Analysis
-
max time kernel
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
08/08/2024, 18:18
Behavioral task
behavioral1
Sample
079b7027998acda04d10c65bab53859436ec30d4e68b81ed419c4d68cf243a12.exe
Resource
win7-20240708-en
6 signatures
150 seconds
General
-
Target
079b7027998acda04d10c65bab53859436ec30d4e68b81ed419c4d68cf243a12.exe
-
Size
56KB
-
MD5
706bf3eb172849161403b83ca813a492
-
SHA1
1d6342d9fad2384921098573b2a616f09a0a5045
-
SHA256
079b7027998acda04d10c65bab53859436ec30d4e68b81ed419c4d68cf243a12
-
SHA512
66a0780869ebe48fc0af7e9d0dfbb0b4b9fd7679effeca59150aa2faa6129cbf968dff7bd713da955afe53d52bc3764360e7f4549a681cf897a3d36da6b13de1
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8yaVskCzY6D:9hOmTsF93UYfwC6GIoutyaVszb
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4192-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3624-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2072-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4120-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3852-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3036-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/748-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2520-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2428-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4596-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3216-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4908-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4912-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2004-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4228-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1808-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3068-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1344-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3152-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/60-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2000-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4232-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3712-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2024-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3328-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2432-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2012-355-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2724-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3800-418-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3984-424-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-477-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-499-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-518-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1648-557-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3396-590-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-600-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/32-753-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4444-899-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-1177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-1502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4528-1914-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3624 nbnhnn.exe 2072 9pvvv.exe 4120 vvvpd.exe 4080 frrrxxr.exe 4480 1bbtnn.exe 212 jpjjv.exe 3852 rrlfllx.exe 4320 fxrlfrl.exe 3036 bbhtnn.exe 1536 dvvdj.exe 3024 rlrflfx.exe 2632 xlrlffx.exe 748 tthnbh.exe 3848 vjppd.exe 1392 lffrlfx.exe 2520 btbtnn.exe 2428 bntbhh.exe 2772 frllfrr.exe 4596 htbbbb.exe 3216 dvppj.exe 4908 jjjjd.exe 216 xflfxxr.exe 4272 1dpjj.exe 4912 fxxrfff.exe 2372 ttbtbb.exe 2212 rlffxlf.exe 3600 9nnhhh.exe 2004 hhbhhb.exe 4584 rxxrrrr.exe 448 bhnhbb.exe 3856 5nbttt.exe 4872 httthh.exe 2436 dvjvp.exe 4228 3rrfxxx.exe 5096 nnttbb.exe 1808 djdvp.exe 3068 vvvvp.exe 1608 xxlxrrr.exe 3292 btttnn.exe 1344 jdjjd.exe 3556 jjjdp.exe 1720 fflllff.exe 1724 bhtnhh.exe 736 ttbbtt.exe 3940 vdvvp.exe 1452 dvdvv.exe 1444 fxrrrll.exe 4116 tttnnb.exe 3952 tthbhh.exe 4436 vpjdv.exe 3692 jddvp.exe 3152 rllfffx.exe 4464 3bhbtt.exe 4760 pjjjp.exe 60 jdjdp.exe 1620 5xlxllf.exe 32 bthtnn.exe 4772 3ntthh.exe 4232 djdvp.exe 4420 rlfxxxr.exe 4200 flrrlrr.exe 4780 bntntt.exe 3712 7ddjj.exe 5076 xlxrffx.exe -
resource yara_rule behavioral2/memory/4192-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00090000000233ff-3.dat upx behavioral2/memory/4192-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3624-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023467-10.dat upx behavioral2/files/0x0007000000023468-13.dat upx behavioral2/memory/2072-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4120-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023469-21.dat upx behavioral2/files/0x000700000002346a-27.dat upx behavioral2/memory/4080-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002346b-33.dat upx behavioral2/memory/4480-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002346c-39.dat upx behavioral2/memory/3852-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002346d-45.dat upx behavioral2/files/0x000700000002346e-50.dat upx behavioral2/memory/4320-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002346f-56.dat upx behavioral2/memory/3036-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1536-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023470-63.dat upx behavioral2/memory/1536-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023471-69.dat upx behavioral2/memory/3024-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2632-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023472-78.dat upx behavioral2/memory/2632-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023473-83.dat upx behavioral2/memory/748-81-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023474-88.dat upx behavioral2/files/0x0007000000023475-93.dat upx behavioral2/memory/1392-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023476-100.dat upx behavioral2/memory/2520-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023477-106.dat upx behavioral2/memory/2428-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023478-112.dat upx behavioral2/memory/4596-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023479-117.dat upx behavioral2/memory/3216-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002347a-125.dat upx behavioral2/memory/4908-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002347b-129.dat upx behavioral2/files/0x000700000002347c-134.dat upx behavioral2/memory/216-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002347d-139.dat upx behavioral2/memory/4272-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023465-148.dat upx behavioral2/memory/4912-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002347e-152.dat upx behavioral2/memory/2372-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002347f-158.dat upx behavioral2/memory/2212-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023480-164.dat upx behavioral2/memory/3600-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023481-170.dat upx behavioral2/memory/2004-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023482-176.dat upx behavioral2/memory/4584-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023483-182.dat upx 
behavioral2/files/0x0007000000023484-187.dat upx behavioral2/memory/4228-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1808-206-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4192 wrote to memory of 3624 4192 079b7027998acda04d10c65bab53859436ec30d4e68b81ed419c4d68cf243a12.exe 81 PID 4192 wrote to memory of 3624 4192 079b7027998acda04d10c65bab53859436ec30d4e68b81ed419c4d68cf243a12.exe 81 PID 4192 wrote to memory of 3624 4192 079b7027998acda04d10c65bab53859436ec30d4e68b81ed419c4d68cf243a12.exe 81 PID 3624 wrote to memory of 2072 3624 nbnhnn.exe 82 PID 3624 wrote to memory of 2072 3624 nbnhnn.exe 82 PID 3624 wrote to memory of 2072 3624 nbnhnn.exe 82 PID 2072 wrote to memory of 4120 2072 9pvvv.exe 83 PID 2072 wrote to memory of 4120 2072 9pvvv.exe 83 PID 2072 wrote to memory of 4120 2072 9pvvv.exe 83 PID 4120 wrote to memory of 4080 4120 vvvpd.exe 84 PID 4120 wrote to memory of 4080 4120 vvvpd.exe 84 PID 4120 wrote to memory of 4080 4120 vvvpd.exe 84 PID 4080 wrote to memory of 4480 4080 frrrxxr.exe 85 PID 4080 wrote to memory of 4480 4080 frrrxxr.exe 85 PID 4080 wrote to memory of 4480 4080 frrrxxr.exe 85 PID 4480 wrote to memory of 212 4480 1bbtnn.exe 86 PID 4480 wrote to memory of 212 4480 1bbtnn.exe 86 PID 4480 wrote to memory of 212 4480 1bbtnn.exe 86 PID 212 wrote to memory of 3852 212 jpjjv.exe 87 PID 212 wrote to memory of 3852 212 jpjjv.exe 87 PID 212 wrote to memory of 3852 212 jpjjv.exe 87 PID 3852 wrote to memory of 4320 3852 rrlfllx.exe 88 PID 3852 wrote to memory of 4320 3852 rrlfllx.exe 88 PID 3852 wrote to memory of 4320 3852 rrlfllx.exe 88 PID 4320 wrote to memory of 3036 4320 fxrlfrl.exe 89 PID 4320 wrote to memory of 3036 4320 fxrlfrl.exe 89 PID 4320 wrote to memory of 3036 4320 fxrlfrl.exe 89 PID 3036 wrote to memory of 1536 3036 bbhtnn.exe 90 PID 3036 wrote to memory of 1536 3036 bbhtnn.exe 90 PID 3036 wrote to memory of 1536 3036 bbhtnn.exe 90 PID 1536 wrote to memory of 3024 1536 dvvdj.exe 91 PID 1536 wrote to memory of 3024 1536 dvvdj.exe 91 PID 1536 wrote to memory of 3024 1536 dvvdj.exe 91 PID 3024 wrote to memory of 2632 3024 rlrflfx.exe 92 PID 3024 wrote to memory of 
2632 3024 rlrflfx.exe 92 PID 3024 wrote to memory of 2632 3024 rlrflfx.exe 92 PID 2632 wrote to memory of 748 2632 xlrlffx.exe 93 PID 2632 wrote to memory of 748 2632 xlrlffx.exe 93 PID 2632 wrote to memory of 748 2632 xlrlffx.exe 93 PID 748 wrote to memory of 3848 748 tthnbh.exe 94 PID 748 wrote to memory of 3848 748 tthnbh.exe 94 PID 748 wrote to memory of 3848 748 tthnbh.exe 94 PID 3848 wrote to memory of 1392 3848 vjppd.exe 95 PID 3848 wrote to memory of 1392 3848 vjppd.exe 95 PID 3848 wrote to memory of 1392 3848 vjppd.exe 95 PID 1392 wrote to memory of 2520 1392 lffrlfx.exe 96 PID 1392 wrote to memory of 2520 1392 lffrlfx.exe 96 PID 1392 wrote to memory of 2520 1392 lffrlfx.exe 96 PID 2520 wrote to memory of 2428 2520 btbtnn.exe 97 PID 2520 wrote to memory of 2428 2520 btbtnn.exe 97 PID 2520 wrote to memory of 2428 2520 btbtnn.exe 97 PID 2428 wrote to memory of 2772 2428 bntbhh.exe 98 PID 2428 wrote to memory of 2772 2428 bntbhh.exe 98 PID 2428 wrote to memory of 2772 2428 bntbhh.exe 98 PID 2772 wrote to memory of 4596 2772 frllfrr.exe 99 PID 2772 wrote to memory of 4596 2772 frllfrr.exe 99 PID 2772 wrote to memory of 4596 2772 frllfrr.exe 99 PID 4596 wrote to memory of 3216 4596 htbbbb.exe 100 PID 4596 wrote to memory of 3216 4596 htbbbb.exe 100 PID 4596 wrote to memory of 3216 4596 htbbbb.exe 100 PID 3216 wrote to memory of 4908 3216 dvppj.exe 101 PID 3216 wrote to memory of 4908 3216 dvppj.exe 101 PID 3216 wrote to memory of 4908 3216 dvppj.exe 101 PID 4908 wrote to memory of 216 4908 jjjjd.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\079b7027998acda04d10c65bab53859436ec30d4e68b81ed419c4d68cf243a12.exe"C:\Users\Admin\AppData\Local\Temp\079b7027998acda04d10c65bab53859436ec30d4e68b81ed419c4d68cf243a12.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\nbnhnn.exec:\nbnhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\9pvvv.exec:\9pvvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\vvvpd.exec:\vvvpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\frrrxxr.exec:\frrrxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\1bbtnn.exec:\1bbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\jpjjv.exec:\jpjjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\rrlfllx.exec:\rrlfllx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\fxrlfrl.exec:\fxrlfrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\bbhtnn.exec:\bbhtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\dvvdj.exec:\dvvdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\rlrflfx.exec:\rlrflfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\xlrlffx.exec:\xlrlffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\tthnbh.exec:\tthnbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\vjppd.exec:\vjppd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\lffrlfx.exec:\lffrlfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\btbtnn.exec:\btbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\bntbhh.exec:\bntbhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\frllfrr.exec:\frllfrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\htbbbb.exec:\htbbbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\dvppj.exec:\dvppj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\jjjjd.exec:\jjjjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\xflfxxr.exec:\xflfxxr.exe23⤵
- Executes dropped EXE
PID:216 -
\??\c:\1dpjj.exec:\1dpjj.exe24⤵
- Executes dropped EXE
PID:4272 -
\??\c:\fxxrfff.exec:\fxxrfff.exe25⤵
- Executes dropped EXE
PID:4912 -
\??\c:\ttbtbb.exec:\ttbtbb.exe26⤵
- Executes dropped EXE
PID:2372 -
\??\c:\rlffxlf.exec:\rlffxlf.exe27⤵
- Executes dropped EXE
PID:2212 -
\??\c:\9nnhhh.exec:\9nnhhh.exe28⤵
- Executes dropped EXE
PID:3600 -
\??\c:\hhbhhb.exec:\hhbhhb.exe29⤵
- Executes dropped EXE
PID:2004 -
\??\c:\rxxrrrr.exec:\rxxrrrr.exe30⤵
- Executes dropped EXE
PID:4584 -
\??\c:\bhnhbb.exec:\bhnhbb.exe31⤵
- Executes dropped EXE
PID:448 -
\??\c:\5nbttt.exec:\5nbttt.exe32⤵
- Executes dropped EXE
PID:3856 -
\??\c:\httthh.exec:\httthh.exe33⤵
- Executes dropped EXE
PID:4872 -
\??\c:\dvjvp.exec:\dvjvp.exe34⤵
- Executes dropped EXE
PID:2436 -
\??\c:\3rrfxxx.exec:\3rrfxxx.exe35⤵
- Executes dropped EXE
PID:4228 -
\??\c:\nnttbb.exec:\nnttbb.exe36⤵
- Executes dropped EXE
PID:5096 -
\??\c:\djdvp.exec:\djdvp.exe37⤵
- Executes dropped EXE
PID:1808 -
\??\c:\vvvvp.exec:\vvvvp.exe38⤵
- Executes dropped EXE
PID:3068 -
\??\c:\xxlxrrr.exec:\xxlxrrr.exe39⤵
- Executes dropped EXE
PID:1608 -
\??\c:\btttnn.exec:\btttnn.exe40⤵
- Executes dropped EXE
PID:3292 -
\??\c:\jdjjd.exec:\jdjjd.exe41⤵
- Executes dropped EXE
PID:1344 -
\??\c:\jjjdp.exec:\jjjdp.exe42⤵
- Executes dropped EXE
PID:3556 -
\??\c:\fflllff.exec:\fflllff.exe43⤵
- Executes dropped EXE
PID:1720 -
\??\c:\bhtnhh.exec:\bhtnhh.exe44⤵
- Executes dropped EXE
PID:1724 -
\??\c:\ttbbtt.exec:\ttbbtt.exe45⤵
- Executes dropped EXE
PID:736 -
\??\c:\vdvvp.exec:\vdvvp.exe46⤵
- Executes dropped EXE
PID:3940 -
\??\c:\dvdvv.exec:\dvdvv.exe47⤵
- Executes dropped EXE
PID:1452 -
\??\c:\fxrrrll.exec:\fxrrrll.exe48⤵
- Executes dropped EXE
PID:1444 -
\??\c:\tttnnb.exec:\tttnnb.exe49⤵
- Executes dropped EXE
PID:4116 -
\??\c:\tthbhh.exec:\tthbhh.exe50⤵
- Executes dropped EXE
PID:3952 -
\??\c:\vpjdv.exec:\vpjdv.exe51⤵
- Executes dropped EXE
PID:4436 -
\??\c:\jddvp.exec:\jddvp.exe52⤵
- Executes dropped EXE
PID:3692 -
\??\c:\rllfffx.exec:\rllfffx.exe53⤵
- Executes dropped EXE
PID:3152 -
\??\c:\3bhbtt.exec:\3bhbtt.exe54⤵
- Executes dropped EXE
PID:4464 -
\??\c:\pjjjp.exec:\pjjjp.exe55⤵
- Executes dropped EXE
PID:4760 -
\??\c:\jdjdp.exec:\jdjdp.exe56⤵
- Executes dropped EXE
PID:60 -
\??\c:\5xlxllf.exec:\5xlxllf.exe57⤵
- Executes dropped EXE
PID:1620 -
\??\c:\bthtnn.exec:\bthtnn.exe58⤵
- Executes dropped EXE
PID:32 -
\??\c:\3ntthh.exec:\3ntthh.exe59⤵
- Executes dropped EXE
PID:4772 -
\??\c:\vvddd.exec:\vvddd.exe60⤵PID:2000
-
\??\c:\djdvp.exec:\djdvp.exe61⤵
- Executes dropped EXE
PID:4232 -
\??\c:\rlfxxxr.exec:\rlfxxxr.exe62⤵
- Executes dropped EXE
PID:4420 -
\??\c:\flrrlrr.exec:\flrrlrr.exe63⤵
- Executes dropped EXE
PID:4200 -
\??\c:\bntntt.exec:\bntntt.exe64⤵
- Executes dropped EXE
PID:4780 -
\??\c:\7ddjj.exec:\7ddjj.exe65⤵
- Executes dropped EXE
PID:3712 -
\??\c:\xlxrffx.exec:\xlxrffx.exe66⤵
- Executes dropped EXE
PID:5076 -
\??\c:\nttttb.exec:\nttttb.exe67⤵PID:4720
-
\??\c:\ntthtn.exec:\ntthtn.exe68⤵PID:4236
-
\??\c:\jdvjv.exec:\jdvjv.exe69⤵PID:2204
-
\??\c:\vdjjd.exec:\vdjjd.exe70⤵PID:2024
-
\??\c:\htnbtb.exec:\htnbtb.exe71⤵PID:2256
-
\??\c:\pjdvj.exec:\pjdvj.exe72⤵PID:4020
-
\??\c:\vjjdp.exec:\vjjdp.exe73⤵PID:4148
-
\??\c:\lfrxrlf.exec:\lfrxrlf.exe74⤵PID:4952
-
\??\c:\btbnbt.exec:\btbnbt.exe75⤵PID:764
-
\??\c:\3bhbtt.exec:\3bhbtt.exe76⤵PID:1536
-
\??\c:\7dpjj.exec:\7dpjj.exe77⤵PID:3328
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe78⤵PID:2432
-
\??\c:\llrrlfx.exec:\llrrlfx.exe79⤵PID:4664
-
\??\c:\5tnttn.exec:\5tnttn.exe80⤵PID:3492
-
\??\c:\vvjjj.exec:\vvjjj.exe81⤵PID:2012
-
\??\c:\llxrffx.exec:\llxrffx.exe82⤵PID:2716
-
\??\c:\bbthnb.exec:\bbthnb.exe83⤵PID:2724
-
\??\c:\ntbnhb.exec:\ntbnhb.exe84⤵PID:4948
-
\??\c:\dddpd.exec:\dddpd.exe85⤵PID:4932
-
\??\c:\vdvpd.exec:\vdvpd.exe86⤵PID:2340
-
\??\c:\xrfrfxx.exec:\xrfrfxx.exe87⤵PID:4500
-
\??\c:\rrllffx.exec:\rrllffx.exe88⤵PID:2220
-
\??\c:\hhbbtn.exec:\hhbbtn.exe89⤵PID:2244
-
\??\c:\jddvd.exec:\jddvd.exe90⤵PID:4856
-
\??\c:\jdjdv.exec:\jdjdv.exe91⤵PID:2304
-
\??\c:\lfxxllx.exec:\lfxxllx.exe92⤵PID:536
-
\??\c:\xflfrrl.exec:\xflfrrl.exe93⤵PID:4716
-
\??\c:\tbhhbb.exec:\tbhhbb.exe94⤵PID:4852
-
\??\c:\7bbnbt.exec:\7bbnbt.exe95⤵PID:3060
-
\??\c:\dvdvp.exec:\dvdvp.exe96⤵PID:4912
-
\??\c:\9lrfrlx.exec:\9lrfrlx.exe97⤵PID:3196
-
\??\c:\7xxxlfx.exec:\7xxxlfx.exe98⤵PID:2904
-
\??\c:\httnbt.exec:\httnbt.exe99⤵PID:400
-
\??\c:\bbhbnh.exec:\bbhbnh.exe100⤵PID:4076
-
\??\c:\djpjv.exec:\djpjv.exe101⤵PID:3800
-
\??\c:\vvvpd.exec:\vvvpd.exe102⤵PID:3984
-
\??\c:\xrlrrrl.exec:\xrlrrrl.exe103⤵PID:1180
-
\??\c:\bthbnh.exec:\bthbnh.exe104⤵PID:3380
-
\??\c:\5vddd.exec:\5vddd.exe105⤵PID:4824
-
\??\c:\vjddv.exec:\vjddv.exe106⤵PID:1716
-
\??\c:\xllfxrr.exec:\xllfxrr.exe107⤵PID:4988
-
\??\c:\ntttnh.exec:\ntttnh.exe108⤵PID:1804
-
\??\c:\nntnhb.exec:\nntnhb.exe109⤵PID:4752
-
\??\c:\djdjd.exec:\djdjd.exe110⤵PID:2604
-
\??\c:\pvpdp.exec:\pvpdp.exe111⤵PID:3068
-
\??\c:\lxffrrl.exec:\lxffrrl.exe112⤵PID:1608
-
\??\c:\1thhtn.exec:\1thhtn.exe113⤵PID:2820
-
\??\c:\bbhthh.exec:\bbhthh.exe114⤵PID:1344
-
\??\c:\ntnhtn.exec:\ntnhtn.exe115⤵PID:3016
-
\??\c:\vdjdd.exec:\vdjdd.exe116⤵PID:3188
-
\??\c:\xllxffx.exec:\xllxffx.exe117⤵PID:2176
-
\??\c:\bthhnt.exec:\bthhnt.exe118⤵PID:3532
-
\??\c:\nnnbtn.exec:\nnnbtn.exe119⤵PID:2136
-
\??\c:\vddpv.exec:\vddpv.exe120⤵PID:1044
-
\??\c:\rxrxfxr.exec:\rxrxfxr.exe121⤵PID:752
-
\??\c:\ffxxllx.exec:\ffxxllx.exe122⤵PID:2092