Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe
Resource
win7-20240708-en (note: every IoC on this page is tagged behavioral2, the win10v2004-20241007-en run named in the header above, so the win7 resource listed for behavioral1 does not describe the data shown here)
7 signatures
120 seconds
General
-
Target
611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe
-
Size
455KB
-
MD5
c1e09b76c22bdd96548348aa8b020850
-
SHA1
a16534508dd7f6de1cdb0f41a3a0715329bcd139
-
SHA256
611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6
-
SHA512
cdafe84945d2f85a4da5ec272f27f81e205019c35aa46754b1ab25fee418c52731486cbb020183f22198726e760253f0088dd809119f7d3bdf9683c3ca83250a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTm:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs (capped list; every hit is a yara match on the same 0x0000000000400000-0x000000000042A000 image range in each spawned process, which suggests the same payload image is carried through the whole spawn chain)
resource yara_rule behavioral2/memory/1652-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2384-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2948-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-1095-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-1153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1984-1163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (capped list; the process tree below continues well past depth 120, each dropped executable launching the next)
pid Process 4352 5lxrllf.exe 1492 thnhnh.exe 4764 xlxfxfx.exe 2052 lfrfrfl.exe 3904 thhbtt.exe 4512 djdvp.exe 1592 3htnnn.exe 804 5xrrlrl.exe 864 fxxrrrl.exe 3444 vpddj.exe 4812 bbhnnh.exe 1844 5xxxxxx.exe 4984 xxlfxxx.exe 4952 jjdvj.exe 384 llrrrrr.exe 3572 nbhbnh.exe 5060 jjppj.exe 3136 rrxxrrl.exe 5100 tntbbt.exe 2336 ddjdv.exe 4772 nhttnn.exe 4032 lllllll.exe 3468 jjjdd.exe 2536 ffllxxx.exe 4480 jjppp.exe 3512 bthttt.exe 1104 pjjjj.exe 2684 1xxrlrr.exe 2384 tnnnnn.exe 4756 nthhnn.exe 3632 lxrlllf.exe 1456 vvdvv.exe 4528 1rxrlrl.exe 4272 xrrlffx.exe 1580 bttttt.exe 3912 pdddj.exe 1772 xxfrrll.exe 1068 jpppp.exe 4284 1xxrllf.exe 3056 btbtth.exe 4132 ppdvj.exe 2108 frlllll.exe 2292 lfllllf.exe 2480 nhbhnt.exe 4788 jpdvv.exe 2032 ffxxrrr.exe 3396 7flfffx.exe 4424 hhhbbb.exe 4308 djvvv.exe 4292 xrfxfxf.exe 1652 nttntt.exe 1160 jdpjj.exe 1376 fxxxxxf.exe 392 1ttbbn.exe 208 ppppj.exe 2052 jjpvj.exe 1172 xxxllxr.exe 1644 tbhhbt.exe 2676 tnnnnn.exe 2904 jvvjv.exe 3948 rfrlllf.exe 2996 hbbttt.exe 1560 3pvvv.exe 4908 rlxrlxl.exe -
resource yara_rule behavioral2/memory/4352-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-183-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3632-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-363-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/900-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-647-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Note that reading this NLS\Language key is also done by many benign runtimes, so on its own it is a low-fidelity signal; entries attributed to "Process not Found" are events whose originating process could not be resolved by the sandbox (commonly because it had already exited) and still count toward the IoC total.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhnn.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbbt.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (capped list; each entry is a parent writing into the child it has just spawned, matching the Processes tree below, so this reflects the spawn chain rather than injection into an unrelated process; each parent→child pair is logged three times)
description pid Process procid_target PID 1652 wrote to memory of 4352 1652 611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe 83 PID 1652 wrote to memory of 4352 1652 611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe 83 PID 1652 wrote to memory of 4352 1652 611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe 83 PID 4352 wrote to memory of 1492 4352 5lxrllf.exe 84 PID 4352 wrote to memory of 1492 4352 5lxrllf.exe 84 PID 4352 wrote to memory of 1492 4352 5lxrllf.exe 84 PID 1492 wrote to memory of 4764 1492 thnhnh.exe 85 PID 1492 wrote to memory of 4764 1492 thnhnh.exe 85 PID 1492 wrote to memory of 4764 1492 thnhnh.exe 85 PID 4764 wrote to memory of 2052 4764 xlxfxfx.exe 86 PID 4764 wrote to memory of 2052 4764 xlxfxfx.exe 86 PID 4764 wrote to memory of 2052 4764 xlxfxfx.exe 86 PID 2052 wrote to memory of 3904 2052 lfrfrfl.exe 87 PID 2052 wrote to memory of 3904 2052 lfrfrfl.exe 87 PID 2052 wrote to memory of 3904 2052 lfrfrfl.exe 87 PID 3904 wrote to memory of 4512 3904 thhbtt.exe 88 PID 3904 wrote to memory of 4512 3904 thhbtt.exe 88 PID 3904 wrote to memory of 4512 3904 thhbtt.exe 88 PID 4512 wrote to memory of 1592 4512 djdvp.exe 89 PID 4512 wrote to memory of 1592 4512 djdvp.exe 89 PID 4512 wrote to memory of 1592 4512 djdvp.exe 89 PID 1592 wrote to memory of 804 1592 3htnnn.exe 90 PID 1592 wrote to memory of 804 1592 3htnnn.exe 90 PID 1592 wrote to memory of 804 1592 3htnnn.exe 90 PID 804 wrote to memory of 864 804 5xrrlrl.exe 91 PID 804 wrote to memory of 864 804 5xrrlrl.exe 91 PID 804 wrote to memory of 864 804 5xrrlrl.exe 91 PID 864 wrote to memory of 3444 864 fxxrrrl.exe 92 PID 864 wrote to memory of 3444 864 fxxrrrl.exe 92 PID 864 wrote to memory of 3444 864 fxxrrrl.exe 92 PID 3444 wrote to memory of 4812 3444 vpddj.exe 93 PID 3444 wrote to memory of 4812 3444 vpddj.exe 93 PID 3444 wrote to memory of 4812 3444 vpddj.exe 93 PID 4812 wrote to memory of 1844 4812 bbhnnh.exe 94 PID 4812 wrote to memory 
of 1844 4812 bbhnnh.exe 94 PID 4812 wrote to memory of 1844 4812 bbhnnh.exe 94 PID 1844 wrote to memory of 4984 1844 5xxxxxx.exe 95 PID 1844 wrote to memory of 4984 1844 5xxxxxx.exe 95 PID 1844 wrote to memory of 4984 1844 5xxxxxx.exe 95 PID 4984 wrote to memory of 4952 4984 xxlfxxx.exe 96 PID 4984 wrote to memory of 4952 4984 xxlfxxx.exe 96 PID 4984 wrote to memory of 4952 4984 xxlfxxx.exe 96 PID 4952 wrote to memory of 384 4952 jjdvj.exe 97 PID 4952 wrote to memory of 384 4952 jjdvj.exe 97 PID 4952 wrote to memory of 384 4952 jjdvj.exe 97 PID 384 wrote to memory of 3572 384 llrrrrr.exe 98 PID 384 wrote to memory of 3572 384 llrrrrr.exe 98 PID 384 wrote to memory of 3572 384 llrrrrr.exe 98 PID 3572 wrote to memory of 5060 3572 nbhbnh.exe 99 PID 3572 wrote to memory of 5060 3572 nbhbnh.exe 99 PID 3572 wrote to memory of 5060 3572 nbhbnh.exe 99 PID 5060 wrote to memory of 3136 5060 jjppj.exe 100 PID 5060 wrote to memory of 3136 5060 jjppj.exe 100 PID 5060 wrote to memory of 3136 5060 jjppj.exe 100 PID 3136 wrote to memory of 5100 3136 rrxxrrl.exe 101 PID 3136 wrote to memory of 5100 3136 rrxxrrl.exe 101 PID 3136 wrote to memory of 5100 3136 rrxxrrl.exe 101 PID 5100 wrote to memory of 2336 5100 tntbbt.exe 102 PID 5100 wrote to memory of 2336 5100 tntbbt.exe 102 PID 5100 wrote to memory of 2336 5100 tntbbt.exe 102 PID 2336 wrote to memory of 4772 2336 ddjdv.exe 103 PID 2336 wrote to memory of 4772 2336 ddjdv.exe 103 PID 2336 wrote to memory of 4772 2336 ddjdv.exe 103 PID 4772 wrote to memory of 4032 4772 nhttnn.exe 104
Processes (each entry shows the image path, the command line and the tree depth; every dropped executable is written to the root of c:\ and launched by its predecessor, and several PIDs — e.g. 1652 and 2052 — recur deeper in the chain, indicating earlier processes had already exited and their PIDs were reused)
-
C:\Users\Admin\AppData\Local\Temp\611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe — command line: "C:\Users\Admin\AppData\Local\Temp\611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe" — depth 1
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\5lxrllf.exe — command line: c:\5lxrllf.exe — depth 2
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\thnhnh.exe — command line: c:\thnhnh.exe — depth 3
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\xlxfxfx.exec:\xlxfxfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\lfrfrfl.exec:\lfrfrfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\thhbtt.exec:\thhbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\djdvp.exec:\djdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\3htnnn.exec:\3htnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\5xrrlrl.exec:\5xrrlrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\vpddj.exec:\vpddj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\bbhnnh.exec:\bbhnnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\5xxxxxx.exec:\5xxxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\xxlfxxx.exec:\xxlfxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\jjdvj.exec:\jjdvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\llrrrrr.exec:\llrrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\nbhbnh.exec:\nbhbnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\jjppj.exec:\jjppj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\rrxxrrl.exec:\rrxxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\tntbbt.exec:\tntbbt.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\ddjdv.exec:\ddjdv.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\nhttnn.exec:\nhttnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\lllllll.exec:\lllllll.exe23⤵
- Executes dropped EXE
PID:4032 -
\??\c:\jjjdd.exec:\jjjdd.exe24⤵
- Executes dropped EXE
PID:3468 -
\??\c:\ffllxxx.exec:\ffllxxx.exe25⤵
- Executes dropped EXE
PID:2536 -
\??\c:\jjppp.exec:\jjppp.exe26⤵
- Executes dropped EXE
PID:4480 -
\??\c:\bthttt.exec:\bthttt.exe27⤵
- Executes dropped EXE
PID:3512 -
\??\c:\pjjjj.exec:\pjjjj.exe28⤵
- Executes dropped EXE
PID:1104 -
\??\c:\1xxrlrr.exec:\1xxrlrr.exe29⤵
- Executes dropped EXE
PID:2684 -
\??\c:\tnnnnn.exec:\tnnnnn.exe30⤵
- Executes dropped EXE
PID:2384 -
\??\c:\nthhnn.exec:\nthhnn.exe31⤵
- Executes dropped EXE
PID:4756 -
\??\c:\lxrlllf.exec:\lxrlllf.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3632 -
\??\c:\vvdvv.exec:\vvdvv.exe33⤵
- Executes dropped EXE
PID:1456 -
\??\c:\1rxrlrl.exec:\1rxrlrl.exe34⤵
- Executes dropped EXE
PID:4528 -
\??\c:\xrrlffx.exec:\xrrlffx.exe35⤵
- Executes dropped EXE
PID:4272 -
\??\c:\bttttt.exec:\bttttt.exe36⤵
- Executes dropped EXE
PID:1580 -
\??\c:\pdddj.exec:\pdddj.exe37⤵
- Executes dropped EXE
PID:3912 -
\??\c:\xxfrrll.exec:\xxfrrll.exe38⤵
- Executes dropped EXE
PID:1772 -
\??\c:\jpppp.exec:\jpppp.exe39⤵
- Executes dropped EXE
PID:1068 -
\??\c:\1xxrllf.exec:\1xxrllf.exe40⤵
- Executes dropped EXE
PID:4284 -
\??\c:\btbtth.exec:\btbtth.exe41⤵
- Executes dropped EXE
PID:3056 -
\??\c:\ppdvj.exec:\ppdvj.exe42⤵
- Executes dropped EXE
PID:4132 -
\??\c:\frlllll.exec:\frlllll.exe43⤵
- Executes dropped EXE
PID:2108 -
\??\c:\lfllllf.exec:\lfllllf.exe44⤵
- Executes dropped EXE
PID:2292 -
\??\c:\nhbhnt.exec:\nhbhnt.exe45⤵
- Executes dropped EXE
PID:2480 -
\??\c:\jpdvv.exec:\jpdvv.exe46⤵
- Executes dropped EXE
PID:4788 -
\??\c:\ffxxrrr.exec:\ffxxrrr.exe47⤵
- Executes dropped EXE
PID:2032 -
\??\c:\7flfffx.exec:\7flfffx.exe48⤵
- Executes dropped EXE
PID:3396 -
\??\c:\hhhbbb.exec:\hhhbbb.exe49⤵
- Executes dropped EXE
PID:4424 -
\??\c:\djvvv.exec:\djvvv.exe50⤵
- Executes dropped EXE
PID:4308 -
\??\c:\xrfxfxf.exec:\xrfxfxf.exe51⤵
- Executes dropped EXE
PID:4292 -
\??\c:\nttntt.exec:\nttntt.exe52⤵
- Executes dropped EXE
PID:1652 -
\??\c:\jdpjj.exec:\jdpjj.exe53⤵
- Executes dropped EXE
PID:1160 -
\??\c:\fxxxxxf.exec:\fxxxxxf.exe54⤵
- Executes dropped EXE
PID:1376 -
\??\c:\1ttbbn.exec:\1ttbbn.exe55⤵
- Executes dropped EXE
PID:392 -
\??\c:\ppppj.exec:\ppppj.exe56⤵
- Executes dropped EXE
PID:208 -
\??\c:\jjpvj.exec:\jjpvj.exe57⤵
- Executes dropped EXE
PID:2052 -
\??\c:\xxxllxr.exec:\xxxllxr.exe58⤵
- Executes dropped EXE
PID:1172 -
\??\c:\tbhhbt.exec:\tbhhbt.exe59⤵
- Executes dropped EXE
PID:1644 -
\??\c:\tnnnnn.exec:\tnnnnn.exe60⤵
- Executes dropped EXE
PID:2676 -
\??\c:\jvvjv.exec:\jvvjv.exe61⤵
- Executes dropped EXE
PID:2904 -
\??\c:\rfrlllf.exec:\rfrlllf.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3948 -
\??\c:\hbbttt.exec:\hbbttt.exe63⤵
- Executes dropped EXE
PID:2996 -
\??\c:\3pvvv.exec:\3pvvv.exe64⤵
- Executes dropped EXE
PID:1560 -
\??\c:\rlxrlxl.exec:\rlxrlxl.exe65⤵
- Executes dropped EXE
PID:4908 -
\??\c:\bbtnbt.exe — command line: c:\bbtnbt.exe — depth 66 — PID:1756
-
\??\c:\dvdvd.exec:\dvdvd.exe67⤵PID:4632
-
\??\c:\lrlfxrf.exec:\lrlfxrf.exe68⤵PID:116
-
\??\c:\bbbbbb.exec:\bbbbbb.exe69⤵PID:2316
-
\??\c:\3djvp.exec:\3djvp.exe70⤵PID:2860
-
\??\c:\vpvvv.exec:\vpvvv.exe71⤵PID:2948
-
\??\c:\1fxrrfx.exec:\1fxrrfx.exe72⤵PID:4636
-
\??\c:\ffrlrxx.exec:\ffrlrxx.exe73⤵PID:4804
-
\??\c:\bhhhtt.exec:\bhhhtt.exe74⤵PID:4500
-
\??\c:\5pdvd.exec:\5pdvd.exe75⤵PID:3572
-
\??\c:\1lrrrff.exec:\1lrrrff.exe76⤵PID:4516
-
\??\c:\bbhhbb.exec:\bbhhbb.exe77⤵PID:4928
-
\??\c:\bbbttt.exec:\bbbttt.exe78⤵PID:4872
-
\??\c:\jjpjp.exec:\jjpjp.exe79⤵PID:220
-
\??\c:\lxlffxr.exec:\lxlffxr.exe80⤵PID:2336
-
\??\c:\tbhttt.exec:\tbhttt.exe81⤵PID:4504
-
\??\c:\1nnnnt.exec:\1nnnnt.exe82⤵PID:4772
-
\??\c:\jdpjj.exec:\jdpjj.exe83⤵PID:4032
-
\??\c:\xxlffff.exec:\xxlffff.exe84⤵PID:2936
-
\??\c:\9bbbbh.exec:\9bbbbh.exe85⤵PID:2120
-
\??\c:\7vdvv.exec:\7vdvv.exe86⤵PID:2536
-
\??\c:\xxffffr.exec:\xxffffr.exe87⤵PID:4220
-
\??\c:\nbbbtb.exec:\nbbbtb.exe88⤵PID:1076
-
\??\c:\jpvvp.exec:\jpvvp.exe89⤵PID:4204
-
\??\c:\lfrrrll.exec:\lfrrrll.exe90⤵PID:4892
-
\??\c:\fffrlll.exec:\fffrlll.exe91⤵PID:3524
-
\??\c:\btttnh.exec:\btttnh.exe92⤵PID:900
-
\??\c:\djddv.exec:\djddv.exe93⤵PID:1112
-
\??\c:\5jdvp.exec:\5jdvp.exe94⤵PID:4848
-
\??\c:\xxfrlxr.exec:\xxfrlxr.exe95⤵PID:4708
-
\??\c:\bnbbbt.exec:\bnbbbt.exe96⤵PID:1456
-
\??\c:\pvpdv.exec:\pvpdv.exe97⤵PID:3232
-
\??\c:\pvvpp.exec:\pvvpp.exe98⤵PID:2260
-
\??\c:\9fflfxx.exec:\9fflfxx.exe99⤵PID:1580
-
\??\c:\bbntht.exec:\bbntht.exe100⤵
- System Location Discovery: System Language Discovery
PID:5008 -
\??\c:\pvpjd.exec:\pvpjd.exe101⤵PID:2176
-
\??\c:\lxrffxl.exec:\lxrffxl.exe102⤵PID:2492
-
\??\c:\tbhhbb.exec:\tbhhbb.exe103⤵PID:3456
-
\??\c:\vjjdd.exec:\vjjdd.exe104⤵PID:1976
-
\??\c:\xrfrrxr.exec:\xrfrrxr.exe105⤵PID:3360
-
\??\c:\bbbthh.exec:\bbbthh.exe106⤵PID:4712
-
\??\c:\tnhhbb.exec:\tnhhbb.exe107⤵PID:3476
-
\??\c:\jdddd.exec:\jdddd.exe108⤵PID:1460
-
\??\c:\lfffffx.exec:\lfffffx.exe109⤵PID:3636
-
\??\c:\btnhht.exec:\btnhht.exe110⤵PID:444
-
\??\c:\jpvdj.exec:\jpvdj.exe111⤵PID:2864
-
\??\c:\frxxxxf.exec:\frxxxxf.exe112⤵PID:3464
-
\??\c:\nnttth.exec:\nnttth.exe113⤵PID:3020
-
\??\c:\7jjjp.exec:\7jjjp.exe114⤵PID:3920
-
\??\c:\dvddd.exec:\dvddd.exe115⤵PID:1340
-
\??\c:\1fxxllr.exec:\1fxxllr.exe116⤵PID:4452
-
\??\c:\nnbhnn.exec:\nnbhnn.exe117⤵PID:3612
-
\??\c:\9jjjd.exec:\9jjjd.exe118⤵PID:656
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe119⤵PID:4784
-
\??\c:\9hnhbh.exec:\9hnhbh.exe120⤵PID:3120
-
\??\c:\hbntnt.exec:\hbntnt.exe121⤵PID:3756
-
\??\c:\dvjdv.exe — command line: c:\dvjdv.exe — depth 122 — PID:2036