Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe
-
Size
454KB
-
MD5
e1473e5734be6a27bf7f719d14252403
-
SHA1
62da54c9ae9f7e2ff0073fbb5088f63fc1de5cd8
-
SHA256
7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98
-
SHA512
602791707ff71ea3a2463aae4f6fe030ecb0cdfdf0ea155506e0a92388b18a83fda4abae5f0c31f90ea83c3d77a293a7ae39ba4f9eb3d4cbac1e9f19f6dc170d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3272-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2108-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1980-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-818-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-882-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-1364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-1470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 636 tnnhhb.exe 2136 fffxrrl.exe 4584 rxllffr.exe 3612 5jdvp.exe 5052 hbtbtb.exe 2084 ntbttt.exe 1980 pvdvp.exe 2840 xrllffl.exe 3672 1vvpj.exe 5112 1lrrflx.exe 456 rfllfxl.exe 1816 btbtth.exe 2312 bhbtbn.exe 2032 ffxlxfl.exe 3104 hbnhtt.exe 2792 thbnth.exe 4652 vvdvp.exe 1252 rrrlfff.exe 2284 3ffxrll.exe 3188 xlffxrl.exe 5100 tnttbb.exe 4324 xrrllfx.exe 4864 djvpj.exe 4220 1pjvp.exe 1544 rxlrlfx.exe 2108 rxlfxxr.exe 3088 1nnnhn.exe 3348 7xlxlrf.exe 4668 9djpp.exe 4032 lflxrll.exe 4952 ffffxxx.exe 3400 jddvv.exe 4244 lrxrrrr.exe 880 jjjvj.exe 1148 1fxxrxr.exe 4196 bnnhhb.exe 2720 9thbbb.exe 412 jvjjj.exe 3116 frxrllf.exe 396 tbnhhb.exe 2996 vpvvj.exe 4540 xffxxff.exe 4084 xlfxrrx.exe 4500 hbhnnt.exe 216 jdddv.exe 3172 rrrlffx.exe 2168 lllllrl.exe 1600 nhnhbt.exe 1848 dvddd.exe 5008 rrxrffx.exe 4276 nhhbtt.exe 1236 9ddvp.exe 2764 1flfxfl.exe 3996 flffxrf.exe 5000 bhtnnb.exe 4480 pdppp.exe 3948 5xlflll.exe 2860 bhbhth.exe 2120 9jpjd.exe 616 xffxrrl.exe 1980 9ttnnn.exe 2840 llfxllr.exe 3960 rrlfllx.exe 5112 tbhhbb.exe -
resource yara_rule behavioral2/memory/3272-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3348-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-333-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4328-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-882-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-1364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-1470-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlfff.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3272 wrote to memory of 636 3272 7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe 83 PID 3272 wrote to memory of 636 3272 7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe 83 PID 3272 wrote to memory of 636 3272 7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe 83 PID 636 wrote to memory of 2136 636 tnnhhb.exe 84 PID 636 wrote to memory of 2136 636 tnnhhb.exe 84 PID 636 wrote to memory of 2136 636 tnnhhb.exe 84 PID 2136 wrote to memory of 4584 2136 fffxrrl.exe 85 PID 2136 wrote to memory of 4584 2136 fffxrrl.exe 85 PID 2136 wrote to memory of 4584 2136 fffxrrl.exe 85 PID 4584 wrote to memory of 3612 4584 rxllffr.exe 86 PID 4584 wrote to memory of 3612 4584 rxllffr.exe 86 PID 4584 wrote to memory of 3612 4584 rxllffr.exe 86 PID 3612 wrote to memory of 5052 3612 5jdvp.exe 87 PID 3612 wrote to memory of 5052 3612 5jdvp.exe 87 PID 3612 wrote to memory of 5052 3612 5jdvp.exe 87 PID 5052 wrote to memory of 2084 5052 hbtbtb.exe 88 PID 5052 wrote to memory of 2084 5052 hbtbtb.exe 88 PID 5052 wrote to memory of 2084 5052 hbtbtb.exe 88 PID 2084 wrote to memory of 1980 2084 ntbttt.exe 89 PID 2084 wrote to memory of 1980 2084 ntbttt.exe 89 PID 2084 wrote to memory of 1980 2084 ntbttt.exe 89 PID 1980 wrote to memory of 2840 1980 pvdvp.exe 90 PID 1980 wrote to memory of 2840 1980 pvdvp.exe 90 PID 1980 wrote to memory of 2840 1980 pvdvp.exe 90 PID 2840 wrote to memory of 3672 2840 xrllffl.exe 91 PID 2840 wrote to memory of 3672 2840 xrllffl.exe 91 PID 2840 wrote to memory of 3672 2840 xrllffl.exe 91 PID 3672 wrote to memory of 5112 3672 1vvpj.exe 92 PID 3672 wrote to memory of 5112 3672 1vvpj.exe 92 PID 3672 wrote to memory of 5112 3672 1vvpj.exe 92 PID 5112 wrote to memory of 456 5112 1lrrflx.exe 93 PID 5112 wrote to memory of 456 5112 1lrrflx.exe 93 PID 5112 wrote to memory of 456 5112 1lrrflx.exe 93 PID 456 wrote to memory of 1816 456 rfllfxl.exe 94 PID 456 wrote to memory of 
1816 456 rfllfxl.exe 94 PID 456 wrote to memory of 1816 456 rfllfxl.exe 94 PID 1816 wrote to memory of 2312 1816 btbtth.exe 95 PID 1816 wrote to memory of 2312 1816 btbtth.exe 95 PID 1816 wrote to memory of 2312 1816 btbtth.exe 95 PID 2312 wrote to memory of 2032 2312 bhbtbn.exe 96 PID 2312 wrote to memory of 2032 2312 bhbtbn.exe 96 PID 2312 wrote to memory of 2032 2312 bhbtbn.exe 96 PID 2032 wrote to memory of 3104 2032 ffxlxfl.exe 97 PID 2032 wrote to memory of 3104 2032 ffxlxfl.exe 97 PID 2032 wrote to memory of 3104 2032 ffxlxfl.exe 97 PID 3104 wrote to memory of 2792 3104 hbnhtt.exe 98 PID 3104 wrote to memory of 2792 3104 hbnhtt.exe 98 PID 3104 wrote to memory of 2792 3104 hbnhtt.exe 98 PID 2792 wrote to memory of 4652 2792 thbnth.exe 99 PID 2792 wrote to memory of 4652 2792 thbnth.exe 99 PID 2792 wrote to memory of 4652 2792 thbnth.exe 99 PID 4652 wrote to memory of 1252 4652 vvdvp.exe 100 PID 4652 wrote to memory of 1252 4652 vvdvp.exe 100 PID 4652 wrote to memory of 1252 4652 vvdvp.exe 100 PID 1252 wrote to memory of 2284 1252 rrrlfff.exe 101 PID 1252 wrote to memory of 2284 1252 rrrlfff.exe 101 PID 1252 wrote to memory of 2284 1252 rrrlfff.exe 101 PID 2284 wrote to memory of 3188 2284 3ffxrll.exe 102 PID 2284 wrote to memory of 3188 2284 3ffxrll.exe 102 PID 2284 wrote to memory of 3188 2284 3ffxrll.exe 102 PID 3188 wrote to memory of 5100 3188 xlffxrl.exe 103 PID 3188 wrote to memory of 5100 3188 xlffxrl.exe 103 PID 3188 wrote to memory of 5100 3188 xlffxrl.exe 103 PID 5100 wrote to memory of 4324 5100 tnttbb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe"C:\Users\Admin\AppData\Local\Temp\7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\tnnhhb.exec:\tnnhhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\fffxrrl.exec:\fffxrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\rxllffr.exec:\rxllffr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\5jdvp.exec:\5jdvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\hbtbtb.exec:\hbtbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\ntbttt.exec:\ntbttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\pvdvp.exec:\pvdvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\xrllffl.exec:\xrllffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\1vvpj.exec:\1vvpj.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\1lrrflx.exec:\1lrrflx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\rfllfxl.exec:\rfllfxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\btbtth.exec:\btbtth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\bhbtbn.exec:\bhbtbn.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\ffxlxfl.exec:\ffxlxfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\hbnhtt.exec:\hbnhtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\thbnth.exec:\thbnth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\vvdvp.exec:\vvdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\rrrlfff.exec:\rrrlfff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\3ffxrll.exec:\3ffxrll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\xlffxrl.exec:\xlffxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\tnttbb.exec:\tnttbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\xrrllfx.exec:\xrrllfx.exe23⤵
- Executes dropped EXE
PID:4324 -
\??\c:\djvpj.exec:\djvpj.exe24⤵
- Executes dropped EXE
PID:4864 -
\??\c:\1pjvp.exec:\1pjvp.exe25⤵
- Executes dropped EXE
PID:4220 -
\??\c:\rxlrlfx.exec:\rxlrlfx.exe26⤵
- Executes dropped EXE
PID:1544 -
\??\c:\rxlfxxr.exec:\rxlfxxr.exe27⤵
- Executes dropped EXE
PID:2108 -
\??\c:\1nnnhn.exec:\1nnnhn.exe28⤵
- Executes dropped EXE
PID:3088 -
\??\c:\7xlxlrf.exec:\7xlxlrf.exe29⤵
- Executes dropped EXE
PID:3348 -
\??\c:\9djpp.exec:\9djpp.exe30⤵
- Executes dropped EXE
PID:4668 -
\??\c:\lflxrll.exec:\lflxrll.exe31⤵
- Executes dropped EXE
PID:4032 -
\??\c:\ffffxxx.exec:\ffffxxx.exe32⤵
- Executes dropped EXE
PID:4952 -
\??\c:\jddvv.exec:\jddvv.exe33⤵
- Executes dropped EXE
PID:3400 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe34⤵
- Executes dropped EXE
PID:4244 -
\??\c:\jjjvj.exec:\jjjvj.exe35⤵
- Executes dropped EXE
PID:880 -
\??\c:\1fxxrxr.exec:\1fxxrxr.exe36⤵
- Executes dropped EXE
PID:1148 -
\??\c:\bnnhhb.exec:\bnnhhb.exe37⤵
- Executes dropped EXE
PID:4196 -
\??\c:\9thbbb.exec:\9thbbb.exe38⤵
- Executes dropped EXE
PID:2720 -
\??\c:\jvjjj.exec:\jvjjj.exe39⤵
- Executes dropped EXE
PID:412 -
\??\c:\frxrllf.exec:\frxrllf.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3116 -
\??\c:\tbnhhb.exec:\tbnhhb.exe41⤵
- Executes dropped EXE
PID:396 -
\??\c:\vpvvj.exec:\vpvvj.exe42⤵
- Executes dropped EXE
PID:2996 -
\??\c:\xffxxff.exec:\xffxxff.exe43⤵
- Executes dropped EXE
PID:4540 -
\??\c:\xlfxrrx.exec:\xlfxrrx.exe44⤵
- Executes dropped EXE
PID:4084 -
\??\c:\hbhnnt.exec:\hbhnnt.exe45⤵
- Executes dropped EXE
PID:4500 -
\??\c:\jdddv.exec:\jdddv.exe46⤵
- Executes dropped EXE
PID:216 -
\??\c:\rrrlffx.exec:\rrrlffx.exe47⤵
- Executes dropped EXE
PID:3172 -
\??\c:\lllllrl.exec:\lllllrl.exe48⤵
- Executes dropped EXE
PID:2168 -
\??\c:\nhnhbt.exec:\nhnhbt.exe49⤵
- Executes dropped EXE
PID:1600 -
\??\c:\dvddd.exec:\dvddd.exe50⤵
- Executes dropped EXE
PID:1848 -
\??\c:\rrxrffx.exec:\rrxrffx.exe51⤵
- Executes dropped EXE
PID:5008 -
\??\c:\lffxlfx.exec:\lffxlfx.exe52⤵PID:4400
-
\??\c:\nhhbtt.exec:\nhhbtt.exe53⤵
- Executes dropped EXE
PID:4276 -
\??\c:\9ddvp.exec:\9ddvp.exe54⤵
- Executes dropped EXE
PID:1236 -
\??\c:\1flfxfl.exec:\1flfxfl.exe55⤵
- Executes dropped EXE
PID:2764 -
\??\c:\flffxrf.exec:\flffxrf.exe56⤵
- Executes dropped EXE
PID:3996 -
\??\c:\bhtnnb.exec:\bhtnnb.exe57⤵
- Executes dropped EXE
PID:5000 -
\??\c:\pdppp.exec:\pdppp.exe58⤵
- Executes dropped EXE
PID:4480 -
\??\c:\5xlflll.exec:\5xlflll.exe59⤵
- Executes dropped EXE
PID:3948 -
\??\c:\bhbhth.exec:\bhbhth.exe60⤵
- Executes dropped EXE
PID:2860 -
\??\c:\9jpjd.exec:\9jpjd.exe61⤵
- Executes dropped EXE
PID:2120 -
\??\c:\xffxrrl.exec:\xffxrrl.exe62⤵
- Executes dropped EXE
PID:616 -
\??\c:\9ttnnn.exec:\9ttnnn.exe63⤵
- Executes dropped EXE
PID:1980 -
\??\c:\llfxllr.exec:\llfxllr.exe64⤵
- Executes dropped EXE
PID:2840 -
\??\c:\rrlfllx.exec:\rrlfllx.exe65⤵
- Executes dropped EXE
PID:3960 -
\??\c:\tbhhbb.exec:\tbhhbb.exe66⤵
- Executes dropped EXE
PID:5112 -
\??\c:\pjjdv.exec:\pjjdv.exe67⤵PID:2980
-
\??\c:\rxfxxlf.exec:\rxfxxlf.exe68⤵PID:3324
-
\??\c:\hbtnhh.exec:\hbtnhh.exe69⤵PID:3424
-
\??\c:\vdpjj.exec:\vdpjj.exe70⤵PID:3380
-
\??\c:\7pjdv.exec:\7pjdv.exe71⤵PID:3244
-
\??\c:\xrfxffr.exec:\xrfxffr.exe72⤵PID:2312
-
\??\c:\nbhbnn.exec:\nbhbnn.exe73⤵PID:944
-
\??\c:\bnthtt.exec:\bnthtt.exe74⤵PID:3032
-
\??\c:\pjjdd.exec:\pjjdd.exe75⤵PID:1788
-
\??\c:\lrfrrrx.exec:\lrfrrrx.exe76⤵PID:1196
-
\??\c:\9hnhtt.exec:\9hnhtt.exe77⤵PID:4328
-
\??\c:\thnbtt.exec:\thnbtt.exe78⤵PID:3000
-
\??\c:\vdjdv.exec:\vdjdv.exe79⤵PID:4948
-
\??\c:\xrrlfrr.exec:\xrrlfrr.exe80⤵PID:1088
-
\??\c:\bhttnn.exec:\bhttnn.exe81⤵PID:5064
-
\??\c:\vjvpj.exec:\vjvpj.exe82⤵PID:988
-
\??\c:\lxlrllf.exec:\lxlrllf.exe83⤵PID:1948
-
\??\c:\btbtnn.exec:\btbtnn.exe84⤵PID:1640
-
\??\c:\hbhbbt.exec:\hbhbbt.exe85⤵PID:3512
-
\??\c:\ppvvd.exec:\ppvvd.exe86⤵PID:2096
-
\??\c:\xlllfxr.exec:\xlllfxr.exe87⤵PID:956
-
\??\c:\rfrlfll.exec:\rfrlfll.exe88⤵PID:3924
-
\??\c:\nhntnn.exec:\nhntnn.exe89⤵PID:444
-
\??\c:\5pppj.exec:\5pppj.exe90⤵PID:3320
-
\??\c:\rlrrfll.exec:\rlrrfll.exe91⤵PID:3396
-
\??\c:\9nttnn.exec:\9nttnn.exe92⤵PID:4072
-
\??\c:\pdjdd.exec:\pdjdd.exe93⤵PID:3852
-
\??\c:\7ppjd.exec:\7ppjd.exe94⤵PID:4972
-
\??\c:\7ffxxrl.exec:\7ffxxrl.exe95⤵PID:4552
-
\??\c:\htbtnn.exec:\htbtnn.exe96⤵PID:1168
-
\??\c:\jdvjd.exec:\jdvjd.exe97⤵PID:2256
-
\??\c:\9djdp.exec:\9djdp.exe98⤵PID:648
-
\??\c:\fxffxrr.exec:\fxffxrr.exe99⤵PID:876
-
\??\c:\7hhhtn.exec:\7hhhtn.exe100⤵PID:4772
-
\??\c:\7djdp.exec:\7djdp.exe101⤵PID:3728
-
\??\c:\rflffff.exec:\rflffff.exe102⤵PID:4028
-
\??\c:\btbbbb.exec:\btbbbb.exe103⤵PID:4924
-
\??\c:\1nhbth.exec:\1nhbth.exe104⤵PID:1952
-
\??\c:\dpdvv.exec:\dpdvv.exe105⤵PID:412
-
\??\c:\7xxxlll.exec:\7xxxlll.exe106⤵PID:1424
-
\??\c:\fllfxxx.exec:\fllfxxx.exe107⤵PID:1400
-
\??\c:\thnhbb.exec:\thnhbb.exe108⤵PID:2236
-
\??\c:\vjvpd.exec:\vjvpd.exe109⤵PID:3720
-
\??\c:\xxfxrfx.exec:\xxfxrfx.exe110⤵PID:2180
-
\??\c:\5bbbnb.exec:\5bbbnb.exe111⤵PID:1740
-
\??\c:\1hhbtt.exec:\1hhbtt.exe112⤵PID:2024
-
\??\c:\pdppd.exec:\pdppd.exe113⤵PID:3888
-
\??\c:\lxxxlff.exec:\lxxxlff.exe114⤵PID:3548
-
\??\c:\hbtnbn.exec:\hbtnbn.exe115⤵PID:2188
-
\??\c:\vvjdj.exec:\vvjdj.exe116⤵PID:4228
-
\??\c:\xfxxlrr.exec:\xfxxlrr.exe117⤵PID:5008
-
\??\c:\lrllffx.exec:\lrllffx.exe118⤵PID:4400
-
\??\c:\7hbnnn.exec:\7hbnnn.exe119⤵PID:2148
-
\??\c:\jjjjj.exec:\jjjjj.exe120⤵PID:1236
-
\??\c:\9hnhhh.exec:\9hnhhh.exe121⤵PID:3956
-
\??\c:\btbttt.exec:\btbttt.exe122⤵PID:4584