Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 20:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
05270bc2674c8f7deb49aa1456d17f8a594215f17bab0ca2b2f3e57e6ee54dd8.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
05270bc2674c8f7deb49aa1456d17f8a594215f17bab0ca2b2f3e57e6ee54dd8.exe
-
Size
454KB
-
MD5
3a3b29a9d42ab054c03118d320b88ad8
-
SHA1
828d4b5f22bb2275535d253f06c78f285388e4b8
-
SHA256
05270bc2674c8f7deb49aa1456d17f8a594215f17bab0ca2b2f3e57e6ee54dd8
-
SHA512
688d58d920bed0335fc9b2e4f96a2387673fa6f747080e5d53d48509afab22e2de079c0e683b09fc7c2ff705d42b9e9a9db0e2cfbf047771b5658dc8601092d1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeh:q7Tc2NYHUrAwfMp3CDh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2612-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4864-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4104-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-1292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-1509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-1586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4608 flrlxfr.exe 5024 nnbnnt.exe 3752 jdddd.exe 3968 1rlxxfx.exe 1500 thnhhh.exe 2532 llllrrx.exe 380 pddjj.exe 4812 lxflllr.exe 1108 jvjjj.exe 2028 xfffrxl.exe 2232 pjvvv.exe 3024 vpddd.exe 428 lxllrxx.exe 208 jvjjj.exe 4492 rxlrlxr.exe 100 llrlfrr.exe 4860 xrlllll.exe 4052 vpddd.exe 2892 llfrrxx.exe 3608 hnttnt.exe 4016 jjddp.exe 648 lxrllff.exe 1944 3jvdv.exe 2464 lfrlllf.exe 4864 xfrrxff.exe 2364 hnbhtb.exe 2288 9jdjv.exe 4792 llxffff.exe 4240 xllrrrr.exe 5016 pvdpd.exe 2408 3nttbh.exe 4360 pppjd.exe 4064 pdvvv.exe 5020 jvjjd.exe 4892 ffxrlff.exe 2236 vvjdv.exe 3032 5xxrxll.exe 2872 dpvvj.exe 2344 bbbbbh.exe 4468 xrffrrx.exe 540 ppppj.exe 1748 ddjdd.exe 4580 xrllrll.exe 1632 nbnbtn.exe 1988 dvdjj.exe 4516 llfxxrr.exe 3760 nthhht.exe 1328 nnnnnt.exe 888 jvddj.exe 4448 lrxffrx.exe 1784 tnbbbb.exe 5052 jvjjj.exe 2500 rfrllff.exe 452 htnntb.exe 4920 jjdjj.exe 3752 1rllxfr.exe 3980 bbtnnb.exe 1804 bbtttn.exe 3536 jdvvv.exe 4532 xrlxfxf.exe 3144 hbnntt.exe 2512 jjpvp.exe 620 llrfxxx.exe 1532 7thhnn.exe -
resource yara_rule behavioral2/memory/2612-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4864-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-359-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4464-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-726-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2612 wrote to memory of 4608 2612 05270bc2674c8f7deb49aa1456d17f8a594215f17bab0ca2b2f3e57e6ee54dd8.exe 83 PID 2612 wrote to memory of 4608 2612 05270bc2674c8f7deb49aa1456d17f8a594215f17bab0ca2b2f3e57e6ee54dd8.exe 83 PID 2612 wrote to memory of 4608 2612 05270bc2674c8f7deb49aa1456d17f8a594215f17bab0ca2b2f3e57e6ee54dd8.exe 83 PID 4608 wrote to memory of 5024 4608 flrlxfr.exe 84 PID 4608 wrote to memory of 5024 4608 flrlxfr.exe 84 PID 4608 wrote to memory of 5024 4608 flrlxfr.exe 84 PID 5024 wrote to memory of 3752 5024 nnbnnt.exe 85 PID 5024 wrote to memory of 3752 5024 nnbnnt.exe 85 PID 5024 wrote to memory of 3752 5024 nnbnnt.exe 85 PID 3752 wrote to memory of 3968 3752 jdddd.exe 86 PID 3752 wrote to memory of 3968 3752 jdddd.exe 86 PID 3752 wrote to memory of 3968 3752 jdddd.exe 86 PID 3968 wrote to memory of 1500 3968 1rlxxfx.exe 87 PID 3968 wrote to memory of 1500 3968 1rlxxfx.exe 87 PID 3968 wrote to memory of 1500 3968 1rlxxfx.exe 87 PID 1500 wrote to memory of 2532 1500 thnhhh.exe 88 PID 1500 wrote to memory of 2532 1500 thnhhh.exe 88 PID 1500 wrote to memory of 2532 1500 thnhhh.exe 88 PID 2532 wrote to memory of 380 2532 llllrrx.exe 89 PID 2532 wrote to memory of 380 2532 llllrrx.exe 89 PID 2532 wrote to memory of 380 2532 llllrrx.exe 89 PID 380 wrote to memory of 4812 380 pddjj.exe 90 PID 380 wrote to memory of 4812 380 pddjj.exe 90 PID 380 wrote to memory of 4812 380 pddjj.exe 90 PID 4812 wrote to memory of 1108 4812 lxflllr.exe 91 PID 4812 wrote to memory of 1108 4812 lxflllr.exe 91 PID 4812 wrote to memory of 1108 4812 lxflllr.exe 91 PID 1108 wrote to memory of 2028 1108 jvjjj.exe 92 PID 1108 wrote to memory of 2028 1108 jvjjj.exe 92 PID 1108 wrote to memory of 2028 1108 jvjjj.exe 92 PID 2028 wrote to memory of 2232 2028 xfffrxl.exe 93 PID 2028 wrote to memory of 2232 2028 xfffrxl.exe 93 PID 2028 wrote to memory of 2232 2028 xfffrxl.exe 93 PID 2232 wrote to memory of 3024 2232 pjvvv.exe 94 PID 2232 wrote to 
memory of 3024 2232 pjvvv.exe 94 PID 2232 wrote to memory of 3024 2232 pjvvv.exe 94 PID 3024 wrote to memory of 428 3024 vpddd.exe 95 PID 3024 wrote to memory of 428 3024 vpddd.exe 95 PID 3024 wrote to memory of 428 3024 vpddd.exe 95 PID 428 wrote to memory of 208 428 lxllrxx.exe 96 PID 428 wrote to memory of 208 428 lxllrxx.exe 96 PID 428 wrote to memory of 208 428 lxllrxx.exe 96 PID 208 wrote to memory of 4492 208 jvjjj.exe 97 PID 208 wrote to memory of 4492 208 jvjjj.exe 97 PID 208 wrote to memory of 4492 208 jvjjj.exe 97 PID 4492 wrote to memory of 100 4492 rxlrlxr.exe 98 PID 4492 wrote to memory of 100 4492 rxlrlxr.exe 98 PID 4492 wrote to memory of 100 4492 rxlrlxr.exe 98 PID 100 wrote to memory of 4860 100 llrlfrr.exe 99 PID 100 wrote to memory of 4860 100 llrlfrr.exe 99 PID 100 wrote to memory of 4860 100 llrlfrr.exe 99 PID 4860 wrote to memory of 4052 4860 xrlllll.exe 100 PID 4860 wrote to memory of 4052 4860 xrlllll.exe 100 PID 4860 wrote to memory of 4052 4860 xrlllll.exe 100 PID 4052 wrote to memory of 2892 4052 vpddd.exe 101 PID 4052 wrote to memory of 2892 4052 vpddd.exe 101 PID 4052 wrote to memory of 2892 4052 vpddd.exe 101 PID 2892 wrote to memory of 3608 2892 llfrrxx.exe 102 PID 2892 wrote to memory of 3608 2892 llfrrxx.exe 102 PID 2892 wrote to memory of 3608 2892 llfrrxx.exe 102 PID 3608 wrote to memory of 4016 3608 hnttnt.exe 103 PID 3608 wrote to memory of 4016 3608 hnttnt.exe 103 PID 3608 wrote to memory of 4016 3608 hnttnt.exe 103 PID 4016 wrote to memory of 648 4016 jjddp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\05270bc2674c8f7deb49aa1456d17f8a594215f17bab0ca2b2f3e57e6ee54dd8.exe"C:\Users\Admin\AppData\Local\Temp\05270bc2674c8f7deb49aa1456d17f8a594215f17bab0ca2b2f3e57e6ee54dd8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\flrlxfr.exec:\flrlxfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\nnbnnt.exec:\nnbnnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\jdddd.exec:\jdddd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\1rlxxfx.exec:\1rlxxfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\thnhhh.exec:\thnhhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\llllrrx.exec:\llllrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\pddjj.exec:\pddjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\lxflllr.exec:\lxflllr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\jvjjj.exec:\jvjjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\xfffrxl.exec:\xfffrxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\pjvvv.exec:\pjvvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\vpddd.exec:\vpddd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\lxllrxx.exec:\lxllrxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\jvjjj.exec:\jvjjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\rxlrlxr.exec:\rxlrlxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\llrlfrr.exec:\llrlfrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\xrlllll.exec:\xrlllll.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\vpddd.exec:\vpddd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\llfrrxx.exec:\llfrrxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\hnttnt.exec:\hnttnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\jjddp.exec:\jjddp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\lxrllff.exec:\lxrllff.exe23⤵
- Executes dropped EXE
PID:648 -
\??\c:\3jvdv.exec:\3jvdv.exe24⤵
- Executes dropped EXE
PID:1944 -
\??\c:\lfrlllf.exec:\lfrlllf.exe25⤵
- Executes dropped EXE
PID:2464 -
\??\c:\xfrrxff.exec:\xfrrxff.exe26⤵
- Executes dropped EXE
PID:4864 -
\??\c:\hnbhtb.exec:\hnbhtb.exe27⤵
- Executes dropped EXE
PID:2364 -
\??\c:\9jdjv.exec:\9jdjv.exe28⤵
- Executes dropped EXE
PID:2288 -
\??\c:\llxffff.exec:\llxffff.exe29⤵
- Executes dropped EXE
PID:4792 -
\??\c:\xllrrrr.exec:\xllrrrr.exe30⤵
- Executes dropped EXE
PID:4240 -
\??\c:\pvdpd.exec:\pvdpd.exe31⤵
- Executes dropped EXE
PID:5016 -
\??\c:\3nttbh.exec:\3nttbh.exe32⤵
- Executes dropped EXE
PID:2408 -
\??\c:\pppjd.exec:\pppjd.exe33⤵
- Executes dropped EXE
PID:4360 -
\??\c:\pdvvv.exec:\pdvvv.exe34⤵
- Executes dropped EXE
PID:4064 -
\??\c:\jvjjd.exec:\jvjjd.exe35⤵
- Executes dropped EXE
PID:5020 -
\??\c:\ffxrlff.exec:\ffxrlff.exe36⤵
- Executes dropped EXE
PID:4892 -
\??\c:\vvjdv.exec:\vvjdv.exe37⤵
- Executes dropped EXE
PID:2236 -
\??\c:\5xxrxll.exec:\5xxrxll.exe38⤵
- Executes dropped EXE
PID:3032 -
\??\c:\dpvvj.exec:\dpvvj.exe39⤵
- Executes dropped EXE
PID:2872 -
\??\c:\bbbbbh.exec:\bbbbbh.exe40⤵
- Executes dropped EXE
PID:2344 -
\??\c:\xrffrrx.exec:\xrffrrx.exe41⤵
- Executes dropped EXE
PID:4468 -
\??\c:\ppppj.exec:\ppppj.exe42⤵
- Executes dropped EXE
PID:540 -
\??\c:\ddjdd.exec:\ddjdd.exe43⤵
- Executes dropped EXE
PID:1748 -
\??\c:\xrllrll.exec:\xrllrll.exe44⤵
- Executes dropped EXE
PID:4580 -
\??\c:\nbnbtn.exec:\nbnbtn.exe45⤵
- Executes dropped EXE
PID:1632 -
\??\c:\dvdjj.exec:\dvdjj.exe46⤵
- Executes dropped EXE
PID:1988 -
\??\c:\llfxxrr.exec:\llfxxrr.exe47⤵
- Executes dropped EXE
PID:4516 -
\??\c:\nthhht.exec:\nthhht.exe48⤵
- Executes dropped EXE
PID:3760 -
\??\c:\nnnnnt.exec:\nnnnnt.exe49⤵
- Executes dropped EXE
PID:1328 -
\??\c:\jvddj.exec:\jvddj.exe50⤵
- Executes dropped EXE
PID:888 -
\??\c:\lrxffrx.exec:\lrxffrx.exe51⤵
- Executes dropped EXE
PID:4448 -
\??\c:\tnbbbb.exec:\tnbbbb.exe52⤵
- Executes dropped EXE
PID:1784 -
\??\c:\jvjjj.exec:\jvjjj.exe53⤵
- Executes dropped EXE
PID:5052 -
\??\c:\rfrllff.exec:\rfrllff.exe54⤵
- Executes dropped EXE
PID:2500 -
\??\c:\htnntb.exec:\htnntb.exe55⤵
- Executes dropped EXE
PID:452 -
\??\c:\jjdjj.exec:\jjdjj.exe56⤵
- Executes dropped EXE
PID:4920 -
\??\c:\1rllxfr.exec:\1rllxfr.exe57⤵
- Executes dropped EXE
PID:3752 -
\??\c:\bbtnnb.exec:\bbtnnb.exe58⤵
- Executes dropped EXE
PID:3980 -
\??\c:\bbtttn.exec:\bbtttn.exe59⤵
- Executes dropped EXE
PID:1804 -
\??\c:\jdvvv.exec:\jdvvv.exe60⤵
- Executes dropped EXE
PID:3536 -
\??\c:\xrlxfxf.exec:\xrlxfxf.exe61⤵
- Executes dropped EXE
PID:4532 -
\??\c:\hbnntt.exec:\hbnntt.exe62⤵
- Executes dropped EXE
PID:3144 -
\??\c:\jjpvp.exec:\jjpvp.exe63⤵
- Executes dropped EXE
PID:2512 -
\??\c:\llrfxxx.exec:\llrfxxx.exe64⤵
- Executes dropped EXE
PID:620 -
\??\c:\7thhnn.exec:\7thhnn.exe65⤵
- Executes dropped EXE
PID:1532 -
\??\c:\jpddv.exec:\jpddv.exe66⤵PID:2756
-
\??\c:\ffllfff.exec:\ffllfff.exe67⤵PID:1052
-
\??\c:\5bnnbh.exec:\5bnnbh.exe68⤵PID:3252
-
\??\c:\hhnhhh.exec:\hhnhhh.exe69⤵PID:1096
-
\??\c:\pvdjj.exec:\pvdjj.exe70⤵PID:212
-
\??\c:\llxxllf.exec:\llxxllf.exe71⤵PID:3656
-
\??\c:\bbhhhh.exec:\bbhhhh.exe72⤵PID:3444
-
\??\c:\vdppj.exec:\vdppj.exe73⤵PID:208
-
\??\c:\lfllfff.exec:\lfllfff.exe74⤵PID:4372
-
\??\c:\ntbbnn.exec:\ntbbnn.exe75⤵PID:436
-
\??\c:\hnttbt.exec:\hnttbt.exe76⤵PID:100
-
\??\c:\jjjpp.exec:\jjjpp.exe77⤵PID:4104
-
\??\c:\xflllll.exec:\xflllll.exe78⤵PID:4896
-
\??\c:\tnhthn.exec:\tnhthn.exe79⤵PID:1924
-
\??\c:\nntbbh.exec:\nntbbh.exe80⤵PID:3608
-
\??\c:\pjpjj.exec:\pjpjj.exe81⤵PID:3924
-
\??\c:\rlllxrl.exec:\rlllxrl.exe82⤵PID:4016
-
\??\c:\tthbbb.exec:\tthbbb.exe83⤵PID:648
-
\??\c:\dpppp.exec:\dpppp.exe84⤵PID:2396
-
\??\c:\fxlxxxl.exec:\fxlxxxl.exe85⤵PID:836
-
\??\c:\ttnntb.exec:\ttnntb.exe86⤵PID:3044
-
\??\c:\pjdvp.exec:\pjdvp.exe87⤵PID:2920
-
\??\c:\jjjjd.exec:\jjjjd.exe88⤵PID:2740
-
\??\c:\lrffxfr.exec:\lrffxfr.exe89⤵PID:2568
-
\??\c:\ttttnn.exec:\ttttnn.exe90⤵PID:2308
-
\??\c:\hbhhhn.exec:\hbhhhn.exe91⤵PID:464
-
\??\c:\ddppj.exec:\ddppj.exe92⤵PID:1996
-
\??\c:\lfffffl.exec:\lfffffl.exe93⤵PID:4464
-
\??\c:\nbtnnh.exec:\nbtnnh.exe94⤵PID:3816
-
\??\c:\dpjjp.exec:\dpjjp.exe95⤵PID:2476
-
\??\c:\9xlfrll.exec:\9xlfrll.exe96⤵PID:116
-
\??\c:\hnnttb.exec:\hnnttb.exe97⤵PID:4956
-
\??\c:\pjpjv.exec:\pjpjv.exe98⤵PID:2748
-
\??\c:\llfflrx.exec:\llfflrx.exe99⤵PID:2352
-
\??\c:\tthnbb.exec:\tthnbb.exe100⤵PID:3224
-
\??\c:\vpvvj.exec:\vpvvj.exe101⤵PID:3556
-
\??\c:\rfllrxx.exec:\rfllrxx.exe102⤵PID:1288
-
\??\c:\3tttbt.exec:\3tttbt.exe103⤵PID:2292
-
\??\c:\3dppp.exec:\3dppp.exe104⤵PID:3132
-
\??\c:\lxrrrxx.exec:\lxrrrxx.exe105⤵PID:1836
-
\??\c:\hbnthh.exec:\hbnthh.exe106⤵PID:2268
-
\??\c:\jjdvv.exec:\jjdvv.exe107⤵PID:1576
-
\??\c:\jdjdd.exec:\jdjdd.exe108⤵PID:1020
-
\??\c:\flfxxrl.exec:\flfxxrl.exe109⤵PID:3428
-
\??\c:\hthbtt.exec:\hthbtt.exe110⤵PID:3064
-
\??\c:\vjdvd.exec:\vjdvd.exe111⤵PID:2752
-
\??\c:\frrllxr.exec:\frrllxr.exe112⤵PID:4432
-
\??\c:\3bnhhh.exec:\3bnhhh.exe113⤵PID:5004
-
\??\c:\jjppv.exec:\jjppv.exe114⤵PID:4404
-
\??\c:\rrlllrf.exec:\rrlllrf.exe115⤵PID:2996
-
\??\c:\nbhbbb.exec:\nbhbbb.exe116⤵PID:4448
-
\??\c:\ppjvd.exec:\ppjvd.exe117⤵PID:3848
-
\??\c:\rxllffr.exec:\rxllffr.exe118⤵PID:4600
-
\??\c:\rxffxfx.exec:\rxffxfx.exe119⤵PID:2500
-
\??\c:\bhhhhh.exec:\bhhhhh.exe120⤵PID:452
-
\??\c:\jvddd.exec:\jvddd.exe121⤵PID:4920
-
\??\c:\rxlllrr.exec:\rxlllrr.exe122⤵PID:3752