Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 21:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3ad7075ae238f05ac3e8aae48d61560e6238521964f2811842760afef8b49134.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
3ad7075ae238f05ac3e8aae48d61560e6238521964f2811842760afef8b49134.exe
-
Size
454KB
-
MD5
2933fd6e894772345f95ff5d709dcc60
-
SHA1
80813f0c723c38d6775207c64a9f7080ceea8c07
-
SHA256
3ad7075ae238f05ac3e8aae48d61560e6238521964f2811842760afef8b49134
-
SHA512
14f12bb6b7ae7c72e0c2f8d8fd6799e37c711ed71fe55f3dd3e4d9eef5a1b3f7c672a9c1ce8d770bc44999982adfc881be3e9adf1255300450b777ced6c72180
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4624-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4712-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3056-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-931-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-1109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5100-1145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3872 pppjj.exe 4044 lffxrlf.exe 3116 bbtnhh.exe 4248 1rxrxxf.exe 2356 hbhbtn.exe 4664 xrrrlrl.exe 3600 1djvp.exe 4688 9flfffx.exe 4820 1vvpp.exe 2252 7pvpp.exe 3532 pjpjd.exe 4916 hhnnnh.exe 5016 bnhhhh.exe 1116 1ddpj.exe 3856 flrlxrl.exe 1392 pddpp.exe 2512 vjdpp.exe 2592 xrrfrlx.exe 3692 nhbhht.exe 4968 dvpjv.exe 964 bntnnb.exe 4204 1xlflfr.exe 2788 7rxlxrl.exe 2952 xlfrfxr.exe 1496 djjvj.exe 1156 tbthbn.exe 4000 1jvjp.exe 4712 xxfrfrf.exe 2864 btttbb.exe 1160 dpvjp.exe 2552 rxlfrlx.exe 1716 bhhbtn.exe 3964 nttthn.exe 776 dpdvp.exe 1728 rffrlfr.exe 4396 bnbtbt.exe 1500 jdvvp.exe 3260 rxlxllf.exe 2236 rxffrlf.exe 2364 ppjdp.exe 2600 hhtntt.exe 464 hhnhtn.exe 2404 vjjvp.exe 1924 xrxxxff.exe 5092 fxxrrrr.exe 2820 bntnnh.exe 1120 3jjdp.exe 4240 lffrlff.exe 4516 hbbbnt.exe 4544 ddjdp.exe 3204 rxxlfxx.exe 4020 bbnhnh.exe 1316 hthbbb.exe 2548 vddpd.exe 4380 5xfrlfr.exe 1180 rrxlxrf.exe 1800 7ththh.exe 3800 dvdvd.exe 4032 rrfrrll.exe 1280 frxrffr.exe 2728 tnnhhh.exe 1552 9jpjd.exe 3576 lrfxlfx.exe 4780 nbbttt.exe -
resource yara_rule behavioral2/memory/4624-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2864-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-379-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1692-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-867-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvj.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4624 wrote to memory of 3872 4624 3ad7075ae238f05ac3e8aae48d61560e6238521964f2811842760afef8b49134.exe 83 PID 4624 wrote to memory of 3872 4624 3ad7075ae238f05ac3e8aae48d61560e6238521964f2811842760afef8b49134.exe 83 PID 4624 wrote to memory of 3872 4624 3ad7075ae238f05ac3e8aae48d61560e6238521964f2811842760afef8b49134.exe 83 PID 3872 wrote to memory of 4044 3872 pppjj.exe 84 PID 3872 wrote to memory of 4044 3872 pppjj.exe 84 PID 3872 wrote to memory of 4044 3872 pppjj.exe 84 PID 4044 wrote to memory of 3116 4044 lffxrlf.exe 85 PID 4044 wrote to memory of 3116 4044 lffxrlf.exe 85 PID 4044 wrote to memory of 3116 4044 lffxrlf.exe 85 PID 3116 wrote to memory of 4248 3116 bbtnhh.exe 86 PID 3116 wrote to memory of 4248 3116 bbtnhh.exe 86 PID 3116 wrote to memory of 4248 3116 bbtnhh.exe 86 PID 4248 wrote to memory of 2356 4248 1rxrxxf.exe 87 PID 4248 wrote to memory of 2356 4248 1rxrxxf.exe 87 PID 4248 wrote to memory of 2356 4248 1rxrxxf.exe 87 PID 2356 wrote to memory of 4664 2356 hbhbtn.exe 88 PID 2356 wrote to memory of 4664 2356 hbhbtn.exe 88 PID 2356 wrote to memory of 4664 2356 hbhbtn.exe 88 PID 4664 wrote to memory of 3600 4664 xrrrlrl.exe 89 PID 4664 wrote to memory of 3600 4664 xrrrlrl.exe 89 PID 4664 wrote to memory of 3600 4664 xrrrlrl.exe 89 PID 3600 wrote to memory of 4688 3600 1djvp.exe 90 PID 3600 wrote to memory of 4688 3600 1djvp.exe 90 PID 3600 wrote to memory of 4688 3600 1djvp.exe 90 PID 4688 wrote to memory of 4820 4688 9flfffx.exe 91 PID 4688 wrote to memory of 4820 4688 9flfffx.exe 91 PID 4688 wrote to memory of 4820 4688 9flfffx.exe 91 PID 4820 wrote to memory of 2252 4820 1vvpp.exe 92 PID 4820 wrote to memory of 2252 4820 1vvpp.exe 92 PID 4820 wrote to memory of 2252 4820 1vvpp.exe 92 PID 2252 wrote to memory of 3532 2252 7pvpp.exe 93 PID 2252 wrote to memory of 3532 2252 7pvpp.exe 93 PID 2252 wrote to memory of 3532 2252 7pvpp.exe 93 PID 3532 wrote to memory of 4916 3532 pjpjd.exe 94 PID 3532 wrote to 
memory of 4916 3532 pjpjd.exe 94 PID 3532 wrote to memory of 4916 3532 pjpjd.exe 94 PID 4916 wrote to memory of 5016 4916 hhnnnh.exe 95 PID 4916 wrote to memory of 5016 4916 hhnnnh.exe 95 PID 4916 wrote to memory of 5016 4916 hhnnnh.exe 95 PID 5016 wrote to memory of 1116 5016 bnhhhh.exe 96 PID 5016 wrote to memory of 1116 5016 bnhhhh.exe 96 PID 5016 wrote to memory of 1116 5016 bnhhhh.exe 96 PID 1116 wrote to memory of 3856 1116 1ddpj.exe 97 PID 1116 wrote to memory of 3856 1116 1ddpj.exe 97 PID 1116 wrote to memory of 3856 1116 1ddpj.exe 97 PID 3856 wrote to memory of 1392 3856 flrlxrl.exe 98 PID 3856 wrote to memory of 1392 3856 flrlxrl.exe 98 PID 3856 wrote to memory of 1392 3856 flrlxrl.exe 98 PID 1392 wrote to memory of 2512 1392 pddpp.exe 99 PID 1392 wrote to memory of 2512 1392 pddpp.exe 99 PID 1392 wrote to memory of 2512 1392 pddpp.exe 99 PID 2512 wrote to memory of 2592 2512 vjdpp.exe 100 PID 2512 wrote to memory of 2592 2512 vjdpp.exe 100 PID 2512 wrote to memory of 2592 2512 vjdpp.exe 100 PID 2592 wrote to memory of 3692 2592 xrrfrlx.exe 101 PID 2592 wrote to memory of 3692 2592 xrrfrlx.exe 101 PID 2592 wrote to memory of 3692 2592 xrrfrlx.exe 101 PID 3692 wrote to memory of 4968 3692 nhbhht.exe 102 PID 3692 wrote to memory of 4968 3692 nhbhht.exe 102 PID 3692 wrote to memory of 4968 3692 nhbhht.exe 102 PID 4968 wrote to memory of 964 4968 dvpjv.exe 103 PID 4968 wrote to memory of 964 4968 dvpjv.exe 103 PID 4968 wrote to memory of 964 4968 dvpjv.exe 103 PID 964 wrote to memory of 4204 964 bntnnb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ad7075ae238f05ac3e8aae48d61560e6238521964f2811842760afef8b49134.exe"C:\Users\Admin\AppData\Local\Temp\3ad7075ae238f05ac3e8aae48d61560e6238521964f2811842760afef8b49134.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\pppjj.exec:\pppjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\lffxrlf.exec:\lffxrlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\bbtnhh.exec:\bbtnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\1rxrxxf.exec:\1rxrxxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\hbhbtn.exec:\hbhbtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\xrrrlrl.exec:\xrrrlrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\1djvp.exec:\1djvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\9flfffx.exec:\9flfffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\1vvpp.exec:\1vvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\7pvpp.exec:\7pvpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\pjpjd.exec:\pjpjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\hhnnnh.exec:\hhnnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\bnhhhh.exec:\bnhhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\1ddpj.exec:\1ddpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\flrlxrl.exec:\flrlxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\pddpp.exec:\pddpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\vjdpp.exec:\vjdpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\xrrfrlx.exec:\xrrfrlx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\nhbhht.exec:\nhbhht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\dvpjv.exec:\dvpjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\bntnnb.exec:\bntnnb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\1xlflfr.exec:\1xlflfr.exe23⤵
- Executes dropped EXE
PID:4204 -
\??\c:\7rxlxrl.exec:\7rxlxrl.exe24⤵
- Executes dropped EXE
PID:2788 -
\??\c:\xlfrfxr.exec:\xlfrfxr.exe25⤵
- Executes dropped EXE
PID:2952 -
\??\c:\djjvj.exec:\djjvj.exe26⤵
- Executes dropped EXE
PID:1496 -
\??\c:\tbthbn.exec:\tbthbn.exe27⤵
- Executes dropped EXE
PID:1156 -
\??\c:\1jvjp.exec:\1jvjp.exe28⤵
- Executes dropped EXE
PID:4000 -
\??\c:\xxfrfrf.exec:\xxfrfrf.exe29⤵
- Executes dropped EXE
PID:4712 -
\??\c:\btttbb.exec:\btttbb.exe30⤵
- Executes dropped EXE
PID:2864 -
\??\c:\dpvjp.exec:\dpvjp.exe31⤵
- Executes dropped EXE
PID:1160 -
\??\c:\rxlfrlx.exec:\rxlfrlx.exe32⤵
- Executes dropped EXE
PID:2552 -
\??\c:\bhhbtn.exec:\bhhbtn.exe33⤵
- Executes dropped EXE
PID:1716 -
\??\c:\nttthn.exec:\nttthn.exe34⤵
- Executes dropped EXE
PID:3964 -
\??\c:\dpdvp.exec:\dpdvp.exe35⤵
- Executes dropped EXE
PID:776 -
\??\c:\rffrlfr.exec:\rffrlfr.exe36⤵
- Executes dropped EXE
PID:1728 -
\??\c:\bnbtbt.exec:\bnbtbt.exe37⤵
- Executes dropped EXE
PID:4396 -
\??\c:\jdvvp.exec:\jdvvp.exe38⤵
- Executes dropped EXE
PID:1500 -
\??\c:\rxlxllf.exec:\rxlxllf.exe39⤵
- Executes dropped EXE
PID:3260 -
\??\c:\rxffrlf.exec:\rxffrlf.exe40⤵
- Executes dropped EXE
PID:2236 -
\??\c:\ppjdp.exec:\ppjdp.exe41⤵
- Executes dropped EXE
PID:2364 -
\??\c:\hhtntt.exec:\hhtntt.exe42⤵
- Executes dropped EXE
PID:2600 -
\??\c:\hhnhtn.exec:\hhnhtn.exe43⤵
- Executes dropped EXE
PID:464 -
\??\c:\vjjvp.exec:\vjjvp.exe44⤵
- Executes dropped EXE
PID:2404 -
\??\c:\xrxxxff.exec:\xrxxxff.exe45⤵
- Executes dropped EXE
PID:1924 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe46⤵
- Executes dropped EXE
PID:5092 -
\??\c:\bntnnh.exec:\bntnnh.exe47⤵
- Executes dropped EXE
PID:2820 -
\??\c:\3jjdp.exec:\3jjdp.exe48⤵
- Executes dropped EXE
PID:1120 -
\??\c:\lffrlff.exec:\lffrlff.exe49⤵
- Executes dropped EXE
PID:4240 -
\??\c:\hbbbnt.exec:\hbbbnt.exe50⤵
- Executes dropped EXE
PID:4516 -
\??\c:\ddjdp.exec:\ddjdp.exe51⤵
- Executes dropped EXE
PID:4544 -
\??\c:\rxxlfxx.exec:\rxxlfxx.exe52⤵
- Executes dropped EXE
PID:3204 -
\??\c:\bbnhnh.exec:\bbnhnh.exe53⤵
- Executes dropped EXE
PID:4020 -
\??\c:\hthbbb.exec:\hthbbb.exe54⤵
- Executes dropped EXE
PID:1316 -
\??\c:\vddpd.exec:\vddpd.exe55⤵
- Executes dropped EXE
PID:2548 -
\??\c:\5xfrlfr.exec:\5xfrlfr.exe56⤵
- Executes dropped EXE
PID:4380 -
\??\c:\rrxlxrf.exec:\rrxlxrf.exe57⤵
- Executes dropped EXE
PID:1180 -
\??\c:\7ththh.exec:\7ththh.exe58⤵
- Executes dropped EXE
PID:1800 -
\??\c:\dvdvd.exec:\dvdvd.exe59⤵
- Executes dropped EXE
PID:3800 -
\??\c:\rrfrrll.exec:\rrfrrll.exe60⤵
- Executes dropped EXE
PID:4032 -
\??\c:\frxrffr.exec:\frxrffr.exe61⤵
- Executes dropped EXE
PID:1280 -
\??\c:\tnnhhh.exec:\tnnhhh.exe62⤵
- Executes dropped EXE
PID:2728 -
\??\c:\9jpjd.exec:\9jpjd.exe63⤵
- Executes dropped EXE
PID:1552 -
\??\c:\lrfxlfx.exec:\lrfxlfx.exe64⤵
- Executes dropped EXE
PID:3576 -
\??\c:\nbbttt.exec:\nbbttt.exe65⤵
- Executes dropped EXE
PID:4780 -
\??\c:\jdpdp.exec:\jdpdp.exe66⤵PID:2304
-
\??\c:\rxlrflr.exec:\rxlrflr.exe67⤵PID:4100
-
\??\c:\btbtht.exec:\btbtht.exe68⤵PID:4060
-
\??\c:\9hnhhh.exec:\9hnhhh.exe69⤵PID:3164
-
\??\c:\jdjjd.exec:\jdjjd.exe70⤵PID:1456
-
\??\c:\bnnhhh.exec:\bnnhhh.exe71⤵PID:1116
-
\??\c:\jjvjv.exec:\jjvjv.exe72⤵PID:1260
-
\??\c:\fxfrffx.exec:\fxfrffx.exe73⤵PID:1996
-
\??\c:\rflfxxx.exec:\rflfxxx.exe74⤵PID:4620
-
\??\c:\nthttn.exec:\nthttn.exe75⤵PID:2692
-
\??\c:\pjdvp.exec:\pjdvp.exe76⤵PID:3896
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe77⤵PID:2852
-
\??\c:\tnnhtn.exec:\tnnhtn.exe78⤵PID:3056
-
\??\c:\nhbtbb.exec:\nhbtbb.exe79⤵PID:4488
-
\??\c:\jppdj.exec:\jppdj.exe80⤵PID:1888
-
\??\c:\frrfrlx.exec:\frrfrlx.exe81⤵PID:964
-
\??\c:\hthbtb.exec:\hthbtb.exe82⤵PID:4064
-
\??\c:\dvpdv.exec:\dvpdv.exe83⤵PID:2020
-
\??\c:\pjdvv.exec:\pjdvv.exe84⤵PID:3404
-
\??\c:\7rlxlff.exec:\7rlxlff.exe85⤵PID:2648
-
\??\c:\htbtbt.exec:\htbtbt.exe86⤵PID:3564
-
\??\c:\hbnbtn.exec:\hbnbtn.exe87⤵PID:5084
-
\??\c:\dvpjv.exec:\dvpjv.exe88⤵PID:1156
-
\??\c:\9frlxxr.exec:\9frlxxr.exe89⤵PID:3868
-
\??\c:\nbnhnh.exec:\nbnhnh.exe90⤵PID:1828
-
\??\c:\nttthb.exec:\nttthb.exe91⤵PID:4412
-
\??\c:\vddvp.exec:\vddvp.exe92⤵PID:2152
-
\??\c:\fffrxfx.exec:\fffrxfx.exe93⤵PID:1248
-
\??\c:\nbhbtt.exec:\nbhbtt.exe94⤵PID:4880
-
\??\c:\vvpdj.exec:\vvpdj.exe95⤵PID:1692
-
\??\c:\xrrlffx.exec:\xrrlffx.exe96⤵PID:4984
-
\??\c:\ttnthh.exec:\ttnthh.exe97⤵PID:2784
-
\??\c:\bnhbth.exec:\bnhbth.exe98⤵PID:776
-
\??\c:\dvvjv.exec:\dvvjv.exe99⤵PID:1728
-
\??\c:\xlllflf.exec:\xlllflf.exe100⤵PID:4396
-
\??\c:\hbbtnn.exec:\hbbtnn.exe101⤵PID:1500
-
\??\c:\jvvpj.exec:\jvvpj.exe102⤵PID:3444
-
\??\c:\xfxrlff.exec:\xfxrlff.exe103⤵PID:852
-
\??\c:\1hnhhb.exec:\1hnhhb.exe104⤵PID:2364
-
\??\c:\1htnhh.exec:\1htnhh.exe105⤵PID:4952
-
\??\c:\ppvpj.exec:\ppvpj.exe106⤵PID:32
-
\??\c:\lrxlllf.exec:\lrxlllf.exe107⤵PID:2404
-
\??\c:\hhnhbh.exec:\hhnhbh.exe108⤵PID:3340
-
\??\c:\nhhhbb.exec:\nhhhbb.exe109⤵PID:1672
-
\??\c:\pdvvj.exec:\pdvvj.exe110⤵PID:5036
-
\??\c:\vvvpd.exec:\vvvpd.exe111⤵PID:2400
-
\??\c:\rffxrlr.exec:\rffxrlr.exe112⤵PID:4700
-
\??\c:\htthhb.exec:\htthhb.exe113⤵PID:4496
-
\??\c:\3pdjp.exec:\3pdjp.exe114⤵PID:4540
-
\??\c:\1rxxxxf.exec:\1rxxxxf.exe115⤵PID:2516
-
\??\c:\rfffxxx.exec:\rfffxxx.exe116⤵PID:2080
-
\??\c:\ttbtnn.exec:\ttbtnn.exe117⤵PID:3988
-
\??\c:\dddvv.exec:\dddvv.exe118⤵PID:4908
-
\??\c:\xrxrffx.exec:\xrxrffx.exe119⤵PID:3892
-
\??\c:\rlllffx.exec:\rlllffx.exe120⤵PID:208
-
\??\c:\nhhhnh.exec:\nhhhnh.exe121⤵PID:264
-
\??\c:\9hntnn.exec:\9hntnn.exe122⤵PID:4404
-