Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25/12/2024, 20:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5e7ee6f77a16827e078a82e31cb05f18d1685cd2d193ae857660dc11c8445b78N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
5e7ee6f77a16827e078a82e31cb05f18d1685cd2d193ae857660dc11c8445b78N.exe
-
Size
454KB
-
MD5
0edb67368dda364a94cc97881fdd1030
-
SHA1
c2a1f9b108243190381b55dc9675b9ab282d62e6
-
SHA256
5e7ee6f77a16827e078a82e31cb05f18d1685cd2d193ae857660dc11c8445b78
-
SHA512
fa2f71b58642dceee29b4043ae9496f112e76382de516acd55a3004b904920c85c5e3ee7dd1889448250a5284db08a614dadc2aaa8f96c9cd078e46346ad2736
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetf:q7Tc2NYHUrAwfMp3CDtf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/220-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1920-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4160-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-890-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-1278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 220 ffxxfff.exe 2068 thnntn.exe 4264 lxxrxxf.exe 4348 dpdvv.exe 1968 fxxrllf.exe 4752 rllfxxr.exe 3584 jjddv.exe 628 jjpjd.exe 1052 3rlfxxr.exe 4776 1rlrflf.exe 2156 3tbnhb.exe 4248 ddjdp.exe 3960 rlrlfff.exe 3028 nhtnht.exe 1656 vpdpp.exe 3988 7frlxxr.exe 760 xrffrfr.exe 4088 djjdj.exe 2976 dvvjd.exe 4908 frfrlfx.exe 1680 nhtnbb.exe 3172 vdvvp.exe 4628 xrxxxxx.exe 5048 jjjdv.exe 2752 bnhhhn.exe 1920 5hnnhn.exe 3040 jvppj.exe 3500 rlfxrlf.exe 4584 1nttbh.exe 4808 pdpjp.exe 2516 flffxfx.exe 1976 5rxxxff.exe 2932 tnbttb.exe 4548 dpddj.exe 1664 flllfll.exe 1476 ffxxrrl.exe 3624 bhbtbb.exe 4996 xlrrllr.exe 2600 7pvvd.exe 1036 lrrlffx.exe 4440 tbbbhn.exe 392 pvjdp.exe 3476 rllllll.exe 2992 tbbttn.exe 3772 jvdpv.exe 3012 7lxrlrr.exe 3760 thhhhh.exe 4748 9ddvv.exe 2636 frrrlrl.exe 4580 pvjjj.exe 1040 jvvvp.exe 2868 xlffxxr.exe 1188 vvdjj.exe 628 xfrflff.exe 908 xfrxllx.exe 1880 jpvdp.exe 1092 vpvvd.exe 4964 thttnt.exe 3628 tbthhh.exe 2460 jjjjp.exe 1068 rrfffff.exe 3540 nttttt.exe 3988 lxxxrrr.exe 760 bhtnnb.exe -
resource yara_rule behavioral2/memory/220-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1920-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-386-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4756-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-751-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lllrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhbh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1928 wrote to memory of 220 1928 5e7ee6f77a16827e078a82e31cb05f18d1685cd2d193ae857660dc11c8445b78N.exe 83 PID 1928 wrote to memory of 220 1928 5e7ee6f77a16827e078a82e31cb05f18d1685cd2d193ae857660dc11c8445b78N.exe 83 PID 1928 wrote to memory of 220 1928 5e7ee6f77a16827e078a82e31cb05f18d1685cd2d193ae857660dc11c8445b78N.exe 83 PID 220 wrote to memory of 2068 220 ffxxfff.exe 84 PID 220 wrote to memory of 2068 220 ffxxfff.exe 84 PID 220 wrote to memory of 2068 220 ffxxfff.exe 84 PID 2068 wrote to memory of 4264 2068 thnntn.exe 85 PID 2068 wrote to memory of 4264 2068 thnntn.exe 85 PID 2068 wrote to memory of 4264 2068 thnntn.exe 85 PID 4264 wrote to memory of 4348 4264 lxxrxxf.exe 86 PID 4264 wrote to memory of 4348 4264 lxxrxxf.exe 86 PID 4264 wrote to memory of 4348 4264 lxxrxxf.exe 86 PID 4348 wrote to memory of 1968 4348 dpdvv.exe 87 PID 4348 wrote to memory of 1968 4348 dpdvv.exe 87 PID 4348 wrote to memory of 1968 4348 dpdvv.exe 87 PID 1968 wrote to memory of 4752 1968 fxxrllf.exe 88 PID 1968 wrote to memory of 4752 1968 fxxrllf.exe 88 PID 1968 wrote to memory of 4752 1968 fxxrllf.exe 88 PID 4752 wrote to memory of 3584 4752 rllfxxr.exe 89 PID 4752 wrote to memory of 3584 4752 rllfxxr.exe 89 PID 4752 wrote to memory of 3584 4752 rllfxxr.exe 89 PID 3584 wrote to memory of 628 3584 jjddv.exe 90 PID 3584 wrote to memory of 628 3584 jjddv.exe 90 PID 3584 wrote to memory of 628 3584 jjddv.exe 90 PID 628 wrote to memory of 1052 628 jjpjd.exe 91 PID 628 wrote to memory of 1052 628 jjpjd.exe 91 PID 628 wrote to memory of 1052 628 jjpjd.exe 91 PID 1052 wrote to memory of 4776 1052 3rlfxxr.exe 92 PID 1052 wrote to memory of 4776 1052 3rlfxxr.exe 92 PID 1052 wrote to memory of 4776 1052 3rlfxxr.exe 92 PID 4776 wrote to memory of 2156 4776 1rlrflf.exe 93 PID 4776 wrote to memory of 2156 4776 1rlrflf.exe 93 PID 4776 wrote to memory of 2156 4776 1rlrflf.exe 93 PID 2156 wrote to memory of 4248 2156 3tbnhb.exe 94 PID 2156 wrote to memory 
of 4248 2156 3tbnhb.exe 94 PID 2156 wrote to memory of 4248 2156 3tbnhb.exe 94 PID 4248 wrote to memory of 3960 4248 ddjdp.exe 95 PID 4248 wrote to memory of 3960 4248 ddjdp.exe 95 PID 4248 wrote to memory of 3960 4248 ddjdp.exe 95 PID 3960 wrote to memory of 3028 3960 rlrlfff.exe 96 PID 3960 wrote to memory of 3028 3960 rlrlfff.exe 96 PID 3960 wrote to memory of 3028 3960 rlrlfff.exe 96 PID 3028 wrote to memory of 1656 3028 nhtnht.exe 97 PID 3028 wrote to memory of 1656 3028 nhtnht.exe 97 PID 3028 wrote to memory of 1656 3028 nhtnht.exe 97 PID 1656 wrote to memory of 3988 1656 vpdpp.exe 98 PID 1656 wrote to memory of 3988 1656 vpdpp.exe 98 PID 1656 wrote to memory of 3988 1656 vpdpp.exe 98 PID 3988 wrote to memory of 760 3988 7frlxxr.exe 99 PID 3988 wrote to memory of 760 3988 7frlxxr.exe 99 PID 3988 wrote to memory of 760 3988 7frlxxr.exe 99 PID 760 wrote to memory of 4088 760 xrffrfr.exe 100 PID 760 wrote to memory of 4088 760 xrffrfr.exe 100 PID 760 wrote to memory of 4088 760 xrffrfr.exe 100 PID 4088 wrote to memory of 2976 4088 djjdj.exe 101 PID 4088 wrote to memory of 2976 4088 djjdj.exe 101 PID 4088 wrote to memory of 2976 4088 djjdj.exe 101 PID 2976 wrote to memory of 4908 2976 dvvjd.exe 102 PID 2976 wrote to memory of 4908 2976 dvvjd.exe 102 PID 2976 wrote to memory of 4908 2976 dvvjd.exe 102 PID 4908 wrote to memory of 1680 4908 frfrlfx.exe 103 PID 4908 wrote to memory of 1680 4908 frfrlfx.exe 103 PID 4908 wrote to memory of 1680 4908 frfrlfx.exe 103 PID 1680 wrote to memory of 3172 1680 nhtnbb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e7ee6f77a16827e078a82e31cb05f18d1685cd2d193ae857660dc11c8445b78N.exe"C:\Users\Admin\AppData\Local\Temp\5e7ee6f77a16827e078a82e31cb05f18d1685cd2d193ae857660dc11c8445b78N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\ffxxfff.exec:\ffxxfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\thnntn.exec:\thnntn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\lxxrxxf.exec:\lxxrxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\dpdvv.exec:\dpdvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\fxxrllf.exec:\fxxrllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\rllfxxr.exec:\rllfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\jjddv.exec:\jjddv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\jjpjd.exec:\jjpjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\3rlfxxr.exec:\3rlfxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\1rlrflf.exec:\1rlrflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\3tbnhb.exec:\3tbnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\ddjdp.exec:\ddjdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\rlrlfff.exec:\rlrlfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\nhtnht.exec:\nhtnht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\vpdpp.exec:\vpdpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\7frlxxr.exec:\7frlxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\xrffrfr.exec:\xrffrfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\djjdj.exec:\djjdj.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\dvvjd.exec:\dvvjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\frfrlfx.exec:\frfrlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\nhtnbb.exec:\nhtnbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\vdvvp.exec:\vdvvp.exe23⤵
- Executes dropped EXE
PID:3172 -
\??\c:\xrxxxxx.exec:\xrxxxxx.exe24⤵
- Executes dropped EXE
PID:4628 -
\??\c:\jjjdv.exec:\jjjdv.exe25⤵
- Executes dropped EXE
PID:5048 -
\??\c:\bnhhhn.exec:\bnhhhn.exe26⤵
- Executes dropped EXE
PID:2752 -
\??\c:\5hnnhn.exec:\5hnnhn.exe27⤵
- Executes dropped EXE
PID:1920 -
\??\c:\jvppj.exec:\jvppj.exe28⤵
- Executes dropped EXE
PID:3040 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe29⤵
- Executes dropped EXE
PID:3500 -
\??\c:\1nttbh.exec:\1nttbh.exe30⤵
- Executes dropped EXE
PID:4584 -
\??\c:\pdpjp.exec:\pdpjp.exe31⤵
- Executes dropped EXE
PID:4808 -
\??\c:\flffxfx.exec:\flffxfx.exe32⤵
- Executes dropped EXE
PID:2516 -
\??\c:\5rxxxff.exec:\5rxxxff.exe33⤵
- Executes dropped EXE
PID:1976 -
\??\c:\tnbttb.exec:\tnbttb.exe34⤵
- Executes dropped EXE
PID:2932 -
\??\c:\dpddj.exec:\dpddj.exe35⤵
- Executes dropped EXE
PID:4548 -
\??\c:\flllfll.exec:\flllfll.exe36⤵
- Executes dropped EXE
PID:1664 -
\??\c:\ffxxrrl.exec:\ffxxrrl.exe37⤵
- Executes dropped EXE
PID:1476 -
\??\c:\bhbtbb.exec:\bhbtbb.exe38⤵
- Executes dropped EXE
PID:3624 -
\??\c:\xlrrllr.exec:\xlrrllr.exe39⤵
- Executes dropped EXE
PID:4996 -
\??\c:\7pvvd.exec:\7pvvd.exe40⤵
- Executes dropped EXE
PID:2600 -
\??\c:\lrrlffx.exec:\lrrlffx.exe41⤵
- Executes dropped EXE
PID:1036 -
\??\c:\tbbbhn.exec:\tbbbhn.exe42⤵
- Executes dropped EXE
PID:4440 -
\??\c:\pvjdp.exec:\pvjdp.exe43⤵
- Executes dropped EXE
PID:392 -
\??\c:\rllllll.exec:\rllllll.exe44⤵
- Executes dropped EXE
PID:3476 -
\??\c:\tbbttn.exec:\tbbttn.exe45⤵
- Executes dropped EXE
PID:2992 -
\??\c:\jvdpv.exec:\jvdpv.exe46⤵
- Executes dropped EXE
PID:3772 -
\??\c:\7lxrlrr.exec:\7lxrlrr.exe47⤵
- Executes dropped EXE
PID:3012 -
\??\c:\thhhhh.exec:\thhhhh.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3760 -
\??\c:\9ddvv.exec:\9ddvv.exe49⤵
- Executes dropped EXE
PID:4748 -
\??\c:\frrrlrl.exec:\frrrlrl.exe50⤵
- Executes dropped EXE
PID:2636 -
\??\c:\pvjjj.exec:\pvjjj.exe51⤵
- Executes dropped EXE
PID:4580 -
\??\c:\jvvvp.exec:\jvvvp.exe52⤵
- Executes dropped EXE
PID:1040 -
\??\c:\xlffxxr.exec:\xlffxxr.exe53⤵
- Executes dropped EXE
PID:2868 -
\??\c:\vvdjj.exec:\vvdjj.exe54⤵
- Executes dropped EXE
PID:1188 -
\??\c:\xfrflff.exec:\xfrflff.exe55⤵
- Executes dropped EXE
PID:628 -
\??\c:\xfrxllx.exec:\xfrxllx.exe56⤵
- Executes dropped EXE
PID:908 -
\??\c:\jpvdp.exec:\jpvdp.exe57⤵
- Executes dropped EXE
PID:1880 -
\??\c:\vpvvd.exec:\vpvvd.exe58⤵
- Executes dropped EXE
PID:1092 -
\??\c:\thttnt.exec:\thttnt.exe59⤵
- Executes dropped EXE
PID:4964 -
\??\c:\tbthhh.exec:\tbthhh.exe60⤵
- Executes dropped EXE
PID:3628 -
\??\c:\jjjjp.exec:\jjjjp.exe61⤵
- Executes dropped EXE
PID:2460 -
\??\c:\rrfffff.exec:\rrfffff.exe62⤵
- Executes dropped EXE
PID:1068 -
\??\c:\nttttt.exec:\nttttt.exe63⤵
- Executes dropped EXE
PID:3540 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe64⤵
- Executes dropped EXE
PID:3988 -
\??\c:\bhtnnb.exec:\bhtnnb.exe65⤵
- Executes dropped EXE
PID:760 -
\??\c:\jvpjj.exec:\jvpjj.exe66⤵PID:1636
-
\??\c:\1lffxrr.exec:\1lffxrr.exe67⤵PID:4936
-
\??\c:\btbbhh.exec:\btbbhh.exe68⤵PID:4508
-
\??\c:\vvpvp.exec:\vvpvp.exe69⤵PID:4764
-
\??\c:\1xlfxlf.exec:\1xlfxlf.exe70⤵PID:4784
-
\??\c:\tnnhth.exec:\tnnhth.exe71⤵PID:468
-
\??\c:\7tbbnt.exec:\7tbbnt.exe72⤵PID:892
-
\??\c:\pjppp.exec:\pjppp.exe73⤵PID:5088
-
\??\c:\xflllll.exec:\xflllll.exe74⤵PID:2412
-
\??\c:\hhhhhh.exec:\hhhhhh.exe75⤵PID:3376
-
\??\c:\vdppp.exec:\vdppp.exe76⤵PID:1728
-
\??\c:\1jpjj.exec:\1jpjj.exe77⤵PID:4160
-
\??\c:\fffxrrl.exec:\fffxrrl.exe78⤵PID:2424
-
\??\c:\3tnnnn.exec:\3tnnnn.exe79⤵PID:1520
-
\??\c:\dpppp.exec:\dpppp.exe80⤵PID:2712
-
\??\c:\vddvp.exec:\vddvp.exe81⤵PID:3224
-
\??\c:\frffxfl.exec:\frffxfl.exe82⤵PID:4856
-
\??\c:\nnhhnt.exec:\nnhhnt.exe83⤵PID:3132
-
\??\c:\dpvvv.exec:\dpvvv.exe84⤵PID:3196
-
\??\c:\rrrrlrx.exec:\rrrrlrx.exe85⤵PID:5036
-
\??\c:\bbnnbb.exec:\bbnnbb.exe86⤵PID:4860
-
\??\c:\3btnbn.exec:\3btnbn.exe87⤵PID:3020
-
\??\c:\ppdjj.exec:\ppdjj.exe88⤵PID:4832
-
\??\c:\9fllllf.exec:\9fllllf.exe89⤵PID:3428
-
\??\c:\bbbbhn.exec:\bbbbhn.exe90⤵PID:2852
-
\??\c:\hnbbtb.exec:\hnbbtb.exe91⤵PID:3216
-
\??\c:\pdjjj.exec:\pdjjj.exe92⤵PID:3708
-
\??\c:\vjdvd.exec:\vjdvd.exe93⤵PID:2012
-
\??\c:\fllxxff.exec:\fllxxff.exe94⤵PID:4756
-
\??\c:\9bhbbh.exec:\9bhbbh.exe95⤵PID:4168
-
\??\c:\9pppj.exec:\9pppj.exe96⤵PID:4428
-
\??\c:\9rlfffx.exec:\9rlfffx.exe97⤵PID:4424
-
\??\c:\lfxxxff.exec:\lfxxxff.exe98⤵PID:4440
-
\??\c:\hbhhbh.exec:\hbhhbh.exe99⤵PID:1928
-
\??\c:\5vdvv.exec:\5vdvv.exe100⤵PID:208
-
\??\c:\rfllrrf.exec:\rfllrrf.exe101⤵PID:1904
-
\??\c:\7htnbb.exec:\7htnbb.exe102⤵PID:2996
-
\??\c:\nbnhhh.exec:\nbnhhh.exe103⤵PID:3888
-
\??\c:\ddppv.exec:\ddppv.exe104⤵PID:3640
-
\??\c:\xrfffll.exec:\xrfffll.exe105⤵PID:3012
-
\??\c:\bhhntt.exec:\bhhntt.exe106⤵PID:4804
-
\??\c:\pvddv.exec:\pvddv.exe107⤵PID:3292
-
\??\c:\5rxxflf.exec:\5rxxflf.exe108⤵PID:4748
-
\??\c:\nnnnhn.exec:\nnnnhn.exe109⤵PID:2636
-
\??\c:\vdpjd.exec:\vdpjd.exe110⤵PID:4092
-
\??\c:\pjdvv.exec:\pjdvv.exe111⤵PID:1364
-
\??\c:\1fxrflf.exec:\1fxrflf.exe112⤵PID:852
-
\??\c:\hntbht.exec:\hntbht.exe113⤵PID:556
-
\??\c:\dpddj.exec:\dpddj.exe114⤵PID:1604
-
\??\c:\rxrlffl.exec:\rxrlffl.exe115⤵PID:5056
-
\??\c:\hnbhhh.exec:\hnbhhh.exe116⤵PID:2692
-
\??\c:\bbbbnn.exec:\bbbbnn.exe117⤵PID:2308
-
\??\c:\pdpdd.exec:\pdpdd.exe118⤵PID:3048
-
\??\c:\flxrfff.exec:\flxrfff.exe119⤵PID:4248
-
\??\c:\5xllllf.exec:\5xllllf.exe120⤵PID:3960
-
\??\c:\hnhhhh.exec:\hnhhhh.exe121⤵PID:3740
-
\??\c:\vdppj.exec:\vdppj.exe122⤵PID:2584