Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-12-2024 02:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe
-
Size
454KB
-
MD5
dd5f3562e096ce311223bfa4e024dbd6
-
SHA1
62b4b9bbcceba5841787aed711f98208c9845152
-
SHA256
f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74
-
SHA512
c8dd9e4601f3e44c2eb6a07d9bccfbee3e97096233a7000704aca4bdf26a6a8c29c6cd12e985b10c4599ce03067fa6d27c5cfd23eb6ae450330ff04240465409
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5096-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2448-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3272-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-802-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-920-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-981-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-1422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4036-1908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1872 3hnbnb.exe 1864 xrrrlll.exe 3872 vvdpd.exe 2264 ntnnbh.exe 4296 xxfrffx.exe 1804 dvjdv.exe 1612 rxxllll.exe 2164 rxfxllf.exe 4032 hhnnnn.exe 1992 5nhbhn.exe 2852 ppvdd.exe 4444 rlxrfrx.exe 3464 frxrllf.exe 1756 jpddd.exe 4156 7rxrxfl.exe 1296 5vvjj.exe 1412 9tttnn.exe 3488 jpjdv.exe 1172 rrxxrrl.exe 2436 pvvvj.exe 624 xfllllf.exe 2168 pvdpv.exe 3044 xxrrxfx.exe 2448 fflfxfx.exe 1776 ppjdd.exe 996 bttnnn.exe 4664 dvjdp.exe 1708 flflfff.exe 5076 nnnnhn.exe 3440 vddvp.exe 1724 xfrlllf.exe 3532 5nhhhh.exe 1020 llxrxff.exe 2864 5hbbtt.exe 2228 ddddd.exe 1652 rrlrrrr.exe 2172 1bbhnn.exe 3788 1jddv.exe 2452 rxrrxxf.exe 3512 nbhbtb.exe 1548 bbhbtb.exe 1016 7dvjd.exe 3516 1xrrlll.exe 4708 hhhhbb.exe 64 nbhhhh.exe 112 xxffrlf.exe 2292 hhtttb.exe 2096 vvppv.exe 1976 vvjjj.exe 3668 lllrlrx.exe 4364 bhhtbb.exe 2220 pvddv.exe 1340 lfllfff.exe 2988 tbbttt.exe 5088 tbnntt.exe 4564 pppdd.exe 4104 xxlfllf.exe 3920 ttbbbb.exe 4296 jvddd.exe 3576 3vppj.exe 4940 7lllflf.exe 2568 nhhhbb.exe 5060 fxfffff.exe 1608 flfffxx.exe -
resource yara_rule behavioral2/memory/5096-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-155-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3440-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-347-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4120-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-789-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xlxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxxr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnttn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5096 wrote to memory of 1872 5096 f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe 83 PID 5096 wrote to memory of 1872 5096 f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe 83 PID 5096 wrote to memory of 1872 5096 f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe 83 PID 1872 wrote to memory of 1864 1872 3hnbnb.exe 84 PID 1872 wrote to memory of 1864 1872 3hnbnb.exe 84 PID 1872 wrote to memory of 1864 1872 3hnbnb.exe 84 PID 1864 wrote to memory of 3872 1864 xrrrlll.exe 85 PID 1864 wrote to memory of 3872 1864 xrrrlll.exe 85 PID 1864 wrote to memory of 3872 1864 xrrrlll.exe 85 PID 3872 wrote to memory of 2264 3872 vvdpd.exe 86 PID 3872 wrote to memory of 2264 3872 vvdpd.exe 86 PID 3872 wrote to memory of 2264 3872 vvdpd.exe 86 PID 2264 wrote to memory of 4296 2264 ntnnbh.exe 87 PID 2264 wrote to memory of 4296 2264 ntnnbh.exe 87 PID 2264 wrote to memory of 4296 2264 ntnnbh.exe 87 PID 4296 wrote to memory of 1804 4296 xxfrffx.exe 88 PID 4296 wrote to memory of 1804 4296 xxfrffx.exe 88 PID 4296 wrote to memory of 1804 4296 xxfrffx.exe 88 PID 1804 wrote to memory of 1612 1804 dvjdv.exe 89 PID 1804 wrote to memory of 1612 1804 dvjdv.exe 89 PID 1804 wrote to memory of 1612 1804 dvjdv.exe 89 PID 1612 wrote to memory of 2164 1612 rxxllll.exe 90 PID 1612 wrote to memory of 2164 1612 rxxllll.exe 90 PID 1612 wrote to memory of 2164 1612 rxxllll.exe 90 PID 2164 wrote to memory of 4032 2164 rxfxllf.exe 91 PID 2164 wrote to memory of 4032 2164 rxfxllf.exe 91 PID 2164 wrote to memory of 4032 2164 rxfxllf.exe 91 PID 4032 wrote to memory of 1992 4032 hhnnnn.exe 92 PID 4032 wrote to memory of 1992 4032 hhnnnn.exe 92 PID 4032 wrote to memory of 1992 4032 hhnnnn.exe 92 PID 1992 wrote to memory of 2852 1992 5nhbhn.exe 93 PID 1992 wrote to memory of 2852 1992 5nhbhn.exe 93 PID 1992 wrote to memory of 2852 1992 5nhbhn.exe 93 PID 2852 wrote to memory of 4444 2852 ppvdd.exe 94 PID 2852 wrote 
to memory of 4444 2852 ppvdd.exe 94 PID 2852 wrote to memory of 4444 2852 ppvdd.exe 94 PID 4444 wrote to memory of 3464 4444 rlxrfrx.exe 95 PID 4444 wrote to memory of 3464 4444 rlxrfrx.exe 95 PID 4444 wrote to memory of 3464 4444 rlxrfrx.exe 95 PID 3464 wrote to memory of 1756 3464 frxrllf.exe 96 PID 3464 wrote to memory of 1756 3464 frxrllf.exe 96 PID 3464 wrote to memory of 1756 3464 frxrllf.exe 96 PID 1756 wrote to memory of 4156 1756 jpddd.exe 97 PID 1756 wrote to memory of 4156 1756 jpddd.exe 97 PID 1756 wrote to memory of 4156 1756 jpddd.exe 97 PID 4156 wrote to memory of 1296 4156 7rxrxfl.exe 98 PID 4156 wrote to memory of 1296 4156 7rxrxfl.exe 98 PID 4156 wrote to memory of 1296 4156 7rxrxfl.exe 98 PID 1296 wrote to memory of 1412 1296 5vvjj.exe 99 PID 1296 wrote to memory of 1412 1296 5vvjj.exe 99 PID 1296 wrote to memory of 1412 1296 5vvjj.exe 99 PID 1412 wrote to memory of 3488 1412 9tttnn.exe 100 PID 1412 wrote to memory of 3488 1412 9tttnn.exe 100 PID 1412 wrote to memory of 3488 1412 9tttnn.exe 100 PID 3488 wrote to memory of 1172 3488 jpjdv.exe 101 PID 3488 wrote to memory of 1172 3488 jpjdv.exe 101 PID 3488 wrote to memory of 1172 3488 jpjdv.exe 101 PID 1172 wrote to memory of 2436 1172 rrxxrrl.exe 102 PID 1172 wrote to memory of 2436 1172 rrxxrrl.exe 102 PID 1172 wrote to memory of 2436 1172 rrxxrrl.exe 102 PID 2436 wrote to memory of 624 2436 pvvvj.exe 103 PID 2436 wrote to memory of 624 2436 pvvvj.exe 103 PID 2436 wrote to memory of 624 2436 pvvvj.exe 103 PID 624 wrote to memory of 2168 624 xfllllf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe"C:\Users\Admin\AppData\Local\Temp\f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\3hnbnb.exec:\3hnbnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\xrrrlll.exec:\xrrrlll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\vvdpd.exec:\vvdpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\ntnnbh.exec:\ntnnbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\xxfrffx.exec:\xxfrffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\dvjdv.exec:\dvjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\rxxllll.exec:\rxxllll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\rxfxllf.exec:\rxfxllf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\hhnnnn.exec:\hhnnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\5nhbhn.exec:\5nhbhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\ppvdd.exec:\ppvdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\rlxrfrx.exec:\rlxrfrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\frxrllf.exec:\frxrllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\jpddd.exec:\jpddd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\7rxrxfl.exec:\7rxrxfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\5vvjj.exec:\5vvjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\9tttnn.exec:\9tttnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\jpjdv.exec:\jpjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\rrxxrrl.exec:\rrxxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\pvvvj.exec:\pvvvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\xfllllf.exec:\xfllllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\pvdpv.exec:\pvdpv.exe23⤵
- Executes dropped EXE
PID:2168 -
\??\c:\xxrrxfx.exec:\xxrrxfx.exe24⤵
- Executes dropped EXE
PID:3044 -
\??\c:\fflfxfx.exec:\fflfxfx.exe25⤵
- Executes dropped EXE
PID:2448 -
\??\c:\ppjdd.exec:\ppjdd.exe26⤵
- Executes dropped EXE
PID:1776 -
\??\c:\bttnnn.exec:\bttnnn.exe27⤵
- Executes dropped EXE
PID:996 -
\??\c:\dvjdp.exec:\dvjdp.exe28⤵
- Executes dropped EXE
PID:4664 -
\??\c:\flflfff.exec:\flflfff.exe29⤵
- Executes dropped EXE
PID:1708 -
\??\c:\nnnnhn.exec:\nnnnhn.exe30⤵
- Executes dropped EXE
PID:5076 -
\??\c:\vddvp.exec:\vddvp.exe31⤵
- Executes dropped EXE
PID:3440 -
\??\c:\xfrlllf.exec:\xfrlllf.exe32⤵
- Executes dropped EXE
PID:1724 -
\??\c:\5nhhhh.exec:\5nhhhh.exe33⤵
- Executes dropped EXE
PID:3532 -
\??\c:\llxrxff.exec:\llxrxff.exe34⤵
- Executes dropped EXE
PID:1020 -
\??\c:\5hbbtt.exec:\5hbbtt.exe35⤵
- Executes dropped EXE
PID:2864 -
\??\c:\ddddd.exec:\ddddd.exe36⤵
- Executes dropped EXE
PID:2228 -
\??\c:\rrlrrrr.exec:\rrlrrrr.exe37⤵
- Executes dropped EXE
PID:1652 -
\??\c:\1bbhnn.exec:\1bbhnn.exe38⤵
- Executes dropped EXE
PID:2172 -
\??\c:\1jddv.exec:\1jddv.exe39⤵
- Executes dropped EXE
PID:3788 -
\??\c:\rxrrxxf.exec:\rxrrxxf.exe40⤵
- Executes dropped EXE
PID:2452 -
\??\c:\nbhbtb.exec:\nbhbtb.exe41⤵
- Executes dropped EXE
PID:3512 -
\??\c:\bbhbtb.exec:\bbhbtb.exe42⤵
- Executes dropped EXE
PID:1548 -
\??\c:\7dvjd.exec:\7dvjd.exe43⤵
- Executes dropped EXE
PID:1016 -
\??\c:\1xrrlll.exec:\1xrrlll.exe44⤵
- Executes dropped EXE
PID:3516 -
\??\c:\hhhhbb.exec:\hhhhbb.exe45⤵
- Executes dropped EXE
PID:4708 -
\??\c:\nbhhhh.exec:\nbhhhh.exe46⤵
- Executes dropped EXE
PID:64 -
\??\c:\xxffrlf.exec:\xxffrlf.exe47⤵
- Executes dropped EXE
PID:112 -
\??\c:\hhtttb.exec:\hhtttb.exe48⤵
- Executes dropped EXE
PID:2292 -
\??\c:\vvppv.exec:\vvppv.exe49⤵
- Executes dropped EXE
PID:2096 -
\??\c:\vvjjj.exec:\vvjjj.exe50⤵
- Executes dropped EXE
PID:1976 -
\??\c:\lllrlrx.exec:\lllrlrx.exe51⤵
- Executes dropped EXE
PID:3668 -
\??\c:\bhhtbb.exec:\bhhtbb.exe52⤵
- Executes dropped EXE
PID:4364 -
\??\c:\pvddv.exec:\pvddv.exe53⤵
- Executes dropped EXE
PID:2220 -
\??\c:\lfllfff.exec:\lfllfff.exe54⤵
- Executes dropped EXE
PID:1340 -
\??\c:\tbbttt.exec:\tbbttt.exe55⤵
- Executes dropped EXE
PID:2988 -
\??\c:\tbnntt.exec:\tbnntt.exe56⤵
- Executes dropped EXE
PID:5088 -
\??\c:\pppdd.exec:\pppdd.exe57⤵
- Executes dropped EXE
PID:4564 -
\??\c:\xxlfllf.exec:\xxlfllf.exe58⤵
- Executes dropped EXE
PID:4104 -
\??\c:\ttbbbb.exec:\ttbbbb.exe59⤵
- Executes dropped EXE
PID:3920 -
\??\c:\jvddd.exec:\jvddd.exe60⤵
- Executes dropped EXE
PID:4296 -
\??\c:\3vppj.exec:\3vppj.exe61⤵
- Executes dropped EXE
PID:3576 -
\??\c:\7lllflf.exec:\7lllflf.exe62⤵
- Executes dropped EXE
PID:4940 -
\??\c:\nhhhbb.exec:\nhhhbb.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568 -
\??\c:\fxfffff.exec:\fxfffff.exe64⤵
- Executes dropped EXE
PID:5060 -
\??\c:\flfffxx.exec:\flfffxx.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608 -
\??\c:\nnnhnn.exec:\nnnhnn.exe66⤵PID:4064
-
\??\c:\dddvp.exec:\dddvp.exe67⤵PID:1732
-
\??\c:\rlllllf.exec:\rlllllf.exe68⤵PID:1056
-
\??\c:\ffrfrlx.exec:\ffrfrlx.exe69⤵PID:2116
-
\??\c:\ntttnn.exec:\ntttnn.exe70⤵PID:2252
-
\??\c:\ddddv.exec:\ddddv.exe71⤵PID:1492
-
\??\c:\rrxxrrl.exec:\rrxxrrl.exe72⤵PID:3272
-
\??\c:\7lrrlrl.exec:\7lrrlrl.exe73⤵PID:2076
-
\??\c:\btnbtt.exec:\btnbtt.exe74⤵PID:4964
-
\??\c:\pjppj.exec:\pjppj.exe75⤵PID:2432
-
\??\c:\lxlxfxf.exec:\lxlxfxf.exe76⤵PID:660
-
\??\c:\nthbtn.exec:\nthbtn.exe77⤵PID:4076
-
\??\c:\pjppj.exec:\pjppj.exe78⤵PID:896
-
\??\c:\pvjdp.exec:\pvjdp.exe79⤵PID:220
-
\??\c:\lfffxfx.exec:\lfffxfx.exe80⤵PID:2216
-
\??\c:\1ttbbb.exec:\1ttbbb.exe81⤵PID:4120
-
\??\c:\pdjdv.exec:\pdjdv.exe82⤵
- System Location Discovery: System Language Discovery
PID:4068 -
\??\c:\vvvvp.exec:\vvvvp.exe83⤵PID:5016
-
\??\c:\rrxrlll.exec:\rrxrlll.exe84⤵PID:1416
-
\??\c:\9bbbbb.exec:\9bbbbb.exe85⤵PID:4464
-
\??\c:\dvjdp.exec:\dvjdp.exe86⤵PID:4404
-
\??\c:\3vpjv.exec:\3vpjv.exe87⤵
- System Location Discovery: System Language Discovery
PID:3768 -
\??\c:\rrfxxxx.exec:\rrfxxxx.exe88⤵PID:4592
-
\??\c:\bnbnnt.exec:\bnbnnt.exe89⤵PID:1696
-
\??\c:\7vppp.exec:\7vppp.exe90⤵PID:3392
-
\??\c:\llffrrf.exec:\llffrrf.exe91⤵PID:4752
-
\??\c:\nnnbbb.exec:\nnnbbb.exe92⤵PID:4036
-
\??\c:\tnnbtn.exec:\tnnbtn.exe93⤵PID:1888
-
\??\c:\dvvvp.exec:\dvvvp.exe94⤵PID:2748
-
\??\c:\1lrrrrx.exec:\1lrrrrx.exe95⤵PID:3644
-
\??\c:\3rrrlrl.exec:\3rrrlrl.exe96⤵PID:2636
-
\??\c:\bbhttt.exec:\bbhttt.exe97⤵PID:1760
-
\??\c:\1jjjd.exec:\1jjjd.exe98⤵PID:1484
-
\??\c:\9ffxlrr.exec:\9ffxlrr.exe99⤵PID:1728
-
\??\c:\nntnbb.exec:\nntnbb.exe100⤵PID:4128
-
\??\c:\btnhhh.exec:\btnhhh.exe101⤵PID:1716
-
\??\c:\vvvpj.exec:\vvvpj.exe102⤵PID:2296
-
\??\c:\3dddv.exec:\3dddv.exe103⤵PID:3232
-
\??\c:\llfrllf.exec:\llfrllf.exe104⤵PID:2028
-
\??\c:\thnnbh.exec:\thnnbh.exe105⤵PID:1972
-
\??\c:\hbbthh.exec:\hbbthh.exe106⤵PID:1636
-
\??\c:\pjddv.exec:\pjddv.exe107⤵PID:720
-
\??\c:\9xlxxxx.exec:\9xlxxxx.exe108⤵
- System Location Discovery: System Language Discovery
PID:704 -
\??\c:\rrlfrrl.exec:\rrlfrrl.exe109⤵PID:2720
-
\??\c:\9tttnn.exec:\9tttnn.exe110⤵PID:3056
-
\??\c:\jpppj.exec:\jpppj.exe111⤵PID:2100
-
\??\c:\llxrlll.exec:\llxrlll.exe112⤵PID:1984
-
\??\c:\fffffff.exec:\fffffff.exe113⤵PID:944
-
\??\c:\nbtbnh.exec:\nbtbnh.exe114⤵PID:4400
-
\??\c:\dddjj.exec:\dddjj.exe115⤵PID:4364
-
\??\c:\rrlfrlf.exec:\rrlfrlf.exe116⤵PID:5096
-
\??\c:\nhhtnn.exec:\nhhtnn.exe117⤵PID:1480
-
\??\c:\hhhttn.exec:\hhhttn.exe118⤵PID:3872
-
\??\c:\9dvvp.exec:\9dvvp.exe119⤵PID:1224
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe120⤵PID:4564
-
\??\c:\7hbnbt.exec:\7hbnbt.exe121⤵PID:3648
-
\??\c:\5ddvd.exec:\5ddvd.exe122⤵PID:3920