Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17-12-2024 13:46
Behavioral task
behavioral1
Sample
07fa7c8a926bf844880fc48705f069def0417749037859747319d692a8f15d45.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
07fa7c8a926bf844880fc48705f069def0417749037859747319d692a8f15d45.exe
-
Size
334KB
-
MD5
bebbac8ee4ed9d02b8b9e983dced4987
-
SHA1
49f1e18995c51a47f526c31a4675087d7e6054cc
-
SHA256
07fa7c8a926bf844880fc48705f069def0417749037859747319d692a8f15d45
-
SHA512
572aef0b2115b8eb9bf29b383712fc56a97ba19671728f9af1ef86513112f97074f4cb397786a63303fffae784d8477e855b4dddf9e41bc7619f5ee6939bc873
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRe:R4wFHoSHYHUrAwfMp3CDRe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1596-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1516-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3036-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3124-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3788-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3316-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1896-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3116-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5052-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/668-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3476-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2532-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/440-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3028-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3624-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3452-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1700-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/552-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1180-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4324-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2780-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3232-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3936-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3756-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1596-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2308-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1028-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1492-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4852-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3876-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1880-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2096-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4032-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4024-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3280-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1968-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3128-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2508-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1880-447-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-488-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3788-533-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/516-546-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1068-557-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-595-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4068-616-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-679-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-1403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1516 tbthbb.exe 2552 vpvvv.exe 412 tttttn.exe 3036 ppvpv.exe 3124 lfrlfrl.exe 3060 nhbnhb.exe 4572 pdvvj.exe 3788 rfllxrl.exe 1244 9lfrlfx.exe 1312 jpvjd.exe 2172 llrrfxr.exe 3316 bbbnbh.exe 1896 rlfxrrf.exe 2532 nnnhbb.exe 3476 jvpjd.exe 3116 5rxrlrl.exe 668 bnnbth.exe 5052 jppjd.exe 4860 1vdvd.exe 440 btbnht.exe 3028 vvppv.exe 3624 tnhbth.exe 1104 pvvpj.exe 3452 hnhbnh.exe 2480 djjdv.exe 1700 tnttbt.exe 3724 3jpdp.exe 640 bthtnb.exe 3288 dvjdv.exe 552 dppdp.exe 1180 lrrxrrf.exe 4324 dppjv.exe 3140 lxfrrlf.exe 2780 btbthb.exe 3232 pvppd.exe 2332 3fxrfxl.exe 4028 nbbttn.exe 1976 frlxrlf.exe 3280 7ffxrrl.exe 2776 tnthhb.exe 3936 ppvvp.exe 3756 xffrfxl.exe 3504 fxrlfff.exe 1688 bhnhbt.exe 4372 bbhbtt.exe 1888 ddvpd.exe 1596 7rrlxrl.exe 4080 lffxrlx.exe 4536 btnbnh.exe 4496 ttnhhh.exe 4660 tthbnh.exe 436 jjpdv.exe 2992 fflfxrl.exe 3700 xrrlfxr.exe 2308 9tnhbb.exe 996 vvjdv.exe 4388 vvvjj.exe 1436 rlrlxrl.exe 1028 hnnntt.exe 4460 vppjd.exe 2392 pvddv.exe 3408 rflfxrl.exe 1984 bbnhbn.exe 3900 jdvpd.exe -
resource yara_rule behavioral2/memory/1596-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b33-3.dat upx behavioral2/memory/1516-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1596-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b8e-9.dat upx behavioral2/memory/1516-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-12.dat upx behavioral2/memory/2552-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b93-20.dat upx behavioral2/files/0x000a000000023b95-26.dat upx behavioral2/memory/3036-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-30.dat upx behavioral2/files/0x000a000000023b97-36.dat upx behavioral2/memory/4572-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3060-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3060-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3124-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/412-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/412-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-42.dat upx behavioral2/files/0x000a000000023b99-46.dat upx behavioral2/memory/3788-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-51.dat upx behavioral2/files/0x000a000000023b9b-55.dat upx behavioral2/files/0x000a000000023b9c-59.dat upx behavioral2/memory/2172-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3316-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9d-65.dat upx behavioral2/memory/1896-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9e-70.dat upx 
behavioral2/files/0x000a000000023ba0-76.dat upx behavioral2/memory/3116-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba2-86.dat upx behavioral2/files/0x000a000000023ba3-89.dat upx behavioral2/memory/5052-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/668-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba1-81.dat upx behavioral2/memory/3476-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2532-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b8f-95.dat upx behavioral2/files/0x0031000000023ba4-99.dat upx behavioral2/memory/440-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3028-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba5-104.dat upx behavioral2/files/0x0058000000023ba6-110.dat upx behavioral2/memory/3028-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba7-115.dat upx behavioral2/memory/3624-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba8-120.dat upx behavioral2/memory/3452-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba9-123.dat upx behavioral2/files/0x000a000000023baa-127.dat upx behavioral2/memory/1700-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bab-133.dat upx behavioral2/files/0x000a000000023bac-137.dat upx behavioral2/files/0x000a000000023bad-141.dat upx behavioral2/files/0x000a000000023bae-145.dat upx behavioral2/memory/552-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3288-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023baf-151.dat upx behavioral2/files/0x000a000000023bb0-156.dat upx behavioral2/memory/1180-155-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral2/memory/4324-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2780-165-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxrxr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1596 wrote to memory of 1516 1596 07fa7c8a926bf844880fc48705f069def0417749037859747319d692a8f15d45.exe 83 PID 1596 wrote to memory of 1516 1596 07fa7c8a926bf844880fc48705f069def0417749037859747319d692a8f15d45.exe 83 PID 1596 wrote to memory of 1516 1596 07fa7c8a926bf844880fc48705f069def0417749037859747319d692a8f15d45.exe 83 PID 1516 wrote to memory of 2552 1516 tbthbb.exe 84 PID 1516 wrote to memory of 2552 1516 tbthbb.exe 84 PID 1516 wrote to memory of 2552 1516 tbthbb.exe 84 PID 2552 wrote to memory of 412 2552 vpvvv.exe 85 PID 2552 wrote to memory of 412 2552 vpvvv.exe 85 PID 2552 wrote to memory of 412 2552 vpvvv.exe 85 PID 412 wrote to memory of 3036 412 tttttn.exe 86 PID 412 wrote to memory of 3036 412 tttttn.exe 86 PID 412 wrote to memory of 3036 412 tttttn.exe 86 PID 3036 wrote to memory of 3124 3036 ppvpv.exe 87 PID 3036 wrote to memory of 3124 3036 ppvpv.exe 87 PID 3036 wrote to memory of 3124 3036 ppvpv.exe 87 PID 3124 wrote to memory of 3060 3124 lfrlfrl.exe 88 PID 3124 wrote to memory of 3060 3124 lfrlfrl.exe 88 PID 3124 wrote to memory of 3060 3124 lfrlfrl.exe 88 PID 3060 wrote to memory of 4572 3060 nhbnhb.exe 89 PID 3060 wrote to memory of 4572 3060 nhbnhb.exe 89 PID 3060 wrote to memory of 4572 3060 nhbnhb.exe 89 PID 4572 wrote to memory of 3788 4572 pdvvj.exe 90 PID 4572 wrote to memory of 3788 4572 pdvvj.exe 90 PID 4572 wrote to memory of 3788 4572 pdvvj.exe 90 PID 3788 wrote to memory of 1244 3788 rfllxrl.exe 91 PID 3788 wrote to memory of 1244 3788 rfllxrl.exe 91 PID 3788 wrote to memory of 1244 3788 rfllxrl.exe 91 PID 1244 wrote to memory of 1312 1244 9lfrlfx.exe 92 PID 1244 wrote to memory of 1312 1244 9lfrlfx.exe 92 PID 1244 wrote to memory of 1312 1244 9lfrlfx.exe 92 PID 1312 wrote to memory of 2172 1312 jpvjd.exe 93 PID 1312 wrote to memory of 2172 1312 jpvjd.exe 93 PID 1312 wrote to memory of 2172 1312 jpvjd.exe 93 PID 2172 wrote to memory of 3316 2172 llrrfxr.exe 94 PID 2172 wrote to memory of 
3316 2172 llrrfxr.exe 94 PID 2172 wrote to memory of 3316 2172 llrrfxr.exe 94 PID 3316 wrote to memory of 1896 3316 bbbnbh.exe 95 PID 3316 wrote to memory of 1896 3316 bbbnbh.exe 95 PID 3316 wrote to memory of 1896 3316 bbbnbh.exe 95 PID 1896 wrote to memory of 2532 1896 rlfxrrf.exe 96 PID 1896 wrote to memory of 2532 1896 rlfxrrf.exe 96 PID 1896 wrote to memory of 2532 1896 rlfxrrf.exe 96 PID 2532 wrote to memory of 3476 2532 nnnhbb.exe 97 PID 2532 wrote to memory of 3476 2532 nnnhbb.exe 97 PID 2532 wrote to memory of 3476 2532 nnnhbb.exe 97 PID 3476 wrote to memory of 3116 3476 jvpjd.exe 98 PID 3476 wrote to memory of 3116 3476 jvpjd.exe 98 PID 3476 wrote to memory of 3116 3476 jvpjd.exe 98 PID 3116 wrote to memory of 668 3116 5rxrlrl.exe 99 PID 3116 wrote to memory of 668 3116 5rxrlrl.exe 99 PID 3116 wrote to memory of 668 3116 5rxrlrl.exe 99 PID 668 wrote to memory of 5052 668 bnnbth.exe 100 PID 668 wrote to memory of 5052 668 bnnbth.exe 100 PID 668 wrote to memory of 5052 668 bnnbth.exe 100 PID 5052 wrote to memory of 4860 5052 jppjd.exe 101 PID 5052 wrote to memory of 4860 5052 jppjd.exe 101 PID 5052 wrote to memory of 4860 5052 jppjd.exe 101 PID 4860 wrote to memory of 440 4860 1vdvd.exe 102 PID 4860 wrote to memory of 440 4860 1vdvd.exe 102 PID 4860 wrote to memory of 440 4860 1vdvd.exe 102 PID 440 wrote to memory of 3028 440 btbnht.exe 103 PID 440 wrote to memory of 3028 440 btbnht.exe 103 PID 440 wrote to memory of 3028 440 btbnht.exe 103 PID 3028 wrote to memory of 3624 3028 vvppv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\07fa7c8a926bf844880fc48705f069def0417749037859747319d692a8f15d45.exe"C:\Users\Admin\AppData\Local\Temp\07fa7c8a926bf844880fc48705f069def0417749037859747319d692a8f15d45.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\tbthbb.exec:\tbthbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\vpvvv.exec:\vpvvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\tttttn.exec:\tttttn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\ppvpv.exec:\ppvpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\lfrlfrl.exec:\lfrlfrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\nhbnhb.exec:\nhbnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\pdvvj.exec:\pdvvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\rfllxrl.exec:\rfllxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\9lfrlfx.exec:\9lfrlfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\jpvjd.exec:\jpvjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\llrrfxr.exec:\llrrfxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\bbbnbh.exec:\bbbnbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\rlfxrrf.exec:\rlfxrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\nnnhbb.exec:\nnnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\jvpjd.exec:\jvpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\5rxrlrl.exec:\5rxrlrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\bnnbth.exec:\bnnbth.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\jppjd.exec:\jppjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\1vdvd.exec:\1vdvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\btbnht.exec:\btbnht.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\vvppv.exec:\vvppv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\tnhbth.exec:\tnhbth.exe23⤵
- Executes dropped EXE
PID:3624 -
\??\c:\pvvpj.exec:\pvvpj.exe24⤵
- Executes dropped EXE
PID:1104 -
\??\c:\hnhbnh.exec:\hnhbnh.exe25⤵
- Executes dropped EXE
PID:3452 -
\??\c:\djjdv.exec:\djjdv.exe26⤵
- Executes dropped EXE
PID:2480 -
\??\c:\tnttbt.exec:\tnttbt.exe27⤵
- Executes dropped EXE
PID:1700 -
\??\c:\3jpdp.exec:\3jpdp.exe28⤵
- Executes dropped EXE
PID:3724 -
\??\c:\bthtnb.exec:\bthtnb.exe29⤵
- Executes dropped EXE
PID:640 -
\??\c:\dvjdv.exec:\dvjdv.exe30⤵
- Executes dropped EXE
PID:3288 -
\??\c:\dppdp.exec:\dppdp.exe31⤵
- Executes dropped EXE
PID:552 -
\??\c:\lrrxrrf.exec:\lrrxrrf.exe32⤵
- Executes dropped EXE
PID:1180 -
\??\c:\dppjv.exec:\dppjv.exe33⤵
- Executes dropped EXE
PID:4324 -
\??\c:\lxfrrlf.exec:\lxfrrlf.exe34⤵
- Executes dropped EXE
PID:3140 -
\??\c:\btbthb.exec:\btbthb.exe35⤵
- Executes dropped EXE
PID:2780 -
\??\c:\pvppd.exec:\pvppd.exe36⤵
- Executes dropped EXE
PID:3232 -
\??\c:\3fxrfxl.exec:\3fxrfxl.exe37⤵
- Executes dropped EXE
PID:2332 -
\??\c:\nbbttn.exec:\nbbttn.exe38⤵
- Executes dropped EXE
PID:4028 -
\??\c:\frlxrlf.exec:\frlxrlf.exe39⤵
- Executes dropped EXE
PID:1976 -
\??\c:\7ffxrrl.exec:\7ffxrrl.exe40⤵
- Executes dropped EXE
PID:3280 -
\??\c:\tnthhb.exec:\tnthhb.exe41⤵
- Executes dropped EXE
PID:2776 -
\??\c:\ppvvp.exec:\ppvvp.exe42⤵
- Executes dropped EXE
PID:3936 -
\??\c:\xffrfxl.exec:\xffrfxl.exe43⤵
- Executes dropped EXE
PID:3756 -
\??\c:\fxrlfff.exec:\fxrlfff.exe44⤵
- Executes dropped EXE
PID:3504 -
\??\c:\bhnhbt.exec:\bhnhbt.exe45⤵
- Executes dropped EXE
PID:1688 -
\??\c:\bbhbtt.exec:\bbhbtt.exe46⤵
- Executes dropped EXE
PID:4372 -
\??\c:\ddvpd.exec:\ddvpd.exe47⤵
- Executes dropped EXE
PID:1888 -
\??\c:\7rrlxrl.exec:\7rrlxrl.exe48⤵
- Executes dropped EXE
PID:1596 -
\??\c:\lffxrlx.exec:\lffxrlx.exe49⤵
- Executes dropped EXE
PID:4080 -
\??\c:\btnbnh.exec:\btnbnh.exe50⤵
- Executes dropped EXE
PID:4536 -
\??\c:\ttnhhh.exec:\ttnhhh.exe51⤵
- Executes dropped EXE
PID:4496 -
\??\c:\tthbnh.exec:\tthbnh.exe52⤵
- Executes dropped EXE
PID:4660 -
\??\c:\jjpdv.exec:\jjpdv.exe53⤵
- Executes dropped EXE
PID:436 -
\??\c:\fflfxrl.exec:\fflfxrl.exe54⤵
- Executes dropped EXE
PID:2992 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe55⤵
- Executes dropped EXE
PID:3700 -
\??\c:\9tnhbb.exec:\9tnhbb.exe56⤵
- Executes dropped EXE
PID:2308 -
\??\c:\vvjdv.exec:\vvjdv.exe57⤵
- Executes dropped EXE
PID:996 -
\??\c:\vvvjj.exec:\vvvjj.exe58⤵
- Executes dropped EXE
PID:4388 -
\??\c:\rlrlxrl.exec:\rlrlxrl.exe59⤵
- Executes dropped EXE
PID:1436 -
\??\c:\hnnntt.exec:\hnnntt.exe60⤵
- Executes dropped EXE
PID:1028 -
\??\c:\vppjd.exec:\vppjd.exe61⤵
- Executes dropped EXE
PID:4460 -
\??\c:\pvddv.exec:\pvddv.exe62⤵
- Executes dropped EXE
PID:2392 -
\??\c:\rflfxrl.exec:\rflfxrl.exe63⤵
- Executes dropped EXE
PID:3408 -
\??\c:\bbnhbn.exec:\bbnhbn.exe64⤵
- Executes dropped EXE
PID:1984 -
\??\c:\jdvpd.exec:\jdvpd.exe65⤵
- Executes dropped EXE
PID:3900 -
\??\c:\pppdd.exec:\pppdd.exe66⤵PID:2092
-
\??\c:\rlfrffr.exec:\rlfrffr.exe67⤵PID:1568
-
\??\c:\xrxrfxr.exec:\xrxrfxr.exe68⤵PID:1492
-
\??\c:\btnnbb.exec:\btnnbb.exe69⤵PID:1392
-
\??\c:\dpvpj.exec:\dpvpj.exe70⤵PID:4004
-
\??\c:\jjvpd.exec:\jjvpd.exe71⤵PID:4976
-
\??\c:\3fflfxl.exec:\3fflfxl.exe72⤵PID:4184
-
\??\c:\hnnnbb.exec:\hnnnbb.exe73⤵PID:2452
-
\??\c:\vpvjd.exec:\vpvjd.exe74⤵PID:2468
-
\??\c:\pvvpp.exec:\pvvpp.exe75⤵PID:2648
-
\??\c:\lflrfll.exec:\lflrfll.exe76⤵PID:5020
-
\??\c:\fllffxx.exec:\fllffxx.exe77⤵PID:4552
-
\??\c:\5thbtn.exec:\5thbtn.exe78⤵PID:1684
-
\??\c:\dvjdd.exec:\dvjdd.exe79⤵PID:396
-
\??\c:\rrlrlxr.exec:\rrlrlxr.exe80⤵PID:748
-
\??\c:\bthtnh.exec:\bthtnh.exe81⤵PID:3016
-
\??\c:\pdjdv.exec:\pdjdv.exe82⤵PID:1408
-
\??\c:\ppjvj.exec:\ppjvj.exe83⤵PID:4852
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe84⤵PID:4316
-
\??\c:\1flffxf.exec:\1flffxf.exe85⤵PID:3876
-
\??\c:\btttnn.exec:\btttnn.exe86⤵PID:1880
-
\??\c:\ppvjv.exec:\ppvjv.exe87⤵PID:2096
-
\??\c:\vjpdv.exec:\vjpdv.exe88⤵PID:3980
-
\??\c:\rlflfxr.exec:\rlflfxr.exe89⤵PID:1328
-
\??\c:\3bhbhn.exec:\3bhbhn.exe90⤵PID:1868
-
\??\c:\djppp.exec:\djppp.exe91⤵PID:4708
-
\??\c:\vvvvj.exec:\vvvvj.exe92⤵PID:536
-
\??\c:\lrrfxrl.exec:\lrrfxrl.exe93⤵PID:4800
-
\??\c:\tbhhtn.exec:\tbhhtn.exe94⤵PID:2372
-
\??\c:\tnhbhh.exec:\tnhbhh.exe95⤵PID:3032
-
\??\c:\pvpjv.exec:\pvpjv.exe96⤵PID:1828
-
\??\c:\5jvpd.exec:\5jvpd.exe97⤵PID:3572
-
\??\c:\5lxlxrf.exec:\5lxlxrf.exe98⤵PID:4276
-
\??\c:\xffxlfx.exec:\xffxlfx.exe99⤵PID:4032
-
\??\c:\tthbnt.exec:\tthbnt.exe100⤵PID:4324
-
\??\c:\dpjpv.exec:\dpjpv.exe101⤵PID:908
-
\??\c:\jppjv.exec:\jppjv.exe102⤵PID:868
-
\??\c:\rllrlrf.exec:\rllrlrf.exe103⤵PID:4260
-
\??\c:\hbnbtn.exec:\hbnbtn.exe104⤵PID:1352
-
\??\c:\tbthtn.exec:\tbthtn.exe105⤵PID:4024
-
\??\c:\jjpjd.exec:\jjpjd.exe106⤵PID:2332
-
\??\c:\fxxrffr.exec:\fxxrffr.exe107⤵PID:1676
-
\??\c:\fxlfxrl.exec:\fxlfxrl.exe108⤵PID:4200
-
\??\c:\htbthb.exec:\htbthb.exe109⤵PID:3280
-
\??\c:\ddvpp.exec:\ddvpp.exe110⤵PID:1396
-
\??\c:\5jdvj.exec:\5jdvj.exe111⤵PID:4272
-
\??\c:\1rllxrf.exec:\1rllxrf.exe112⤵PID:2436
-
\??\c:\rrrfxfr.exec:\rrrfxfr.exe113⤵PID:3504
-
\??\c:\3bhhtn.exec:\3bhhtn.exe114⤵PID:1688
-
\??\c:\nnnbtn.exec:\nnnbtn.exe115⤵PID:4372
-
\??\c:\jdvjv.exec:\jdvjv.exe116⤵PID:1888
-
\??\c:\xrrlxrl.exec:\xrrlxrl.exe117⤵PID:1596
-
\??\c:\bbnhtt.exec:\bbnhtt.exe118⤵PID:2188
-
\??\c:\tnnnhh.exec:\tnnnhh.exe119⤵PID:2700
-
\??\c:\pppdv.exec:\pppdv.exe120⤵PID:4680
-
\??\c:\fxfllll.exec:\fxfllll.exe121⤵PID:3020
-
\??\c:\xlrlllr.exec:\xlrlllr.exe122⤵PID:876