19057a5ad2b9be94a2335d094d8bbabc1157bN.exe 83 PID 4728 wrote to memory of 764 4728 e3a26a4f7271a31bb4e81d70fdf19057a5ad2b9be94a2335d094d8bbabc1157bN.exe 83 PID 4728 wrote to memory of 764 4728 e3a26a4f7271a31bb4e81d70fdf19057a5ad2b9be94a2335d094d8bbabc1157bN.exe 83 PID 764 wrote to memory of 452 764 lflxlfr.exe 84 PID 764 wrote to memory of 452 764 lflxlfr.exe 84 PID 764 wrote to memory of 452 764 lflxlfr.exe 84 PID 452 wrote to memory of 3280 452 rfffxrf.exe 85 PID 452 wrote to memory of 3280 452 rfffxrf.exe 85 PID 452 wrote to memory of 3280 452 rfffxrf.exe 85 PID 3280 wrote to memory of 3520 3280 bhtnhb.exe 86 PID 3280 wrote to memory of 3520 3280 bhtnhb.exe 86 PID 3280 wrote to memory of 3520 3280 bhtnhb.exe 86 PID 3520 wrote to memory of 2216 3520 1hhtnb.exe 87 PID 3520 wrote to memory of 2216 3520 1hhtnb.exe 87 PID 3520 wrote to memory of 2216 3520 1hhtnb.exe 87 PID 2216 wrote to memory of 4884 2216 jvvpj.exe 88 PID 2216 wrote to memory of 4884 2216 jvvpj.exe 88 PID 2216 wrote to memory of 4884 2216 jvvpj.exe 88 PID 4884 wrote to memory of 3808 4884 hhnhnh.exe 89 PID 4884 wrote to memory of 3808 4884 hhnhnh.exe 89 PID 4884 wrote to memory of 3808 4884 hhnhnh.exe 89 PID 3808 wrote to memory of 1532 3808 dpvpj.exe 90 PID 3808 wrote to memory of 1532 3808 dpvpj.exe 90 PID 3808 wrote to memory of 1532 3808 dpvpj.exe 90 PID 1532 wrote to memory of 692 1532 rllllll.exe 91 PID 1532 wrote to memory of 692 1532 rllllll.exe 91 PID 1532 wrote to memory of 692 1532 rllllll.exe 91 PID 692 wrote to memory of 1724 692 bhnhhn.exe 92 PID 692 wrote to memory of 1724 692 bhnhhn.exe 92 PID 692 wrote to memory of 1724 692 bhnhhn.exe 92 PID 1724 wrote to memory of 5032 1724 jjjdv.exe 93 PID 1724 wrote to memory of 5032 1724 jjjdv.exe 93 PID 1724 wrote to memory of 5032 1724 jjjdv.exe 93 PID 5032 wrote to memory of 1308 5032 fxxxxxx.exe 94 PID 5032 wrote to memory of 1308 5032 
fxxxxxx.exe 94 PID 5032 wrote to memory of 1308 5032 fxxxxxx.exe 94 PID 1308 wrote to memory of 1572 1308 jvjjd.exe 95 PID 1308 wrote to memory of 1572 1308 jvjjd.exe 95 PID 1308 wrote to memory of 1572 1308 jvjjd.exe 95 PID 1572 wrote to memory of 2168 1572 fxxrxxf.exe 96 PID 1572 wrote to memory of 2168 1572 fxxrxxf.exe 96 PID 1572 wrote to memory of 2168 1572 fxxrxxf.exe 96 PID 2168 wrote to memory of 3028 2168 fxxxxll.exe 97 PID 2168 wrote to memory of 3028 2168 fxxxxll.exe 97 PID 2168 wrote to memory of 3028 2168 fxxxxll.exe 97 PID 3028 wrote to memory of 3996 3028 frfxfff.exe 98 PID 3028 wrote to memory of 3996 3028 frfxfff.exe 98 PID 3028 wrote to memory of 3996 3028 frfxfff.exe 98 PID 3996 wrote to memory of 4720 3996 pjppp.exe 99 PID 3996 wrote to memory of 4720 3996 pjppp.exe 99 PID 3996 wrote to memory of 4720 3996 pjppp.exe 99 PID 4720 wrote to memory of 664 4720 rxrlffx.exe 100 PID 4720 wrote to memory of 664 4720 rxrlffx.exe 100 PID 4720 wrote to memory of 664 4720 rxrlffx.exe 100 PID 664 wrote to memory of 5012 664 lfffxxx.exe 101 PID 664 wrote to memory of 5012 664 lfffxxx.exe 101 PID 664 wrote to memory of 5012 664 lfffxxx.exe 101 PID 5012 wrote to memory of 5020 5012 9tnntt.exe 102 PID 5012 wrote to memory of 5020 5012 9tnntt.exe 102 PID 5012 wrote to memory of 5020 5012 9tnntt.exe 102 PID 5020 wrote to memory of 3992 5020 5pjdd.exe 103 PID 5020 wrote to memory of 3992 5020 5pjdd.exe 103 PID 5020 wrote to memory of 3992 5020 5pjdd.exe 103 PID 3992 wrote to memory of 4860 3992 bhbthb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3a26a4f7271a31bb4e81d70fdf19057a5ad2b9be94a2335d094d8bbabc1157bN.exe"C:\Users\Admin\AppData\Local\Temp\e3a26a4f7271a31bb4e81d70fdf19057a5ad2b9be94a2335d094d8bbabc1157bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\lflxlfr.exec:\lflxlfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\rfffxrf.exec:\rfffxrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\bhtnhb.exec:\bhtnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\1hhtnb.exec:\1hhtnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\jvvpj.exec:\jvvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\hhnhnh.exec:\hhnhnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\dpvpj.exec:\dpvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\rllllll.exec:\rllllll.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\bhnhhn.exec:\bhnhhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\jjjdv.exec:\jjjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\jvjjd.exec:\jvjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\fxxrxxf.exec:\fxxrxxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\fxxxxll.exec:\fxxxxll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\frfxfff.exec:\frfxfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\pjppp.exec:\pjppp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\rxrlffx.exec:\rxrlffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\lfffxxx.exec:\lfffxxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\9tnntt.exec:\9tnntt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\5pjdd.exec:\5pjdd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\bhbthb.exec:\bhbthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\jdpjj.exec:\jdpjj.exe23⤵
- Executes dropped EXE
PID:4860 -
\??\c:\9fffrrr.exec:\9fffrrr.exe24⤵
- Executes dropped EXE
PID:1892 -
\??\c:\hbnhht.exec:\hbnhht.exe25⤵
- Executes dropped EXE
PID:388 -
\??\c:\1hhbtt.exec:\1hhbtt.exe26⤵
- Executes dropped EXE
PID:1408 -
\??\c:\dvjdj.exec:\dvjdj.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3628 -
\??\c:\bntnnh.exec:\bntnnh.exe28⤵
- Executes dropped EXE
PID:688 -
\??\c:\7xfxffx.exec:\7xfxffx.exe29⤵
- Executes dropped EXE
PID:4524 -
\??\c:\lfffxxx.exec:\lfffxxx.exe30⤵
- Executes dropped EXE
PID:4264 -
\??\c:\bhnhbt.exec:\bhnhbt.exe31⤵
- Executes dropped EXE
PID:2052 -
\??\c:\vdvpj.exec:\vdvpj.exe32⤵
- Executes dropped EXE
PID:4100 -
\??\c:\ntttnn.exec:\ntttnn.exe33⤵
- Executes dropped EXE
PID:1108 -
\??\c:\rxxlxrl.exec:\rxxlxrl.exe34⤵
- Executes dropped EXE
PID:4400 -
\??\c:\bttnbt.exec:\bttnbt.exe35⤵
- Executes dropped EXE
PID:2276 -
\??\c:\9pvpp.exec:\9pvpp.exe36⤵
- Executes dropped EXE
PID:3396 -
\??\c:\lfxrrll.exec:\lfxrrll.exe37⤵
- Executes dropped EXE
PID:1752 -
\??\c:\bthhnt.exec:\bthhnt.exe38⤵
- Executes dropped EXE
PID:1700 -
\??\c:\jvdvd.exec:\jvdvd.exe39⤵
- Executes dropped EXE
PID:2004 -
\??\c:\jddvd.exec:\jddvd.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3328 -
\??\c:\lxffrrl.exec:\lxffrrl.exe41⤵
- Executes dropped EXE
PID:4504 -
\??\c:\btnbtb.exec:\btnbtb.exe42⤵
- Executes dropped EXE
PID:3892 -
\??\c:\djppp.exec:\djppp.exe43⤵
- Executes dropped EXE
PID:5056 -
\??\c:\lrfxrrl.exec:\lrfxrrl.exe44⤵
- Executes dropped EXE
PID:2980 -
\??\c:\thnnhh.exec:\thnnhh.exe45⤵
- Executes dropped EXE
PID:2968 -
\??\c:\jvvpj.exec:\jvvpj.exe46⤵
- Executes dropped EXE
PID:2332 -
\??\c:\1lffxff.exec:\1lffxff.exe47⤵
- Executes dropped EXE
PID:2248 -
\??\c:\jvvpp.exec:\jvvpp.exe48⤵
- Executes dropped EXE
PID:1964 -
\??\c:\pvvpj.exec:\pvvpj.exe49⤵
- Executes dropped EXE
PID:5068 -
\??\c:\lffxrrl.exec:\lffxrrl.exe50⤵
- Executes dropped EXE
PID:1580 -
\??\c:\1bnhnn.exec:\1bnhnn.exe51⤵
- Executes dropped EXE
PID:4368 -
\??\c:\3pjdd.exec:\3pjdd.exe52⤵
- Executes dropped EXE
PID:540 -
\??\c:\lflxrrl.exec:\lflxrrl.exe53⤵
- Executes dropped EXE
PID:4716 -
\??\c:\bhhbtn.exec:\bhhbtn.exe54⤵
- Executes dropped EXE
PID:4508 -
\??\c:\ddddj.exec:\ddddj.exe55⤵
- Executes dropped EXE
PID:3036 -
\??\c:\rrrfrlf.exec:\rrrfrlf.exe56⤵
- Executes dropped EXE
PID:5076 -
\??\c:\3ntnhn.exec:\3ntnhn.exe57⤵
- Executes dropped EXE
PID:3584 -
\??\c:\bnhbtn.exec:\bnhbtn.exe58⤵
- Executes dropped EXE
PID:4784 -
\??\c:\5djdv.exec:\5djdv.exe59⤵
- Executes dropped EXE
PID:4440 -
\??\c:\xrrlfxx.exec:\xrrlfxx.exe60⤵
- Executes dropped EXE
PID:3152 -
\??\c:\nbtbtt.exec:\nbtbtt.exe61⤵
- Executes dropped EXE
PID:2260 -
\??\c:\bthhnn.exec:\bthhnn.exe62⤵
- Executes dropped EXE
PID:1688 -
\??\c:\9vjdp.exec:\9vjdp.exe63⤵
- Executes dropped EXE
PID:4772 -
\??\c:\flrlllf.exec:\flrlllf.exe64⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ffxxrrl.exec:\ffxxrrl.exe65⤵
- Executes dropped EXE
PID:3536 -
\??\c:\bhhbnh.exec:\bhhbnh.exe66⤵PID:1764
-
\??\c:\5pvvp.exec:\5pvvp.exe67⤵PID:5088
-
\??\c:\3rrlxxr.exec:\3rrlxxr.exe68⤵PID:1224
-
\??\c:\bttnhh.exec:\bttnhh.exe69⤵PID:1176
-
\??\c:\vpdvv.exec:\vpdvv.exe70⤵PID:2800
-
\??\c:\lrffffl.exec:\lrffffl.exe71⤵PID:3860
-
\??\c:\rflxxrl.exec:\rflxxrl.exe72⤵PID:1376
-
\??\c:\tbhhbt.exec:\tbhhbt.exe73⤵PID:3076
-
\??\c:\ttthbn.exec:\ttthbn.exe74⤵PID:2348
-
\??\c:\pvdvp.exec:\pvdvp.exe75⤵PID:4088
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe76⤵PID:4748
-
\??\c:\nhbbtn.exec:\nhbbtn.exe77⤵PID:4952
-
\??\c:\vvdvp.exec:\vvdvp.exe78⤵PID:664
-
\??\c:\jpjvj.exec:\jpjvj.exe79⤵PID:1904
-
\??\c:\xflfllr.exec:\xflfllr.exe80⤵PID:4204
-
\??\c:\tttnnn.exec:\tttnnn.exe81⤵PID:3560
-
\??\c:\7pjdv.exec:\7pjdv.exe82⤵PID:3992
-
\??\c:\dpvpp.exec:\dpvpp.exe83⤵PID:1600
-
\??\c:\xfxrllf.exec:\xfxrllf.exe84⤵PID:4116
-
\??\c:\hnhnbb.exec:\hnhnbb.exe85⤵PID:2444
-
\??\c:\vjjvp.exec:\vjjvp.exe86⤵PID:1412
-
\??\c:\lflffrl.exec:\lflffrl.exe87⤵PID:3456
-
\??\c:\5ffrffr.exec:\5ffrffr.exe88⤵PID:4392
-
\??\c:\tnnbth.exec:\tnnbth.exe89⤵PID:1836
-
\??\c:\dvdvj.exec:\dvdvj.exe90⤵PID:3716
-
\??\c:\lffxfxr.exec:\lffxfxr.exe91⤵PID:1188
-
\??\c:\xrflllr.exec:\xrflllr.exe92⤵PID:2240
-
\??\c:\thnhbt.exec:\thnhbt.exe93⤵PID:4008
-
\??\c:\vpvpv.exec:\vpvpv.exe94⤵PID:5116
-
\??\c:\vvjjd.exec:\vvjjd.exe95⤵PID:1664
-
\??\c:\lfrlllr.exec:\lfrlllr.exe96⤵PID:4332
-
\??\c:\xxxrrrr.exec:\xxxrrrr.exe97⤵PID:3740
-
\??\c:\nbhhhn.exec:\nbhhhn.exe98⤵PID:4572
-
\??\c:\tbhhbt.exec:\tbhhbt.exe99⤵PID:2200
-
\??\c:\jdvpj.exec:\jdvpj.exe100⤵PID:2196
-
\??\c:\ffrfxrl.exec:\ffrfxrl.exe101⤵PID:808
-
\??\c:\3lfxxxf.exec:\3lfxxxf.exe102⤵PID:748
-
\??\c:\3tbthh.exec:\3tbthh.exe103⤵PID:2920
-
\??\c:\pjjdv.exec:\pjjdv.exe104⤵PID:4840
-
\??\c:\dpvpj.exec:\dpvpj.exe105⤵PID:2960
-
\??\c:\fffrlff.exec:\fffrlff.exe106⤵PID:4504
-
\??\c:\bttnhb.exec:\bttnhb.exe107⤵PID:3892
-
\??\c:\5pvpp.exec:\5pvpp.exe108⤵PID:5056
-
\??\c:\pvddv.exec:\pvddv.exe109⤵PID:2500
-
\??\c:\1rlffxr.exec:\1rlffxr.exe110⤵PID:2560
-
\??\c:\nhnbtt.exec:\nhnbtt.exe111⤵PID:1424
-
\??\c:\bnhbnn.exec:\bnhbnn.exe112⤵PID:4424
-
\??\c:\jjdvp.exec:\jjdvp.exe113⤵PID:804
-
\??\c:\5rrrffx.exec:\5rrrffx.exe114⤵PID:2804
-
\??\c:\ffffxxx.exec:\ffffxxx.exe115⤵PID:4364
-
\??\c:\tnhbtn.exec:\tnhbtn.exe116⤵PID:4692
-
\??\c:\vjpjd.exec:\vjpjd.exe117⤵PID:552
-
\??\c:\dvvpp.exec:\dvvpp.exe118⤵PID:1244
-
\??\c:\xfrfxrr.exec:\xfrfxrr.exe119⤵PID:3692
-
\??\c:\nhthtt.exec:\nhthtt.exe120⤵PID:3916
-
\??\c:\dvjdd.exec:\dvjdd.exe121⤵PID:3280
-
\??\c:\5vpdp.exec:\5vpdp.exe122⤵PID:5076
-