Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 14:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3906dd09b4c1704052698e1ce7c1909f20dea368ed03f48e985274bdc4c6f584.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3906dd09b4c1704052698e1ce7c1909f20dea368ed03f48e985274bdc4c6f584.exe
-
Size
453KB
-
MD5
0f911d5f84490e287b8be2cf6701f589
-
SHA1
b408fa78f42f1b6fae4c15a1daa7a86acd2e2762
-
SHA256
3906dd09b4c1704052698e1ce7c1909f20dea368ed03f48e985274bdc4c6f584
-
SHA512
26d859ab8d4f0669394cc8b45dad06f74ab9cbaa53910c1580cb5ff0f28a8ea7e4f2171a9280f9201a8379fef4ec7f391fd99a7e56a3a8c606b87038968190cc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbev:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3604-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/584-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4016-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3948-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-742-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-1020-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-1412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3140 xlxrrll.exe 4828 5jjdv.exe 4112 lxxrlff.exe 3944 nhhbbb.exe 3888 lfllxfx.exe 4928 dvvvv.exe 2424 xxxrxxx.exe 884 9ttnnn.exe 3928 hnnhhh.exe 3092 rfxxxrl.exe 3984 bhnhnn.exe 1012 bbtntt.exe 3372 pdjdv.exe 2352 fffxlfx.exe 584 5ddvd.exe 1076 llrrllx.exe 2064 nhhbtt.exe 4680 lrrlxlf.exe 4372 vvvpp.exe 3144 ntnnnt.exe 3752 5xffrxl.exe 3612 7bthbn.exe 4864 dvdvd.exe 4152 7tnnhn.exe 2000 hbbthh.exe 4280 nbtthh.exe 64 xlxlxlx.exe 3996 1vvdv.exe 2668 1nhhbh.exe 1640 vjdpj.exe 4508 hthtnn.exe 3008 frxrrrl.exe 4016 btbhhh.exe 644 vdjdd.exe 2356 xxfxfxf.exe 1588 bhnntn.exe 2844 llxrllf.exe 2652 9lfrrll.exe 4356 ttnhbb.exe 2556 1vppj.exe 3048 fxfxxxx.exe 1620 tbnhhb.exe 4428 vdppj.exe 1084 vvvvp.exe 4244 bhtnhh.exe 2704 dvpjp.exe 4896 vjvpj.exe 4344 fxfrlfr.exe 2752 9tnhhb.exe 812 pppjp.exe 5060 rxrlrrl.exe 3528 btnnnt.exe 2792 pvjdd.exe 2928 xflllxr.exe 4424 bhbbtt.exe 4952 nnhbtn.exe 3668 rxlfxxr.exe 3888 9xllfxr.exe 244 httnht.exe 2424 7ddvp.exe 2932 rfxllrx.exe 884 9xlfllr.exe 1368 tttnhn.exe 3608 pjjvp.exe -
resource yara_rule behavioral2/memory/3604-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/584-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4016-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-387-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3432-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-782-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3604 wrote to memory of 3140 3604 3906dd09b4c1704052698e1ce7c1909f20dea368ed03f48e985274bdc4c6f584.exe 83 PID 3604 wrote to memory of 3140 3604 3906dd09b4c1704052698e1ce7c1909f20dea368ed03f48e985274bdc4c6f584.exe 83 PID 3604 wrote to memory of 3140 3604 3906dd09b4c1704052698e1ce7c1909f20dea368ed03f48e985274bdc4c6f584.exe 83 PID 3140 wrote to memory of 4828 3140 xlxrrll.exe 84 PID 3140 wrote to memory of 4828 3140 xlxrrll.exe 84 PID 3140 wrote to memory of 4828 3140 xlxrrll.exe 84 PID 4828 wrote to memory of 4112 4828 5jjdv.exe 85 PID 4828 wrote to memory of 4112 4828 5jjdv.exe 85 PID 4828 wrote to memory of 4112 4828 5jjdv.exe 85 PID 4112 wrote to memory of 3944 4112 lxxrlff.exe 86 PID 4112 wrote to memory of 3944 4112 lxxrlff.exe 86 PID 4112 wrote to memory of 3944 4112 lxxrlff.exe 86 PID 3944 wrote to memory of 3888 3944 nhhbbb.exe 87 PID 3944 wrote to memory of 3888 3944 nhhbbb.exe 87 PID 3944 wrote to memory of 3888 3944 nhhbbb.exe 87 PID 3888 wrote to memory of 4928 3888 lfllxfx.exe 88 PID 3888 wrote to memory of 4928 3888 lfllxfx.exe 88 PID 3888 wrote to memory of 4928 3888 lfllxfx.exe 88 PID 4928 wrote to memory of 2424 4928 dvvvv.exe 89 PID 4928 wrote to memory of 2424 4928 dvvvv.exe 89 PID 4928 wrote to memory of 2424 4928 dvvvv.exe 89 PID 2424 wrote to memory of 884 2424 xxxrxxx.exe 90 PID 2424 wrote to memory of 884 2424 xxxrxxx.exe 90 PID 2424 wrote to memory of 884 2424 xxxrxxx.exe 90 PID 884 wrote to memory of 3928 884 9ttnnn.exe 91 PID 884 wrote to memory of 3928 884 9ttnnn.exe 91 PID 884 wrote to memory of 3928 884 9ttnnn.exe 91 PID 3928 wrote to memory of 3092 3928 hnnhhh.exe 92 PID 3928 wrote to memory of 3092 3928 hnnhhh.exe 92 PID 3928 wrote to memory of 3092 3928 hnnhhh.exe 92 PID 3092 wrote to memory of 3984 3092 rfxxxrl.exe 93 PID 3092 wrote to memory of 3984 3092 rfxxxrl.exe 93 PID 3092 wrote to memory of 3984 3092 rfxxxrl.exe 93 PID 3984 wrote to memory of 1012 3984 bhnhnn.exe 94 PID 3984 wrote to 
memory of 1012 3984 bhnhnn.exe 94 PID 3984 wrote to memory of 1012 3984 bhnhnn.exe 94 PID 1012 wrote to memory of 3372 1012 bbtntt.exe 95 PID 1012 wrote to memory of 3372 1012 bbtntt.exe 95 PID 1012 wrote to memory of 3372 1012 bbtntt.exe 95 PID 3372 wrote to memory of 2352 3372 pdjdv.exe 96 PID 3372 wrote to memory of 2352 3372 pdjdv.exe 96 PID 3372 wrote to memory of 2352 3372 pdjdv.exe 96 PID 2352 wrote to memory of 584 2352 fffxlfx.exe 97 PID 2352 wrote to memory of 584 2352 fffxlfx.exe 97 PID 2352 wrote to memory of 584 2352 fffxlfx.exe 97 PID 584 wrote to memory of 1076 584 5ddvd.exe 98 PID 584 wrote to memory of 1076 584 5ddvd.exe 98 PID 584 wrote to memory of 1076 584 5ddvd.exe 98 PID 1076 wrote to memory of 2064 1076 llrrllx.exe 99 PID 1076 wrote to memory of 2064 1076 llrrllx.exe 99 PID 1076 wrote to memory of 2064 1076 llrrllx.exe 99 PID 2064 wrote to memory of 4680 2064 nhhbtt.exe 100 PID 2064 wrote to memory of 4680 2064 nhhbtt.exe 100 PID 2064 wrote to memory of 4680 2064 nhhbtt.exe 100 PID 4680 wrote to memory of 4372 4680 lrrlxlf.exe 101 PID 4680 wrote to memory of 4372 4680 lrrlxlf.exe 101 PID 4680 wrote to memory of 4372 4680 lrrlxlf.exe 101 PID 4372 wrote to memory of 3144 4372 vvvpp.exe 102 PID 4372 wrote to memory of 3144 4372 vvvpp.exe 102 PID 4372 wrote to memory of 3144 4372 vvvpp.exe 102 PID 3144 wrote to memory of 3752 3144 ntnnnt.exe 103 PID 3144 wrote to memory of 3752 3144 ntnnnt.exe 103 PID 3144 wrote to memory of 3752 3144 ntnnnt.exe 103 PID 3752 wrote to memory of 3612 3752 5xffrxl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3906dd09b4c1704052698e1ce7c1909f20dea368ed03f48e985274bdc4c6f584.exe"C:\Users\Admin\AppData\Local\Temp\3906dd09b4c1704052698e1ce7c1909f20dea368ed03f48e985274bdc4c6f584.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\xlxrrll.exec:\xlxrrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\5jjdv.exec:\5jjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\lxxrlff.exec:\lxxrlff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\nhhbbb.exec:\nhhbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\lfllxfx.exec:\lfllxfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\dvvvv.exec:\dvvvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\xxxrxxx.exec:\xxxrxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\9ttnnn.exec:\9ttnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\hnnhhh.exec:\hnnhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\rfxxxrl.exec:\rfxxxrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\bhnhnn.exec:\bhnhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\bbtntt.exec:\bbtntt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\pdjdv.exec:\pdjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\fffxlfx.exec:\fffxlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\5ddvd.exec:\5ddvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\llrrllx.exec:\llrrllx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\nhhbtt.exec:\nhhbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\lrrlxlf.exec:\lrrlxlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\vvvpp.exec:\vvvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\ntnnnt.exec:\ntnnnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\5xffrxl.exec:\5xffrxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\7bthbn.exec:\7bthbn.exe23⤵
- Executes dropped EXE
PID:3612 -
\??\c:\dvdvd.exec:\dvdvd.exe24⤵
- Executes dropped EXE
PID:4864 -
\??\c:\7tnnhn.exec:\7tnnhn.exe25⤵
- Executes dropped EXE
PID:4152 -
\??\c:\hbbthh.exec:\hbbthh.exe26⤵
- Executes dropped EXE
PID:2000 -
\??\c:\nbtthh.exec:\nbtthh.exe27⤵
- Executes dropped EXE
PID:4280 -
\??\c:\xlxlxlx.exec:\xlxlxlx.exe28⤵
- Executes dropped EXE
PID:64 -
\??\c:\1vvdv.exec:\1vvdv.exe29⤵
- Executes dropped EXE
PID:3996 -
\??\c:\1nhhbh.exec:\1nhhbh.exe30⤵
- Executes dropped EXE
PID:2668 -
\??\c:\vjdpj.exec:\vjdpj.exe31⤵
- Executes dropped EXE
PID:1640 -
\??\c:\hthtnn.exec:\hthtnn.exe32⤵
- Executes dropped EXE
PID:4508 -
\??\c:\frxrrrl.exec:\frxrrrl.exe33⤵
- Executes dropped EXE
PID:3008 -
\??\c:\btbhhh.exec:\btbhhh.exe34⤵
- Executes dropped EXE
PID:4016 -
\??\c:\vdjdd.exec:\vdjdd.exe35⤵
- Executes dropped EXE
PID:644 -
\??\c:\xxfxfxf.exec:\xxfxfxf.exe36⤵
- Executes dropped EXE
PID:2356 -
\??\c:\bhnntn.exec:\bhnntn.exe37⤵
- Executes dropped EXE
PID:1588 -
\??\c:\llxrllf.exec:\llxrllf.exe38⤵
- Executes dropped EXE
PID:2844 -
\??\c:\9lfrrll.exec:\9lfrrll.exe39⤵
- Executes dropped EXE
PID:2652 -
\??\c:\ttnhbb.exec:\ttnhbb.exe40⤵
- Executes dropped EXE
PID:4356 -
\??\c:\1vppj.exec:\1vppj.exe41⤵
- Executes dropped EXE
PID:2556 -
\??\c:\fxfxxxx.exec:\fxfxxxx.exe42⤵
- Executes dropped EXE
PID:3048 -
\??\c:\tbnhhb.exec:\tbnhhb.exe43⤵
- Executes dropped EXE
PID:1620 -
\??\c:\vdppj.exec:\vdppj.exe44⤵
- Executes dropped EXE
PID:4428 -
\??\c:\vvvvp.exec:\vvvvp.exe45⤵
- Executes dropped EXE
PID:1084 -
\??\c:\bhtnhh.exec:\bhtnhh.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4244 -
\??\c:\dvpjp.exec:\dvpjp.exe47⤵
- Executes dropped EXE
PID:2704 -
\??\c:\vjvpj.exec:\vjvpj.exe48⤵
- Executes dropped EXE
PID:4896 -
\??\c:\fxfrlfr.exec:\fxfrlfr.exe49⤵
- Executes dropped EXE
PID:4344 -
\??\c:\9tnhhb.exec:\9tnhhb.exe50⤵
- Executes dropped EXE
PID:2752 -
\??\c:\pppjp.exec:\pppjp.exe51⤵
- Executes dropped EXE
PID:812 -
\??\c:\rxrlrrl.exec:\rxrlrrl.exe52⤵
- Executes dropped EXE
PID:5060 -
\??\c:\btnnnt.exec:\btnnnt.exe53⤵
- Executes dropped EXE
PID:3528 -
\??\c:\pvjdd.exec:\pvjdd.exe54⤵
- Executes dropped EXE
PID:2792 -
\??\c:\xflllxr.exec:\xflllxr.exe55⤵
- Executes dropped EXE
PID:2928 -
\??\c:\bhbbtt.exec:\bhbbtt.exe56⤵
- Executes dropped EXE
PID:4424 -
\??\c:\nnhbtn.exec:\nnhbtn.exe57⤵
- Executes dropped EXE
PID:4952 -
\??\c:\rxlfxxr.exec:\rxlfxxr.exe58⤵
- Executes dropped EXE
PID:3668 -
\??\c:\9xllfxr.exec:\9xllfxr.exe59⤵
- Executes dropped EXE
PID:3888 -
\??\c:\httnht.exec:\httnht.exe60⤵
- Executes dropped EXE
PID:244 -
\??\c:\7ddvp.exec:\7ddvp.exe61⤵
- Executes dropped EXE
PID:2424 -
\??\c:\rfxllrx.exec:\rfxllrx.exe62⤵
- Executes dropped EXE
PID:2932 -
\??\c:\9xlfllr.exec:\9xlfllr.exe63⤵
- Executes dropped EXE
PID:884 -
\??\c:\tttnhn.exec:\tttnhn.exe64⤵
- Executes dropped EXE
PID:1368 -
\??\c:\pjjvp.exec:\pjjvp.exe65⤵
- Executes dropped EXE
PID:3608 -
\??\c:\lrlrxrf.exec:\lrlrxrf.exe66⤵PID:4264
-
\??\c:\httntn.exec:\httntn.exe67⤵PID:3832
-
\??\c:\ntbntn.exec:\ntbntn.exe68⤵PID:632
-
\??\c:\pdjpj.exec:\pdjpj.exe69⤵PID:3120
-
\??\c:\rrffxlf.exec:\rrffxlf.exe70⤵PID:4688
-
\??\c:\hhnnhh.exec:\hhnnhh.exe71⤵PID:2252
-
\??\c:\vvjjd.exec:\vvjjd.exe72⤵PID:4480
-
\??\c:\xxxrlll.exec:\xxxrlll.exe73⤵PID:5012
-
\??\c:\frxrlrl.exec:\frxrlrl.exe74⤵PID:3712
-
\??\c:\hbtttt.exec:\hbtttt.exe75⤵PID:4984
-
\??\c:\djjdp.exec:\djjdp.exe76⤵PID:2732
-
\??\c:\vvvdv.exec:\vvvdv.exe77⤵PID:2448
-
\??\c:\llllfff.exec:\llllfff.exe78⤵PID:5088
-
\??\c:\1bhbtt.exec:\1bhbtt.exe79⤵PID:3572
-
\??\c:\jvvpp.exec:\jvvpp.exe80⤵PID:1336
-
\??\c:\lrxrffr.exec:\lrxrffr.exe81⤵PID:3256
-
\??\c:\bntnhh.exec:\bntnhh.exe82⤵PID:3612
-
\??\c:\5jvpj.exec:\5jvpj.exe83⤵PID:4580
-
\??\c:\xrflfxf.exec:\xrflfxf.exe84⤵PID:1616
-
\??\c:\nbnhbh.exec:\nbnhbh.exe85⤵PID:912
-
\??\c:\bhhbtt.exec:\bhhbtt.exe86⤵PID:2000
-
\??\c:\pvpjj.exec:\pvpjj.exe87⤵PID:3176
-
\??\c:\vvvpj.exec:\vvvpj.exe88⤵PID:3948
-
\??\c:\nntnbt.exec:\nntnbt.exe89⤵PID:3876
-
\??\c:\vvpjj.exec:\vvpjj.exe90⤵PID:1376
-
\??\c:\vvvpj.exec:\vvvpj.exe91⤵PID:2668
-
\??\c:\rxlffff.exec:\rxlffff.exe92⤵PID:4132
-
\??\c:\xxfxrlf.exec:\xxfxrlf.exe93⤵
- System Location Discovery: System Language Discovery
PID:5036 -
\??\c:\pjppj.exec:\pjppj.exe94⤵PID:4044
-
\??\c:\3ddvd.exec:\3ddvd.exe95⤵PID:2292
-
\??\c:\frxrllf.exec:\frxrllf.exe96⤵PID:3432
-
\??\c:\1tnhbb.exec:\1tnhbb.exe97⤵PID:1692
-
\??\c:\3pppj.exec:\3pppj.exe98⤵PID:3768
-
\??\c:\rrxxffl.exec:\rrxxffl.exe99⤵PID:1676
-
\??\c:\nhnhbt.exec:\nhnhbt.exe100⤵PID:60
-
\??\c:\jvvjd.exec:\jvvjd.exe101⤵PID:4724
-
\??\c:\1vpdv.exec:\1vpdv.exe102⤵PID:4448
-
\??\c:\lrrlffx.exec:\lrrlffx.exe103⤵PID:4164
-
\??\c:\nhnhbn.exec:\nhnhbn.exe104⤵PID:3048
-
\??\c:\5jpjv.exec:\5jpjv.exe105⤵PID:1620
-
\??\c:\1llfxrl.exec:\1llfxrl.exe106⤵PID:656
-
\??\c:\ttttnn.exec:\ttttnn.exe107⤵PID:2680
-
\??\c:\9bhbnn.exec:\9bhbnn.exe108⤵PID:4732
-
\??\c:\vddpd.exec:\vddpd.exe109⤵PID:2972
-
\??\c:\9lfxrlx.exec:\9lfxrlx.exe110⤵PID:4348
-
\??\c:\1nnhbb.exec:\1nnhbb.exe111⤵PID:2764
-
\??\c:\3dvpj.exec:\3dvpj.exe112⤵PID:416
-
\??\c:\rrlfxxr.exec:\rrlfxxr.exe113⤵PID:184
-
\??\c:\lxxrrrl.exec:\lxxrrrl.exe114⤵PID:2544
-
\??\c:\1nhbtt.exec:\1nhbtt.exe115⤵PID:4572
-
\??\c:\1vpjd.exec:\1vpjd.exe116⤵PID:1444
-
\??\c:\vvvjp.exec:\vvvjp.exe117⤵PID:756
-
\??\c:\rlxlxlr.exec:\rlxlxlr.exe118⤵PID:3944
-
\??\c:\nntnbb.exec:\nntnbb.exe119⤵PID:2168
-
\??\c:\9pvpv.exec:\9pvpv.exe120⤵PID:3396
-
\??\c:\1lffxxr.exec:\1lffxxr.exe121⤵PID:2016
-
\??\c:\bbtnhb.exec:\bbtnhb.exe122⤵PID:1032