Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 21:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3210c3918d8a2e5314503f462ae9452330b2b7eb91c70f7ffab4e5a0d00f9569.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
3210c3918d8a2e5314503f462ae9452330b2b7eb91c70f7ffab4e5a0d00f9569.exe
-
Size
454KB
-
MD5
03db74dc8c7e7bdbe52708f3c26456dd
-
SHA1
4a93d11b06893b905e96550d5371e7d2e4e39c2e
-
SHA256
3210c3918d8a2e5314503f462ae9452330b2b7eb91c70f7ffab4e5a0d00f9569
-
SHA512
51c1e8fae242707ed0ff46a97b1de176e10cf4e61b104e5af6dde84c3ab96f412d60ade0980bdf924f0b4147bf26eca8cc5b86ec22443e441f33a2479bf3da80
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbebs:q7Tc2NYHUrAwfMp3CDbs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4008-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3348-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3412-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-1064-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-1270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2464 xxllfff.exe 2448 1jjjd.exe 5012 1lflfrl.exe 5044 ttnhbb.exe 2912 ttbttn.exe 2036 rrrlllf.exe 4080 thbbbb.exe 3796 vpvpp.exe 4508 pvvpj.exe 4864 llxrxxf.exe 2636 jvvvj.exe 2284 1xxlxxl.exe 1104 vppjd.exe 1932 lllffxf.exe 5068 nnhbnn.exe 880 tnnbnh.exe 2552 tttntt.exe 4944 ntttbb.exe 3092 fxxrfxf.exe 2692 dddvp.exe 1728 lxxrrrr.exe 1972 7jjdp.exe 2816 ttnthh.exe 3316 1vpjd.exe 2540 3rxlrrr.exe 3724 9hhbtn.exe 3488 vjjdv.exe 3148 1pjdj.exe 3348 rfrlfxr.exe 456 3llfxrx.exe 4036 jpdpp.exe 2016 7pvjj.exe 5028 bbbthb.exe 2928 dvpjd.exe 4788 frrlflf.exe 1864 jpvjv.exe 4712 frrlfxx.exe 3504 bhbthb.exe 4868 3xlxffl.exe 2312 5tnbbb.exe 1512 vddvp.exe 4808 7djpd.exe 4560 fxxfrlr.exe 4800 hbbthb.exe 1436 vvjdp.exe 556 1xrfxfx.exe 1944 lffxlfx.exe 768 bnnnhh.exe 1112 vddjd.exe 4344 xlfxrlx.exe 4980 thnnht.exe 1068 9jjdv.exe 2556 fllxrlx.exe 4208 3nhbtt.exe 2972 5vjdp.exe 3312 pvdvd.exe 4564 xffxxxr.exe 4004 7hnnbb.exe 60 vjjdv.exe 3808 3pjjd.exe 4048 lrxrlfx.exe 4496 1tnnbb.exe 844 jjpjp.exe 3968 9rfxrrx.exe -
resource yara_rule behavioral2/memory/4008-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5028-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-385-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2016-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-792-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4008 wrote to memory of 2464 4008 3210c3918d8a2e5314503f462ae9452330b2b7eb91c70f7ffab4e5a0d00f9569.exe 83 PID 4008 wrote to memory of 2464 4008 3210c3918d8a2e5314503f462ae9452330b2b7eb91c70f7ffab4e5a0d00f9569.exe 83 PID 4008 wrote to memory of 2464 4008 3210c3918d8a2e5314503f462ae9452330b2b7eb91c70f7ffab4e5a0d00f9569.exe 83 PID 2464 wrote to memory of 2448 2464 xxllfff.exe 84 PID 2464 wrote to memory of 2448 2464 xxllfff.exe 84 PID 2464 wrote to memory of 2448 2464 xxllfff.exe 84 PID 2448 wrote to memory of 5012 2448 1jjjd.exe 85 PID 2448 wrote to memory of 5012 2448 1jjjd.exe 85 PID 2448 wrote to memory of 5012 2448 1jjjd.exe 85 PID 5012 wrote to memory of 5044 5012 1lflfrl.exe 86 PID 5012 wrote to memory of 5044 5012 1lflfrl.exe 86 PID 5012 wrote to memory of 5044 5012 1lflfrl.exe 86 PID 5044 wrote to memory of 2912 5044 ttnhbb.exe 87 PID 5044 wrote to memory of 2912 5044 ttnhbb.exe 87 PID 5044 wrote to memory of 2912 5044 ttnhbb.exe 87 PID 2912 wrote to memory of 2036 2912 ttbttn.exe 88 PID 2912 wrote to memory of 2036 2912 ttbttn.exe 88 PID 2912 wrote to memory of 2036 2912 ttbttn.exe 88 PID 2036 wrote to memory of 4080 2036 rrrlllf.exe 89 PID 2036 wrote to memory of 4080 2036 rrrlllf.exe 89 PID 2036 wrote to memory of 4080 2036 rrrlllf.exe 89 PID 4080 wrote to memory of 3796 4080 thbbbb.exe 90 PID 4080 wrote to memory of 3796 4080 thbbbb.exe 90 PID 4080 wrote to memory of 3796 4080 thbbbb.exe 90 PID 3796 wrote to memory of 4508 3796 vpvpp.exe 91 PID 3796 wrote to memory of 4508 3796 vpvpp.exe 91 PID 3796 wrote to memory of 4508 3796 vpvpp.exe 91 PID 4508 wrote to memory of 4864 4508 pvvpj.exe 92 PID 4508 wrote to memory of 4864 4508 pvvpj.exe 92 PID 4508 wrote to memory of 4864 4508 pvvpj.exe 92 PID 4864 wrote to memory of 2636 4864 llxrxxf.exe 93 PID 4864 wrote to memory of 2636 4864 llxrxxf.exe 93 PID 4864 wrote to memory of 2636 4864 llxrxxf.exe 93 PID 2636 wrote to memory of 2284 2636 jvvvj.exe 94 PID 2636 wrote to 
memory of 2284 2636 jvvvj.exe 94 PID 2636 wrote to memory of 2284 2636 jvvvj.exe 94 PID 2284 wrote to memory of 1104 2284 1xxlxxl.exe 95 PID 2284 wrote to memory of 1104 2284 1xxlxxl.exe 95 PID 2284 wrote to memory of 1104 2284 1xxlxxl.exe 95 PID 1104 wrote to memory of 1932 1104 vppjd.exe 96 PID 1104 wrote to memory of 1932 1104 vppjd.exe 96 PID 1104 wrote to memory of 1932 1104 vppjd.exe 96 PID 1932 wrote to memory of 5068 1932 lllffxf.exe 97 PID 1932 wrote to memory of 5068 1932 lllffxf.exe 97 PID 1932 wrote to memory of 5068 1932 lllffxf.exe 97 PID 5068 wrote to memory of 880 5068 nnhbnn.exe 98 PID 5068 wrote to memory of 880 5068 nnhbnn.exe 98 PID 5068 wrote to memory of 880 5068 nnhbnn.exe 98 PID 880 wrote to memory of 2552 880 tnnbnh.exe 99 PID 880 wrote to memory of 2552 880 tnnbnh.exe 99 PID 880 wrote to memory of 2552 880 tnnbnh.exe 99 PID 2552 wrote to memory of 4944 2552 tttntt.exe 100 PID 2552 wrote to memory of 4944 2552 tttntt.exe 100 PID 2552 wrote to memory of 4944 2552 tttntt.exe 100 PID 4944 wrote to memory of 3092 4944 ntttbb.exe 101 PID 4944 wrote to memory of 3092 4944 ntttbb.exe 101 PID 4944 wrote to memory of 3092 4944 ntttbb.exe 101 PID 3092 wrote to memory of 2692 3092 fxxrfxf.exe 102 PID 3092 wrote to memory of 2692 3092 fxxrfxf.exe 102 PID 3092 wrote to memory of 2692 3092 fxxrfxf.exe 102 PID 2692 wrote to memory of 1728 2692 dddvp.exe 103 PID 2692 wrote to memory of 1728 2692 dddvp.exe 103 PID 2692 wrote to memory of 1728 2692 dddvp.exe 103 PID 1728 wrote to memory of 1972 1728 lxxrrrr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3210c3918d8a2e5314503f462ae9452330b2b7eb91c70f7ffab4e5a0d00f9569.exe"C:\Users\Admin\AppData\Local\Temp\3210c3918d8a2e5314503f462ae9452330b2b7eb91c70f7ffab4e5a0d00f9569.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\xxllfff.exec:\xxllfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\1jjjd.exec:\1jjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\1lflfrl.exec:\1lflfrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\ttnhbb.exec:\ttnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\ttbttn.exec:\ttbttn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\rrrlllf.exec:\rrrlllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\thbbbb.exec:\thbbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\vpvpp.exec:\vpvpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
\??\c:\pvvpj.exec:\pvvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\llxrxxf.exec:\llxrxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\jvvvj.exec:\jvvvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\1xxlxxl.exec:\1xxlxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\vppjd.exec:\vppjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\lllffxf.exec:\lllffxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\nnhbnn.exec:\nnhbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\tnnbnh.exec:\tnnbnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\tttntt.exec:\tttntt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\ntttbb.exec:\ntttbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\fxxrfxf.exec:\fxxrfxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\dddvp.exec:\dddvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\lxxrrrr.exec:\lxxrrrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\7jjdp.exec:\7jjdp.exe23⤵
- Executes dropped EXE
PID:1972 -
\??\c:\ttnthh.exec:\ttnthh.exe24⤵
- Executes dropped EXE
PID:2816 -
\??\c:\1vpjd.exec:\1vpjd.exe25⤵
- Executes dropped EXE
PID:3316 -
\??\c:\3rxlrrr.exec:\3rxlrrr.exe26⤵
- Executes dropped EXE
PID:2540 -
\??\c:\9hhbtn.exec:\9hhbtn.exe27⤵
- Executes dropped EXE
PID:3724 -
\??\c:\vjjdv.exec:\vjjdv.exe28⤵
- Executes dropped EXE
PID:3488 -
\??\c:\1pjdj.exec:\1pjdj.exe29⤵
- Executes dropped EXE
PID:3148 -
\??\c:\rfrlfxr.exec:\rfrlfxr.exe30⤵
- Executes dropped EXE
PID:3348 -
\??\c:\3llfxrx.exec:\3llfxrx.exe31⤵
- Executes dropped EXE
PID:456 -
\??\c:\jpdpp.exec:\jpdpp.exe32⤵
- Executes dropped EXE
PID:4036 -
\??\c:\7pvjj.exec:\7pvjj.exe33⤵
- Executes dropped EXE
PID:2016 -
\??\c:\bbbthb.exec:\bbbthb.exe34⤵
- Executes dropped EXE
PID:5028 -
\??\c:\dvpjd.exec:\dvpjd.exe35⤵
- Executes dropped EXE
PID:2928 -
\??\c:\frrlflf.exec:\frrlflf.exe36⤵
- Executes dropped EXE
PID:4788 -
\??\c:\jpvjv.exec:\jpvjv.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1864 -
\??\c:\frrlfxx.exec:\frrlfxx.exe38⤵
- Executes dropped EXE
PID:4712 -
\??\c:\bhbthb.exec:\bhbthb.exe39⤵
- Executes dropped EXE
PID:3504 -
\??\c:\3xlxffl.exec:\3xlxffl.exe40⤵
- Executes dropped EXE
PID:4868 -
\??\c:\5tnbbb.exec:\5tnbbb.exe41⤵
- Executes dropped EXE
PID:2312 -
\??\c:\vddvp.exec:\vddvp.exe42⤵
- Executes dropped EXE
PID:1512 -
\??\c:\7djpd.exec:\7djpd.exe43⤵
- Executes dropped EXE
PID:4808 -
\??\c:\fxxfrlr.exec:\fxxfrlr.exe44⤵
- Executes dropped EXE
PID:4560 -
\??\c:\hbbthb.exec:\hbbthb.exe45⤵
- Executes dropped EXE
PID:4800 -
\??\c:\vvjdp.exec:\vvjdp.exe46⤵
- Executes dropped EXE
PID:1436 -
\??\c:\1xrfxfx.exec:\1xrfxfx.exe47⤵
- Executes dropped EXE
PID:556 -
\??\c:\lffxlfx.exec:\lffxlfx.exe48⤵
- Executes dropped EXE
PID:1944 -
\??\c:\bnnnhh.exec:\bnnnhh.exe49⤵
- Executes dropped EXE
PID:768 -
\??\c:\vddjd.exec:\vddjd.exe50⤵
- Executes dropped EXE
PID:1112 -
\??\c:\xlfxrlx.exec:\xlfxrlx.exe51⤵
- Executes dropped EXE
PID:4344 -
\??\c:\thnnht.exec:\thnnht.exe52⤵
- Executes dropped EXE
PID:4980 -
\??\c:\9jjdv.exec:\9jjdv.exe53⤵
- Executes dropped EXE
PID:1068 -
\??\c:\fllxrlx.exec:\fllxrlx.exe54⤵
- Executes dropped EXE
PID:2556 -
\??\c:\3nhbtt.exec:\3nhbtt.exe55⤵
- Executes dropped EXE
PID:4208 -
\??\c:\5vjdp.exec:\5vjdp.exe56⤵
- Executes dropped EXE
PID:2972 -
\??\c:\pvdvd.exec:\pvdvd.exe57⤵
- Executes dropped EXE
PID:3312 -
\??\c:\xffxxxr.exec:\xffxxxr.exe58⤵
- Executes dropped EXE
PID:4564 -
\??\c:\7hnnbb.exec:\7hnnbb.exe59⤵
- Executes dropped EXE
PID:4004 -
\??\c:\vjjdv.exec:\vjjdv.exe60⤵
- Executes dropped EXE
PID:60 -
\??\c:\3pjjd.exec:\3pjjd.exe61⤵
- Executes dropped EXE
PID:3808 -
\??\c:\lrxrlfx.exec:\lrxrlfx.exe62⤵
- Executes dropped EXE
PID:4048 -
\??\c:\1tnnbb.exec:\1tnnbb.exe63⤵
- Executes dropped EXE
PID:4496 -
\??\c:\jjpjp.exec:\jjpjp.exe64⤵
- Executes dropped EXE
PID:844 -
\??\c:\9rfxrrx.exec:\9rfxrrx.exe65⤵
- Executes dropped EXE
PID:3968 -
\??\c:\1nbtnh.exec:\1nbtnh.exe66⤵PID:2260
-
\??\c:\vvvjd.exec:\vvvjd.exe67⤵PID:1976
-
\??\c:\9pvpp.exec:\9pvpp.exe68⤵PID:3780
-
\??\c:\lllflll.exec:\lllflll.exe69⤵PID:1212
-
\??\c:\hhnnnt.exec:\hhnnnt.exe70⤵PID:4468
-
\??\c:\jddvj.exec:\jddvj.exe71⤵PID:2020
-
\??\c:\frrlfrl.exec:\frrlfrl.exe72⤵PID:2576
-
\??\c:\7bttnb.exec:\7bttnb.exe73⤵PID:400
-
\??\c:\jvjvj.exec:\jvjvj.exe74⤵PID:1364
-
\??\c:\5fxrlfx.exec:\5fxrlfx.exe75⤵PID:1600
-
\??\c:\bnhnnn.exec:\bnhnnn.exe76⤵PID:3952
-
\??\c:\bnnthh.exec:\bnnthh.exe77⤵PID:1872
-
\??\c:\3vpjp.exec:\3vpjp.exe78⤵PID:388
-
\??\c:\5rxrlfx.exec:\5rxrlfx.exe79⤵PID:3912
-
\??\c:\3rflfxl.exec:\3rflfxl.exe80⤵PID:3092
-
\??\c:\9ttnhb.exec:\9ttnhb.exe81⤵PID:468
-
\??\c:\dvpdv.exec:\dvpdv.exe82⤵PID:1588
-
\??\c:\xllfxxr.exec:\xllfxxr.exe83⤵PID:1728
-
\??\c:\ntthbb.exec:\ntthbb.exe84⤵PID:3412
-
\??\c:\1vpjd.exec:\1vpjd.exe85⤵PID:1540
-
\??\c:\ddvpp.exec:\ddvpp.exe86⤵PID:1812
-
\??\c:\5xrfxxf.exec:\5xrfxxf.exe87⤵PID:4568
-
\??\c:\hnhhbh.exec:\hnhhbh.exe88⤵PID:2400
-
\??\c:\tnthnn.exec:\tnthnn.exe89⤵PID:2580
-
\??\c:\jppjj.exec:\jppjj.exe90⤵PID:5036
-
\??\c:\7xrrllf.exec:\7xrrllf.exe91⤵PID:672
-
\??\c:\bhhhnn.exec:\bhhhnn.exe92⤵PID:3148
-
\??\c:\1bthtt.exec:\1bthtt.exe93⤵PID:2456
-
\??\c:\jjjdd.exec:\jjjdd.exe94⤵PID:2512
-
\??\c:\rxfffff.exec:\rxfffff.exe95⤵PID:1072
-
\??\c:\ntbtbb.exec:\ntbtbb.exe96⤵PID:1388
-
\??\c:\djppj.exec:\djppj.exe97⤵
- System Location Discovery: System Language Discovery
PID:2016 -
\??\c:\rrfxrrl.exec:\rrfxrrl.exe98⤵PID:1664
-
\??\c:\lxxrllx.exec:\lxxrllx.exe99⤵PID:1536
-
\??\c:\httntn.exec:\httntn.exe100⤵PID:1520
-
\??\c:\pdvjd.exec:\pdvjd.exe101⤵PID:4128
-
\??\c:\9dvvj.exec:\9dvvj.exe102⤵PID:1424
-
\??\c:\lrfflrx.exec:\lrfflrx.exe103⤵PID:1860
-
\??\c:\tntnnn.exec:\tntnnn.exe104⤵PID:2708
-
\??\c:\rfrrxfr.exec:\rfrrxfr.exe105⤵PID:3532
-
\??\c:\xxfrxrx.exec:\xxfrxrx.exe106⤵PID:3776
-
\??\c:\1hnbtn.exec:\1hnbtn.exe107⤵PID:4280
-
\??\c:\jddvp.exec:\jddvp.exe108⤵PID:2560
-
\??\c:\flllffx.exec:\flllffx.exe109⤵PID:1516
-
\??\c:\rflfxxr.exec:\rflfxxr.exe110⤵PID:348
-
\??\c:\5hnhbh.exec:\5hnhbh.exe111⤵PID:3020
-
\??\c:\3pdvj.exec:\3pdvj.exe112⤵PID:2208
-
\??\c:\frrxrff.exec:\frrxrff.exe113⤵PID:1944
-
\??\c:\tbtthh.exec:\tbtthh.exe114⤵PID:4356
-
\??\c:\bbtnbt.exec:\bbtnbt.exe115⤵PID:640
-
\??\c:\dpvpj.exec:\dpvpj.exe116⤵PID:4360
-
\??\c:\dppjd.exec:\dppjd.exe117⤵PID:708
-
\??\c:\fxrlffx.exec:\fxrlffx.exe118⤵PID:2464
-
\??\c:\htnnhh.exec:\htnnhh.exe119⤵PID:4804
-
\??\c:\vvppj.exec:\vvppj.exe120⤵PID:5012
-
\??\c:\frfxffr.exec:\frfxffr.exe121⤵PID:5032
-
\??\c:\ffxrlfx.exec:\ffxrlfx.exe122⤵PID:516
-