Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
706ee2a674518f82194d506b2ba0ece201219f5fba0cc80ad9fbed44898a5113.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
706ee2a674518f82194d506b2ba0ece201219f5fba0cc80ad9fbed44898a5113.exe
-
Size
456KB
-
MD5
6202190189b80f0e317461e4661e9f56
-
SHA1
228982d958245f5b621e06b5b56e4d444fff65a6
-
SHA256
706ee2a674518f82194d506b2ba0ece201219f5fba0cc80ad9fbed44898a5113
-
SHA512
f190374479817a933358baa734033439f2084fee0e3ea9dae154d3a9e3e2d77a5f5dce0afc44ab0eb31fd059a6614d7a78671d8c09005b0f927bc40c70636922
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRp:q7Tc2NYHUrAwfMp3CDRp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3028-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4772-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4204-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-1374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-1774-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-1928-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2276 3bnnhh.exe 740 xxlrlrf.exe 1228 9jjdd.exe 4584 xrlfxxx.exe 3816 dppjj.exe 3668 lflfxrl.exe 2436 jdpjp.exe 1452 rxfrlfr.exe 2304 hnnnht.exe 1312 jpvjd.exe 2300 lfffxxr.exe 4400 7thtnt.exe 3480 5jvpj.exe 3436 lflllfr.exe 3916 tnnbtt.exe 4776 3nnnbb.exe 3812 lrrrxrl.exe 4780 pjpdv.exe 1996 9vpdv.exe 3744 9rrlrrr.exe 1472 tbbtnh.exe 4292 9nthbh.exe 4464 9dvpv.exe 1104 5fllfff.exe 852 thtbnh.exe 3636 pjdvp.exe 3124 fflrfxx.exe 3012 1vjdv.exe 440 rrxxrrr.exe 4772 7thtnb.exe 3476 vjpvj.exe 3100 lxfrlll.exe 3680 5lxrlrl.exe 1160 pvpdv.exe 4216 rlxfxxr.exe 3144 hhtnnh.exe 4476 tbnnbb.exe 2800 tnhhbb.exe 2564 vpjvv.exe 1496 bbhttn.exe 3028 lxfxrrr.exe 2276 5hnbtb.exe 1364 ppvvv.exe 2348 xxxlxxr.exe 2640 dpdvv.exe 972 ffxlfll.exe 5000 nhhtnn.exe 540 hhnbht.exe 820 lfxlfxl.exe 3668 tthbtt.exe 2868 btbthb.exe 3952 jdvjv.exe 3412 9rxlfrl.exe 2560 rllfxfx.exe 5108 nhbthh.exe 976 bnnhbn.exe 3648 vdvpj.exe 4940 9rfxllf.exe 3964 bbbbtt.exe 4204 3nthtn.exe 624 pjpjd.exe 4408 xlxrxrr.exe 1480 3flrfxl.exe 4768 3tnbnh.exe -
resource yara_rule behavioral2/memory/3028-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3012-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-302-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1480-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-675-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrlf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxrf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3028 wrote to memory of 2276 3028 706ee2a674518f82194d506b2ba0ece201219f5fba0cc80ad9fbed44898a5113.exe 84 PID 3028 wrote to memory of 2276 3028 706ee2a674518f82194d506b2ba0ece201219f5fba0cc80ad9fbed44898a5113.exe 84 PID 3028 wrote to memory of 2276 3028 706ee2a674518f82194d506b2ba0ece201219f5fba0cc80ad9fbed44898a5113.exe 84 PID 2276 wrote to memory of 740 2276 3bnnhh.exe 85 PID 2276 wrote to memory of 740 2276 3bnnhh.exe 85 PID 2276 wrote to memory of 740 2276 3bnnhh.exe 85 PID 740 wrote to memory of 1228 740 xxlrlrf.exe 86 PID 740 wrote to memory of 1228 740 xxlrlrf.exe 86 PID 740 wrote to memory of 1228 740 xxlrlrf.exe 86 PID 1228 wrote to memory of 4584 1228 9jjdd.exe 87 PID 1228 wrote to memory of 4584 1228 9jjdd.exe 87 PID 1228 wrote to memory of 4584 1228 9jjdd.exe 87 PID 4584 wrote to memory of 3816 4584 xrlfxxx.exe 88 PID 4584 wrote to memory of 3816 4584 xrlfxxx.exe 88 PID 4584 wrote to memory of 3816 4584 xrlfxxx.exe 88 PID 3816 wrote to memory of 3668 3816 dppjj.exe 89 PID 3816 wrote to memory of 3668 3816 dppjj.exe 89 PID 3816 wrote to memory of 3668 3816 dppjj.exe 89 PID 3668 wrote to memory of 2436 3668 lflfxrl.exe 90 PID 3668 wrote to memory of 2436 3668 lflfxrl.exe 90 PID 3668 wrote to memory of 2436 3668 lflfxrl.exe 90 PID 2436 wrote to memory of 1452 2436 jdpjp.exe 91 PID 2436 wrote to memory of 1452 2436 jdpjp.exe 91 PID 2436 wrote to memory of 1452 2436 jdpjp.exe 91 PID 1452 wrote to memory of 2304 1452 rxfrlfr.exe 92 PID 1452 wrote to memory of 2304 1452 rxfrlfr.exe 92 PID 1452 wrote to memory of 2304 1452 rxfrlfr.exe 92 PID 2304 wrote to memory of 1312 2304 hnnnht.exe 93 PID 2304 wrote to memory of 1312 2304 hnnnht.exe 93 PID 2304 wrote to memory of 1312 2304 hnnnht.exe 93 PID 1312 wrote to memory of 2300 1312 jpvjd.exe 94 PID 1312 wrote to memory of 2300 1312 jpvjd.exe 94 PID 1312 wrote to memory of 2300 1312 jpvjd.exe 94 PID 2300 wrote to memory of 4400 2300 lfffxxr.exe 95 PID 2300 wrote to memory of 
4400 2300 lfffxxr.exe 95 PID 2300 wrote to memory of 4400 2300 lfffxxr.exe 95 PID 4400 wrote to memory of 3480 4400 7thtnt.exe 96 PID 4400 wrote to memory of 3480 4400 7thtnt.exe 96 PID 4400 wrote to memory of 3480 4400 7thtnt.exe 96 PID 3480 wrote to memory of 3436 3480 5jvpj.exe 97 PID 3480 wrote to memory of 3436 3480 5jvpj.exe 97 PID 3480 wrote to memory of 3436 3480 5jvpj.exe 97 PID 3436 wrote to memory of 3916 3436 lflllfr.exe 98 PID 3436 wrote to memory of 3916 3436 lflllfr.exe 98 PID 3436 wrote to memory of 3916 3436 lflllfr.exe 98 PID 3916 wrote to memory of 4776 3916 tnnbtt.exe 99 PID 3916 wrote to memory of 4776 3916 tnnbtt.exe 99 PID 3916 wrote to memory of 4776 3916 tnnbtt.exe 99 PID 4776 wrote to memory of 3812 4776 3nnnbb.exe 100 PID 4776 wrote to memory of 3812 4776 3nnnbb.exe 100 PID 4776 wrote to memory of 3812 4776 3nnnbb.exe 100 PID 3812 wrote to memory of 4780 3812 lrrrxrl.exe 101 PID 3812 wrote to memory of 4780 3812 lrrrxrl.exe 101 PID 3812 wrote to memory of 4780 3812 lrrrxrl.exe 101 PID 4780 wrote to memory of 1996 4780 pjpdv.exe 102 PID 4780 wrote to memory of 1996 4780 pjpdv.exe 102 PID 4780 wrote to memory of 1996 4780 pjpdv.exe 102 PID 1996 wrote to memory of 3744 1996 9vpdv.exe 103 PID 1996 wrote to memory of 3744 1996 9vpdv.exe 103 PID 1996 wrote to memory of 3744 1996 9vpdv.exe 103 PID 3744 wrote to memory of 1472 3744 9rrlrrr.exe 104 PID 3744 wrote to memory of 1472 3744 9rrlrrr.exe 104 PID 3744 wrote to memory of 1472 3744 9rrlrrr.exe 104 PID 1472 wrote to memory of 4292 1472 tbbtnh.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\706ee2a674518f82194d506b2ba0ece201219f5fba0cc80ad9fbed44898a5113.exe"C:\Users\Admin\AppData\Local\Temp\706ee2a674518f82194d506b2ba0ece201219f5fba0cc80ad9fbed44898a5113.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\3bnnhh.exec:\3bnnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\xxlrlrf.exec:\xxlrlrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\9jjdd.exec:\9jjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\xrlfxxx.exec:\xrlfxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\dppjj.exec:\dppjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\lflfxrl.exec:\lflfxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\jdpjp.exec:\jdpjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\rxfrlfr.exec:\rxfrlfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\hnnnht.exec:\hnnnht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\jpvjd.exec:\jpvjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\lfffxxr.exec:\lfffxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\7thtnt.exec:\7thtnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\5jvpj.exec:\5jvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\lflllfr.exec:\lflllfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\tnnbtt.exec:\tnnbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\3nnnbb.exec:\3nnnbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\lrrrxrl.exec:\lrrrxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\pjpdv.exec:\pjpdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\9vpdv.exec:\9vpdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\9rrlrrr.exec:\9rrlrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\tbbtnh.exec:\tbbtnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\9nthbh.exec:\9nthbh.exe23⤵
- Executes dropped EXE
PID:4292 -
\??\c:\9dvpv.exec:\9dvpv.exe24⤵
- Executes dropped EXE
PID:4464 -
\??\c:\5fllfff.exec:\5fllfff.exe25⤵
- Executes dropped EXE
PID:1104 -
\??\c:\thtbnh.exec:\thtbnh.exe26⤵
- Executes dropped EXE
PID:852 -
\??\c:\pjdvp.exec:\pjdvp.exe27⤵
- Executes dropped EXE
PID:3636 -
\??\c:\fflrfxx.exec:\fflrfxx.exe28⤵
- Executes dropped EXE
PID:3124 -
\??\c:\1vjdv.exec:\1vjdv.exe29⤵
- Executes dropped EXE
PID:3012 -
\??\c:\rrxxrrr.exec:\rrxxrrr.exe30⤵
- Executes dropped EXE
PID:440 -
\??\c:\7thtnb.exec:\7thtnb.exe31⤵
- Executes dropped EXE
PID:4772 -
\??\c:\vjpvj.exec:\vjpvj.exe32⤵
- Executes dropped EXE
PID:3476 -
\??\c:\lxfrlll.exec:\lxfrlll.exe33⤵
- Executes dropped EXE
PID:3100 -
\??\c:\5lxrlrl.exec:\5lxrlrl.exe34⤵
- Executes dropped EXE
PID:3680 -
\??\c:\pvpdv.exec:\pvpdv.exe35⤵
- Executes dropped EXE
PID:1160 -
\??\c:\rlxfxxr.exec:\rlxfxxr.exe36⤵
- Executes dropped EXE
PID:4216 -
\??\c:\hhtnnh.exec:\hhtnnh.exe37⤵
- Executes dropped EXE
PID:3144 -
\??\c:\tbnnbb.exec:\tbnnbb.exe38⤵
- Executes dropped EXE
PID:4476 -
\??\c:\tnhhbb.exec:\tnhhbb.exe39⤵
- Executes dropped EXE
PID:2800 -
\??\c:\vpjvv.exec:\vpjvv.exe40⤵
- Executes dropped EXE
PID:2564 -
\??\c:\bbhttn.exec:\bbhttn.exe41⤵
- Executes dropped EXE
PID:1496 -
\??\c:\rlfxrff.exec:\rlfxrff.exe42⤵PID:1980
-
\??\c:\lxfxrrr.exec:\lxfxrrr.exe43⤵
- Executes dropped EXE
PID:3028 -
\??\c:\5hnbtb.exec:\5hnbtb.exe44⤵
- Executes dropped EXE
PID:2276 -
\??\c:\ppvvv.exec:\ppvvv.exe45⤵
- Executes dropped EXE
PID:1364 -
\??\c:\xxxlxxr.exec:\xxxlxxr.exe46⤵
- Executes dropped EXE
PID:2348 -
\??\c:\dpdvv.exec:\dpdvv.exe47⤵
- Executes dropped EXE
PID:2640 -
\??\c:\ffxlfll.exec:\ffxlfll.exe48⤵
- Executes dropped EXE
PID:972 -
\??\c:\nhhtnn.exec:\nhhtnn.exe49⤵
- Executes dropped EXE
PID:5000 -
\??\c:\hhnbht.exec:\hhnbht.exe50⤵
- Executes dropped EXE
PID:540 -
\??\c:\lfxlfxl.exec:\lfxlfxl.exe51⤵
- Executes dropped EXE
PID:820 -
\??\c:\tthbtt.exec:\tthbtt.exe52⤵
- Executes dropped EXE
PID:3668 -
\??\c:\btbthb.exec:\btbthb.exe53⤵
- Executes dropped EXE
PID:2868 -
\??\c:\jdvjv.exec:\jdvjv.exe54⤵
- Executes dropped EXE
PID:3952 -
\??\c:\9rxlfrl.exec:\9rxlfrl.exe55⤵
- Executes dropped EXE
PID:3412 -
\??\c:\rllfxfx.exec:\rllfxfx.exe56⤵
- Executes dropped EXE
PID:2560 -
\??\c:\nhbthh.exec:\nhbthh.exe57⤵
- Executes dropped EXE
PID:5108 -
\??\c:\bnnhbn.exec:\bnnhbn.exe58⤵
- Executes dropped EXE
PID:976 -
\??\c:\vdvpj.exec:\vdvpj.exe59⤵
- Executes dropped EXE
PID:3648 -
\??\c:\9rfxllf.exec:\9rfxllf.exe60⤵
- Executes dropped EXE
PID:4940 -
\??\c:\bbbbtt.exec:\bbbbtt.exe61⤵
- Executes dropped EXE
PID:3964 -
\??\c:\3nthtn.exec:\3nthtn.exe62⤵
- Executes dropped EXE
PID:4204 -
\??\c:\pjpjd.exec:\pjpjd.exe63⤵
- Executes dropped EXE
PID:624 -
\??\c:\xlxrxrr.exec:\xlxrxrr.exe64⤵
- Executes dropped EXE
PID:4408 -
\??\c:\3flrfxl.exec:\3flrfxl.exe65⤵
- Executes dropped EXE
PID:1480 -
\??\c:\3tnbnh.exec:\3tnbnh.exe66⤵
- Executes dropped EXE
PID:4768 -
\??\c:\djjdj.exec:\djjdj.exe67⤵PID:3064
-
\??\c:\rffxrlf.exec:\rffxrlf.exe68⤵
- System Location Discovery: System Language Discovery
PID:3572 -
\??\c:\9btnhb.exec:\9btnhb.exe69⤵PID:1880
-
\??\c:\jdjvj.exec:\jdjvj.exe70⤵PID:904
-
\??\c:\rrxlrxx.exec:\rrxlrxx.exe71⤵PID:2996
-
\??\c:\3bhtbt.exec:\3bhtbt.exe72⤵PID:4688
-
\??\c:\htbbhb.exec:\htbbhb.exe73⤵PID:4652
-
\??\c:\1vpjv.exec:\1vpjv.exe74⤵PID:1308
-
\??\c:\llflffx.exec:\llflffx.exe75⤵PID:3032
-
\??\c:\9ntnnh.exec:\9ntnnh.exe76⤵PID:2760
-
\??\c:\pjjdj.exec:\pjjdj.exe77⤵PID:1760
-
\??\c:\rlffxrl.exec:\rlffxrl.exe78⤵PID:2880
-
\??\c:\7xffxlx.exec:\7xffxlx.exe79⤵PID:1664
-
\??\c:\thtnbt.exec:\thtnbt.exe80⤵PID:2216
-
\??\c:\ppvjd.exec:\ppvjd.exe81⤵PID:5048
-
\??\c:\5ddvp.exec:\5ddvp.exe82⤵PID:2372
-
\??\c:\5xlfrll.exec:\5xlfrll.exe83⤵PID:4176
-
\??\c:\nthbtt.exec:\nthbtt.exe84⤵PID:4840
-
\??\c:\jvdvp.exec:\jvdvp.exe85⤵PID:4856
-
\??\c:\rrfrllf.exec:\rrfrllf.exe86⤵PID:4664
-
\??\c:\bbhbhb.exec:\bbhbhb.exe87⤵PID:4896
-
\??\c:\nnnhnn.exec:\nnnhnn.exe88⤵PID:2608
-
\??\c:\vvjvv.exec:\vvjvv.exe89⤵PID:1548
-
\??\c:\rxxxffx.exec:\rxxxffx.exe90⤵PID:1160
-
\??\c:\lrxfxlf.exec:\lrxfxlf.exe91⤵
- System Location Discovery: System Language Discovery
PID:4960 -
\??\c:\btnhbt.exec:\btnhbt.exe92⤵PID:3144
-
\??\c:\ddvdv.exec:\ddvdv.exe93⤵PID:316
-
\??\c:\vvvjd.exec:\vvvjd.exe94⤵PID:3260
-
\??\c:\frlffxr.exec:\frlffxr.exe95⤵PID:1928
-
\??\c:\hhnhbt.exec:\hhnhbt.exe96⤵PID:4560
-
\??\c:\vvdpd.exec:\vvdpd.exe97⤵PID:2484
-
\??\c:\dpjjp.exec:\dpjjp.exe98⤵PID:3980
-
\??\c:\5xlfxrl.exec:\5xlfxrl.exe99⤵PID:4936
-
\??\c:\tbbthh.exec:\tbbthh.exe100⤵PID:2276
-
\??\c:\hhhhhh.exec:\hhhhhh.exe101⤵PID:1364
-
\??\c:\ddppv.exec:\ddppv.exe102⤵PID:2424
-
\??\c:\lffxrrr.exec:\lffxrrr.exe103⤵PID:2140
-
\??\c:\thhbtt.exec:\thhbtt.exe104⤵PID:4624
-
\??\c:\ddjvj.exec:\ddjvj.exe105⤵PID:2712
-
\??\c:\rxrllrl.exec:\rxrllrl.exe106⤵PID:540
-
\??\c:\lrrlxxl.exec:\lrrlxxl.exe107⤵PID:820
-
\??\c:\ntbtnn.exec:\ntbtnn.exe108⤵PID:1100
-
\??\c:\vjjjv.exec:\vjjjv.exe109⤵
- System Location Discovery: System Language Discovery
PID:2868 -
\??\c:\lxfxllf.exec:\lxfxllf.exe110⤵PID:3908
-
\??\c:\frlxxrl.exec:\frlxxrl.exe111⤵PID:3196
-
\??\c:\bnnhnh.exec:\bnnhnh.exe112⤵PID:2240
-
\??\c:\jdjdd.exec:\jdjdd.exe113⤵PID:2300
-
\??\c:\dvvpj.exec:\dvvpj.exe114⤵PID:4600
-
\??\c:\xfxlrff.exec:\xfxlrff.exe115⤵PID:3480
-
\??\c:\hhhbtt.exec:\hhhbtt.exe116⤵PID:4236
-
\??\c:\jpvjv.exec:\jpvjv.exe117⤵PID:3436
-
\??\c:\vvvvj.exec:\vvvvj.exe118⤵
- System Location Discovery: System Language Discovery
PID:3916 -
\??\c:\lffxrrl.exec:\lffxrrl.exe119⤵PID:3672
-
\??\c:\hhnhtt.exec:\hhnhtt.exe120⤵PID:3976
-
\??\c:\jvpjv.exec:\jvpjv.exe121⤵PID:228
-
\??\c:\5lfrxrx.exec:\5lfrxrx.exe122⤵PID:2400