Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:53
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe
-
Size
454KB
-
MD5
93e7a04c0c38b78117ea6718d36de650
-
SHA1
ea92c0589c7c37b23be137cb96535bb4e6529d86
-
SHA256
fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aa
-
SHA512
ad133aaaa031b2edd8a47b8b9f9152c785b64dd03ba2bddec981f04e14eea5fea7f3cbf4fc8770fe610fea21d36539468758cc56f0bb330ac15d32fd4725a8e3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbejr:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3564-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/744-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1020-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-798-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-851-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4348-1410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1616 nnnhhb.exe 4884 jpvpj.exe 3188 rxfxllf.exe 5032 bntnnn.exe 4208 hbbtnn.exe 2808 lrlxlrf.exe 1264 7pppj.exe 372 xxffffx.exe 2064 vdppj.exe 3476 lrxfrrl.exe 4696 pvdvp.exe 1284 lrxxffl.exe 1436 hbbhtt.exe 1020 5rlfllf.exe 2960 xrrxlrl.exe 3272 jdjdv.exe 4872 nhbbtb.exe 1104 dpdjp.exe 2328 3fxrlrr.exe 412 7hnhbb.exe 216 rfrlfrl.exe 1620 hnnbtn.exe 4948 dddpd.exe 3280 1hthbt.exe 744 5rxxffl.exe 1676 ttbtbb.exe 3464 1vpdp.exe 4292 7xlfllx.exe 2156 7tnnhb.exe 4592 3pdvj.exe 1352 9rlxlfr.exe 3968 bthbnn.exe 3304 xrrlfxr.exe 4480 ttntnt.exe 3792 pvvpd.exe 3544 dpdpj.exe 1792 1lrfxlx.exe 2052 thbttb.exe 3492 vdjvj.exe 1804 3xfrrll.exe 2068 1tnbnn.exe 4268 3rrrlll.exe 920 3nhtnh.exe 4712 ddvvp.exe 3060 3pjdp.exe 2428 rffrfxl.exe 1888 3tnnbb.exe 4952 pdvpp.exe 3724 xllfxxr.exe 3568 3hnnhh.exe 3456 5vpjd.exe 4704 7ffrlll.exe 4984 9xfrrll.exe 4684 hbnnhh.exe 5004 dvvpj.exe 5112 5xxlffr.exe 2552 nnhnth.exe 4272 jdvpj.exe 1728 5pjvd.exe 2036 lfxrllf.exe 4048 xlfxlfr.exe 1784 dvjdp.exe 1020 xfxxxrr.exe 3672 1bttht.exe -
resource yara_rule behavioral2/memory/3564-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3464-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-328-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1348-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-788-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-798-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfxrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3564 wrote to memory of 1616 3564 fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe 83 PID 3564 wrote to memory of 1616 3564 fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe 83 PID 3564 wrote to memory of 1616 3564 fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe 83 PID 1616 wrote to memory of 4884 1616 nnnhhb.exe 84 PID 1616 wrote to memory of 4884 1616 nnnhhb.exe 84 PID 1616 wrote to memory of 4884 1616 nnnhhb.exe 84 PID 4884 wrote to memory of 3188 4884 jpvpj.exe 85 PID 4884 wrote to memory of 3188 4884 jpvpj.exe 85 PID 4884 wrote to memory of 3188 4884 jpvpj.exe 85 PID 3188 wrote to memory of 5032 3188 rxfxllf.exe 86 PID 3188 wrote to memory of 5032 3188 rxfxllf.exe 86 PID 3188 wrote to memory of 5032 3188 rxfxllf.exe 86 PID 5032 wrote to memory of 4208 5032 bntnnn.exe 87 PID 5032 wrote to memory of 4208 5032 bntnnn.exe 87 PID 5032 wrote to memory of 4208 5032 bntnnn.exe 87 PID 4208 wrote to memory of 2808 4208 hbbtnn.exe 88 PID 4208 wrote to memory of 2808 4208 hbbtnn.exe 88 PID 4208 wrote to memory of 2808 4208 hbbtnn.exe 88 PID 2808 wrote to memory of 1264 2808 lrlxlrf.exe 89 PID 2808 wrote to memory of 1264 2808 lrlxlrf.exe 89 PID 2808 wrote to memory of 1264 2808 lrlxlrf.exe 89 PID 1264 wrote to memory of 372 1264 7pppj.exe 90 PID 1264 wrote to memory of 372 1264 7pppj.exe 90 PID 1264 wrote to memory of 372 1264 7pppj.exe 90 PID 372 wrote to memory of 2064 372 xxffffx.exe 91 PID 372 wrote to memory of 2064 372 xxffffx.exe 91 PID 372 wrote to memory of 2064 372 xxffffx.exe 91 PID 2064 wrote to memory of 3476 2064 vdppj.exe 92 PID 2064 wrote to memory of 3476 2064 vdppj.exe 92 PID 2064 wrote to memory of 3476 2064 vdppj.exe 92 PID 3476 wrote to memory of 4696 3476 lrxfrrl.exe 93 PID 3476 wrote to memory of 4696 3476 lrxfrrl.exe 93 PID 3476 wrote to memory of 4696 3476 lrxfrrl.exe 93 PID 4696 wrote to memory of 1284 4696 pvdvp.exe 94 PID 4696 wrote to 
memory of 1284 4696 pvdvp.exe 94 PID 4696 wrote to memory of 1284 4696 pvdvp.exe 94 PID 1284 wrote to memory of 1436 1284 lrxxffl.exe 95 PID 1284 wrote to memory of 1436 1284 lrxxffl.exe 95 PID 1284 wrote to memory of 1436 1284 lrxxffl.exe 95 PID 1436 wrote to memory of 1020 1436 hbbhtt.exe 96 PID 1436 wrote to memory of 1020 1436 hbbhtt.exe 96 PID 1436 wrote to memory of 1020 1436 hbbhtt.exe 96 PID 1020 wrote to memory of 2960 1020 5rlfllf.exe 97 PID 1020 wrote to memory of 2960 1020 5rlfllf.exe 97 PID 1020 wrote to memory of 2960 1020 5rlfllf.exe 97 PID 2960 wrote to memory of 3272 2960 xrrxlrl.exe 98 PID 2960 wrote to memory of 3272 2960 xrrxlrl.exe 98 PID 2960 wrote to memory of 3272 2960 xrrxlrl.exe 98 PID 3272 wrote to memory of 4872 3272 jdjdv.exe 99 PID 3272 wrote to memory of 4872 3272 jdjdv.exe 99 PID 3272 wrote to memory of 4872 3272 jdjdv.exe 99 PID 4872 wrote to memory of 1104 4872 nhbbtb.exe 100 PID 4872 wrote to memory of 1104 4872 nhbbtb.exe 100 PID 4872 wrote to memory of 1104 4872 nhbbtb.exe 100 PID 1104 wrote to memory of 2328 1104 dpdjp.exe 101 PID 1104 wrote to memory of 2328 1104 dpdjp.exe 101 PID 1104 wrote to memory of 2328 1104 dpdjp.exe 101 PID 2328 wrote to memory of 412 2328 3fxrlrr.exe 102 PID 2328 wrote to memory of 412 2328 3fxrlrr.exe 102 PID 2328 wrote to memory of 412 2328 3fxrlrr.exe 102 PID 412 wrote to memory of 216 412 7hnhbb.exe 103 PID 412 wrote to memory of 216 412 7hnhbb.exe 103 PID 412 wrote to memory of 216 412 7hnhbb.exe 103 PID 216 wrote to memory of 1620 216 rfrlfrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe"C:\Users\Admin\AppData\Local\Temp\fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\nnnhhb.exec:\nnnhhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\jpvpj.exec:\jpvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\rxfxllf.exec:\rxfxllf.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\bntnnn.exec:\bntnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\hbbtnn.exec:\hbbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\lrlxlrf.exec:\lrlxlrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\7pppj.exec:\7pppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\xxffffx.exec:\xxffffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\vdppj.exec:\vdppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\lrxfrrl.exec:\lrxfrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\pvdvp.exec:\pvdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\lrxxffl.exec:\lrxxffl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\hbbhtt.exec:\hbbhtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\5rlfllf.exec:\5rlfllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\xrrxlrl.exec:\xrrxlrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\jdjdv.exec:\jdjdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\nhbbtb.exec:\nhbbtb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\dpdjp.exec:\dpdjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\3fxrlrr.exec:\3fxrlrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\7hnhbb.exec:\7hnhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\rfrlfrl.exec:\rfrlfrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\hnnbtn.exec:\hnnbtn.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620 -
\??\c:\dddpd.exec:\dddpd.exe24⤵
- Executes dropped EXE
PID:4948 -
\??\c:\1hthbt.exec:\1hthbt.exe25⤵
- Executes dropped EXE
PID:3280 -
\??\c:\5rxxffl.exec:\5rxxffl.exe26⤵
- Executes dropped EXE
PID:744 -
\??\c:\ttbtbb.exec:\ttbtbb.exe27⤵
- Executes dropped EXE
PID:1676 -
\??\c:\1vpdp.exec:\1vpdp.exe28⤵
- Executes dropped EXE
PID:3464 -
\??\c:\7xlfllx.exec:\7xlfllx.exe29⤵
- Executes dropped EXE
PID:4292 -
\??\c:\7tnnhb.exec:\7tnnhb.exe30⤵
- Executes dropped EXE
PID:2156 -
\??\c:\3pdvj.exec:\3pdvj.exe31⤵
- Executes dropped EXE
PID:4592 -
\??\c:\9rlxlfr.exec:\9rlxlfr.exe32⤵
- Executes dropped EXE
PID:1352 -
\??\c:\bthbnn.exec:\bthbnn.exe33⤵
- Executes dropped EXE
PID:3968 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe34⤵
- Executes dropped EXE
PID:3304 -
\??\c:\ttntnt.exec:\ttntnt.exe35⤵
- Executes dropped EXE
PID:4480 -
\??\c:\pvvpd.exec:\pvvpd.exe36⤵
- Executes dropped EXE
PID:3792 -
\??\c:\dpdpj.exec:\dpdpj.exe37⤵
- Executes dropped EXE
PID:3544 -
\??\c:\1lrfxlx.exec:\1lrfxlx.exe38⤵
- Executes dropped EXE
PID:1792 -
\??\c:\thbttb.exec:\thbttb.exe39⤵
- Executes dropped EXE
PID:2052 -
\??\c:\vdjvj.exec:\vdjvj.exe40⤵
- Executes dropped EXE
PID:3492 -
\??\c:\3xfrrll.exec:\3xfrrll.exe41⤵
- Executes dropped EXE
PID:1804 -
\??\c:\1tnbnn.exec:\1tnbnn.exe42⤵
- Executes dropped EXE
PID:2068 -
\??\c:\3rrrlll.exec:\3rrrlll.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4268 -
\??\c:\3nhtnh.exec:\3nhtnh.exe44⤵
- Executes dropped EXE
PID:920 -
\??\c:\ddvvp.exec:\ddvvp.exe45⤵
- Executes dropped EXE
PID:4712 -
\??\c:\3pjdp.exec:\3pjdp.exe46⤵
- Executes dropped EXE
PID:3060 -
\??\c:\rffrfxl.exec:\rffrfxl.exe47⤵
- Executes dropped EXE
PID:2428 -
\??\c:\3tnnbb.exec:\3tnnbb.exe48⤵
- Executes dropped EXE
PID:1888 -
\??\c:\pdvpp.exec:\pdvpp.exe49⤵
- Executes dropped EXE
PID:4952 -
\??\c:\xllfxxr.exec:\xllfxxr.exe50⤵
- Executes dropped EXE
PID:3724 -
\??\c:\3hnnhh.exec:\3hnnhh.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3568 -
\??\c:\5vpjd.exec:\5vpjd.exe52⤵
- Executes dropped EXE
PID:3456 -
\??\c:\7ffrlll.exec:\7ffrlll.exe53⤵
- Executes dropped EXE
PID:4704 -
\??\c:\9xfrrll.exec:\9xfrrll.exe54⤵
- Executes dropped EXE
PID:4984 -
\??\c:\hbnnhh.exec:\hbnnhh.exe55⤵
- Executes dropped EXE
PID:4684 -
\??\c:\dvvpj.exec:\dvvpj.exe56⤵
- Executes dropped EXE
PID:5004 -
\??\c:\5xxlffr.exec:\5xxlffr.exe57⤵
- Executes dropped EXE
PID:5112 -
\??\c:\nnhnth.exec:\nnhnth.exe58⤵
- Executes dropped EXE
PID:2552 -
\??\c:\jdvpj.exec:\jdvpj.exe59⤵
- Executes dropped EXE
PID:4272 -
\??\c:\5pjvd.exec:\5pjvd.exe60⤵
- Executes dropped EXE
PID:1728 -
\??\c:\lfxrllf.exec:\lfxrllf.exe61⤵
- Executes dropped EXE
PID:2036 -
\??\c:\xlfxlfr.exec:\xlfxlfr.exe62⤵
- Executes dropped EXE
PID:4048 -
\??\c:\dvjdp.exec:\dvjdp.exe63⤵
- Executes dropped EXE
PID:1784 -
\??\c:\xfxxxrr.exec:\xfxxxrr.exe64⤵
- Executes dropped EXE
PID:1020 -
\??\c:\1bttht.exec:\1bttht.exe65⤵
- Executes dropped EXE
PID:3672 -
\??\c:\7pvpd.exec:\7pvpd.exe66⤵PID:4768
-
\??\c:\9rlfxxx.exec:\9rlfxxx.exe67⤵PID:2944
-
\??\c:\1bhbtn.exec:\1bhbtn.exe68⤵PID:1104
-
\??\c:\nhbtbt.exec:\nhbtbt.exe69⤵PID:4472
-
\??\c:\jvvjd.exec:\jvvjd.exe70⤵PID:4140
-
\??\c:\flfxrrx.exec:\flfxrrx.exe71⤵PID:2768
-
\??\c:\ntbtnn.exec:\ntbtnn.exe72⤵PID:5028
-
\??\c:\3vpdp.exec:\3vpdp.exe73⤵
- System Location Discovery: System Language Discovery
PID:3248 -
\??\c:\lfxlrlf.exec:\lfxlrlf.exe74⤵PID:1348
-
\??\c:\xlrrxfr.exec:\xlrrxfr.exe75⤵PID:2976
-
\??\c:\5tnbtn.exec:\5tnbtn.exe76⤵PID:1772
-
\??\c:\5dvjd.exec:\5dvjd.exe77⤵PID:4372
-
\??\c:\7lrlrfr.exec:\7lrlrfr.exe78⤵PID:3048
-
\??\c:\hhhbtt.exec:\hhhbtt.exe79⤵PID:2660
-
\??\c:\pjvjj.exec:\pjvjj.exe80⤵PID:4180
-
\??\c:\rrfrrrx.exec:\rrfrrrx.exe81⤵PID:4672
-
\??\c:\ttnnnb.exec:\ttnnnb.exe82⤵PID:5016
-
\??\c:\1hthbt.exec:\1hthbt.exe83⤵PID:4592
-
\??\c:\3vpdp.exec:\3vpdp.exe84⤵PID:2040
-
\??\c:\lfxrllf.exec:\lfxrllf.exe85⤵PID:1352
-
\??\c:\9frlffr.exec:\9frlffr.exe86⤵PID:2092
-
\??\c:\9bthbb.exec:\9bthbb.exe87⤵PID:4120
-
\??\c:\3vpjv.exec:\3vpjv.exe88⤵PID:4480
-
\??\c:\rflxxrl.exec:\rflxxrl.exe89⤵PID:2096
-
\??\c:\lrxlfxr.exec:\lrxlfxr.exe90⤵PID:212
-
\??\c:\5bhtbt.exec:\5bhtbt.exe91⤵PID:376
-
\??\c:\jpvvp.exec:\jpvvp.exe92⤵PID:1664
-
\??\c:\xlrfxll.exec:\xlrfxll.exe93⤵PID:2504
-
\??\c:\nhhbnn.exec:\nhhbnn.exe94⤵PID:1924
-
\??\c:\btbnbt.exec:\btbnbt.exe95⤵PID:664
-
\??\c:\vjvdd.exec:\vjvdd.exe96⤵PID:4000
-
\??\c:\flxllfx.exec:\flxllfx.exe97⤵PID:4920
-
\??\c:\hnnhht.exec:\hnnhht.exe98⤵PID:4172
-
\??\c:\vjpjd.exec:\vjpjd.exe99⤵PID:5108
-
\??\c:\5vvvv.exec:\5vvvv.exe100⤵PID:1372
-
\??\c:\llrlrrf.exec:\llrlrrf.exe101⤵PID:3288
-
\??\c:\7tnbnh.exec:\7tnbnh.exe102⤵PID:4692
-
\??\c:\jjdvj.exec:\jjdvj.exe103⤵PID:4952
-
\??\c:\jpvjv.exec:\jpvjv.exe104⤵PID:3724
-
\??\c:\xflxfxl.exec:\xflxfxl.exe105⤵PID:1144
-
\??\c:\bthbbb.exec:\bthbbb.exe106⤵PID:2060
-
\??\c:\vdpdp.exec:\vdpdp.exe107⤵PID:2896
-
\??\c:\3vjvp.exec:\3vjvp.exe108⤵PID:4456
-
\??\c:\lrfrfrl.exec:\lrfrfrl.exe109⤵PID:4188
-
\??\c:\tnnnnb.exec:\tnnnnb.exe110⤵PID:32
-
\??\c:\9ddvp.exec:\9ddvp.exe111⤵PID:3476
-
\??\c:\jvdjv.exec:\jvdjv.exe112⤵PID:4696
-
\??\c:\lffxlxr.exec:\lffxlxr.exe113⤵PID:3552
-
\??\c:\vddvp.exec:\vddvp.exe114⤵PID:3208
-
\??\c:\jdvjv.exec:\jdvjv.exe115⤵PID:3836
-
\??\c:\rffxrrl.exec:\rffxrrl.exe116⤵PID:3184
-
\??\c:\vpvvj.exec:\vpvvj.exe117⤵PID:4044
-
\??\c:\djddv.exec:\djddv.exe118⤵PID:1020
-
\??\c:\rxfrxrl.exec:\rxfrxrl.exe119⤵PID:4400
-
\??\c:\nhnbbt.exec:\nhnbbt.exe120⤵PID:5056
-
\??\c:\1hhthb.exec:\1hhthb.exe121⤵PID:5020
-
\??\c:\1pjdv.exec:\1pjdv.exe122⤵PID:3432