Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 06:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6d1de2c3ec769ef701911115812635fbe1a3efd290afacbe7134dcc4a8bc7a79.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6d1de2c3ec769ef701911115812635fbe1a3efd290afacbe7134dcc4a8bc7a79.exe
-
Size
454KB
-
MD5
faa0a835c341a1f316ad2584bc330dc0
-
SHA1
4cf6222d4dc5ea590ae8b7a37b366eed0575915d
-
SHA256
6d1de2c3ec769ef701911115812635fbe1a3efd290afacbe7134dcc4a8bc7a79
-
SHA512
3ba1bfbdab5c0314c3d55054550cd55579b514f2ef5ee76bda7de701246ad63526c8901ae0278e862b9e4f5083fa223c7bd1eb0c8212248e52653bb3351f9957
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2356-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1636-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2264-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-934-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-1019-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-1054-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-1702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2356 rrxrxrx.exe 2276 nbbtbb.exe 3204 bnnnhh.exe 2768 vjjdd.exe 960 bnnhbt.exe 4516 7jpjd.exe 3236 ffxxrrx.exe 2704 lllfxfx.exe 3200 hhhhbb.exe 2740 lxxxrlf.exe 1400 htbtnn.exe 2496 lfxrllf.exe 208 nhtnbt.exe 4500 5jjdp.exe 4920 llllfxx.exe 2716 nnnbtt.exe 3280 3xxrrlf.exe 1688 fxlxxrx.exe 4424 thhtnb.exe 3988 jjvpj.exe 2344 pvdvp.exe 4820 1flfrrl.exe 4720 bhhtnh.exe 3692 tbhbtn.exe 456 djpdv.exe 4200 1rrlxxr.exe 2536 rxfxrlx.exe 3704 bnbtnh.exe 2852 dvdvv.exe 1132 jjvjd.exe 4260 9xxxrrl.exe 2228 1nbthh.exe 3580 bttnbb.exe 2008 1vvpp.exe 4040 vjjvp.exe 1636 7lfxrxr.exe 1544 tnnhbb.exe 3484 tbhbtn.exe 1224 jdddv.exe 1696 lrxllll.exe 1324 lrlxllx.exe 1576 htthnn.exe 408 5dddd.exe 2788 7vdvp.exe 3568 llxrlfx.exe 4848 hhbbtt.exe 1312 ntbttn.exe 3904 5pvpd.exe 3560 rlrxrxx.exe 1348 rllfxxr.exe 1396 5tntnn.exe 4276 bnnhbt.exe 4480 vjvpp.exe 3256 xfxrffx.exe 3152 dvpjd.exe 1864 lfxxrrl.exe 4344 3hhbtb.exe 4588 ntthbb.exe 2068 jjpjd.exe 2116 vjjjv.exe 2420 fxrfxll.exe 4748 jjjdp.exe 1644 dpdvp.exe 3220 5xxxxxx.exe -
resource yara_rule behavioral2/memory/2356-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-201-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2008-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2020-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-934-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-1019-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-1054-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1600 wrote to memory of 2356 1600 6d1de2c3ec769ef701911115812635fbe1a3efd290afacbe7134dcc4a8bc7a79.exe 82 PID 1600 wrote to memory of 2356 1600 6d1de2c3ec769ef701911115812635fbe1a3efd290afacbe7134dcc4a8bc7a79.exe 82 PID 1600 wrote to memory of 2356 1600 6d1de2c3ec769ef701911115812635fbe1a3efd290afacbe7134dcc4a8bc7a79.exe 82 PID 2356 wrote to memory of 2276 2356 rrxrxrx.exe 83 PID 2356 wrote to memory of 2276 2356 rrxrxrx.exe 83 PID 2356 wrote to memory of 2276 2356 rrxrxrx.exe 83 PID 2276 wrote to memory of 3204 2276 nbbtbb.exe 84 PID 2276 wrote to memory of 3204 2276 nbbtbb.exe 84 PID 2276 wrote to memory of 3204 2276 nbbtbb.exe 84 PID 3204 wrote to memory of 2768 3204 bnnnhh.exe 85 PID 3204 wrote to memory of 2768 3204 bnnnhh.exe 85 PID 3204 wrote to memory of 2768 3204 bnnnhh.exe 85 PID 2768 wrote to memory of 960 2768 vjjdd.exe 86 PID 2768 wrote to memory of 960 2768 vjjdd.exe 86 PID 2768 wrote to memory of 960 2768 vjjdd.exe 86 PID 960 wrote to memory of 4516 960 bnnhbt.exe 87 PID 960 wrote to memory of 4516 960 bnnhbt.exe 87 PID 960 wrote to memory of 4516 960 bnnhbt.exe 87 PID 4516 wrote to memory of 3236 4516 7jpjd.exe 88 PID 4516 wrote to memory of 3236 4516 7jpjd.exe 88 PID 4516 wrote to memory of 3236 4516 7jpjd.exe 88 PID 3236 wrote to memory of 2704 3236 ffxxrrx.exe 89 PID 3236 wrote to memory of 2704 3236 ffxxrrx.exe 89 PID 3236 wrote to memory of 2704 3236 ffxxrrx.exe 89 PID 2704 wrote to memory of 3200 2704 lllfxfx.exe 90 PID 2704 wrote to memory of 3200 2704 lllfxfx.exe 90 PID 2704 wrote to memory of 3200 2704 lllfxfx.exe 90 PID 3200 wrote to memory of 2740 3200 hhhhbb.exe 91 PID 3200 wrote to memory of 2740 3200 hhhhbb.exe 91 PID 3200 wrote to memory of 2740 3200 hhhhbb.exe 91 PID 2740 wrote to memory of 1400 2740 lxxxrlf.exe 92 PID 2740 wrote to memory of 1400 2740 lxxxrlf.exe 92 PID 2740 wrote to memory of 1400 2740 lxxxrlf.exe 92 PID 1400 wrote to memory of 2496 1400 htbtnn.exe 93 PID 1400 wrote to 
memory of 2496 1400 htbtnn.exe 93 PID 1400 wrote to memory of 2496 1400 htbtnn.exe 93 PID 2496 wrote to memory of 208 2496 lfxrllf.exe 94 PID 2496 wrote to memory of 208 2496 lfxrllf.exe 94 PID 2496 wrote to memory of 208 2496 lfxrllf.exe 94 PID 208 wrote to memory of 4500 208 nhtnbt.exe 95 PID 208 wrote to memory of 4500 208 nhtnbt.exe 95 PID 208 wrote to memory of 4500 208 nhtnbt.exe 95 PID 4500 wrote to memory of 4920 4500 5jjdp.exe 96 PID 4500 wrote to memory of 4920 4500 5jjdp.exe 96 PID 4500 wrote to memory of 4920 4500 5jjdp.exe 96 PID 4920 wrote to memory of 2716 4920 llllfxx.exe 97 PID 4920 wrote to memory of 2716 4920 llllfxx.exe 97 PID 4920 wrote to memory of 2716 4920 llllfxx.exe 97 PID 2716 wrote to memory of 3280 2716 nnnbtt.exe 98 PID 2716 wrote to memory of 3280 2716 nnnbtt.exe 98 PID 2716 wrote to memory of 3280 2716 nnnbtt.exe 98 PID 3280 wrote to memory of 1688 3280 3xxrrlf.exe 99 PID 3280 wrote to memory of 1688 3280 3xxrrlf.exe 99 PID 3280 wrote to memory of 1688 3280 3xxrrlf.exe 99 PID 1688 wrote to memory of 4424 1688 fxlxxrx.exe 100 PID 1688 wrote to memory of 4424 1688 fxlxxrx.exe 100 PID 1688 wrote to memory of 4424 1688 fxlxxrx.exe 100 PID 4424 wrote to memory of 3988 4424 thhtnb.exe 101 PID 4424 wrote to memory of 3988 4424 thhtnb.exe 101 PID 4424 wrote to memory of 3988 4424 thhtnb.exe 101 PID 3988 wrote to memory of 2344 3988 jjvpj.exe 102 PID 3988 wrote to memory of 2344 3988 jjvpj.exe 102 PID 3988 wrote to memory of 2344 3988 jjvpj.exe 102 PID 2344 wrote to memory of 4820 2344 pvdvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d1de2c3ec769ef701911115812635fbe1a3efd290afacbe7134dcc4a8bc7a79.exe"C:\Users\Admin\AppData\Local\Temp\6d1de2c3ec769ef701911115812635fbe1a3efd290afacbe7134dcc4a8bc7a79.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\rrxrxrx.exec:\rrxrxrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\nbbtbb.exec:\nbbtbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\bnnnhh.exec:\bnnnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\vjjdd.exec:\vjjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\bnnhbt.exec:\bnnhbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\7jpjd.exec:\7jpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\ffxxrrx.exec:\ffxxrrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\lllfxfx.exec:\lllfxfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\hhhhbb.exec:\hhhhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\lxxxrlf.exec:\lxxxrlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\htbtnn.exec:\htbtnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\lfxrllf.exec:\lfxrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\nhtnbt.exec:\nhtnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\5jjdp.exec:\5jjdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\llllfxx.exec:\llllfxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\nnnbtt.exec:\nnnbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\3xxrrlf.exec:\3xxrrlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\fxlxxrx.exec:\fxlxxrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\thhtnb.exec:\thhtnb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\jjvpj.exec:\jjvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\pvdvp.exec:\pvdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\1flfrrl.exec:\1flfrrl.exe23⤵
- Executes dropped EXE
PID:4820 -
\??\c:\bhhtnh.exec:\bhhtnh.exe24⤵
- Executes dropped EXE
PID:4720 -
\??\c:\tbhbtn.exec:\tbhbtn.exe25⤵
- Executes dropped EXE
PID:3692 -
\??\c:\djpdv.exec:\djpdv.exe26⤵
- Executes dropped EXE
PID:456 -
\??\c:\1rrlxxr.exec:\1rrlxxr.exe27⤵
- Executes dropped EXE
PID:4200 -
\??\c:\rxfxrlx.exec:\rxfxrlx.exe28⤵
- Executes dropped EXE
PID:2536 -
\??\c:\bnbtnh.exec:\bnbtnh.exe29⤵
- Executes dropped EXE
PID:3704 -
\??\c:\dvdvv.exec:\dvdvv.exe30⤵
- Executes dropped EXE
PID:2852 -
\??\c:\jjvjd.exec:\jjvjd.exe31⤵
- Executes dropped EXE
PID:1132 -
\??\c:\9xxxrrl.exec:\9xxxrrl.exe32⤵
- Executes dropped EXE
PID:4260 -
\??\c:\1nbthh.exec:\1nbthh.exe33⤵
- Executes dropped EXE
PID:2228 -
\??\c:\bttnbb.exec:\bttnbb.exe34⤵
- Executes dropped EXE
PID:3580 -
\??\c:\1vvpp.exec:\1vvpp.exe35⤵
- Executes dropped EXE
PID:2008 -
\??\c:\vjjvp.exec:\vjjvp.exe36⤵
- Executes dropped EXE
PID:4040 -
\??\c:\7lfxrxr.exec:\7lfxrxr.exe37⤵
- Executes dropped EXE
PID:1636 -
\??\c:\tnnhbb.exec:\tnnhbb.exe38⤵
- Executes dropped EXE
PID:1544 -
\??\c:\tbhbtn.exec:\tbhbtn.exe39⤵
- Executes dropped EXE
PID:3484 -
\??\c:\jdddv.exec:\jdddv.exe40⤵
- Executes dropped EXE
PID:1224 -
\??\c:\lrxllll.exec:\lrxllll.exe41⤵
- Executes dropped EXE
PID:1696 -
\??\c:\lrlxllx.exec:\lrlxllx.exe42⤵
- Executes dropped EXE
PID:1324 -
\??\c:\htthnn.exec:\htthnn.exe43⤵
- Executes dropped EXE
PID:1576 -
\??\c:\5dddd.exec:\5dddd.exe44⤵
- Executes dropped EXE
PID:408 -
\??\c:\7vdvp.exec:\7vdvp.exe45⤵
- Executes dropped EXE
PID:2788 -
\??\c:\llxrlfx.exec:\llxrlfx.exe46⤵
- Executes dropped EXE
PID:3568 -
\??\c:\hhbbtt.exec:\hhbbtt.exe47⤵
- Executes dropped EXE
PID:4848 -
\??\c:\ntbttn.exec:\ntbttn.exe48⤵
- Executes dropped EXE
PID:1312 -
\??\c:\5pvpd.exec:\5pvpd.exe49⤵
- Executes dropped EXE
PID:3904 -
\??\c:\rlrxrxx.exec:\rlrxrxx.exe50⤵
- Executes dropped EXE
PID:3560 -
\??\c:\rllfxxr.exec:\rllfxxr.exe51⤵
- Executes dropped EXE
PID:1348 -
\??\c:\5tntnn.exec:\5tntnn.exe52⤵
- Executes dropped EXE
PID:1396 -
\??\c:\bnnhbt.exec:\bnnhbt.exe53⤵
- Executes dropped EXE
PID:4276 -
\??\c:\vjvpp.exec:\vjvpp.exe54⤵
- Executes dropped EXE
PID:4480 -
\??\c:\xfxrffx.exec:\xfxrffx.exe55⤵
- Executes dropped EXE
PID:3256 -
\??\c:\dvpjd.exec:\dvpjd.exe56⤵
- Executes dropped EXE
PID:3152 -
\??\c:\lfxxrrl.exec:\lfxxrrl.exe57⤵
- Executes dropped EXE
PID:1864 -
\??\c:\3hhbtb.exec:\3hhbtb.exe58⤵
- Executes dropped EXE
PID:4344 -
\??\c:\ntthbb.exec:\ntthbb.exe59⤵
- Executes dropped EXE
PID:4588 -
\??\c:\jjpjd.exec:\jjpjd.exe60⤵
- Executes dropped EXE
PID:2068 -
\??\c:\vjjjv.exec:\vjjjv.exe61⤵
- Executes dropped EXE
PID:2116 -
\??\c:\fxrfxll.exec:\fxrfxll.exe62⤵
- Executes dropped EXE
PID:2420 -
\??\c:\jjjdp.exec:\jjjdp.exe63⤵
- Executes dropped EXE
PID:4748 -
\??\c:\dpdvp.exec:\dpdvp.exe64⤵
- Executes dropped EXE
PID:1644 -
\??\c:\5xxxxxx.exec:\5xxxxxx.exe65⤵
- Executes dropped EXE
PID:3220 -
\??\c:\3lrxrxl.exec:\3lrxrxl.exe66⤵PID:3360
-
\??\c:\lfrflff.exec:\lfrflff.exe67⤵PID:3516
-
\??\c:\jdvvv.exec:\jdvvv.exe68⤵PID:2644
-
\??\c:\9lrlxrx.exec:\9lrlxrx.exe69⤵PID:2264
-
\??\c:\thnnhb.exec:\thnnhb.exe70⤵PID:4808
-
\??\c:\ddvpp.exec:\ddvpp.exe71⤵PID:972
-
\??\c:\ddjdv.exec:\ddjdv.exe72⤵PID:60
-
\??\c:\xflxrlf.exec:\xflxrlf.exe73⤵PID:2500
-
\??\c:\5nhhbb.exec:\5nhhbb.exe74⤵PID:3944
-
\??\c:\jddvv.exec:\jddvv.exe75⤵PID:2136
-
\??\c:\rllfxrr.exec:\rllfxrr.exe76⤵PID:4868
-
\??\c:\9bhbth.exec:\9bhbth.exe77⤵PID:892
-
\??\c:\jpvvp.exec:\jpvvp.exe78⤵PID:4300
-
\??\c:\flrlxxl.exec:\flrlxxl.exe79⤵PID:2020
-
\??\c:\rfrlfxr.exec:\rfrlfxr.exe80⤵PID:1468
-
\??\c:\btnhbb.exec:\btnhbb.exe81⤵PID:4612
-
\??\c:\hhtbnt.exec:\hhtbnt.exe82⤵PID:3280
-
\??\c:\pdjdv.exec:\pdjdv.exe83⤵PID:2120
-
\??\c:\9xxrffx.exec:\9xxrffx.exe84⤵PID:4424
-
\??\c:\nntnbt.exec:\nntnbt.exe85⤵PID:4756
-
\??\c:\jdjdd.exec:\jdjdd.exe86⤵PID:4076
-
\??\c:\vjpjj.exec:\vjpjj.exe87⤵PID:4888
-
\??\c:\fflllfx.exec:\fflllfx.exe88⤵PID:1144
-
\??\c:\ntbthh.exec:\ntbthh.exe89⤵PID:696
-
\??\c:\btbbnt.exec:\btbbnt.exe90⤵PID:1520
-
\??\c:\9vpdj.exec:\9vpdj.exe91⤵PID:984
-
\??\c:\xlrfrrl.exec:\xlrfrrl.exe92⤵PID:2536
-
\??\c:\bthbnn.exec:\bthbnn.exe93⤵PID:4364
-
\??\c:\hnhbnn.exec:\hnhbnn.exe94⤵PID:3744
-
\??\c:\djjdd.exec:\djjdd.exe95⤵PID:2944
-
\??\c:\xfxxffr.exec:\xfxxffr.exe96⤵PID:4508
-
\??\c:\5tnhbt.exec:\5tnhbt.exe97⤵PID:1732
-
\??\c:\pvdpj.exec:\pvdpj.exe98⤵PID:2148
-
\??\c:\vppjd.exec:\vppjd.exe99⤵PID:1496
-
\??\c:\rlxlllf.exec:\rlxlllf.exe100⤵PID:3524
-
\??\c:\ntbbtt.exec:\ntbbtt.exe101⤵PID:1852
-
\??\c:\tnnhhh.exec:\tnnhhh.exe102⤵PID:1072
-
\??\c:\jvdvp.exec:\jvdvp.exe103⤵PID:1484
-
\??\c:\7lffxrl.exec:\7lffxrl.exe104⤵PID:1192
-
\??\c:\1xfxllx.exec:\1xfxllx.exe105⤵PID:5052
-
\??\c:\hbbbtt.exec:\hbbbtt.exe106⤵PID:2132
-
\??\c:\pddpd.exec:\pddpd.exe107⤵PID:1748
-
\??\c:\lxfrllx.exec:\lxfrllx.exe108⤵PID:3912
-
\??\c:\lxfxlfx.exec:\lxfxlfx.exe109⤵PID:4848
-
\??\c:\nbbtnn.exec:\nbbtnn.exe110⤵PID:1728
-
\??\c:\thhbnh.exec:\thhbnh.exe111⤵PID:1956
-
\??\c:\vvdvv.exec:\vvdvv.exe112⤵PID:3708
-
\??\c:\fflfxrf.exec:\fflfxrf.exe113⤵PID:3560
-
\??\c:\lfxfxrl.exec:\lfxfxrl.exe114⤵PID:4024
-
\??\c:\1hbttt.exec:\1hbttt.exe115⤵PID:764
-
\??\c:\1hnhbb.exec:\1hnhbb.exe116⤵PID:2616
-
\??\c:\jdjpv.exec:\jdjpv.exe117⤵PID:4236
-
\??\c:\lxxrrll.exec:\lxxrrll.exe118⤵PID:4320
-
\??\c:\htthtn.exec:\htthtn.exe119⤵PID:4228
-
\??\c:\pjjdp.exec:\pjjdp.exe120⤵PID:5108
-
\??\c:\xffrlfx.exec:\xffrlfx.exe121⤵PID:2524
-
\??\c:\rfrlllr.exec:\rfrlllr.exe122⤵PID:2312