Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 08:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe
-
Size
453KB
-
MD5
53f9c062f1240d37518d3bd8f9315050
-
SHA1
aca5e95aa719d4557e67d129515d11c69e34a8e3
-
SHA256
5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314d
-
SHA512
a3f2b35bf1b876476599527614be0a1e718c1654a2ebd56deda028a27b5c62a7665c6f530a7dbe32aa5091adfa405b3ac093610424643af7f9351767a8cf0ecf
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/632-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2776-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3076-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-898-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-968-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-1032-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1680 lxxrllf.exe 1688 vppjd.exe 4068 nntnhb.exe 3480 vjdvp.exe 3080 04000.exe 3988 lfrllff.exe 3748 022600.exe 3292 0604404.exe 2932 nhhhbb.exe 1136 nthbbb.exe 2060 xlxlfrx.exe 1992 xfllxll.exe 3976 6004826.exe 1944 480488.exe 3012 862602.exe 4952 jdjdd.exe 3720 bhhbnn.exe 3948 s6442.exe 852 04260.exe 2848 dvpjd.exe 1520 06226.exe 2496 080484.exe 2132 thttnn.exe 2200 0840488.exe 4808 2882660.exe 2776 a4082.exe 1292 062600.exe 952 402604.exe 4720 062226.exe 448 vjppj.exe 3204 hhnhnn.exe 3060 26684.exe 5072 6820006.exe 2108 hhttbb.exe 4416 828822.exe 1172 04262.exe 4220 w44488.exe 2452 tbbtnn.exe 2468 7xrrrrl.exe 2768 nhhhbb.exe 2916 6682880.exe 2804 g2226.exe 620 284848.exe 3944 062600.exe 1452 bbnttn.exe 5096 6820662.exe 5084 1bttnn.exe 2672 rllfxrr.exe 2748 rflfxxx.exe 2284 hbbtnn.exe 1852 24208.exe 2892 fffrffr.exe 3616 ttthbb.exe 4068 66646.exe 3316 822260.exe 4188 8460882.exe 1240 c408422.exe 2840 nbbtnn.exe 3928 tnbnbt.exe 3292 4842082.exe 2356 64482.exe 2076 640824.exe 3348 06820.exe 372 vjvjv.exe -
resource yara_rule behavioral2/memory/632-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1292-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-352-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4228-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-898-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-968-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2820264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4844822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6022000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlxrfr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2026262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4660448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 666460.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i022606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4088006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2466048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w44488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 632 wrote to memory of 1680 632 5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe 83 PID 632 wrote to memory of 1680 632 5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe 83 PID 632 wrote to memory of 1680 632 5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe 83 PID 1680 wrote to memory of 1688 1680 lxxrllf.exe 84 PID 1680 wrote to memory of 1688 1680 lxxrllf.exe 84 PID 1680 wrote to memory of 1688 1680 lxxrllf.exe 84 PID 1688 wrote to memory of 4068 1688 vppjd.exe 85 PID 1688 wrote to memory of 4068 1688 vppjd.exe 85 PID 1688 wrote to memory of 4068 1688 vppjd.exe 85 PID 4068 wrote to memory of 3480 4068 nntnhb.exe 86 PID 4068 wrote to memory of 3480 4068 nntnhb.exe 86 PID 4068 wrote to memory of 3480 4068 nntnhb.exe 86 PID 3480 wrote to memory of 3080 3480 vjdvp.exe 87 PID 3480 wrote to memory of 3080 3480 vjdvp.exe 87 PID 3480 wrote to memory of 3080 3480 vjdvp.exe 87 PID 3080 wrote to memory of 3988 3080 04000.exe 88 PID 3080 wrote to memory of 3988 3080 04000.exe 88 PID 3080 wrote to memory of 3988 3080 04000.exe 88 PID 3988 wrote to memory of 3748 3988 lfrllff.exe 89 PID 3988 wrote to memory of 3748 3988 lfrllff.exe 89 PID 3988 wrote to memory of 3748 3988 lfrllff.exe 89 PID 3748 wrote to memory of 3292 3748 022600.exe 90 PID 3748 wrote to memory of 3292 3748 022600.exe 90 PID 3748 wrote to memory of 3292 3748 022600.exe 90 PID 3292 wrote to memory of 2932 3292 0604404.exe 91 PID 3292 wrote to memory of 2932 3292 0604404.exe 91 PID 3292 wrote to memory of 2932 3292 0604404.exe 91 PID 2932 wrote to memory of 1136 2932 nhhhbb.exe 92 PID 2932 wrote to memory of 1136 2932 nhhhbb.exe 92 PID 2932 wrote to memory of 1136 2932 nhhhbb.exe 92 PID 1136 wrote to memory of 2060 1136 nthbbb.exe 93 PID 1136 wrote to memory of 2060 1136 nthbbb.exe 93 PID 1136 wrote to memory of 2060 1136 nthbbb.exe 93 PID 2060 wrote to memory of 1992 2060 xlxlfrx.exe 94 PID 2060 wrote to 
memory of 1992 2060 xlxlfrx.exe 94 PID 2060 wrote to memory of 1992 2060 xlxlfrx.exe 94 PID 1992 wrote to memory of 3976 1992 xfllxll.exe 95 PID 1992 wrote to memory of 3976 1992 xfllxll.exe 95 PID 1992 wrote to memory of 3976 1992 xfllxll.exe 95 PID 3976 wrote to memory of 1944 3976 6004826.exe 96 PID 3976 wrote to memory of 1944 3976 6004826.exe 96 PID 3976 wrote to memory of 1944 3976 6004826.exe 96 PID 1944 wrote to memory of 3012 1944 480488.exe 97 PID 1944 wrote to memory of 3012 1944 480488.exe 97 PID 1944 wrote to memory of 3012 1944 480488.exe 97 PID 3012 wrote to memory of 4952 3012 862602.exe 98 PID 3012 wrote to memory of 4952 3012 862602.exe 98 PID 3012 wrote to memory of 4952 3012 862602.exe 98 PID 4952 wrote to memory of 3720 4952 jdjdd.exe 99 PID 4952 wrote to memory of 3720 4952 jdjdd.exe 99 PID 4952 wrote to memory of 3720 4952 jdjdd.exe 99 PID 3720 wrote to memory of 3948 3720 bhhbnn.exe 100 PID 3720 wrote to memory of 3948 3720 bhhbnn.exe 100 PID 3720 wrote to memory of 3948 3720 bhhbnn.exe 100 PID 3948 wrote to memory of 852 3948 s6442.exe 101 PID 3948 wrote to memory of 852 3948 s6442.exe 101 PID 3948 wrote to memory of 852 3948 s6442.exe 101 PID 852 wrote to memory of 2848 852 04260.exe 102 PID 852 wrote to memory of 2848 852 04260.exe 102 PID 852 wrote to memory of 2848 852 04260.exe 102 PID 2848 wrote to memory of 1520 2848 dvpjd.exe 103 PID 2848 wrote to memory of 1520 2848 dvpjd.exe 103 PID 2848 wrote to memory of 1520 2848 dvpjd.exe 103 PID 1520 wrote to memory of 2496 1520 06226.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe"C:\Users\Admin\AppData\Local\Temp\5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\lxxrllf.exec:\lxxrllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\vppjd.exec:\vppjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\nntnhb.exec:\nntnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\vjdvp.exec:\vjdvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\04000.exec:\04000.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\lfrllff.exec:\lfrllff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\022600.exec:\022600.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\0604404.exec:\0604404.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\nhhhbb.exec:\nhhhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\nthbbb.exec:\nthbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\xlxlfrx.exec:\xlxlfrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\xfllxll.exec:\xfllxll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\6004826.exec:\6004826.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\480488.exec:\480488.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\862602.exec:\862602.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\jdjdd.exec:\jdjdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\bhhbnn.exec:\bhhbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\s6442.exec:\s6442.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\04260.exec:\04260.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\dvpjd.exec:\dvpjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\06226.exec:\06226.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\080484.exec:\080484.exe23⤵
- Executes dropped EXE
PID:2496 -
\??\c:\thttnn.exec:\thttnn.exe24⤵
- Executes dropped EXE
PID:2132 -
\??\c:\0840488.exec:\0840488.exe25⤵
- Executes dropped EXE
PID:2200 -
\??\c:\2882660.exec:\2882660.exe26⤵
- Executes dropped EXE
PID:4808 -
\??\c:\a4082.exec:\a4082.exe27⤵
- Executes dropped EXE
PID:2776 -
\??\c:\062600.exec:\062600.exe28⤵
- Executes dropped EXE
PID:1292 -
\??\c:\402604.exec:\402604.exe29⤵
- Executes dropped EXE
PID:952 -
\??\c:\062226.exec:\062226.exe30⤵
- Executes dropped EXE
PID:4720 -
\??\c:\vjppj.exec:\vjppj.exe31⤵
- Executes dropped EXE
PID:448 -
\??\c:\hhnhnn.exec:\hhnhnn.exe32⤵
- Executes dropped EXE
PID:3204 -
\??\c:\26684.exec:\26684.exe33⤵
- Executes dropped EXE
PID:3060 -
\??\c:\6820006.exec:\6820006.exe34⤵
- Executes dropped EXE
PID:5072 -
\??\c:\hhttbb.exec:\hhttbb.exe35⤵
- Executes dropped EXE
PID:2108 -
\??\c:\828822.exec:\828822.exe36⤵
- Executes dropped EXE
PID:4416 -
\??\c:\04262.exec:\04262.exe37⤵
- Executes dropped EXE
PID:1172 -
\??\c:\w44488.exec:\w44488.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4220 -
\??\c:\tbbtnn.exec:\tbbtnn.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2452 -
\??\c:\7xrrrrl.exec:\7xrrrrl.exe40⤵
- Executes dropped EXE
PID:2468 -
\??\c:\nhhhbb.exec:\nhhhbb.exe41⤵
- Executes dropped EXE
PID:2768 -
\??\c:\6682880.exec:\6682880.exe42⤵
- Executes dropped EXE
PID:2916 -
\??\c:\g2226.exec:\g2226.exe43⤵
- Executes dropped EXE
PID:2804 -
\??\c:\284848.exec:\284848.exe44⤵
- Executes dropped EXE
PID:620 -
\??\c:\062600.exec:\062600.exe45⤵
- Executes dropped EXE
PID:3944 -
\??\c:\bbnttn.exec:\bbnttn.exe46⤵
- Executes dropped EXE
PID:1452 -
\??\c:\6820662.exec:\6820662.exe47⤵
- Executes dropped EXE
PID:5096 -
\??\c:\1bttnn.exec:\1bttnn.exe48⤵
- Executes dropped EXE
PID:5084 -
\??\c:\rllfxrr.exec:\rllfxrr.exe49⤵
- Executes dropped EXE
PID:2672 -
\??\c:\rflfxxx.exec:\rflfxxx.exe50⤵
- Executes dropped EXE
PID:2748 -
\??\c:\hbbtnn.exec:\hbbtnn.exe51⤵
- Executes dropped EXE
PID:2284 -
\??\c:\24208.exec:\24208.exe52⤵
- Executes dropped EXE
PID:1852 -
\??\c:\fffrffr.exec:\fffrffr.exe53⤵
- Executes dropped EXE
PID:2892 -
\??\c:\ttthbb.exec:\ttthbb.exe54⤵
- Executes dropped EXE
PID:3616 -
\??\c:\66646.exec:\66646.exe55⤵
- Executes dropped EXE
PID:4068 -
\??\c:\822260.exec:\822260.exe56⤵
- Executes dropped EXE
PID:3316 -
\??\c:\8460882.exec:\8460882.exe57⤵
- Executes dropped EXE
PID:4188 -
\??\c:\c408422.exec:\c408422.exe58⤵
- Executes dropped EXE
PID:1240 -
\??\c:\nbbtnn.exec:\nbbtnn.exe59⤵
- Executes dropped EXE
PID:2840 -
\??\c:\tnbnbt.exec:\tnbnbt.exe60⤵
- Executes dropped EXE
PID:3928 -
\??\c:\4842082.exec:\4842082.exe61⤵
- Executes dropped EXE
PID:3292 -
\??\c:\64482.exec:\64482.exe62⤵
- Executes dropped EXE
PID:2356 -
\??\c:\640824.exec:\640824.exe63⤵
- Executes dropped EXE
PID:2076 -
\??\c:\06820.exec:\06820.exe64⤵
- Executes dropped EXE
PID:3348 -
\??\c:\vjvjv.exec:\vjvjv.exe65⤵
- Executes dropped EXE
PID:372 -
\??\c:\4862262.exec:\4862262.exe66⤵PID:2060
-
\??\c:\pdvpj.exec:\pdvpj.exe67⤵PID:4432
-
\??\c:\0060448.exec:\0060448.exe68⤵PID:3744
-
\??\c:\44400.exec:\44400.exe69⤵PID:432
-
\??\c:\nnhbhh.exec:\nnhbhh.exe70⤵PID:2020
-
\??\c:\vppjd.exec:\vppjd.exe71⤵PID:5052
-
\??\c:\dpjdp.exec:\dpjdp.exe72⤵PID:320
-
\??\c:\bttnbb.exec:\bttnbb.exe73⤵PID:2536
-
\??\c:\666460.exec:\666460.exe74⤵
- System Location Discovery: System Language Discovery
PID:3076 -
\??\c:\lrlxlxl.exec:\lrlxlxl.exe75⤵PID:4180
-
\??\c:\80604.exec:\80604.exe76⤵PID:1908
-
\??\c:\20026.exec:\20026.exe77⤵PID:852
-
\??\c:\4844822.exec:\4844822.exe78⤵
- System Location Discovery: System Language Discovery
PID:2488 -
\??\c:\244208.exec:\244208.exe79⤵PID:1520
-
\??\c:\frxrffr.exec:\frxrffr.exe80⤵PID:376
-
\??\c:\684482.exec:\684482.exe81⤵PID:2040
-
\??\c:\jvpdp.exec:\jvpdp.exe82⤵PID:4092
-
\??\c:\fxxrllr.exec:\fxxrllr.exe83⤵PID:2624
-
\??\c:\u624848.exec:\u624848.exe84⤵PID:4228
-
\??\c:\djjvj.exec:\djjvj.exe85⤵PID:3848
-
\??\c:\200644.exec:\200644.exe86⤵PID:2776
-
\??\c:\vdvjd.exec:\vdvjd.exe87⤵PID:2796
-
\??\c:\26888.exec:\26888.exe88⤵PID:916
-
\??\c:\9frfxrf.exec:\9frfxrf.exe89⤵PID:936
-
\??\c:\024488.exec:\024488.exe90⤵PID:4720
-
\??\c:\bntthh.exec:\bntthh.exe91⤵PID:5068
-
\??\c:\60486.exec:\60486.exe92⤵PID:648
-
\??\c:\0868268.exec:\0868268.exe93⤵PID:1672
-
\??\c:\6228888.exec:\6228888.exe94⤵PID:2928
-
\??\c:\jdddv.exec:\jdddv.exe95⤵PID:772
-
\??\c:\c844226.exec:\c844226.exe96⤵PID:2056
-
\??\c:\pdpjv.exec:\pdpjv.exe97⤵PID:2724
-
\??\c:\42800.exec:\42800.exe98⤵PID:3920
-
\??\c:\24042.exec:\24042.exe99⤵PID:1264
-
\??\c:\6220826.exec:\6220826.exe100⤵PID:4344
-
\??\c:\llxxfxf.exec:\llxxfxf.exe101⤵PID:3908
-
\??\c:\3nbbtt.exec:\3nbbtt.exe102⤵PID:3128
-
\??\c:\pdjpd.exec:\pdjpd.exe103⤵PID:2280
-
\??\c:\vpvpd.exec:\vpvpd.exe104⤵PID:4392
-
\??\c:\vjpdv.exec:\vjpdv.exe105⤵PID:2804
-
\??\c:\lffxxxr.exec:\lffxxxr.exe106⤵PID:1068
-
\??\c:\o282888.exec:\o282888.exe107⤵PID:2828
-
\??\c:\68444.exec:\68444.exe108⤵PID:1000
-
\??\c:\846422.exec:\846422.exe109⤵PID:1040
-
\??\c:\66648.exec:\66648.exe110⤵PID:5096
-
\??\c:\g0264.exec:\g0264.exe111⤵PID:4320
-
\??\c:\1rrlllf.exec:\1rrlllf.exe112⤵PID:2852
-
\??\c:\686004.exec:\686004.exe113⤵PID:2044
-
\??\c:\06860.exec:\06860.exe114⤵PID:4452
-
\??\c:\664482.exec:\664482.exe115⤵PID:4236
-
\??\c:\ppvpd.exec:\ppvpd.exe116⤵PID:4844
-
\??\c:\nbbthh.exec:\nbbthh.exe117⤵PID:5076
-
\??\c:\206088.exec:\206088.exe118⤵PID:3620
-
\??\c:\k00482.exec:\k00482.exe119⤵PID:2392
-
\??\c:\vpppp.exec:\vpppp.exe120⤵PID:4828
-
\??\c:\84046.exec:\84046.exe121⤵PID:2160
-
\??\c:\646088.exec:\646088.exe122⤵PID:4868