Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe
-
Size
456KB
-
MD5
0b9d47010907aa23bb213bf9aaf30f76
-
SHA1
dcf41e7fbfdd76ccb95e3085359639c39cf32880
-
SHA256
07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a
-
SHA512
2571deece4daef21daab81d472009c7dfc1b1ce97ffc876c379eac5512936c6a1b51c6d522a538323965e00bd94ccc25a871600f8a9bafc6ff67172a2dc27698
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRS:q7Tc2NYHUrAwfMp3CDRS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4508-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2764-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-1054-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-1553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-828-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4792-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4508 lxfxxfx.exe 3464 7ttnnt.exe 2292 fxxlfll.exe 2880 dvvpp.exe 4308 nhhbtt.exe 2024 dddvp.exe 1224 fxxlxxl.exe 2824 nbhhbh.exe 4596 hnbttt.exe 3500 xflfxxr.exe 2892 5nbbhn.exe 1708 dddvv.exe 2924 rlrrffx.exe 1652 nbhbtb.exe 4104 bbtnbh.exe 4020 bhnnbt.exe 1012 pjjdp.exe 1424 xllfxxr.exe 4440 9hnhtt.exe 732 7dvvp.exe 3128 5flfllr.exe 4184 nhnhtn.exe 3124 jdjdv.exe 884 rxlrllf.exe 3244 fxxxrxr.exe 4480 5htnth.exe 2968 1jdvv.exe 4828 xrffflx.exe 3820 9tthbn.exe 3540 bnttnn.exe 4152 vppjv.exe 380 fxxlfxl.exe 1612 tttnnt.exe 4268 ddvvv.exe 4604 fxfrrfl.exe 3436 lffxxxr.exe 2240 tnnhbb.exe 2416 hhbbtt.exe 4600 jjpjj.exe 1416 hbnhhh.exe 3100 7dppj.exe 2096 rxrlfxr.exe 3412 llrrlrr.exe 3024 htnhhn.exe 1628 dppjv.exe 5068 pvpdp.exe 3620 3xfxrlf.exe 1980 nbtnhn.exe 4356 dvdpj.exe 4088 1vvjp.exe 4504 9llxllf.exe 2132 5rfrrlx.exe 2764 hbhhht.exe 540 5dvpd.exe 2368 5dvjd.exe 4952 fxlfrll.exe 1848 9bbtnn.exe 3928 ppdpj.exe 1916 vjdjv.exe 1604 xlrfrlf.exe 3624 bnbhnh.exe 2288 3bbnhb.exe 4420 dppjj.exe 876 frrrfff.exe -
resource yara_rule behavioral2/memory/4508-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-279-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1604-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-835-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-1054-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-1569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-1553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-828-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-283-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/540-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-116-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
tttnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2860 wrote to memory of 4508 2860 07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe 85 PID 2860 wrote to memory of 4508 2860 07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe 85 PID 2860 wrote to memory of 4508 2860 07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe 85 PID 4508 wrote to memory of 3464 4508 lxfxxfx.exe 260 PID 4508 wrote to memory of 3464 4508 lxfxxfx.exe 260 PID 4508 wrote to memory of 3464 4508 lxfxxfx.exe 260 PID 3464 wrote to memory of 2292 3464 7ttnnt.exe 495 PID 3464 wrote to memory of 2292 3464 7ttnnt.exe 495 PID 3464 wrote to memory of 2292 3464 7ttnnt.exe 495 PID 2292 wrote to memory of 2880 2292 fxxlfll.exe 268 PID 2292 wrote to memory of 2880 2292 fxxlfll.exe 268 PID 2292 wrote to memory of 2880 2292 fxxlfll.exe 268 PID 2880 wrote to memory of 4308 2880 dvvpp.exe 89 PID 2880 wrote to memory of 4308 2880 dvvpp.exe 89 PID 2880 wrote to memory of 4308 2880 dvvpp.exe 89 PID 4308 wrote to memory of 2024 4308 nhhbtt.exe 90 PID 4308 wrote to memory of 2024 4308 nhhbtt.exe 90 PID 4308 wrote to memory of 2024 4308 nhhbtt.exe 90 PID 2024 wrote to memory of 1224 2024 dddvp.exe 91 PID 2024 wrote to memory of 1224 2024 dddvp.exe 91 PID 2024 wrote to memory of 1224 2024 dddvp.exe 91 PID 1224 wrote to memory of 2824 1224 fxxlxxl.exe 505 PID 1224 wrote to memory of 2824 1224 fxxlxxl.exe 505 PID 1224 wrote to memory of 2824 1224 fxxlxxl.exe 505 PID 2824 wrote to memory of 4596 2824 nbhhbh.exe 93 PID 2824 wrote to memory of 4596 2824 nbhhbh.exe 93 PID 2824 wrote to memory of 4596 2824 nbhhbh.exe 93 PID 4596 wrote to memory of 3500 4596 hnbttt.exe 613 PID 4596 wrote to memory of 3500 4596 hnbttt.exe 613 PID 4596 wrote to memory of 3500 4596 hnbttt.exe 613 PID 3500 wrote to memory of 2892 3500 xflfxxr.exe 95 PID 3500 wrote to memory of 2892 3500 xflfxxr.exe 95 PID 3500 wrote to memory of 2892 3500 xflfxxr.exe 95 PID 2892 wrote to memory of 1708 2892 5nbbhn.exe 
96 PID 2892 wrote to memory of 1708 2892 5nbbhn.exe 96 PID 2892 wrote to memory of 1708 2892 5nbbhn.exe 96 PID 1708 wrote to memory of 2924 1708 dddvv.exe 97 PID 1708 wrote to memory of 2924 1708 dddvv.exe 97 PID 1708 wrote to memory of 2924 1708 dddvv.exe 97 PID 2924 wrote to memory of 1652 2924 rlrrffx.exe 214 PID 2924 wrote to memory of 1652 2924 rlrrffx.exe 214 PID 2924 wrote to memory of 1652 2924 rlrrffx.exe 214 PID 1652 wrote to memory of 4104 1652 nbhbtb.exe 99 PID 1652 wrote to memory of 4104 1652 nbhbtb.exe 99 PID 1652 wrote to memory of 4104 1652 nbhbtb.exe 99 PID 4104 wrote to memory of 4020 4104 bbtnbh.exe 100 PID 4104 wrote to memory of 4020 4104 bbtnbh.exe 100 PID 4104 wrote to memory of 4020 4104 bbtnbh.exe 100 PID 4020 wrote to memory of 1012 4020 bhnnbt.exe 101 PID 4020 wrote to memory of 1012 4020 bhnnbt.exe 101 PID 4020 wrote to memory of 1012 4020 bhnnbt.exe 101 PID 1012 wrote to memory of 1424 1012 pjjdp.exe 102 PID 1012 wrote to memory of 1424 1012 pjjdp.exe 102 PID 1012 wrote to memory of 1424 1012 pjjdp.exe 102 PID 1424 wrote to memory of 4440 1424 xllfxxr.exe 103 PID 1424 wrote to memory of 4440 1424 xllfxxr.exe 103 PID 1424 wrote to memory of 4440 1424 xllfxxr.exe 103 PID 4440 wrote to memory of 732 4440 9hnhtt.exe 401 PID 4440 wrote to memory of 732 4440 9hnhtt.exe 401 PID 4440 wrote to memory of 732 4440 9hnhtt.exe 401 PID 732 wrote to memory of 3128 732 7dvvp.exe 105 PID 732 wrote to memory of 3128 732 7dvvp.exe 105 PID 732 wrote to memory of 3128 732 7dvvp.exe 105 PID 3128 wrote to memory of 4184 3128 5flfllr.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe"C:\Users\Admin\AppData\Local\Temp\07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\lxfxxfx.exec:\lxfxxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\7ttnnt.exec:\7ttnnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\fxxlfll.exec:\fxxlfll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\dvvpp.exec:\dvvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\nhhbtt.exec:\nhhbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\dddvp.exec:\dddvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\fxxlxxl.exec:\fxxlxxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\nbhhbh.exec:\nbhhbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\hnbttt.exec:\hnbttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\xflfxxr.exec:\xflfxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\5nbbhn.exec:\5nbbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\dddvv.exec:\dddvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\rlrrffx.exec:\rlrrffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\nbhbtb.exec:\nbhbtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\bbtnbh.exec:\bbtnbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\bhnnbt.exec:\bhnnbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\pjjdp.exec:\pjjdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\xllfxxr.exec:\xllfxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\9hnhtt.exec:\9hnhtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\7dvvp.exec:\7dvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\5flfllr.exec:\5flfllr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\nhnhtn.exec:\nhnhtn.exe23⤵
- Executes dropped EXE
PID:4184 -
\??\c:\jdjdv.exec:\jdjdv.exe24⤵
- Executes dropped EXE
PID:3124 -
\??\c:\rxlrllf.exec:\rxlrllf.exe25⤵
- Executes dropped EXE
PID:884 -
\??\c:\fxxxrxr.exec:\fxxxrxr.exe26⤵
- Executes dropped EXE
PID:3244 -
\??\c:\5htnth.exec:\5htnth.exe27⤵
- Executes dropped EXE
PID:4480 -
\??\c:\1jdvv.exec:\1jdvv.exe28⤵
- Executes dropped EXE
PID:2968 -
\??\c:\xrffflx.exec:\xrffflx.exe29⤵
- Executes dropped EXE
PID:4828 -
\??\c:\9tthbn.exec:\9tthbn.exe30⤵
- Executes dropped EXE
PID:3820 -
\??\c:\bnttnn.exec:\bnttnn.exe31⤵
- Executes dropped EXE
PID:3540 -
\??\c:\vppjv.exec:\vppjv.exe32⤵
- Executes dropped EXE
PID:4152 -
\??\c:\fxxlfxl.exec:\fxxlfxl.exe33⤵
- Executes dropped EXE
PID:380 -
\??\c:\tttnnt.exec:\tttnnt.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612 -
\??\c:\ddvvv.exec:\ddvvv.exe35⤵
- Executes dropped EXE
PID:4268 -
\??\c:\fxfrrfl.exec:\fxfrrfl.exe36⤵
- Executes dropped EXE
PID:4604 -
\??\c:\lffxxxr.exec:\lffxxxr.exe37⤵
- Executes dropped EXE
PID:3436 -
\??\c:\tnnhbb.exec:\tnnhbb.exe38⤵
- Executes dropped EXE
PID:2240 -
\??\c:\hhbbtt.exec:\hhbbtt.exe39⤵
- Executes dropped EXE
PID:2416 -
\??\c:\jjpjj.exec:\jjpjj.exe40⤵
- Executes dropped EXE
PID:4600 -
\??\c:\hbnhhh.exec:\hbnhhh.exe41⤵
- Executes dropped EXE
PID:1416 -
\??\c:\7dppj.exec:\7dppj.exe42⤵
- Executes dropped EXE
PID:3100 -
\??\c:\rxrlfxr.exec:\rxrlfxr.exe43⤵
- Executes dropped EXE
PID:2096 -
\??\c:\llrrlrr.exec:\llrrlrr.exe44⤵
- Executes dropped EXE
PID:3412 -
\??\c:\htnhhn.exec:\htnhhn.exe45⤵
- Executes dropped EXE
PID:3024 -
\??\c:\dppjv.exec:\dppjv.exe46⤵
- Executes dropped EXE
PID:1628 -
\??\c:\pvpdp.exec:\pvpdp.exe47⤵
- Executes dropped EXE
PID:5068 -
\??\c:\3xfxrlf.exec:\3xfxrlf.exe48⤵
- Executes dropped EXE
PID:3620 -
\??\c:\nbtnhn.exec:\nbtnhn.exe49⤵
- Executes dropped EXE
PID:1980 -
\??\c:\dvdpj.exec:\dvdpj.exe50⤵
- Executes dropped EXE
PID:4356 -
\??\c:\1vvjp.exec:\1vvjp.exe51⤵
- Executes dropped EXE
PID:4088 -
\??\c:\9llxllf.exec:\9llxllf.exe52⤵
- Executes dropped EXE
PID:4504 -
\??\c:\5rfrrlx.exec:\5rfrrlx.exe53⤵
- Executes dropped EXE
PID:2132 -
\??\c:\hbhhht.exec:\hbhhht.exe54⤵
- Executes dropped EXE
PID:2764 -
\??\c:\5dvpd.exec:\5dvpd.exe55⤵
- Executes dropped EXE
PID:540 -
\??\c:\5dvjd.exec:\5dvjd.exe56⤵
- Executes dropped EXE
PID:2368 -
\??\c:\fxlfrll.exec:\fxlfrll.exe57⤵
- Executes dropped EXE
PID:4952 -
\??\c:\9bbtnn.exec:\9bbtnn.exe58⤵
- Executes dropped EXE
PID:1848 -
\??\c:\ppdpj.exec:\ppdpj.exe59⤵
- Executes dropped EXE
PID:3928 -
\??\c:\vjdjv.exec:\vjdjv.exe60⤵
- Executes dropped EXE
PID:1916 -
\??\c:\xlrfrlf.exec:\xlrfrlf.exe61⤵
- Executes dropped EXE
PID:1604 -
\??\c:\bnbhnh.exec:\bnbhnh.exe62⤵
- Executes dropped EXE
PID:3624 -
\??\c:\3bbnhb.exec:\3bbnhb.exe63⤵
- Executes dropped EXE
PID:2288 -
\??\c:\dppjj.exec:\dppjj.exe64⤵
- Executes dropped EXE
PID:4420 -
\??\c:\frrrfff.exec:\frrrfff.exe65⤵
- Executes dropped EXE
PID:876 -
\??\c:\9rxlxrx.exec:\9rxlxrx.exe66⤵PID:4488
-
\??\c:\tbbbbn.exec:\tbbbbn.exe67⤵PID:2260
-
\??\c:\pjjdp.exec:\pjjdp.exe68⤵PID:212
-
\??\c:\lfrlfxl.exec:\lfrlfxl.exe69⤵PID:1452
-
\??\c:\lfrllrl.exec:\lfrllrl.exe70⤵PID:2668
-
\??\c:\tbhbtn.exec:\tbhbtn.exe71⤵PID:3340
-
\??\c:\pdvjd.exec:\pdvjd.exe72⤵PID:2488
-
\??\c:\pdjpv.exec:\pdjpv.exe73⤵PID:4212
-
\??\c:\xrlxlxl.exec:\xrlxlxl.exe74⤵PID:2252
-
\??\c:\5bhhbb.exec:\5bhhbb.exe75⤵PID:4048
-
\??\c:\pdjjd.exec:\pdjjd.exe76⤵PID:1192
-
\??\c:\llxlfff.exec:\llxlfff.exe77⤵PID:3824
-
\??\c:\rlxxxxf.exec:\rlxxxxf.exe78⤵PID:3240
-
\??\c:\nbtnhh.exec:\nbtnhh.exe79⤵PID:4620
-
\??\c:\dvvpj.exec:\dvvpj.exe80⤵PID:2072
-
\??\c:\pjpjv.exec:\pjpjv.exe81⤵PID:2036
-
\??\c:\fxrlxrl.exec:\fxrlxrl.exe82⤵PID:448
-
\??\c:\hbhbtb.exec:\hbhbtb.exe83⤵PID:4792
-
\??\c:\1nhtnh.exec:\1nhtnh.exe84⤵PID:920
-
\??\c:\jpvpd.exec:\jpvpd.exe85⤵PID:4532
-
\??\c:\ddjdd.exec:\ddjdd.exe86⤵PID:4908
-
\??\c:\frrfrff.exec:\frrfrff.exe87⤵PID:4844
-
\??\c:\tntnnh.exec:\tntnnh.exe88⤵PID:1464
-
\??\c:\3pvpd.exec:\3pvpd.exe89⤵PID:380
-
\??\c:\pjjdv.exec:\pjjdv.exe90⤵PID:3636
-
\??\c:\rllfffx.exec:\rllfffx.exe91⤵PID:3516
-
\??\c:\btbtnn.exec:\btbtnn.exe92⤵PID:3596
-
\??\c:\thnhbt.exec:\thnhbt.exe93⤵PID:4340
-
\??\c:\3jjdp.exec:\3jjdp.exe94⤵PID:864
-
\??\c:\dppjv.exec:\dppjv.exe95⤵PID:3120
-
\??\c:\lrxrflf.exec:\lrxrflf.exe96⤵PID:408
-
\??\c:\nnnhhb.exec:\nnnhhb.exe97⤵PID:4108
-
\??\c:\tthtbt.exec:\tthtbt.exe98⤵PID:3772
-
\??\c:\jdpvd.exec:\jdpvd.exe99⤵PID:4220
-
\??\c:\rrxlrrf.exec:\rrxlrrf.exe100⤵PID:116
-
\??\c:\lxrlfff.exec:\lxrlfff.exe101⤵PID:4256
-
\??\c:\nntttn.exec:\nntttn.exe102⤵PID:796
-
\??\c:\djjvj.exec:\djjvj.exe103⤵PID:2096
-
\??\c:\jpdvp.exec:\jpdvp.exe104⤵PID:3412
-
\??\c:\rrrlxrl.exec:\rrrlxrl.exe105⤵PID:4368
-
\??\c:\ttbtbb.exec:\ttbtbb.exe106⤵PID:4196
-
\??\c:\bnbttn.exec:\bnbttn.exe107⤵PID:3700
-
\??\c:\pjpjd.exec:\pjpjd.exe108⤵PID:3996
-
\??\c:\rllrllf.exec:\rllrllf.exe109⤵PID:3000
-
\??\c:\3thhbn.exec:\3thhbn.exe110⤵PID:2404
-
\??\c:\bthhbh.exec:\bthhbh.exe111⤵PID:5076
-
\??\c:\1pvpj.exec:\1pvpj.exe112⤵PID:3464
-
\??\c:\vjdvj.exec:\vjdvj.exe113⤵PID:3696
-
\??\c:\5lflxrl.exec:\5lflxrl.exe114⤵PID:2216
-
\??\c:\bntntn.exec:\bntntn.exe115⤵PID:2812
-
\??\c:\bthhtt.exec:\bthhtt.exe116⤵PID:2368
-
\??\c:\vvpjd.exec:\vvpjd.exe117⤵PID:2772
-
\??\c:\lrfxrlf.exec:\lrfxrlf.exe118⤵PID:384
-
\??\c:\flrrxrl.exec:\flrrxrl.exe119⤵PID:1412
-
\??\c:\9nnhbt.exec:\9nnhbt.exe120⤵
- System Location Discovery: System Language Discovery
PID:1744 -
\??\c:\vdpdv.exec:\vdpdv.exe121⤵PID:4832
-
\??\c:\7pjvp.exec:\7pjvp.exe122⤵PID:4596
-