Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 04:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe
-
Size
453KB
-
MD5
c5b5de336ea7eef236a9288b6b151c58
-
SHA1
cddfbc4f2a763e854eab6c59a006e5cfa9112f2b
-
SHA256
fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0
-
SHA512
5b5f8fc1d03318b05da3d5d3aefdc320d98a3c880f50c0706c66b404acb0bff96f13e590ea2ee19fd6af50f96dc5a81eec3f75add2e13913eb1667f1cbf8e81e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4456-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1608-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2544-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-837-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-913-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-989-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-1284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-1306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-1599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-1916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4720 3ttnhh.exe 3552 1rrllrx.exe 1104 ntttnn.exe 4888 jvppd.exe 2928 1pjdv.exe 2596 7flfxrx.exe 3616 nhnhbb.exe 1804 nhtbbh.exe 1772 tbnhtb.exe 32 vpvjv.exe 4968 flxrllx.exe 4312 btnhtt.exe 632 xrxllll.exe 1044 nhnnhh.exe 2220 bbbbbb.exe 3092 vvpdp.exe 5044 lxfxllf.exe 2348 hbnhnn.exe 4608 fxrlfll.exe 3588 ffxxllx.exe 2520 xrllflf.exe 4556 bbhbbb.exe 1528 7llrrfl.exe 3920 vvjjj.exe 2196 lffllrr.exe 1608 7lrrrxf.exe 2896 ppppp.exe 460 jpvpp.exe 4660 jdppd.exe 4268 hhbbbt.exe 2636 5hthtn.exe 3852 dddjj.exe 2592 1rxxflr.exe 3992 xrflllf.exe 1108 1tthbh.exe 1912 vppjv.exe 4184 rrxxrrr.exe 3124 fffflrr.exe 3520 thbbbb.exe 3148 jvdjj.exe 3724 frffffr.exe 3952 nbtnnn.exe 3556 ddvvj.exe 1960 lxlllll.exe 972 xfxxrrr.exe 820 bhbbbb.exe 4248 ppdjj.exe 1548 vpdjj.exe 4888 rrllxxr.exe 5100 htnnhb.exe 1712 pvppv.exe 1800 xrxxrff.exe 3036 frlllrr.exe 3196 1bnnnt.exe 4052 ppppp.exe 4564 jjpvd.exe 1804 bbttnt.exe 1292 tttnnt.exe 4952 5jvvv.exe 32 xxllllr.exe 1824 nnhhbh.exe 4876 pjdvd.exe 1516 7lxxrxx.exe 2512 xxllfrr.exe -
resource yara_rule behavioral2/memory/4456-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/460-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4660-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-913-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-989-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-1146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-1150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-1284-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rffrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrfff.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4456 wrote to memory of 4720 4456 fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe 82 PID 4456 wrote to memory of 4720 4456 fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe 82 PID 4456 wrote to memory of 4720 4456 fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe 82 PID 4720 wrote to memory of 3552 4720 3ttnhh.exe 83 PID 4720 wrote to memory of 3552 4720 3ttnhh.exe 83 PID 4720 wrote to memory of 3552 4720 3ttnhh.exe 83 PID 3552 wrote to memory of 1104 3552 1rrllrx.exe 84 PID 3552 wrote to memory of 1104 3552 1rrllrx.exe 84 PID 3552 wrote to memory of 1104 3552 1rrllrx.exe 84 PID 1104 wrote to memory of 4888 1104 ntttnn.exe 85 PID 1104 wrote to memory of 4888 1104 ntttnn.exe 85 PID 1104 wrote to memory of 4888 1104 ntttnn.exe 85 PID 4888 wrote to memory of 2928 4888 jvppd.exe 86 PID 4888 wrote to memory of 2928 4888 jvppd.exe 86 PID 4888 wrote to memory of 2928 4888 jvppd.exe 86 PID 2928 wrote to memory of 2596 2928 1pjdv.exe 87 PID 2928 wrote to memory of 2596 2928 1pjdv.exe 87 PID 2928 wrote to memory of 2596 2928 1pjdv.exe 87 PID 2596 wrote to memory of 3616 2596 7flfxrx.exe 88 PID 2596 wrote to memory of 3616 2596 7flfxrx.exe 88 PID 2596 wrote to memory of 3616 2596 7flfxrx.exe 88 PID 3616 wrote to memory of 1804 3616 nhnhbb.exe 89 PID 3616 wrote to memory of 1804 3616 nhnhbb.exe 89 PID 3616 wrote to memory of 1804 3616 nhnhbb.exe 89 PID 1804 wrote to memory of 1772 1804 nhtbbh.exe 90 PID 1804 wrote to memory of 1772 1804 nhtbbh.exe 90 PID 1804 wrote to memory of 1772 1804 nhtbbh.exe 90 PID 1772 wrote to memory of 32 1772 tbnhtb.exe 91 PID 1772 wrote to memory of 32 1772 tbnhtb.exe 91 PID 1772 wrote to memory of 32 1772 tbnhtb.exe 91 PID 32 wrote to memory of 4968 32 vpvjv.exe 92 PID 32 wrote to memory of 4968 32 vpvjv.exe 92 PID 32 wrote to memory of 4968 32 vpvjv.exe 92 PID 4968 wrote to memory of 4312 4968 flxrllx.exe 93 PID 4968 wrote to memory of 4312 4968 
flxrllx.exe 93 PID 4968 wrote to memory of 4312 4968 flxrllx.exe 93 PID 4312 wrote to memory of 632 4312 btnhtt.exe 94 PID 4312 wrote to memory of 632 4312 btnhtt.exe 94 PID 4312 wrote to memory of 632 4312 btnhtt.exe 94 PID 632 wrote to memory of 1044 632 xrxllll.exe 95 PID 632 wrote to memory of 1044 632 xrxllll.exe 95 PID 632 wrote to memory of 1044 632 xrxllll.exe 95 PID 1044 wrote to memory of 2220 1044 nhnnhh.exe 96 PID 1044 wrote to memory of 2220 1044 nhnnhh.exe 96 PID 1044 wrote to memory of 2220 1044 nhnnhh.exe 96 PID 2220 wrote to memory of 3092 2220 bbbbbb.exe 97 PID 2220 wrote to memory of 3092 2220 bbbbbb.exe 97 PID 2220 wrote to memory of 3092 2220 bbbbbb.exe 97 PID 3092 wrote to memory of 5044 3092 vvpdp.exe 98 PID 3092 wrote to memory of 5044 3092 vvpdp.exe 98 PID 3092 wrote to memory of 5044 3092 vvpdp.exe 98 PID 5044 wrote to memory of 2348 5044 lxfxllf.exe 99 PID 5044 wrote to memory of 2348 5044 lxfxllf.exe 99 PID 5044 wrote to memory of 2348 5044 lxfxllf.exe 99 PID 2348 wrote to memory of 4608 2348 hbnhnn.exe 100 PID 2348 wrote to memory of 4608 2348 hbnhnn.exe 100 PID 2348 wrote to memory of 4608 2348 hbnhnn.exe 100 PID 4608 wrote to memory of 3588 4608 fxrlfll.exe 101 PID 4608 wrote to memory of 3588 4608 fxrlfll.exe 101 PID 4608 wrote to memory of 3588 4608 fxrlfll.exe 101 PID 3588 wrote to memory of 2520 3588 ffxxllx.exe 102 PID 3588 wrote to memory of 2520 3588 ffxxllx.exe 102 PID 3588 wrote to memory of 2520 3588 ffxxllx.exe 102 PID 2520 wrote to memory of 4556 2520 xrllflf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe"C:\Users\Admin\AppData\Local\Temp\fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\3ttnhh.exec:\3ttnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\1rrllrx.exec:\1rrllrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\ntttnn.exec:\ntttnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\jvppd.exec:\jvppd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\1pjdv.exec:\1pjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\7flfxrx.exec:\7flfxrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\nhnhbb.exec:\nhnhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\nhtbbh.exec:\nhtbbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\tbnhtb.exec:\tbnhtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\vpvjv.exec:\vpvjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\flxrllx.exec:\flxrllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\btnhtt.exec:\btnhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\xrxllll.exec:\xrxllll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\nhnnhh.exec:\nhnnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\bbbbbb.exec:\bbbbbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\vvpdp.exec:\vvpdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\lxfxllf.exec:\lxfxllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\hbnhnn.exec:\hbnhnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\fxrlfll.exec:\fxrlfll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\ffxxllx.exec:\ffxxllx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\xrllflf.exec:\xrllflf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\bbhbbb.exec:\bbhbbb.exe23⤵
- Executes dropped EXE
PID:4556 -
\??\c:\7llrrfl.exec:\7llrrfl.exe24⤵
- Executes dropped EXE
PID:1528 -
\??\c:\vvjjj.exec:\vvjjj.exe25⤵
- Executes dropped EXE
PID:3920 -
\??\c:\lffllrr.exec:\lffllrr.exe26⤵
- Executes dropped EXE
PID:2196 -
\??\c:\7lrrrxf.exec:\7lrrrxf.exe27⤵
- Executes dropped EXE
PID:1608 -
\??\c:\ppppp.exec:\ppppp.exe28⤵
- Executes dropped EXE
PID:2896 -
\??\c:\jpvpp.exec:\jpvpp.exe29⤵
- Executes dropped EXE
PID:460 -
\??\c:\jdppd.exec:\jdppd.exe30⤵
- Executes dropped EXE
PID:4660 -
\??\c:\hhbbbt.exec:\hhbbbt.exe31⤵
- Executes dropped EXE
PID:4268 -
\??\c:\5hthtn.exec:\5hthtn.exe32⤵
- Executes dropped EXE
PID:2636 -
\??\c:\dddjj.exec:\dddjj.exe33⤵
- Executes dropped EXE
PID:3852 -
\??\c:\1rxxflr.exec:\1rxxflr.exe34⤵
- Executes dropped EXE
PID:2592 -
\??\c:\xrflllf.exec:\xrflllf.exe35⤵
- Executes dropped EXE
PID:3992 -
\??\c:\1tthbh.exec:\1tthbh.exe36⤵
- Executes dropped EXE
PID:1108 -
\??\c:\vppjv.exec:\vppjv.exe37⤵
- Executes dropped EXE
PID:1912 -
\??\c:\rrxxrrr.exec:\rrxxrrr.exe38⤵
- Executes dropped EXE
PID:4184 -
\??\c:\fffflrr.exec:\fffflrr.exe39⤵
- Executes dropped EXE
PID:3124 -
\??\c:\thbbbb.exec:\thbbbb.exe40⤵
- Executes dropped EXE
PID:3520 -
\??\c:\jvdjj.exec:\jvdjj.exe41⤵
- Executes dropped EXE
PID:3148 -
\??\c:\frffffr.exec:\frffffr.exe42⤵
- Executes dropped EXE
PID:3724 -
\??\c:\nbtnnn.exec:\nbtnnn.exe43⤵
- Executes dropped EXE
PID:3952 -
\??\c:\ddvvj.exec:\ddvvj.exe44⤵
- Executes dropped EXE
PID:3556 -
\??\c:\lxlllll.exec:\lxlllll.exe45⤵
- Executes dropped EXE
PID:1960 -
\??\c:\xfxxrrr.exec:\xfxxrrr.exe46⤵
- Executes dropped EXE
PID:972 -
\??\c:\bhbbbb.exec:\bhbbbb.exe47⤵
- Executes dropped EXE
PID:820 -
\??\c:\ppdjj.exec:\ppdjj.exe48⤵
- Executes dropped EXE
PID:4248 -
\??\c:\vpdjj.exec:\vpdjj.exe49⤵
- Executes dropped EXE
PID:1548 -
\??\c:\rrllxxr.exec:\rrllxxr.exe50⤵
- Executes dropped EXE
PID:4888 -
\??\c:\htnnhb.exec:\htnnhb.exe51⤵
- Executes dropped EXE
PID:5100 -
\??\c:\pvppv.exec:\pvppv.exe52⤵
- Executes dropped EXE
PID:1712 -
\??\c:\xrxxrff.exec:\xrxxrff.exe53⤵
- Executes dropped EXE
PID:1800 -
\??\c:\frlllrr.exec:\frlllrr.exe54⤵
- Executes dropped EXE
PID:3036 -
\??\c:\1bnnnt.exec:\1bnnnt.exe55⤵
- Executes dropped EXE
PID:3196 -
\??\c:\ppppp.exec:\ppppp.exe56⤵
- Executes dropped EXE
PID:4052 -
\??\c:\jjpvd.exec:\jjpvd.exe57⤵
- Executes dropped EXE
PID:4564 -
\??\c:\bbttnt.exec:\bbttnt.exe58⤵
- Executes dropped EXE
PID:1804 -
\??\c:\tttnnt.exec:\tttnnt.exe59⤵
- Executes dropped EXE
PID:1292 -
\??\c:\5jvvv.exec:\5jvvv.exe60⤵
- Executes dropped EXE
PID:4952 -
\??\c:\xxllllr.exec:\xxllllr.exe61⤵
- Executes dropped EXE
PID:32 -
\??\c:\nnhhbh.exec:\nnhhbh.exe62⤵
- Executes dropped EXE
PID:1824 -
\??\c:\pjdvd.exec:\pjdvd.exe63⤵
- Executes dropped EXE
PID:4876 -
\??\c:\7lxxrxx.exec:\7lxxrxx.exe64⤵
- Executes dropped EXE
PID:1516 -
\??\c:\xxllfrr.exec:\xxllfrr.exe65⤵
- Executes dropped EXE
PID:2512 -
\??\c:\thtttb.exec:\thtttb.exe66⤵PID:232
-
\??\c:\5jdvp.exec:\5jdvp.exe67⤵PID:2544
-
\??\c:\vvddd.exec:\vvddd.exe68⤵PID:3300
-
\??\c:\9lllfll.exec:\9lllfll.exe69⤵PID:2688
-
\??\c:\nbbbth.exec:\nbbbth.exe70⤵PID:5040
-
\??\c:\5pjjj.exec:\5pjjj.exe71⤵PID:1724
-
\??\c:\xxrxllr.exec:\xxrxllr.exe72⤵PID:1984
-
\??\c:\bthbbh.exec:\bthbbh.exe73⤵
- System Location Discovery: System Language Discovery
PID:864 -
\??\c:\7htthb.exec:\7htthb.exe74⤵PID:4464
-
\??\c:\pvjjd.exec:\pvjjd.exe75⤵PID:2520
-
\??\c:\xxrrrxf.exec:\xxrrrxf.exe76⤵PID:1036
-
\??\c:\hbtbtt.exec:\hbtbtt.exe77⤵PID:4776
-
\??\c:\jvvdv.exec:\jvvdv.exe78⤵PID:2940
-
\??\c:\5pjjp.exec:\5pjjp.exe79⤵PID:4936
-
\??\c:\xrxxxrr.exec:\xrxxxrr.exe80⤵PID:2880
-
\??\c:\hnbtnn.exec:\hnbtnn.exe81⤵PID:2044
-
\??\c:\hbnnnn.exec:\hbnnnn.exe82⤵PID:3772
-
\??\c:\ddjdd.exec:\ddjdd.exe83⤵PID:2740
-
\??\c:\rllrfll.exec:\rllrfll.exe84⤵PID:1396
-
\??\c:\bbhnnn.exec:\bbhnnn.exe85⤵PID:1068
-
\??\c:\vjvvv.exec:\vjvvv.exe86⤵PID:4660
-
\??\c:\9lxrxrx.exec:\9lxrxrx.exe87⤵PID:1992
-
\??\c:\5lrlrlr.exec:\5lrlrlr.exe88⤵PID:2796
-
\??\c:\tnhbhh.exec:\tnhbhh.exe89⤵PID:1644
-
\??\c:\ppvpj.exec:\ppvpj.exe90⤵PID:1668
-
\??\c:\rffrrfr.exec:\rffrrfr.exe91⤵PID:3756
-
\??\c:\hhtttb.exec:\hhtttb.exe92⤵PID:3188
-
\??\c:\1nnbhh.exec:\1nnbhh.exe93⤵PID:1876
-
\??\c:\5xfxxxx.exec:\5xfxxxx.exe94⤵PID:1912
-
\??\c:\xxrrlrx.exec:\xxrrlrx.exe95⤵PID:3016
-
\??\c:\htnttt.exec:\htnttt.exe96⤵PID:2432
-
\??\c:\jpddv.exec:\jpddv.exe97⤵PID:3520
-
\??\c:\3xlllrf.exec:\3xlllrf.exe98⤵PID:4348
-
\??\c:\nnthhh.exec:\nnthhh.exe99⤵PID:2024
-
\??\c:\jvjdd.exec:\jvjdd.exe100⤵PID:4328
-
\??\c:\llrllrr.exec:\llrllrr.exe101⤵PID:4472
-
\??\c:\3ttnbn.exec:\3ttnbn.exe102⤵PID:4944
-
\??\c:\5bhbnn.exec:\5bhbnn.exe103⤵PID:1028
-
\??\c:\3jjjv.exec:\3jjjv.exe104⤵PID:1784
-
\??\c:\xrlllff.exec:\xrlllff.exe105⤵PID:5076
-
\??\c:\nnnhbt.exec:\nnnhbt.exe106⤵PID:3572
-
\??\c:\hbnhhh.exec:\hbnhhh.exe107⤵PID:2928
-
\??\c:\5pppp.exec:\5pppp.exe108⤵PID:1616
-
\??\c:\lrxxrxx.exec:\lrxxrxx.exe109⤵PID:1712
-
\??\c:\hbnnnn.exec:\hbnnnn.exe110⤵PID:4856
-
\??\c:\dvvpj.exec:\dvvpj.exe111⤵PID:2904
-
\??\c:\xxxxfff.exec:\xxxxfff.exe112⤵PID:3196
-
\??\c:\btnhbb.exec:\btnhbb.exe113⤵PID:2784
-
\??\c:\hhtnhb.exec:\hhtnhb.exe114⤵PID:1136
-
\??\c:\dpvjv.exec:\dpvjv.exe115⤵PID:3984
-
\??\c:\fxlllxx.exec:\fxlllxx.exe116⤵PID:1772
-
\??\c:\bbhbbt.exec:\bbhbbt.exe117⤵PID:1916
-
\??\c:\jddvj.exec:\jddvj.exe118⤵PID:4024
-
\??\c:\7pvpd.exec:\7pvpd.exe119⤵PID:4968
-
\??\c:\xfllxxr.exec:\xfllxxr.exe120⤵PID:1484
-
\??\c:\1ttttt.exec:\1ttttt.exe121⤵PID:4612
-
\??\c:\1hhbbb.exec:\1hhbbb.exe122⤵PID:392