Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 22:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f5591fc74457178e0d6e66d0172058eb25380bfa49d908c03ef343545583ac10N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
f5591fc74457178e0d6e66d0172058eb25380bfa49d908c03ef343545583ac10N.exe
-
Size
453KB
-
MD5
81df8aae425888d6e823b90176cf2bb0
-
SHA1
b6d170b1393b7f30baa3ae63424e4fd92c1e3dc0
-
SHA256
f5591fc74457178e0d6e66d0172058eb25380bfa49d908c03ef343545583ac10
-
SHA512
bfce54334d39b4450f9e1e07c0e1042a312a74c35c00185ed3162d98f10439a0f2a42fcf8560d0760dafd6f5caef1c840750336143724a0ce2693249fcdefe2b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4876-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3044-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/324-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2612-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-896-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-977-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-1796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5012 fxrrxxx.exe 1520 bnbnnh.exe 5060 hhhnnn.exe 3944 rllfxxl.exe 1380 dvddd.exe 2448 lffxxrr.exe 712 7ttnnn.exe 2576 1ttnnt.exe 1860 vpddp.exe 1036 3fxxrxr.exe 1496 hhtnhb.exe 1144 hbntnt.exe 4184 jpddj.exe 4072 llffxxx.exe 3232 7nnhbb.exe 316 3vvpp.exe 4500 xlfxrrr.exe 3268 lffxrlf.exe 2256 lrxxxrl.exe 3296 9jjdv.exe 4884 vvpjj.exe 2236 frxrlfx.exe 2216 lllxrrx.exe 1372 djpvp.exe 2832 dvddd.exe 1100 rlrlllx.exe 396 pddvp.exe 3160 1djdj.exe 4840 bbnbnn.exe 3044 jvddv.exe 4496 nhhhnn.exe 4888 lffxxrr.exe 2540 tbhttt.exe 2544 5vppp.exe 1464 fflfxrl.exe 2420 tnhbnh.exe 3284 jpvpv.exe 2944 3rxrxxx.exe 4124 hbbtnb.exe 232 nhhbbt.exe 4984 jvpjd.exe 4404 flrlxxr.exe 4028 ttbbtt.exe 4692 dpvvp.exe 4432 fxxlxrf.exe 2136 nbhbtn.exe 3580 nnbthh.exe 3312 1vjdp.exe 4860 1llrfxx.exe 5116 nhhhbt.exe 1380 jddvj.exe 3912 xrfxllr.exe 8 nhbnhb.exe 540 bbhbtn.exe 3016 jjjdp.exe 1200 nhnhnh.exe 3436 hnbbtt.exe 1488 7rlxlfr.exe 2292 fxxlfxr.exe 4800 tntnnn.exe 4184 vjpjp.exe 4436 fxrfrlx.exe 1048 bthtnh.exe 2128 vppjp.exe -
resource yara_rule behavioral2/memory/4876-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-176-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4496-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/324-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-409-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2392-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-801-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-896-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4876 wrote to memory of 5012 4876 f5591fc74457178e0d6e66d0172058eb25380bfa49d908c03ef343545583ac10N.exe 82 PID 4876 wrote to memory of 5012 4876 f5591fc74457178e0d6e66d0172058eb25380bfa49d908c03ef343545583ac10N.exe 82 PID 4876 wrote to memory of 5012 4876 f5591fc74457178e0d6e66d0172058eb25380bfa49d908c03ef343545583ac10N.exe 82 PID 5012 wrote to memory of 1520 5012 fxrrxxx.exe 83 PID 5012 wrote to memory of 1520 5012 fxrrxxx.exe 83 PID 5012 wrote to memory of 1520 5012 fxrrxxx.exe 83 PID 1520 wrote to memory of 5060 1520 bnbnnh.exe 84 PID 1520 wrote to memory of 5060 1520 bnbnnh.exe 84 PID 1520 wrote to memory of 5060 1520 bnbnnh.exe 84 PID 5060 wrote to memory of 3944 5060 hhhnnn.exe 85 PID 5060 wrote to memory of 3944 5060 hhhnnn.exe 85 PID 5060 wrote to memory of 3944 5060 hhhnnn.exe 85 PID 3944 wrote to memory of 1380 3944 rllfxxl.exe 86 PID 3944 wrote to memory of 1380 3944 rllfxxl.exe 86 PID 3944 wrote to memory of 1380 3944 rllfxxl.exe 86 PID 1380 wrote to memory of 2448 1380 dvddd.exe 87 PID 1380 wrote to memory of 2448 1380 dvddd.exe 87 PID 1380 wrote to memory of 2448 1380 dvddd.exe 87 PID 2448 wrote to memory of 712 2448 lffxxrr.exe 88 PID 2448 wrote to memory of 712 2448 lffxxrr.exe 88 PID 2448 wrote to memory of 712 2448 lffxxrr.exe 88 PID 712 wrote to memory of 2576 712 7ttnnn.exe 89 PID 712 wrote to memory of 2576 712 7ttnnn.exe 89 PID 712 wrote to memory of 2576 712 7ttnnn.exe 89 PID 2576 wrote to memory of 1860 2576 1ttnnt.exe 90 PID 2576 wrote to memory of 1860 2576 1ttnnt.exe 90 PID 2576 wrote to memory of 1860 2576 1ttnnt.exe 90 PID 1860 wrote to memory of 1036 1860 vpddp.exe 91 PID 1860 wrote to memory of 1036 1860 vpddp.exe 91 PID 1860 wrote to memory of 1036 1860 vpddp.exe 91 PID 1036 wrote to memory of 1496 1036 3fxxrxr.exe 92 PID 1036 wrote to memory of 1496 1036 3fxxrxr.exe 92 PID 1036 wrote to memory of 1496 1036 3fxxrxr.exe 92 PID 1496 wrote to memory of 1144 1496 hhtnhb.exe 93 PID 1496 wrote to 
memory of 1144 1496 hhtnhb.exe 93 PID 1496 wrote to memory of 1144 1496 hhtnhb.exe 93 PID 1144 wrote to memory of 4184 1144 hbntnt.exe 94 PID 1144 wrote to memory of 4184 1144 hbntnt.exe 94 PID 1144 wrote to memory of 4184 1144 hbntnt.exe 94 PID 4184 wrote to memory of 4072 4184 jpddj.exe 95 PID 4184 wrote to memory of 4072 4184 jpddj.exe 95 PID 4184 wrote to memory of 4072 4184 jpddj.exe 95 PID 4072 wrote to memory of 3232 4072 llffxxx.exe 96 PID 4072 wrote to memory of 3232 4072 llffxxx.exe 96 PID 4072 wrote to memory of 3232 4072 llffxxx.exe 96 PID 3232 wrote to memory of 316 3232 7nnhbb.exe 97 PID 3232 wrote to memory of 316 3232 7nnhbb.exe 97 PID 3232 wrote to memory of 316 3232 7nnhbb.exe 97 PID 316 wrote to memory of 4500 316 3vvpp.exe 98 PID 316 wrote to memory of 4500 316 3vvpp.exe 98 PID 316 wrote to memory of 4500 316 3vvpp.exe 98 PID 4500 wrote to memory of 3268 4500 xlfxrrr.exe 99 PID 4500 wrote to memory of 3268 4500 xlfxrrr.exe 99 PID 4500 wrote to memory of 3268 4500 xlfxrrr.exe 99 PID 3268 wrote to memory of 2256 3268 lffxrlf.exe 100 PID 3268 wrote to memory of 2256 3268 lffxrlf.exe 100 PID 3268 wrote to memory of 2256 3268 lffxrlf.exe 100 PID 2256 wrote to memory of 3296 2256 lrxxxrl.exe 101 PID 2256 wrote to memory of 3296 2256 lrxxxrl.exe 101 PID 2256 wrote to memory of 3296 2256 lrxxxrl.exe 101 PID 3296 wrote to memory of 4884 3296 9jjdv.exe 102 PID 3296 wrote to memory of 4884 3296 9jjdv.exe 102 PID 3296 wrote to memory of 4884 3296 9jjdv.exe 102 PID 4884 wrote to memory of 2236 4884 vvpjj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5591fc74457178e0d6e66d0172058eb25380bfa49d908c03ef343545583ac10N.exe"C:\Users\Admin\AppData\Local\Temp\f5591fc74457178e0d6e66d0172058eb25380bfa49d908c03ef343545583ac10N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\fxrrxxx.exec:\fxrrxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\bnbnnh.exec:\bnbnnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\hhhnnn.exec:\hhhnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\rllfxxl.exec:\rllfxxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\dvddd.exec:\dvddd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\lffxxrr.exec:\lffxxrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\7ttnnn.exec:\7ttnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\1ttnnt.exec:\1ttnnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\vpddp.exec:\vpddp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\3fxxrxr.exec:\3fxxrxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\hhtnhb.exec:\hhtnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\hbntnt.exec:\hbntnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\jpddj.exec:\jpddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\llffxxx.exec:\llffxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\7nnhbb.exec:\7nnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\3vvpp.exec:\3vvpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\xlfxrrr.exec:\xlfxrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\lffxrlf.exec:\lffxrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\lrxxxrl.exec:\lrxxxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\9jjdv.exec:\9jjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\vvpjj.exec:\vvpjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\frxrlfx.exec:\frxrlfx.exe23⤵
- Executes dropped EXE
PID:2236 -
\??\c:\lllxrrx.exec:\lllxrrx.exe24⤵
- Executes dropped EXE
PID:2216 -
\??\c:\djpvp.exec:\djpvp.exe25⤵
- Executes dropped EXE
PID:1372 -
\??\c:\dvddd.exec:\dvddd.exe26⤵
- Executes dropped EXE
PID:2832 -
\??\c:\rlrlllx.exec:\rlrlllx.exe27⤵
- Executes dropped EXE
PID:1100 -
\??\c:\pddvp.exec:\pddvp.exe28⤵
- Executes dropped EXE
PID:396 -
\??\c:\1djdj.exec:\1djdj.exe29⤵
- Executes dropped EXE
PID:3160 -
\??\c:\bbnbnn.exec:\bbnbnn.exe30⤵
- Executes dropped EXE
PID:4840 -
\??\c:\jvddv.exec:\jvddv.exe31⤵
- Executes dropped EXE
PID:3044 -
\??\c:\nhhhnn.exec:\nhhhnn.exe32⤵
- Executes dropped EXE
PID:4496 -
\??\c:\lffxxrr.exec:\lffxxrr.exe33⤵
- Executes dropped EXE
PID:4888 -
\??\c:\tbhttt.exec:\tbhttt.exe34⤵
- Executes dropped EXE
PID:2540 -
\??\c:\5vppp.exec:\5vppp.exe35⤵
- Executes dropped EXE
PID:2544 -
\??\c:\fflfxrl.exec:\fflfxrl.exe36⤵
- Executes dropped EXE
PID:1464 -
\??\c:\tnhbnh.exec:\tnhbnh.exe37⤵
- Executes dropped EXE
PID:2420 -
\??\c:\jpvpv.exec:\jpvpv.exe38⤵
- Executes dropped EXE
PID:3284 -
\??\c:\3rxrxxx.exec:\3rxrxxx.exe39⤵
- Executes dropped EXE
PID:2944 -
\??\c:\hbbtnb.exec:\hbbtnb.exe40⤵
- Executes dropped EXE
PID:4124 -
\??\c:\nhhbbt.exec:\nhhbbt.exe41⤵
- Executes dropped EXE
PID:232 -
\??\c:\jvpjd.exec:\jvpjd.exe42⤵
- Executes dropped EXE
PID:4984 -
\??\c:\flrlxxr.exec:\flrlxxr.exe43⤵
- Executes dropped EXE
PID:4404 -
\??\c:\ttbbtt.exec:\ttbbtt.exe44⤵
- Executes dropped EXE
PID:4028 -
\??\c:\dpvvp.exec:\dpvvp.exe45⤵
- Executes dropped EXE
PID:4692 -
\??\c:\fxxlxrf.exec:\fxxlxrf.exe46⤵
- Executes dropped EXE
PID:4432 -
\??\c:\nbhbtn.exec:\nbhbtn.exe47⤵
- Executes dropped EXE
PID:2136 -
\??\c:\nnbthh.exec:\nnbthh.exe48⤵
- Executes dropped EXE
PID:3580 -
\??\c:\1vjdp.exec:\1vjdp.exe49⤵
- Executes dropped EXE
PID:3312 -
\??\c:\1llrfxx.exec:\1llrfxx.exe50⤵
- Executes dropped EXE
PID:4860 -
\??\c:\nhhhbt.exec:\nhhhbt.exe51⤵
- Executes dropped EXE
PID:5116 -
\??\c:\jddvj.exec:\jddvj.exe52⤵
- Executes dropped EXE
PID:1380 -
\??\c:\xrfxllr.exec:\xrfxllr.exe53⤵
- Executes dropped EXE
PID:3912 -
\??\c:\nhbnhb.exec:\nhbnhb.exe54⤵
- Executes dropped EXE
PID:8 -
\??\c:\bbhbtn.exec:\bbhbtn.exe55⤵
- Executes dropped EXE
PID:540 -
\??\c:\jjjdp.exec:\jjjdp.exe56⤵
- Executes dropped EXE
PID:3016 -
\??\c:\nhnhnh.exec:\nhnhnh.exe57⤵
- Executes dropped EXE
PID:1200 -
\??\c:\hnbbtt.exec:\hnbbtt.exe58⤵
- Executes dropped EXE
PID:3436 -
\??\c:\7rlxlfr.exec:\7rlxlfr.exe59⤵
- Executes dropped EXE
PID:1488 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2292 -
\??\c:\tntnnn.exec:\tntnnn.exe61⤵
- Executes dropped EXE
PID:4800 -
\??\c:\vjpjp.exec:\vjpjp.exe62⤵
- Executes dropped EXE
PID:4184 -
\??\c:\fxrfrlx.exec:\fxrfrlx.exe63⤵
- Executes dropped EXE
PID:4436 -
\??\c:\bthtnh.exec:\bthtnh.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1048 -
\??\c:\vppjp.exec:\vppjp.exe65⤵
- Executes dropped EXE
PID:2128 -
\??\c:\pjppj.exec:\pjppj.exe66⤵PID:316
-
\??\c:\xllfxrl.exec:\xllfxrl.exe67⤵PID:324
-
\??\c:\nhhthb.exec:\nhhthb.exe68⤵PID:1556
-
\??\c:\ppvpj.exec:\ppvpj.exe69⤵PID:920
-
\??\c:\fflfxfx.exec:\fflfxfx.exe70⤵PID:3080
-
\??\c:\rxffxxx.exec:\rxffxxx.exe71⤵PID:2900
-
\??\c:\7btnbt.exec:\7btnbt.exe72⤵PID:780
-
\??\c:\vjvvv.exec:\vjvvv.exe73⤵PID:2256
-
\??\c:\xlrxxrr.exec:\xlrxxrr.exe74⤵PID:3132
-
\??\c:\lfrlfff.exec:\lfrlfff.exe75⤵PID:552
-
\??\c:\hbhbbb.exec:\hbhbbb.exe76⤵PID:4472
-
\??\c:\ddvvp.exec:\ddvvp.exe77⤵PID:4988
-
\??\c:\frrfllr.exec:\frrfllr.exe78⤵PID:2216
-
\??\c:\tnbbnt.exec:\tnbbnt.exe79⤵PID:4444
-
\??\c:\nhtnhn.exec:\nhtnhn.exe80⤵
- System Location Discovery: System Language Discovery
PID:1268 -
\??\c:\9jjdv.exec:\9jjdv.exe81⤵PID:892
-
\??\c:\fxlfxlf.exec:\fxlfxlf.exe82⤵PID:1616
-
\??\c:\bbnthh.exec:\bbnthh.exe83⤵PID:396
-
\??\c:\hthbtn.exec:\hthbtn.exe84⤵PID:2444
-
\??\c:\djdpj.exec:\djdpj.exe85⤵PID:4652
-
\??\c:\fxxlfxr.exec:\fxxlfxr.exe86⤵PID:724
-
\??\c:\btbnhb.exec:\btbnhb.exe87⤵PID:2612
-
\??\c:\9hhnhn.exec:\9hhnhn.exe88⤵PID:2424
-
\??\c:\vpjdv.exec:\vpjdv.exe89⤵PID:4608
-
\??\c:\xrxrfff.exec:\xrxrfff.exe90⤵PID:4700
-
\??\c:\bnnhtn.exec:\bnnhtn.exe91⤵PID:4996
-
\??\c:\jdpjj.exec:\jdpjj.exe92⤵PID:3560
-
\??\c:\lfrllfl.exec:\lfrllfl.exe93⤵PID:3860
-
\??\c:\rxrlllf.exec:\rxrlllf.exe94⤵PID:2544
-
\??\c:\ttbhhh.exec:\ttbhhh.exe95⤵PID:1464
-
\??\c:\ppvpj.exec:\ppvpj.exe96⤵
- System Location Discovery: System Language Discovery
PID:628 -
\??\c:\llxxlrr.exec:\llxxlrr.exe97⤵PID:2420
-
\??\c:\rllfxrl.exec:\rllfxrl.exe98⤵PID:4152
-
\??\c:\thhbnh.exec:\thhbnh.exe99⤵PID:1864
-
\??\c:\jvddv.exec:\jvddv.exe100⤵PID:1112
-
\??\c:\xlxrlfx.exec:\xlxrlfx.exe101⤵PID:4588
-
\??\c:\9hhbhn.exec:\9hhbhn.exe102⤵PID:2392
-
\??\c:\vddvp.exec:\vddvp.exe103⤵PID:4408
-
\??\c:\djvpj.exec:\djvpj.exe104⤵PID:2184
-
\??\c:\fxxrffx.exec:\fxxrffx.exe105⤵PID:3892
-
\??\c:\3bhbtt.exec:\3bhbtt.exe106⤵PID:1572
-
\??\c:\3jdpj.exec:\3jdpj.exe107⤵PID:5100
-
\??\c:\rflffrr.exec:\rflffrr.exe108⤵PID:4344
-
\??\c:\xxxrlrr.exec:\xxxrlrr.exe109⤵PID:468
-
\??\c:\hnnbtt.exec:\hnnbtt.exe110⤵PID:3676
-
\??\c:\9vpjd.exec:\9vpjd.exe111⤵PID:4564
-
\??\c:\7llxrrl.exec:\7llxrrl.exe112⤵PID:4284
-
\??\c:\hhhhbb.exec:\hhhhbb.exe113⤵PID:2448
-
\??\c:\9djvj.exec:\9djvj.exe114⤵PID:1116
-
\??\c:\pppjd.exec:\pppjd.exe115⤵PID:3948
-
\??\c:\lllfxrl.exec:\lllfxrl.exe116⤵PID:5096
-
\??\c:\nnhbtt.exec:\nnhbtt.exe117⤵PID:4052
-
\??\c:\hhnhtt.exec:\hhnhtt.exe118⤵PID:1540
-
\??\c:\pvvjd.exec:\pvvjd.exe119⤵PID:2396
-
\??\c:\frxrlff.exec:\frxrlff.exe120⤵PID:4240
-
\??\c:\bhnhbh.exec:\bhnhbh.exe121⤵PID:3992
-
\??\c:\jpddp.exec:\jpddp.exe122⤵PID:4524