Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25/11/2024, 22:45
Behavioral task
behavioral1
Sample
5937caad0b58a1d3374f0aa1c5671874ff972bef6245e96422c3f1cca78b0ffd.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
5937caad0b58a1d3374f0aa1c5671874ff972bef6245e96422c3f1cca78b0ffd.exe
-
Size
97KB
-
MD5
01fa27dde01ea5f76ed1dbabf83524d4
-
SHA1
fe2cbd96dd8027dd3e1f2c250eadf1c8651a515e
-
SHA256
5937caad0b58a1d3374f0aa1c5671874ff972bef6245e96422c3f1cca78b0ffd
-
SHA512
1bc7d841afe6ddb1cf4e05f0b80cd933402a5effbc30da853af227b5f679442d26a605cad59b992357f2a1fbb853d66537255af1ca6bf6d76e37c688bafe989e
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgP:8cm4FmowdHoSgWrXUgP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4528-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/940-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4332-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2120-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4412-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1980-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1684-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1772-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2716-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3384-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1792-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/536-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3428-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4596-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1596-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4944-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4668-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1168-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5088-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3192-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1148-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3884-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1424-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4344-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/456-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3528-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3384-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3740-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4324-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2300-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2876-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/648-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2180-370-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3828-469-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4244-496-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4720-535-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1668-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-589-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/32-608-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3360-780-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 940 lllfrxr.exe 2172 nhhbtt.exe 4564 lrffffr.exe 4332 rrrlfxx.exe 3948 vjppd.exe 4412 hnbbbn.exe 2120 nnnhnn.exe 1980 vjpvv.exe 844 ttbnnb.exe 208 jpvdj.exe 5108 lxxlflf.exe 1684 hhnnbb.exe 1772 dvddv.exe 2716 9rfflxx.exe 3384 tntbtb.exe 1792 djppp.exe 4960 1rrrlrl.exe 536 9xlflrr.exe 100 vvvvd.exe 4440 9pppp.exe 3428 lllllrr.exe 1328 thttbb.exe 2456 dvjvj.exe 4596 rrrrfxx.exe 1596 fffffll.exe 4944 hntbbn.exe 1736 9frrlrr.exe 4448 htbbtb.exe 4428 ddvdd.exe 3088 btthnn.exe 3752 fflrrrr.exe 4668 xxflrrl.exe 4576 ntthtt.exe 3624 5vvjj.exe 1168 tthbbb.exe 5088 thnhbh.exe 3192 1vddd.exe 4372 lxffxff.exe 3196 tbbnbt.exe 1148 nnttnn.exe 1436 vvjdd.exe 4432 rlfxxlr.exe 860 9djdv.exe 3884 7rrlllf.exe 4204 vdjpd.exe 1424 xlxrrxf.exe 2996 dpjjd.exe 4540 1llfffl.exe 1380 hnbbbh.exe 228 vvjdd.exe 2348 dppdv.exe 2024 rfffxff.exe 1248 3nnnhh.exe 4560 1nbttt.exe 4344 jjvdd.exe 1084 llxrrfl.exe 2076 7pjdv.exe 1000 xxlfrrf.exe 2132 frxrflf.exe 728 ttbnbh.exe 5000 pvpjd.exe 3612 pdjjj.exe 3476 rllfffr.exe 1660 tbbttt.exe -
resource yara_rule behavioral2/memory/4528-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c59-3.dat upx behavioral2/memory/4528-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c65-8.dat upx behavioral2/memory/940-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c66-13.dat upx behavioral2/memory/2172-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c67-18.dat upx behavioral2/memory/4332-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4564-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4332-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c68-25.dat upx behavioral2/files/0x0007000000023c69-29.dat upx behavioral2/memory/3948-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6a-34.dat upx behavioral2/memory/2120-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4412-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1980-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6b-41.dat upx behavioral2/files/0x0007000000023c6c-45.dat upx behavioral2/memory/1980-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6d-50.dat upx behavioral2/files/0x0007000000023c6e-54.dat upx behavioral2/memory/208-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6f-59.dat upx behavioral2/memory/5108-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c70-64.dat upx behavioral2/memory/1684-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c71-69.dat upx behavioral2/memory/1772-71-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c72-74.dat upx behavioral2/memory/2716-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c73-79.dat upx behavioral2/memory/3384-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1792-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c74-85.dat upx behavioral2/files/0x0007000000023c75-89.dat upx behavioral2/memory/4960-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c76-94.dat upx behavioral2/memory/536-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c5a-99.dat upx behavioral2/files/0x0007000000023c77-103.dat upx behavioral2/memory/3428-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c78-107.dat upx behavioral2/files/0x0007000000023c79-112.dat upx behavioral2/files/0x0007000000023c7a-116.dat upx behavioral2/files/0x0007000000023c7b-120.dat upx behavioral2/memory/4596-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7c-125.dat upx behavioral2/memory/1596-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4944-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7d-130.dat upx behavioral2/files/0x0007000000023c7e-136.dat upx behavioral2/memory/1736-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7f-140.dat upx behavioral2/memory/4428-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c80-144.dat upx behavioral2/memory/3088-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c81-150.dat upx behavioral2/files/0x0007000000023c82-154.dat upx behavioral2/memory/4668-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1168-165-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral2/memory/5088-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3192-171-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xlrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4528 wrote to memory of 940 4528 5937caad0b58a1d3374f0aa1c5671874ff972bef6245e96422c3f1cca78b0ffd.exe 85 PID 4528 wrote to memory of 940 4528 5937caad0b58a1d3374f0aa1c5671874ff972bef6245e96422c3f1cca78b0ffd.exe 85 PID 4528 wrote to memory of 940 4528 5937caad0b58a1d3374f0aa1c5671874ff972bef6245e96422c3f1cca78b0ffd.exe 85 PID 940 wrote to memory of 2172 940 lllfrxr.exe 86 PID 940 wrote to memory of 2172 940 lllfrxr.exe 86 PID 940 wrote to memory of 2172 940 lllfrxr.exe 86 PID 2172 wrote to memory of 4564 2172 nhhbtt.exe 87 PID 2172 wrote to memory of 4564 2172 nhhbtt.exe 87 PID 2172 wrote to memory of 4564 2172 nhhbtt.exe 87 PID 4564 wrote to memory of 4332 4564 lrffffr.exe 88 PID 4564 wrote to memory of 4332 4564 lrffffr.exe 88 PID 4564 wrote to memory of 4332 4564 lrffffr.exe 88 PID 4332 wrote to memory of 3948 4332 rrrlfxx.exe 89 PID 4332 wrote to memory of 3948 4332 rrrlfxx.exe 89 PID 4332 wrote to memory of 3948 4332 rrrlfxx.exe 89 PID 3948 wrote to memory of 4412 3948 vjppd.exe 90 PID 3948 wrote to memory of 4412 3948 vjppd.exe 90 PID 3948 wrote to memory of 4412 3948 vjppd.exe 90 PID 4412 wrote to memory of 2120 4412 hnbbbn.exe 91 PID 4412 wrote to memory of 2120 4412 hnbbbn.exe 91 PID 4412 wrote to memory of 2120 4412 hnbbbn.exe 91 PID 2120 wrote to memory of 1980 2120 nnnhnn.exe 92 PID 2120 wrote to memory of 1980 2120 nnnhnn.exe 92 PID 2120 wrote to memory of 1980 2120 nnnhnn.exe 92 PID 1980 wrote to memory of 844 1980 vjpvv.exe 93 PID 1980 wrote to memory of 844 1980 vjpvv.exe 93 PID 1980 wrote to memory of 844 1980 vjpvv.exe 93 PID 844 wrote to memory of 208 844 ttbnnb.exe 94 PID 844 wrote to memory of 208 844 ttbnnb.exe 94 PID 844 wrote to memory of 208 844 ttbnnb.exe 94 PID 208 wrote to memory of 5108 208 jpvdj.exe 95 PID 208 wrote to memory of 5108 208 jpvdj.exe 95 PID 208 wrote to memory of 5108 208 jpvdj.exe 95 PID 5108 wrote to memory of 1684 5108 lxxlflf.exe 96 PID 5108 wrote to memory of 1684 5108 
lxxlflf.exe 96 PID 5108 wrote to memory of 1684 5108 lxxlflf.exe 96 PID 1684 wrote to memory of 1772 1684 hhnnbb.exe 97 PID 1684 wrote to memory of 1772 1684 hhnnbb.exe 97 PID 1684 wrote to memory of 1772 1684 hhnnbb.exe 97 PID 1772 wrote to memory of 2716 1772 dvddv.exe 98 PID 1772 wrote to memory of 2716 1772 dvddv.exe 98 PID 1772 wrote to memory of 2716 1772 dvddv.exe 98 PID 2716 wrote to memory of 3384 2716 9rfflxx.exe 99 PID 2716 wrote to memory of 3384 2716 9rfflxx.exe 99 PID 2716 wrote to memory of 3384 2716 9rfflxx.exe 99 PID 3384 wrote to memory of 1792 3384 tntbtb.exe 100 PID 3384 wrote to memory of 1792 3384 tntbtb.exe 100 PID 3384 wrote to memory of 1792 3384 tntbtb.exe 100 PID 1792 wrote to memory of 4960 1792 djppp.exe 101 PID 1792 wrote to memory of 4960 1792 djppp.exe 101 PID 1792 wrote to memory of 4960 1792 djppp.exe 101 PID 4960 wrote to memory of 536 4960 1rrrlrl.exe 102 PID 4960 wrote to memory of 536 4960 1rrrlrl.exe 102 PID 4960 wrote to memory of 536 4960 1rrrlrl.exe 102 PID 536 wrote to memory of 100 536 9xlflrr.exe 103 PID 536 wrote to memory of 100 536 9xlflrr.exe 103 PID 536 wrote to memory of 100 536 9xlflrr.exe 103 PID 100 wrote to memory of 4440 100 vvvvd.exe 104 PID 100 wrote to memory of 4440 100 vvvvd.exe 104 PID 100 wrote to memory of 4440 100 vvvvd.exe 104 PID 4440 wrote to memory of 3428 4440 9pppp.exe 105 PID 4440 wrote to memory of 3428 4440 9pppp.exe 105 PID 4440 wrote to memory of 3428 4440 9pppp.exe 105 PID 3428 wrote to memory of 1328 3428 lllllrr.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\5937caad0b58a1d3374f0aa1c5671874ff972bef6245e96422c3f1cca78b0ffd.exe"C:\Users\Admin\AppData\Local\Temp\5937caad0b58a1d3374f0aa1c5671874ff972bef6245e96422c3f1cca78b0ffd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\lllfrxr.exec:\lllfrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\nhhbtt.exec:\nhhbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\lrffffr.exec:\lrffffr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\rrrlfxx.exec:\rrrlfxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\vjppd.exec:\vjppd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\hnbbbn.exec:\hnbbbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\nnnhnn.exec:\nnnhnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\vjpvv.exec:\vjpvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\ttbnnb.exec:\ttbnnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\jpvdj.exec:\jpvdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\lxxlflf.exec:\lxxlflf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\hhnnbb.exec:\hhnnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\dvddv.exec:\dvddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\9rfflxx.exec:\9rfflxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\tntbtb.exec:\tntbtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\djppp.exec:\djppp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\1rrrlrl.exec:\1rrrlrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\9xlflrr.exec:\9xlflrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\vvvvd.exec:\vvvvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\9pppp.exec:\9pppp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\lllllrr.exec:\lllllrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\thttbb.exec:\thttbb.exe23⤵
- Executes dropped EXE
PID:1328 -
\??\c:\dvjvj.exec:\dvjvj.exe24⤵
- Executes dropped EXE
PID:2456 -
\??\c:\rrrrfxx.exec:\rrrrfxx.exe25⤵
- Executes dropped EXE
PID:4596 -
\??\c:\fffffll.exec:\fffffll.exe26⤵
- Executes dropped EXE
PID:1596 -
\??\c:\hntbbn.exec:\hntbbn.exe27⤵
- Executes dropped EXE
PID:4944 -
\??\c:\9frrlrr.exec:\9frrlrr.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1736 -
\??\c:\htbbtb.exec:\htbbtb.exe29⤵
- Executes dropped EXE
PID:4448 -
\??\c:\ddvdd.exec:\ddvdd.exe30⤵
- Executes dropped EXE
PID:4428 -
\??\c:\btthnn.exec:\btthnn.exe31⤵
- Executes dropped EXE
PID:3088 -
\??\c:\fflrrrr.exec:\fflrrrr.exe32⤵
- Executes dropped EXE
PID:3752 -
\??\c:\xxflrrl.exec:\xxflrrl.exe33⤵
- Executes dropped EXE
PID:4668 -
\??\c:\ntthtt.exec:\ntthtt.exe34⤵
- Executes dropped EXE
PID:4576 -
\??\c:\5vvjj.exec:\5vvjj.exe35⤵
- Executes dropped EXE
PID:3624 -
\??\c:\tthbbb.exec:\tthbbb.exe36⤵
- Executes dropped EXE
PID:1168 -
\??\c:\thnhbh.exec:\thnhbh.exe37⤵
- Executes dropped EXE
PID:5088 -
\??\c:\1vddd.exec:\1vddd.exe38⤵
- Executes dropped EXE
PID:3192 -
\??\c:\lxffxff.exec:\lxffxff.exe39⤵
- Executes dropped EXE
PID:4372 -
\??\c:\tbbnbt.exec:\tbbnbt.exe40⤵
- Executes dropped EXE
PID:3196 -
\??\c:\nnttnn.exec:\nnttnn.exe41⤵
- Executes dropped EXE
PID:1148 -
\??\c:\vvjdd.exec:\vvjdd.exe42⤵
- Executes dropped EXE
PID:1436 -
\??\c:\rlfxxlr.exec:\rlfxxlr.exe43⤵
- Executes dropped EXE
PID:4432 -
\??\c:\9djdv.exec:\9djdv.exe44⤵
- Executes dropped EXE
PID:860 -
\??\c:\7rrlllf.exec:\7rrlllf.exe45⤵
- Executes dropped EXE
PID:3884 -
\??\c:\vdjpd.exec:\vdjpd.exe46⤵
- Executes dropped EXE
PID:4204 -
\??\c:\xlxrrxf.exec:\xlxrrxf.exe47⤵
- Executes dropped EXE
PID:1424 -
\??\c:\dpjjd.exec:\dpjjd.exe48⤵
- Executes dropped EXE
PID:2996 -
\??\c:\1llfffl.exec:\1llfffl.exe49⤵
- Executes dropped EXE
PID:4540 -
\??\c:\hnbbbh.exec:\hnbbbh.exe50⤵
- Executes dropped EXE
PID:1380 -
\??\c:\vvjdd.exec:\vvjdd.exe51⤵
- Executes dropped EXE
PID:228 -
\??\c:\dppdv.exec:\dppdv.exe52⤵
- Executes dropped EXE
PID:2348 -
\??\c:\rfffxff.exec:\rfffxff.exe53⤵
- Executes dropped EXE
PID:2024 -
\??\c:\3nnnhh.exec:\3nnnhh.exe54⤵
- Executes dropped EXE
PID:1248 -
\??\c:\1nbttt.exec:\1nbttt.exe55⤵
- Executes dropped EXE
PID:4560 -
\??\c:\jjvdd.exec:\jjvdd.exe56⤵
- Executes dropped EXE
PID:4344 -
\??\c:\llxrrfl.exec:\llxrrfl.exe57⤵
- Executes dropped EXE
PID:1084 -
\??\c:\7pjdv.exec:\7pjdv.exe58⤵
- Executes dropped EXE
PID:2076 -
\??\c:\xxlfrrf.exec:\xxlfrrf.exe59⤵
- Executes dropped EXE
PID:1000 -
\??\c:\frxrflf.exec:\frxrflf.exe60⤵
- Executes dropped EXE
PID:2132 -
\??\c:\ttbnbh.exec:\ttbnbh.exe61⤵
- Executes dropped EXE
PID:728 -
\??\c:\pvpjd.exec:\pvpjd.exe62⤵
- Executes dropped EXE
PID:5000 -
\??\c:\pdjjj.exec:\pdjjj.exe63⤵
- Executes dropped EXE
PID:3612 -
\??\c:\rllfffr.exec:\rllfffr.exe64⤵
- Executes dropped EXE
PID:3476 -
\??\c:\tbbttt.exec:\tbbttt.exe65⤵
- Executes dropped EXE
PID:1660 -
\??\c:\djjjp.exec:\djjjp.exe66⤵PID:3948
-
\??\c:\vvpvj.exec:\vvpvj.exe67⤵PID:2976
-
\??\c:\9flllrl.exec:\9flllrl.exe68⤵PID:3012
-
\??\c:\tnttnt.exec:\tnttnt.exe69⤵PID:4748
-
\??\c:\tttnhn.exec:\tttnhn.exe70⤵PID:780
-
\??\c:\pjpjp.exec:\pjpjp.exe71⤵PID:224
-
\??\c:\lxlrrrr.exec:\lxlrrrr.exe72⤵PID:1608
-
\??\c:\3rfxrrl.exec:\3rfxrrl.exe73⤵PID:532
-
\??\c:\bhhnnt.exec:\bhhnnt.exe74⤵PID:3200
-
\??\c:\vjpvv.exec:\vjpvv.exe75⤵PID:1968
-
\??\c:\1pjjj.exec:\1pjjj.exe76⤵PID:456
-
\??\c:\ffllrrf.exec:\ffllrrf.exe77⤵PID:3528
-
\??\c:\bbttnh.exec:\bbttnh.exe78⤵PID:1668
-
\??\c:\nnhhnt.exec:\nnhhnt.exe79⤵PID:5068
-
\??\c:\vvjpd.exec:\vvjpd.exe80⤵PID:3244
-
\??\c:\rlrllll.exec:\rlrllll.exe81⤵PID:3384
-
\??\c:\frxffrx.exec:\frxffrx.exe82⤵PID:2208
-
\??\c:\hhttbh.exec:\hhttbh.exe83⤵PID:1860
-
\??\c:\nhnbnn.exec:\nhnbnn.exe84⤵PID:3376
-
\??\c:\ppdjv.exec:\ppdjv.exe85⤵PID:4868
-
\??\c:\lrffflr.exec:\lrffflr.exe86⤵PID:536
-
\??\c:\9bhbtb.exec:\9bhbtb.exe87⤵PID:100
-
\??\c:\7jvpp.exec:\7jvpp.exe88⤵PID:4440
-
\??\c:\xflfxrf.exec:\xflfxrf.exe89⤵PID:3684
-
\??\c:\xfxfrlf.exec:\xfxfrlf.exe90⤵PID:3740
-
\??\c:\bbhbtt.exec:\bbhbtt.exe91⤵PID:2252
-
\??\c:\bnnhhh.exec:\bnnhhh.exe92⤵PID:4324
-
\??\c:\pjpjj.exec:\pjpjj.exe93⤵PID:2124
-
\??\c:\9xfffll.exec:\9xfffll.exe94⤵PID:4672
-
\??\c:\pjvdj.exec:\pjvdj.exe95⤵PID:1276
-
\??\c:\ffxlrxx.exec:\ffxlrxx.exe96⤵PID:2580
-
\??\c:\htbnhb.exec:\htbnhb.exe97⤵PID:4944
-
\??\c:\1dvpd.exec:\1dvpd.exe98⤵PID:2300
-
\??\c:\jvdvv.exec:\jvdvv.exe99⤵PID:4820
-
\??\c:\3hnntb.exec:\3hnntb.exe100⤵PID:2876
-
\??\c:\hnbbnh.exec:\hnbbnh.exe101⤵PID:2884
-
\??\c:\dppvv.exec:\dppvv.exe102⤵PID:4844
-
\??\c:\xrxfflf.exec:\xrxfflf.exe103⤵PID:3088
-
\??\c:\bntnhn.exec:\bntnhn.exe104⤵PID:3752
-
\??\c:\3pdjj.exec:\3pdjj.exe105⤵PID:4760
-
\??\c:\xrlfxff.exec:\xrlfxff.exe106⤵PID:4644
-
\??\c:\btbbbb.exec:\btbbbb.exe107⤵PID:5092
-
\??\c:\bbbbtt.exec:\bbbbtt.exe108⤵PID:3400
-
\??\c:\djpvj.exec:\djpvj.exe109⤵PID:3500
-
\??\c:\fxrrxfr.exec:\fxrrxfr.exe110⤵PID:4932
-
\??\c:\nhnhhh.exec:\nhnhhh.exe111⤵PID:648
-
\??\c:\hhttnn.exec:\hhttnn.exe112⤵PID:3036
-
\??\c:\jjdpj.exec:\jjdpj.exe113⤵PID:4296
-
\??\c:\9llfxxx.exec:\9llfxxx.exe114⤵PID:5056
-
\??\c:\hhbhhn.exec:\hhbhhn.exe115⤵PID:2720
-
\??\c:\djvpv.exec:\djvpv.exe116⤵PID:4432
-
\??\c:\lllllll.exec:\lllllll.exe117⤵PID:3008
-
\??\c:\nhbttn.exec:\nhbttn.exe118⤵PID:1964
-
\??\c:\bhnthn.exec:\bhnthn.exe119⤵PID:5060
-
\??\c:\dvvjj.exec:\dvvjj.exe120⤵PID:692
-
\??\c:\5rrxxlr.exec:\5rrxxlr.exe121⤵PID:908
-
\??\c:\ntbtbt.exec:\ntbtbt.exe122⤵PID:3928
-