Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 02:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe
-
Size
454KB
-
MD5
114e100b2c654b36c590d8ce7c024311
-
SHA1
ff2061252792bb59729fd0ac1b1c4fd63cf04842
-
SHA256
77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46
-
SHA512
789affbea2bb088847b8a189fad3cf6f54bc46f704bdee9fd9671422f19142d7203c9ffb934fbbe891f1a049fadf02d78a3f0fe337fb7a77dfc077a98b84cc6e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeq:q7Tc2NYHUrAwfMp3CDq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3412-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4608-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3880-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3412 rrxxfxl.exe 3968 nbnbtt.exe 4372 nnbbth.exe 2092 hnnhbb.exe 3612 9lflffx.exe 3344 nbnhhh.exe 3416 7nhnhh.exe 3708 lxxxrrl.exe 2248 llffxfx.exe 396 xrrfxlf.exe 4516 jdvpj.exe 3240 thnhbn.exe 1500 ddddv.exe 1912 5llrrxx.exe 4852 vjpdd.exe 3472 rfffffx.exe 3428 tnbnhb.exe 1476 7rrfxxr.exe 2732 nhnntn.exe 4488 jvdvj.exe 2804 dvjdv.exe 4256 lffxfxf.exe 4888 fxrlffl.exe 4492 jjpjd.exe 3992 ttbnhb.exe 4608 9jjvv.exe 4916 5rlfrlf.exe 4996 xlfxxrr.exe 2580 7ffxrlf.exe 2028 lxxrlfx.exe 4780 dvdvv.exe 3364 lrrrflx.exe 3448 vjjdj.exe 5020 lxflffr.exe 2224 nnhtbb.exe 4368 pjpjd.exe 1444 frrfrlx.exe 436 9hhbbt.exe 1904 bhnbbh.exe 1388 vjvpj.exe 3688 llxrrll.exe 2892 llffxrr.exe 3920 3vpjd.exe 4644 jdvdj.exe 840 fxlxfrf.exe 2460 bthhbn.exe 4280 vpddv.exe 1396 lflxxrx.exe 1752 tnbttt.exe 2560 jdjdv.exe 4060 ffrrllf.exe 1844 bhnttt.exe 1120 3vpjd.exe 1076 frlfxfx.exe 4788 nbbttt.exe 4980 btnnhh.exe 2108 dppdv.exe 2908 xrfxxxx.exe 5080 7btbth.exe 3880 hbnnbb.exe 868 9jjdv.exe 3960 9jppj.exe 4872 5xrlflf.exe 1492 lffrlff.exe -
resource yara_rule behavioral2/memory/3412-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4608-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-304-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1224-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-538-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrrx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2708 wrote to memory of 3412 2708 77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe 83 PID 2708 wrote to memory of 3412 2708 77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe 83 PID 2708 wrote to memory of 3412 2708 77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe 83 PID 3412 wrote to memory of 3968 3412 rrxxfxl.exe 84 PID 3412 wrote to memory of 3968 3412 rrxxfxl.exe 84 PID 3412 wrote to memory of 3968 3412 rrxxfxl.exe 84 PID 3968 wrote to memory of 4372 3968 nbnbtt.exe 85 PID 3968 wrote to memory of 4372 3968 nbnbtt.exe 85 PID 3968 wrote to memory of 4372 3968 nbnbtt.exe 85 PID 4372 wrote to memory of 2092 4372 nnbbth.exe 86 PID 4372 wrote to memory of 2092 4372 nnbbth.exe 86 PID 4372 wrote to memory of 2092 4372 nnbbth.exe 86 PID 2092 wrote to memory of 3612 2092 hnnhbb.exe 87 PID 2092 wrote to memory of 3612 2092 hnnhbb.exe 87 PID 2092 wrote to memory of 3612 2092 hnnhbb.exe 87 PID 3612 wrote to memory of 3344 3612 9lflffx.exe 88 PID 3612 wrote to memory of 3344 3612 9lflffx.exe 88 PID 3612 wrote to memory of 3344 3612 9lflffx.exe 88 PID 3344 wrote to memory of 3416 3344 nbnhhh.exe 89 PID 3344 wrote to memory of 3416 3344 nbnhhh.exe 89 PID 3344 wrote to memory of 3416 3344 nbnhhh.exe 89 PID 3416 wrote to memory of 3708 3416 7nhnhh.exe 90 PID 3416 wrote to memory of 3708 3416 7nhnhh.exe 90 PID 3416 wrote to memory of 3708 3416 7nhnhh.exe 90 PID 3708 wrote to memory of 2248 3708 lxxxrrl.exe 91 PID 3708 wrote to memory of 2248 3708 lxxxrrl.exe 91 PID 3708 wrote to memory of 2248 3708 lxxxrrl.exe 91 PID 2248 wrote to memory of 396 2248 llffxfx.exe 92 PID 2248 wrote to memory of 396 2248 llffxfx.exe 92 PID 2248 wrote to memory of 396 2248 llffxfx.exe 92 PID 396 wrote to memory of 4516 396 xrrfxlf.exe 93 PID 396 wrote to memory of 4516 396 xrrfxlf.exe 93 PID 396 wrote to memory of 4516 396 xrrfxlf.exe 93 PID 4516 wrote to memory of 3240 4516 jdvpj.exe 94 PID 4516 wrote 
to memory of 3240 4516 jdvpj.exe 94 PID 4516 wrote to memory of 3240 4516 jdvpj.exe 94 PID 3240 wrote to memory of 1500 3240 thnhbn.exe 95 PID 3240 wrote to memory of 1500 3240 thnhbn.exe 95 PID 3240 wrote to memory of 1500 3240 thnhbn.exe 95 PID 1500 wrote to memory of 1912 1500 ddddv.exe 96 PID 1500 wrote to memory of 1912 1500 ddddv.exe 96 PID 1500 wrote to memory of 1912 1500 ddddv.exe 96 PID 1912 wrote to memory of 4852 1912 5llrrxx.exe 97 PID 1912 wrote to memory of 4852 1912 5llrrxx.exe 97 PID 1912 wrote to memory of 4852 1912 5llrrxx.exe 97 PID 4852 wrote to memory of 3472 4852 vjpdd.exe 98 PID 4852 wrote to memory of 3472 4852 vjpdd.exe 98 PID 4852 wrote to memory of 3472 4852 vjpdd.exe 98 PID 3472 wrote to memory of 3428 3472 rfffffx.exe 99 PID 3472 wrote to memory of 3428 3472 rfffffx.exe 99 PID 3472 wrote to memory of 3428 3472 rfffffx.exe 99 PID 3428 wrote to memory of 1476 3428 tnbnhb.exe 100 PID 3428 wrote to memory of 1476 3428 tnbnhb.exe 100 PID 3428 wrote to memory of 1476 3428 tnbnhb.exe 100 PID 1476 wrote to memory of 2732 1476 7rrfxxr.exe 101 PID 1476 wrote to memory of 2732 1476 7rrfxxr.exe 101 PID 1476 wrote to memory of 2732 1476 7rrfxxr.exe 101 PID 2732 wrote to memory of 4488 2732 nhnntn.exe 102 PID 2732 wrote to memory of 4488 2732 nhnntn.exe 102 PID 2732 wrote to memory of 4488 2732 nhnntn.exe 102 PID 4488 wrote to memory of 2804 4488 jvdvj.exe 103 PID 4488 wrote to memory of 2804 4488 jvdvj.exe 103 PID 4488 wrote to memory of 2804 4488 jvdvj.exe 103 PID 2804 wrote to memory of 4256 2804 dvjdv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe"C:\Users\Admin\AppData\Local\Temp\77a0fdc436dbbcb0d46afb213872950557685968064a87e8de8d001704876c46.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\rrxxfxl.exec:\rrxxfxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\nbnbtt.exec:\nbnbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\nnbbth.exec:\nnbbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\hnnhbb.exec:\hnnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\9lflffx.exec:\9lflffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\nbnhhh.exec:\nbnhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\7nhnhh.exec:\7nhnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\lxxxrrl.exec:\lxxxrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\llffxfx.exec:\llffxfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\xrrfxlf.exec:\xrrfxlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\jdvpj.exec:\jdvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\thnhbn.exec:\thnhbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\ddddv.exec:\ddddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\5llrrxx.exec:\5llrrxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\vjpdd.exec:\vjpdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\rfffffx.exec:\rfffffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\tnbnhb.exec:\tnbnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\7rrfxxr.exec:\7rrfxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\nhnntn.exec:\nhnntn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\jvdvj.exec:\jvdvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\dvjdv.exec:\dvjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\lffxfxf.exec:\lffxfxf.exe23⤵
- Executes dropped EXE
PID:4256 -
\??\c:\fxrlffl.exec:\fxrlffl.exe24⤵
- Executes dropped EXE
PID:4888 -
\??\c:\jjpjd.exec:\jjpjd.exe25⤵
- Executes dropped EXE
PID:4492 -
\??\c:\ttbnhb.exec:\ttbnhb.exe26⤵
- Executes dropped EXE
PID:3992 -
\??\c:\9jjvv.exec:\9jjvv.exe27⤵
- Executes dropped EXE
PID:4608 -
\??\c:\5rlfrlf.exec:\5rlfrlf.exe28⤵
- Executes dropped EXE
PID:4916 -
\??\c:\xlfxxrr.exec:\xlfxxrr.exe29⤵
- Executes dropped EXE
PID:4996 -
\??\c:\7ffxrlf.exec:\7ffxrlf.exe30⤵
- Executes dropped EXE
PID:2580 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe31⤵
- Executes dropped EXE
PID:2028 -
\??\c:\dvdvv.exec:\dvdvv.exe32⤵
- Executes dropped EXE
PID:4780 -
\??\c:\lrrrflx.exec:\lrrrflx.exe33⤵
- Executes dropped EXE
PID:3364 -
\??\c:\vjjdj.exec:\vjjdj.exe34⤵
- Executes dropped EXE
PID:3448 -
\??\c:\lxflffr.exec:\lxflffr.exe35⤵
- Executes dropped EXE
PID:5020 -
\??\c:\nnhtbb.exec:\nnhtbb.exe36⤵
- Executes dropped EXE
PID:2224 -
\??\c:\pjpjd.exec:\pjpjd.exe37⤵
- Executes dropped EXE
PID:4368 -
\??\c:\frrfrlx.exec:\frrfrlx.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1444 -
\??\c:\9hhbbt.exec:\9hhbbt.exe39⤵
- Executes dropped EXE
PID:436 -
\??\c:\bhnbbh.exec:\bhnbbh.exe40⤵
- Executes dropped EXE
PID:1904 -
\??\c:\vjvpj.exec:\vjvpj.exe41⤵
- Executes dropped EXE
PID:1388 -
\??\c:\llxrrll.exec:\llxrrll.exe42⤵
- Executes dropped EXE
PID:3688 -
\??\c:\llffxrr.exec:\llffxrr.exe43⤵
- Executes dropped EXE
PID:2892 -
\??\c:\3vpjd.exec:\3vpjd.exe44⤵
- Executes dropped EXE
PID:3920 -
\??\c:\jdvdj.exec:\jdvdj.exe45⤵
- Executes dropped EXE
PID:4644 -
\??\c:\fxlxfrf.exec:\fxlxfrf.exe46⤵
- Executes dropped EXE
PID:840 -
\??\c:\bthhbn.exec:\bthhbn.exe47⤵
- Executes dropped EXE
PID:2460 -
\??\c:\vpddv.exec:\vpddv.exe48⤵
- Executes dropped EXE
PID:4280 -
\??\c:\lflxxrx.exec:\lflxxrx.exe49⤵
- Executes dropped EXE
PID:1396 -
\??\c:\7rxrffr.exec:\7rxrffr.exe50⤵PID:2708
-
\??\c:\tnbttt.exec:\tnbttt.exe51⤵
- Executes dropped EXE
PID:1752 -
\??\c:\jdjdv.exec:\jdjdv.exe52⤵
- Executes dropped EXE
PID:2560 -
\??\c:\ffrrllf.exec:\ffrrllf.exe53⤵
- Executes dropped EXE
PID:4060 -
\??\c:\bhnttt.exec:\bhnttt.exe54⤵
- Executes dropped EXE
PID:1844 -
\??\c:\3vpjd.exec:\3vpjd.exe55⤵
- Executes dropped EXE
PID:1120 -
\??\c:\frlfxfx.exec:\frlfxfx.exe56⤵
- Executes dropped EXE
PID:1076 -
\??\c:\nbbttt.exec:\nbbttt.exe57⤵
- Executes dropped EXE
PID:4788 -
\??\c:\btnnhh.exec:\btnnhh.exe58⤵
- Executes dropped EXE
PID:4980 -
\??\c:\dppdv.exec:\dppdv.exe59⤵
- Executes dropped EXE
PID:2108 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe60⤵
- Executes dropped EXE
PID:2908 -
\??\c:\7btbth.exec:\7btbth.exe61⤵
- Executes dropped EXE
PID:5080 -
\??\c:\hbnnbb.exec:\hbnnbb.exe62⤵
- Executes dropped EXE
PID:3880 -
\??\c:\9jjdv.exec:\9jjdv.exe63⤵
- Executes dropped EXE
PID:868 -
\??\c:\9jppj.exec:\9jppj.exe64⤵
- Executes dropped EXE
PID:3960 -
\??\c:\5xrlflf.exec:\5xrlflf.exe65⤵
- Executes dropped EXE
PID:4872 -
\??\c:\lffrlff.exec:\lffrlff.exe66⤵
- Executes dropped EXE
PID:1492 -
\??\c:\hbtnhb.exec:\hbtnhb.exe67⤵PID:1224
-
\??\c:\djpjd.exec:\djpjd.exe68⤵PID:3496
-
\??\c:\llxlffx.exec:\llxlffx.exe69⤵PID:4336
-
\??\c:\7nbnhh.exec:\7nbnhh.exe70⤵PID:3500
-
\??\c:\vdddv.exec:\vdddv.exe71⤵PID:3760
-
\??\c:\fflfxxx.exec:\fflfxxx.exe72⤵PID:3428
-
\??\c:\bttnhh.exec:\bttnhh.exe73⤵PID:2388
-
\??\c:\vvjpd.exec:\vvjpd.exe74⤵PID:2904
-
\??\c:\jvjpp.exec:\jvjpp.exe75⤵PID:1012
-
\??\c:\flrxlll.exec:\flrxlll.exe76⤵PID:2672
-
\??\c:\tbthbt.exec:\tbthbt.exe77⤵PID:3544
-
\??\c:\5pdpj.exec:\5pdpj.exe78⤵PID:3804
-
\??\c:\pddpj.exec:\pddpj.exe79⤵PID:4844
-
\??\c:\xlxrlll.exec:\xlxrlll.exe80⤵PID:1852
-
\??\c:\btbnhb.exec:\btbnhb.exe81⤵PID:736
-
\??\c:\jjjdv.exec:\jjjdv.exe82⤵PID:2856
-
\??\c:\3ffffll.exec:\3ffffll.exe83⤵PID:3224
-
\??\c:\nthbtt.exec:\nthbtt.exe84⤵PID:4444
-
\??\c:\pjpjj.exec:\pjpjj.exe85⤵PID:4292
-
\??\c:\jvvjv.exec:\jvvjv.exe86⤵PID:4916
-
\??\c:\xxlllrl.exec:\xxlllrl.exe87⤵PID:4108
-
\??\c:\tttnhn.exec:\tttnhn.exe88⤵PID:892
-
\??\c:\jdvpj.exec:\jdvpj.exe89⤵PID:4616
-
\??\c:\rxlfxrr.exec:\rxlfxrr.exe90⤵PID:4352
-
\??\c:\9nnhtn.exec:\9nnhtn.exe91⤵PID:2512
-
\??\c:\jvvdp.exec:\jvvdp.exe92⤵PID:224
-
\??\c:\fffxrrl.exec:\fffxrrl.exe93⤵PID:3364
-
\??\c:\hhhbtt.exec:\hhhbtt.exe94⤵PID:4880
-
\??\c:\5bbttn.exec:\5bbttn.exe95⤵PID:1588
-
\??\c:\5vjdv.exec:\5vjdv.exe96⤵PID:5096
-
\??\c:\5ffrffx.exec:\5ffrffx.exe97⤵PID:4132
-
\??\c:\rfffxxl.exec:\rfffxxl.exe98⤵PID:1860
-
\??\c:\1nhbnn.exec:\1nhbnn.exe99⤵PID:3912
-
\??\c:\nhnhbh.exec:\nhnhbh.exe100⤵PID:4076
-
\??\c:\5pvpp.exec:\5pvpp.exe101⤵PID:2024
-
\??\c:\xflxrlf.exec:\xflxrlf.exe102⤵PID:4180
-
\??\c:\lfffxxx.exec:\lfffxxx.exe103⤵PID:2884
-
\??\c:\dvvpj.exec:\dvvpj.exe104⤵PID:2868
-
\??\c:\pvvjd.exec:\pvvjd.exe105⤵PID:4716
-
\??\c:\lffrllf.exec:\lffrllf.exe106⤵PID:2652
-
\??\c:\nbnbtn.exec:\nbnbtn.exe107⤵PID:1536
-
\??\c:\dvvpd.exec:\dvvpd.exe108⤵PID:4304
-
\??\c:\jjjdp.exec:\jjjdp.exe109⤵PID:1972
-
\??\c:\7lxxrxl.exec:\7lxxrxl.exe110⤵PID:2736
-
\??\c:\bnbbbh.exec:\bnbbbh.exe111⤵PID:1256
-
\??\c:\9jvpd.exec:\9jvpd.exe112⤵PID:3924
-
\??\c:\pjvjp.exec:\pjvjp.exe113⤵PID:2604
-
\??\c:\lrxrrff.exec:\lrxrrff.exe114⤵PID:4392
-
\??\c:\hhhbtn.exec:\hhhbtn.exe115⤵PID:3552
-
\??\c:\nnnhbn.exec:\nnnhbn.exe116⤵PID:4284
-
\??\c:\vvjdv.exec:\vvjdv.exe117⤵PID:4632
-
\??\c:\rlrrflf.exec:\rlrrflf.exe118⤵PID:2852
-
\??\c:\nhnnbb.exec:\nhnnbb.exe119⤵PID:1744
-
\??\c:\pjvpj.exec:\pjvpj.exe120⤵PID:3416
-
\??\c:\lfxrlrr.exec:\lfxrlrr.exe121⤵PID:4560
-
\??\c:\lxxrrrr.exec:\lxxrrrr.exe122⤵PID:4120