Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 08:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
36624dbffc154942c4f1c06c003b9f99acc4e1d40973f67e9d0a51237d9264a2.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
36624dbffc154942c4f1c06c003b9f99acc4e1d40973f67e9d0a51237d9264a2.exe
-
Size
455KB
-
MD5
5a74dab6f88cfa0c99e739bc2802e2b4
-
SHA1
a5701cd3b62d2c5a40068e0b574ac65b885869e6
-
SHA256
36624dbffc154942c4f1c06c003b9f99acc4e1d40973f67e9d0a51237d9264a2
-
SHA512
1c8d1f03de8a8c8f8ae0a3fe64317979b6c3c3020cc1920be54d92a3bb3a35a48ac87dc3d76572a71458d9338f07b2a0393535db291ea93cfb609ab3eb507617
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbej:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3016-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2816-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/760-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-1061-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-1317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-1333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2464 jvjpp.exe 1688 9lxflrf.exe 4764 hbbbbh.exe 2396 flllflf.exe 4740 3dvvj.exe 3808 ttbhnt.exe 4048 flffflf.exe 2108 jvjpd.exe 4920 tbnbnn.exe 1920 tbhbnn.exe 1180 9rxrllf.exe 2608 jpppj.exe 5052 nnnhtt.exe 548 dpjjd.exe 4172 flrxrlf.exe 4488 rlxrrlf.exe 2480 btbttn.exe 3332 pvvpj.exe 2988 bhnbnn.exe 3092 ddjdv.exe 3912 lxfxrrr.exe 1324 fxxlrxr.exe 2748 9hnhht.exe 2816 7bhtbn.exe 2384 tnnnbb.exe 1912 jjdvv.exe 3724 xrrlfrl.exe 3488 rfxrrrx.exe 3148 tthhhh.exe 3348 9rxllxx.exe 456 3rrlrxf.exe 924 vpvvd.exe 2016 nhnbbn.exe 1548 djjjj.exe 1684 5hhhbb.exe 5008 hnnttb.exe 4780 pvvvv.exe 4128 fffffll.exe 1424 bthhbh.exe 1620 jvddd.exe 2312 7frrrrr.exe 1108 bbbbbb.exe 3008 pvvpd.exe 208 fxrrrxx.exe 1632 7bhhhn.exe 3012 dvddv.exe 1504 xflflll.exe 3240 bbnnnt.exe 1604 7nntnn.exe 2348 vdvpp.exe 4596 fffffxl.exe 5116 jjppj.exe 2464 rlxxrxf.exe 2448 flrrrrr.exe 4208 thhnnb.exe 4816 ddjjd.exe 3232 flxxlrx.exe 3540 xxfllfl.exe 3808 5pjdd.exe 3384 3vjjj.exe 4048 lflffff.exe 4508 1hhnnt.exe 3964 1vvpj.exe 4864 xxfxrrr.exe -
resource yara_rule behavioral2/memory/3016-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2816-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-408-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4908-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-760-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2464 3016 36624dbffc154942c4f1c06c003b9f99acc4e1d40973f67e9d0a51237d9264a2.exe 83 PID 3016 wrote to memory of 2464 3016 36624dbffc154942c4f1c06c003b9f99acc4e1d40973f67e9d0a51237d9264a2.exe 83 PID 3016 wrote to memory of 2464 3016 36624dbffc154942c4f1c06c003b9f99acc4e1d40973f67e9d0a51237d9264a2.exe 83 PID 2464 wrote to memory of 1688 2464 jvjpp.exe 84 PID 2464 wrote to memory of 1688 2464 jvjpp.exe 84 PID 2464 wrote to memory of 1688 2464 jvjpp.exe 84 PID 1688 wrote to memory of 4764 1688 9lxflrf.exe 85 PID 1688 wrote to memory of 4764 1688 9lxflrf.exe 85 PID 1688 wrote to memory of 4764 1688 9lxflrf.exe 85 PID 4764 wrote to memory of 2396 4764 hbbbbh.exe 86 PID 4764 wrote to memory of 2396 4764 hbbbbh.exe 86 PID 4764 wrote to memory of 2396 4764 hbbbbh.exe 86 PID 2396 wrote to memory of 4740 2396 flllflf.exe 87 PID 2396 wrote to memory of 4740 2396 flllflf.exe 87 PID 2396 wrote to memory of 4740 2396 flllflf.exe 87 PID 4740 wrote to memory of 3808 4740 3dvvj.exe 88 PID 4740 wrote to memory of 3808 4740 3dvvj.exe 88 PID 4740 wrote to memory of 3808 4740 3dvvj.exe 88 PID 3808 wrote to memory of 4048 3808 ttbhnt.exe 89 PID 3808 wrote to memory of 4048 3808 ttbhnt.exe 89 PID 3808 wrote to memory of 4048 3808 ttbhnt.exe 89 PID 4048 wrote to memory of 2108 4048 flffflf.exe 90 PID 4048 wrote to memory of 2108 4048 flffflf.exe 90 PID 4048 wrote to memory of 2108 4048 flffflf.exe 90 PID 2108 wrote to memory of 4920 2108 jvjpd.exe 91 PID 2108 wrote to memory of 4920 2108 jvjpd.exe 91 PID 2108 wrote to memory of 4920 2108 jvjpd.exe 91 PID 4920 wrote to memory of 1920 4920 tbnbnn.exe 92 PID 4920 wrote to memory of 1920 4920 tbnbnn.exe 92 PID 4920 wrote to memory of 1920 4920 tbnbnn.exe 92 PID 1920 wrote to memory of 1180 1920 tbhbnn.exe 93 PID 1920 wrote to memory of 1180 1920 tbhbnn.exe 93 PID 1920 wrote to memory of 1180 1920 tbhbnn.exe 93 PID 1180 wrote to memory of 2608 1180 9rxrllf.exe 94 PID 1180 wrote to 
memory of 2608 1180 9rxrllf.exe 94 PID 1180 wrote to memory of 2608 1180 9rxrllf.exe 94 PID 2608 wrote to memory of 5052 2608 jpppj.exe 95 PID 2608 wrote to memory of 5052 2608 jpppj.exe 95 PID 2608 wrote to memory of 5052 2608 jpppj.exe 95 PID 5052 wrote to memory of 548 5052 nnnhtt.exe 96 PID 5052 wrote to memory of 548 5052 nnnhtt.exe 96 PID 5052 wrote to memory of 548 5052 nnnhtt.exe 96 PID 548 wrote to memory of 4172 548 dpjjd.exe 97 PID 548 wrote to memory of 4172 548 dpjjd.exe 97 PID 548 wrote to memory of 4172 548 dpjjd.exe 97 PID 4172 wrote to memory of 4488 4172 flrxrlf.exe 98 PID 4172 wrote to memory of 4488 4172 flrxrlf.exe 98 PID 4172 wrote to memory of 4488 4172 flrxrlf.exe 98 PID 4488 wrote to memory of 2480 4488 rlxrrlf.exe 99 PID 4488 wrote to memory of 2480 4488 rlxrrlf.exe 99 PID 4488 wrote to memory of 2480 4488 rlxrrlf.exe 99 PID 2480 wrote to memory of 3332 2480 btbttn.exe 100 PID 2480 wrote to memory of 3332 2480 btbttn.exe 100 PID 2480 wrote to memory of 3332 2480 btbttn.exe 100 PID 3332 wrote to memory of 2988 3332 pvvpj.exe 101 PID 3332 wrote to memory of 2988 3332 pvvpj.exe 101 PID 3332 wrote to memory of 2988 3332 pvvpj.exe 101 PID 2988 wrote to memory of 3092 2988 bhnbnn.exe 102 PID 2988 wrote to memory of 3092 2988 bhnbnn.exe 102 PID 2988 wrote to memory of 3092 2988 bhnbnn.exe 102 PID 3092 wrote to memory of 3912 3092 ddjdv.exe 103 PID 3092 wrote to memory of 3912 3092 ddjdv.exe 103 PID 3092 wrote to memory of 3912 3092 ddjdv.exe 103 PID 3912 wrote to memory of 1324 3912 lxfxrrr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\36624dbffc154942c4f1c06c003b9f99acc4e1d40973f67e9d0a51237d9264a2.exe"C:\Users\Admin\AppData\Local\Temp\36624dbffc154942c4f1c06c003b9f99acc4e1d40973f67e9d0a51237d9264a2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\jvjpp.exec:\jvjpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\9lxflrf.exec:\9lxflrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\hbbbbh.exec:\hbbbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\flllflf.exec:\flllflf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\3dvvj.exec:\3dvvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\ttbhnt.exec:\ttbhnt.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\flffflf.exec:\flffflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\jvjpd.exec:\jvjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\tbnbnn.exec:\tbnbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\tbhbnn.exec:\tbhbnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\9rxrllf.exec:\9rxrllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\jpppj.exec:\jpppj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\nnnhtt.exec:\nnnhtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\dpjjd.exec:\dpjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\flrxrlf.exec:\flrxrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\rlxrrlf.exec:\rlxrrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\btbttn.exec:\btbttn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\pvvpj.exec:\pvvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\bhnbnn.exec:\bhnbnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\ddjdv.exec:\ddjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\fxxlrxr.exec:\fxxlrxr.exe23⤵
- Executes dropped EXE
PID:1324 -
\??\c:\9hnhht.exec:\9hnhht.exe24⤵
- Executes dropped EXE
PID:2748 -
\??\c:\7bhtbn.exec:\7bhtbn.exe25⤵
- Executes dropped EXE
PID:2816 -
\??\c:\tnnnbb.exec:\tnnnbb.exe26⤵
- Executes dropped EXE
PID:2384 -
\??\c:\jjdvv.exec:\jjdvv.exe27⤵
- Executes dropped EXE
PID:1912 -
\??\c:\xrrlfrl.exec:\xrrlfrl.exe28⤵
- Executes dropped EXE
PID:3724 -
\??\c:\rfxrrrx.exec:\rfxrrrx.exe29⤵
- Executes dropped EXE
PID:3488 -
\??\c:\tthhhh.exec:\tthhhh.exe30⤵
- Executes dropped EXE
PID:3148 -
\??\c:\9rxllxx.exec:\9rxllxx.exe31⤵
- Executes dropped EXE
PID:3348 -
\??\c:\3rrlrxf.exec:\3rrlrxf.exe32⤵
- Executes dropped EXE
PID:456 -
\??\c:\vpvvd.exec:\vpvvd.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:924 -
\??\c:\nhnbbn.exec:\nhnbbn.exe34⤵
- Executes dropped EXE
PID:2016 -
\??\c:\djjjj.exec:\djjjj.exe35⤵
- Executes dropped EXE
PID:1548 -
\??\c:\5hhhbb.exec:\5hhhbb.exe36⤵
- Executes dropped EXE
PID:1684 -
\??\c:\hnnttb.exec:\hnnttb.exe37⤵
- Executes dropped EXE
PID:5008 -
\??\c:\pvvvv.exec:\pvvvv.exe38⤵
- Executes dropped EXE
PID:4780 -
\??\c:\fffffll.exec:\fffffll.exe39⤵
- Executes dropped EXE
PID:4128 -
\??\c:\bthhbh.exec:\bthhbh.exe40⤵
- Executes dropped EXE
PID:1424 -
\??\c:\jvddd.exec:\jvddd.exe41⤵
- Executes dropped EXE
PID:1620 -
\??\c:\7frrrrr.exec:\7frrrrr.exe42⤵
- Executes dropped EXE
PID:2312 -
\??\c:\bbbbbb.exec:\bbbbbb.exe43⤵
- Executes dropped EXE
PID:1108 -
\??\c:\pvvpd.exec:\pvvpd.exe44⤵
- Executes dropped EXE
PID:3008 -
\??\c:\fxrrrxx.exec:\fxrrrxx.exe45⤵
- Executes dropped EXE
PID:208 -
\??\c:\7bhhhn.exec:\7bhhhn.exe46⤵
- Executes dropped EXE
PID:1632 -
\??\c:\dvddv.exec:\dvddv.exe47⤵
- Executes dropped EXE
PID:3012 -
\??\c:\xflflll.exec:\xflflll.exe48⤵
- Executes dropped EXE
PID:1504 -
\??\c:\bbnnnt.exec:\bbnnnt.exe49⤵
- Executes dropped EXE
PID:3240 -
\??\c:\7nntnn.exec:\7nntnn.exe50⤵
- Executes dropped EXE
PID:1604 -
\??\c:\vdvpp.exec:\vdvpp.exe51⤵
- Executes dropped EXE
PID:2348 -
\??\c:\fffffxl.exec:\fffffxl.exe52⤵
- Executes dropped EXE
PID:4596 -
\??\c:\jjppj.exec:\jjppj.exe53⤵
- Executes dropped EXE
PID:5116 -
\??\c:\rlxxrxf.exec:\rlxxrxf.exe54⤵
- Executes dropped EXE
PID:2464 -
\??\c:\flrrrrr.exec:\flrrrrr.exe55⤵
- Executes dropped EXE
PID:2448 -
\??\c:\thhnnb.exec:\thhnnb.exe56⤵
- Executes dropped EXE
PID:4208 -
\??\c:\ddjjd.exec:\ddjjd.exe57⤵
- Executes dropped EXE
PID:4816 -
\??\c:\flxxlrx.exec:\flxxlrx.exe58⤵
- Executes dropped EXE
PID:3232 -
\??\c:\xxfllfl.exec:\xxfllfl.exe59⤵
- Executes dropped EXE
PID:3540 -
\??\c:\5pjdd.exec:\5pjdd.exe60⤵
- Executes dropped EXE
PID:3808 -
\??\c:\3vjjj.exec:\3vjjj.exe61⤵
- Executes dropped EXE
PID:3384 -
\??\c:\lflffff.exec:\lflffff.exe62⤵
- Executes dropped EXE
PID:4048 -
\??\c:\1hhnnt.exec:\1hhnnt.exe63⤵
- Executes dropped EXE
PID:4508 -
\??\c:\1vvpj.exec:\1vvpj.exe64⤵
- Executes dropped EXE
PID:3964 -
\??\c:\xxfxrrr.exec:\xxfxrrr.exe65⤵
- Executes dropped EXE
PID:4864 -
\??\c:\nhhbnb.exec:\nhhbnb.exe66⤵PID:2572
-
\??\c:\3tttnn.exec:\3tttnn.exe67⤵PID:1920
-
\??\c:\pjddv.exec:\pjddv.exe68⤵PID:1180
-
\??\c:\ddpjd.exec:\ddpjd.exe69⤵PID:1104
-
\??\c:\7xfflfl.exec:\7xfflfl.exe70⤵PID:4880
-
\??\c:\tntttb.exec:\tntttb.exe71⤵PID:4572
-
\??\c:\jjppj.exec:\jjppj.exe72⤵PID:3044
-
\??\c:\lxfrflr.exec:\lxfrflr.exe73⤵PID:880
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe74⤵PID:404
-
\??\c:\bbbtnn.exec:\bbbtnn.exe75⤵PID:2552
-
\??\c:\vvppj.exec:\vvppj.exe76⤵PID:1600
-
\??\c:\rflrxfl.exec:\rflrxfl.exe77⤵PID:1444
-
\??\c:\3bbbbh.exec:\3bbbbh.exe78⤵PID:1372
-
\??\c:\3nnhbb.exec:\3nnhbb.exe79⤵PID:2988
-
\??\c:\djppj.exec:\djppj.exe80⤵PID:1320
-
\??\c:\rrllrrl.exec:\rrllrrl.exe81⤵PID:1784
-
\??\c:\nbhhnt.exec:\nbhhnt.exe82⤵PID:1380
-
\??\c:\djvvj.exec:\djvvj.exe83⤵
- System Location Discovery: System Language Discovery
PID:1752 -
\??\c:\9fxxrlr.exec:\9fxxrlr.exe84⤵PID:3412
-
\??\c:\nnbbnt.exec:\nnbbnt.exe85⤵PID:3316
-
\??\c:\pjjdj.exec:\pjjdj.exe86⤵PID:1092
-
\??\c:\vvpjd.exec:\vvpjd.exe87⤵PID:3728
-
\??\c:\fxllfff.exec:\fxllfff.exe88⤵PID:3584
-
\??\c:\hntnhh.exec:\hntnhh.exe89⤵PID:1508
-
\??\c:\pppjd.exec:\pppjd.exe90⤵PID:4772
-
\??\c:\rrlrlxr.exec:\rrlrlxr.exe91⤵PID:3864
-
\??\c:\tnnthh.exec:\tnnthh.exe92⤵PID:760
-
\??\c:\3djvv.exec:\3djvv.exe93⤵PID:3348
-
\??\c:\ppvvp.exec:\ppvvp.exe94⤵PID:456
-
\??\c:\7lfxrlf.exec:\7lfxrlf.exe95⤵PID:892
-
\??\c:\ppvvj.exec:\ppvvj.exe96⤵PID:1132
-
\??\c:\vvvvp.exec:\vvvvp.exe97⤵PID:1368
-
\??\c:\xlrrrxx.exec:\xlrrrxx.exe98⤵PID:3200
-
\??\c:\tnnbtn.exec:\tnnbtn.exe99⤵PID:1864
-
\??\c:\1htbbn.exec:\1htbbn.exe100⤵PID:3436
-
\??\c:\9vpjd.exec:\9vpjd.exe101⤵PID:1748
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe102⤵PID:4908
-
\??\c:\nnnhbt.exec:\nnnhbt.exe103⤵PID:1424
-
\??\c:\7vddv.exec:\7vddv.exe104⤵PID:1620
-
\??\c:\5xrrlrr.exec:\5xrrlrr.exe105⤵PID:1948
-
\??\c:\ntbbhh.exec:\ntbbhh.exe106⤵PID:1108
-
\??\c:\vdjpj.exec:\vdjpj.exe107⤵PID:452
-
\??\c:\jjvdv.exec:\jjvdv.exe108⤵PID:1980
-
\??\c:\rrrlfrf.exec:\rrrlfrf.exe109⤵PID:3280
-
\??\c:\nhntnn.exec:\nhntnn.exe110⤵PID:692
-
\??\c:\jpvvv.exec:\jpvvv.exe111⤵PID:4512
-
\??\c:\fllfxxr.exec:\fllfxxr.exe112⤵PID:2308
-
\??\c:\5bbttt.exec:\5bbttt.exe113⤵PID:4988
-
\??\c:\hbhtnn.exec:\hbhtnn.exe114⤵PID:4356
-
\??\c:\vvddv.exec:\vvddv.exe115⤵PID:1264
-
\??\c:\fllfxxx.exec:\fllfxxx.exe116⤵PID:2440
-
\??\c:\3ttnhh.exec:\3ttnhh.exe117⤵PID:696
-
\??\c:\dpjdp.exec:\dpjdp.exe118⤵PID:4804
-
\??\c:\rlxrllf.exec:\rlxrllf.exe119⤵PID:3556
-
\??\c:\xfffffr.exec:\xfffffr.exe120⤵PID:4208
-
\??\c:\pjjdv.exec:\pjjdv.exe121⤵PID:4764
-
\??\c:\3lrrrrr.exec:\3lrrrrr.exe122⤵PID:2912