Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3a067a03dd22d5739b81960f17ea39c41274627e3d8c48f174a75fc68ed364d5N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
3a067a03dd22d5739b81960f17ea39c41274627e3d8c48f174a75fc68ed364d5N.exe
-
Size
454KB
-
MD5
fc224304566d25384e8edcfc8405f090
-
SHA1
49932501d5596c3c6973cb4662472be21de94579
-
SHA256
3a067a03dd22d5739b81960f17ea39c41274627e3d8c48f174a75fc68ed364d5
-
SHA512
83bed7664387e29d7c964ba69fe0e251ebe1eb22216d4a40e1be8c880c763ae51782ef84fd48d22326213433276a2c94339f43f3a8b514956455eb4351ea73d8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/4584-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2288-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1780-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2016 ffffxff.exe 1988 5rfxrxl.exe 4564 7hhbth.exe 2392 vpddd.exe 4192 dvvvp.exe 4864 hnnhhh.exe 1152 fxxrrrr.exe 1396 hhnnnn.exe 4732 vpddj.exe 4548 lflfffx.exe 3592 hthhbn.exe 1580 flffxff.exe 512 llxllrx.exe 2828 hhttbb.exe 2080 jpdvv.exe 800 bhntnt.exe 2824 5xxxxff.exe 1168 vjvvv.exe 4376 rlfffff.exe 2396 bbbbbn.exe 3260 ffrfxfl.exe 5080 tnnttn.exe 4120 rrxxxxf.exe 4828 9rrrrxf.exe 4700 nbbnbn.exe 5012 dpddd.exe 2288 rrlfrrf.exe 4428 hhhhbh.exe 3912 tbhbbb.exe 1932 vvvpv.exe 2520 xxxflxr.exe 3932 fxrlffx.exe 2472 tnhbtn.exe 3248 1jdvv.exe 1392 xxxrllf.exe 2568 btbbbh.exe 4020 vdppd.exe 4940 lffxrlx.exe 2524 hbhbhh.exe 456 dppjd.exe 4188 rllrlll.exe 1084 5bbbnt.exe 2924 tnnhtt.exe 2248 vvvjp.exe 1808 flrlflf.exe 4536 frxrfxr.exe 1836 bbbbbb.exe 1728 jvdvj.exe 4032 xffxllf.exe 4620 bnnhtt.exe 2664 jvppd.exe 4588 ffrlxff.exe 1572 rlfxrfx.exe 2388 thnhtt.exe 4488 vdpjj.exe 3584 lfllffr.exe 4564 htbbtb.exe 4724 dvddv.exe 4312 lxfxllf.exe 4860 5thbnn.exe 1700 pvdvv.exe 2340 5lxrlff.exe 928 nbnnnt.exe 3904 vjpdv.exe -
resource yara_rule behavioral2/memory/4584-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1932-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-381-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2484-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-1091-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-1208-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4584 wrote to memory of 2016 4584 3a067a03dd22d5739b81960f17ea39c41274627e3d8c48f174a75fc68ed364d5N.exe 82 PID 4584 wrote to memory of 2016 4584 3a067a03dd22d5739b81960f17ea39c41274627e3d8c48f174a75fc68ed364d5N.exe 82 PID 4584 wrote to memory of 2016 4584 3a067a03dd22d5739b81960f17ea39c41274627e3d8c48f174a75fc68ed364d5N.exe 82 PID 2016 wrote to memory of 1988 2016 ffffxff.exe 83 PID 2016 wrote to memory of 1988 2016 ffffxff.exe 83 PID 2016 wrote to memory of 1988 2016 ffffxff.exe 83 PID 1988 wrote to memory of 4564 1988 5rfxrxl.exe 84 PID 1988 wrote to memory of 4564 1988 5rfxrxl.exe 84 PID 1988 wrote to memory of 4564 1988 5rfxrxl.exe 84 PID 4564 wrote to memory of 2392 4564 7hhbth.exe 85 PID 4564 wrote to memory of 2392 4564 7hhbth.exe 85 PID 4564 wrote to memory of 2392 4564 7hhbth.exe 85 PID 2392 wrote to memory of 4192 2392 vpddd.exe 86 PID 2392 wrote to memory of 4192 2392 vpddd.exe 86 PID 2392 wrote to memory of 4192 2392 vpddd.exe 86 PID 4192 wrote to memory of 4864 4192 dvvvp.exe 87 PID 4192 wrote to memory of 4864 4192 dvvvp.exe 87 PID 4192 wrote to memory of 4864 4192 dvvvp.exe 87 PID 4864 wrote to memory of 1152 4864 hnnhhh.exe 88 PID 4864 wrote to memory of 1152 4864 hnnhhh.exe 88 PID 4864 wrote to memory of 1152 4864 hnnhhh.exe 88 PID 1152 wrote to memory of 1396 1152 fxxrrrr.exe 89 PID 1152 wrote to memory of 1396 1152 fxxrrrr.exe 89 PID 1152 wrote to memory of 1396 1152 fxxrrrr.exe 89 PID 1396 wrote to memory of 4732 1396 hhnnnn.exe 90 PID 1396 wrote to memory of 4732 1396 hhnnnn.exe 90 PID 1396 wrote to memory of 4732 1396 hhnnnn.exe 90 PID 4732 wrote to memory of 4548 4732 vpddj.exe 91 PID 4732 wrote to memory of 4548 4732 vpddj.exe 91 PID 4732 wrote to memory of 4548 4732 vpddj.exe 91 PID 4548 wrote to memory of 3592 4548 lflfffx.exe 92 PID 4548 wrote to memory of 3592 4548 lflfffx.exe 92 PID 4548 wrote to memory of 3592 4548 lflfffx.exe 92 PID 3592 wrote to memory of 1580 3592 hthhbn.exe 93 PID 3592 
wrote to memory of 1580 3592 hthhbn.exe 93 PID 3592 wrote to memory of 1580 3592 hthhbn.exe 93 PID 1580 wrote to memory of 512 1580 flffxff.exe 94 PID 1580 wrote to memory of 512 1580 flffxff.exe 94 PID 1580 wrote to memory of 512 1580 flffxff.exe 94 PID 512 wrote to memory of 2828 512 llxllrx.exe 95 PID 512 wrote to memory of 2828 512 llxllrx.exe 95 PID 512 wrote to memory of 2828 512 llxllrx.exe 95 PID 2828 wrote to memory of 2080 2828 hhttbb.exe 96 PID 2828 wrote to memory of 2080 2828 hhttbb.exe 96 PID 2828 wrote to memory of 2080 2828 hhttbb.exe 96 PID 2080 wrote to memory of 800 2080 jpdvv.exe 97 PID 2080 wrote to memory of 800 2080 jpdvv.exe 97 PID 2080 wrote to memory of 800 2080 jpdvv.exe 97 PID 800 wrote to memory of 2824 800 bhntnt.exe 98 PID 800 wrote to memory of 2824 800 bhntnt.exe 98 PID 800 wrote to memory of 2824 800 bhntnt.exe 98 PID 2824 wrote to memory of 1168 2824 5xxxxff.exe 99 PID 2824 wrote to memory of 1168 2824 5xxxxff.exe 99 PID 2824 wrote to memory of 1168 2824 5xxxxff.exe 99 PID 1168 wrote to memory of 4376 1168 vjvvv.exe 100 PID 1168 wrote to memory of 4376 1168 vjvvv.exe 100 PID 1168 wrote to memory of 4376 1168 vjvvv.exe 100 PID 4376 wrote to memory of 2396 4376 rlfffff.exe 101 PID 4376 wrote to memory of 2396 4376 rlfffff.exe 101 PID 4376 wrote to memory of 2396 4376 rlfffff.exe 101 PID 2396 wrote to memory of 3260 2396 bbbbbn.exe 102 PID 2396 wrote to memory of 3260 2396 bbbbbn.exe 102 PID 2396 wrote to memory of 3260 2396 bbbbbn.exe 102 PID 3260 wrote to memory of 5080 3260 ffrfxfl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a067a03dd22d5739b81960f17ea39c41274627e3d8c48f174a75fc68ed364d5N.exe"C:\Users\Admin\AppData\Local\Temp\3a067a03dd22d5739b81960f17ea39c41274627e3d8c48f174a75fc68ed364d5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\ffffxff.exec:\ffffxff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\5rfxrxl.exec:\5rfxrxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\7hhbth.exec:\7hhbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\vpddd.exec:\vpddd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\dvvvp.exec:\dvvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\hnnhhh.exec:\hnnhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\hhnnnn.exec:\hhnnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\vpddj.exec:\vpddj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\lflfffx.exec:\lflfffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\hthhbn.exec:\hthhbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\flffxff.exec:\flffxff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\llxllrx.exec:\llxllrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\hhttbb.exec:\hhttbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\jpdvv.exec:\jpdvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\bhntnt.exec:\bhntnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\5xxxxff.exec:\5xxxxff.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\vjvvv.exec:\vjvvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\rlfffff.exec:\rlfffff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\bbbbbn.exec:\bbbbbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\ffrfxfl.exec:\ffrfxfl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\tnnttn.exec:\tnnttn.exe23⤵
- Executes dropped EXE
PID:5080 -
\??\c:\rrxxxxf.exec:\rrxxxxf.exe24⤵
- Executes dropped EXE
PID:4120 -
\??\c:\9rrrrxf.exec:\9rrrrxf.exe25⤵
- Executes dropped EXE
PID:4828 -
\??\c:\nbbnbn.exec:\nbbnbn.exe26⤵
- Executes dropped EXE
PID:4700 -
\??\c:\dpddd.exec:\dpddd.exe27⤵
- Executes dropped EXE
PID:5012 -
\??\c:\rrlfrrf.exec:\rrlfrrf.exe28⤵
- Executes dropped EXE
PID:2288 -
\??\c:\hhhhbh.exec:\hhhhbh.exe29⤵
- Executes dropped EXE
PID:4428 -
\??\c:\tbhbbb.exec:\tbhbbb.exe30⤵
- Executes dropped EXE
PID:3912 -
\??\c:\vvvpv.exec:\vvvpv.exe31⤵
- Executes dropped EXE
PID:1932 -
\??\c:\xxxflxr.exec:\xxxflxr.exe32⤵
- Executes dropped EXE
PID:2520 -
\??\c:\fxrlffx.exec:\fxrlffx.exe33⤵
- Executes dropped EXE
PID:3932 -
\??\c:\tnhbtn.exec:\tnhbtn.exe34⤵
- Executes dropped EXE
PID:2472 -
\??\c:\1jdvv.exec:\1jdvv.exe35⤵
- Executes dropped EXE
PID:3248 -
\??\c:\xxxrllf.exec:\xxxrllf.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1392 -
\??\c:\btbbbh.exec:\btbbbh.exe37⤵
- Executes dropped EXE
PID:2568 -
\??\c:\vdppd.exec:\vdppd.exe38⤵
- Executes dropped EXE
PID:4020 -
\??\c:\lffxrlx.exec:\lffxrlx.exe39⤵
- Executes dropped EXE
PID:4940 -
\??\c:\hbhbhh.exec:\hbhbhh.exe40⤵
- Executes dropped EXE
PID:2524 -
\??\c:\dppjd.exec:\dppjd.exe41⤵
- Executes dropped EXE
PID:456 -
\??\c:\rllrlll.exec:\rllrlll.exe42⤵
- Executes dropped EXE
PID:4188 -
\??\c:\5bbbnt.exec:\5bbbnt.exe43⤵
- Executes dropped EXE
PID:1084 -
\??\c:\tnnhtt.exec:\tnnhtt.exe44⤵
- Executes dropped EXE
PID:2924 -
\??\c:\vvvjp.exec:\vvvjp.exe45⤵
- Executes dropped EXE
PID:2248 -
\??\c:\flrlflf.exec:\flrlflf.exe46⤵
- Executes dropped EXE
PID:1808 -
\??\c:\frxrfxr.exec:\frxrfxr.exe47⤵
- Executes dropped EXE
PID:4536 -
\??\c:\bbbbbb.exec:\bbbbbb.exe48⤵
- Executes dropped EXE
PID:1836 -
\??\c:\jvdvj.exec:\jvdvj.exe49⤵
- Executes dropped EXE
PID:1728 -
\??\c:\xffxllf.exec:\xffxllf.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4032 -
\??\c:\bnnhtt.exec:\bnnhtt.exe51⤵
- Executes dropped EXE
PID:4620 -
\??\c:\jvppd.exec:\jvppd.exe52⤵
- Executes dropped EXE
PID:2664 -
\??\c:\ffrlxff.exec:\ffrlxff.exe53⤵
- Executes dropped EXE
PID:4588 -
\??\c:\rlfxrfx.exec:\rlfxrfx.exe54⤵
- Executes dropped EXE
PID:1572 -
\??\c:\thnhtt.exec:\thnhtt.exe55⤵
- Executes dropped EXE
PID:2388 -
\??\c:\vdpjj.exec:\vdpjj.exe56⤵
- Executes dropped EXE
PID:4488 -
\??\c:\lfllffr.exec:\lfllffr.exe57⤵
- Executes dropped EXE
PID:3584 -
\??\c:\htbbtb.exec:\htbbtb.exe58⤵
- Executes dropped EXE
PID:4564 -
\??\c:\dvddv.exec:\dvddv.exe59⤵
- Executes dropped EXE
PID:4724 -
\??\c:\lxfxllf.exec:\lxfxllf.exe60⤵
- Executes dropped EXE
PID:4312 -
\??\c:\5thbnn.exec:\5thbnn.exe61⤵
- Executes dropped EXE
PID:4860 -
\??\c:\pvdvv.exec:\pvdvv.exe62⤵
- Executes dropped EXE
PID:1700 -
\??\c:\5lxrlff.exec:\5lxrlff.exe63⤵
- Executes dropped EXE
PID:2340 -
\??\c:\nbnnnt.exec:\nbnnnt.exe64⤵
- Executes dropped EXE
PID:928 -
\??\c:\vjpdv.exec:\vjpdv.exe65⤵
- Executes dropped EXE
PID:3904 -
\??\c:\vjjdp.exec:\vjjdp.exe66⤵PID:4884
-
\??\c:\9fxlffx.exec:\9fxlffx.exe67⤵PID:1552
-
\??\c:\bbbtnn.exec:\bbbtnn.exe68⤵PID:3708
-
\??\c:\jdvjj.exec:\jdvjj.exe69⤵PID:228
-
\??\c:\dpvpv.exec:\dpvpv.exe70⤵PID:3636
-
\??\c:\xxfxlrl.exec:\xxfxlrl.exe71⤵PID:2816
-
\??\c:\htbtnb.exec:\htbtnb.exe72⤵PID:1780
-
\??\c:\vvpdp.exec:\vvpdp.exe73⤵PID:1580
-
\??\c:\vjpdv.exec:\vjpdv.exe74⤵PID:3844
-
\??\c:\lffxrlf.exec:\lffxrlf.exe75⤵PID:2828
-
\??\c:\thbttt.exec:\thbttt.exe76⤵PID:2168
-
\??\c:\pjpjd.exec:\pjpjd.exe77⤵PID:400
-
\??\c:\lfrllff.exec:\lfrllff.exe78⤵PID:800
-
\??\c:\5hhhbb.exec:\5hhhbb.exe79⤵PID:336
-
\??\c:\btbhbh.exec:\btbhbh.exe80⤵PID:216
-
\??\c:\vpjdj.exec:\vpjdj.exe81⤵PID:2868
-
\??\c:\llxxrxx.exec:\llxxrxx.exe82⤵PID:2064
-
\??\c:\fxrlllf.exec:\fxrlllf.exe83⤵PID:1128
-
\??\c:\ntbnhb.exec:\ntbnhb.exe84⤵PID:2864
-
\??\c:\jvppj.exec:\jvppj.exe85⤵PID:1104
-
\??\c:\rlxrrll.exec:\rlxrrll.exe86⤵PID:2284
-
\??\c:\rfflflf.exec:\rfflflf.exe87⤵PID:4924
-
\??\c:\bntnbb.exec:\bntnbb.exe88⤵PID:1568
-
\??\c:\dvdvp.exec:\dvdvp.exe89⤵PID:3596
-
\??\c:\fxlfxxf.exec:\fxlfxxf.exe90⤵PID:1032
-
\??\c:\lfrfxrl.exec:\lfrfxrl.exe91⤵PID:3328
-
\??\c:\bnbthb.exec:\bnbthb.exe92⤵PID:2208
-
\??\c:\jvdvp.exec:\jvdvp.exe93⤵PID:2264
-
\??\c:\djjjd.exec:\djjjd.exe94⤵PID:2596
-
\??\c:\frxrffx.exec:\frxrffx.exe95⤵PID:2512
-
\??\c:\hnnhbt.exec:\hnnhbt.exe96⤵PID:2036
-
\??\c:\ppjvp.exec:\ppjvp.exe97⤵PID:1932
-
\??\c:\ppjdv.exec:\ppjdv.exe98⤵PID:2484
-
\??\c:\rlllfxr.exec:\rlllfxr.exe99⤵PID:1848
-
\??\c:\3tbnbb.exec:\3tbnbb.exe100⤵PID:2024
-
\??\c:\vddvd.exec:\vddvd.exe101⤵PID:3452
-
\??\c:\xffrlfx.exec:\xffrlfx.exe102⤵PID:2088
-
\??\c:\1fxrffr.exec:\1fxrffr.exe103⤵PID:4336
-
\??\c:\hbnbtt.exec:\hbnbtt.exe104⤵PID:1616
-
\??\c:\jjpjp.exec:\jjpjp.exe105⤵PID:2140
-
\??\c:\fxflffx.exec:\fxflffx.exe106⤵PID:712
-
\??\c:\httnbn.exec:\httnbn.exe107⤵PID:2524
-
\??\c:\9htbnn.exec:\9htbnn.exe108⤵PID:3936
-
\??\c:\djpdp.exec:\djpdp.exe109⤵PID:4188
-
\??\c:\rxlfrrr.exec:\rxlfrrr.exe110⤵PID:1084
-
\??\c:\hbnhhn.exec:\hbnhhn.exe111⤵PID:2924
-
\??\c:\dvvjv.exec:\dvvjv.exe112⤵PID:5004
-
\??\c:\pdjpj.exec:\pdjpj.exe113⤵PID:1544
-
\??\c:\flrlfxl.exec:\flrlfxl.exe114⤵PID:3220
-
\??\c:\nnthbt.exec:\nnthbt.exe115⤵PID:1156
-
\??\c:\bnthhb.exec:\bnthhb.exe116⤵PID:1772
-
\??\c:\jvddv.exec:\jvddv.exe117⤵PID:1468
-
\??\c:\flfrllf.exec:\flfrllf.exe118⤵PID:3564
-
\??\c:\nbbbtt.exec:\nbbbtt.exe119⤵PID:4444
-
\??\c:\pjppj.exec:\pjppj.exe120⤵PID:3820
-
\??\c:\pjvvp.exec:\pjvvp.exe121⤵PID:4948
-
\??\c:\lfrllll.exec:\lfrllll.exe122⤵PID:3520