Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:37
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe
-
Size
454KB
-
MD5
cbdf7352fb2534971c710847791a1f50
-
SHA1
c45c598e645adcd2ee426926b06d381602fe8cc1
-
SHA256
907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cb
-
SHA512
c2f22da7fddd8a8fe541ba922b1b463712808a24cc6255d4b5c4d68da91ad73ad9168c8dd1b088a0dd4da8e1ecedae0be289f660f5e0e37b9218770d9a94a5f3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/960-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4568-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3528-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-941-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-1035-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-1319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1264-1827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2700 vjvpp.exe 4744 xxfxlfr.exe 3648 80086.exe 3624 nbttbn.exe 4268 048428.exe 2116 lrxlflf.exe 3100 htbttt.exe 3140 848844.exe 3292 hhnhtt.exe 1796 u440066.exe 4116 bhnhhb.exe 3104 0224484.exe 2352 bhnbtn.exe 920 o280004.exe 3196 48826.exe 4400 fxxrllf.exe 4280 frxxrll.exe 3860 vjpjd.exe 3856 xxfxrlf.exe 2504 62082.exe 3924 6080468.exe 2084 4482400.exe 1736 rrrxxrr.exe 3852 80602.exe 3044 62482.exe 4920 jdppv.exe 1064 4426666.exe 4128 ttbtbb.exe 4988 tnhbbb.exe 208 08884.exe 3928 8804282.exe 1812 lllfffx.exe 4416 flrrllf.exe 2588 0248260.exe 5064 q86460.exe 4036 24824.exe 1840 jvpvp.exe 4256 268600.exe 5084 jdjdv.exe 4488 2666626.exe 2676 6408260.exe 4568 flrrfrx.exe 4684 lxlfxxr.exe 1436 rxflflf.exe 1508 w86404.exe 5076 xlxrxrr.exe 4604 k68260.exe 3864 22260.exe 4868 400446.exe 5012 pvvjj.exe 1116 jpdvp.exe 828 btbbtn.exe 2288 0466008.exe 4412 vjjdv.exe 3296 0626000.exe 3944 7tnbtn.exe 4688 9ddpj.exe 4232 06208.exe 1448 bhtnnh.exe 3468 rlxlfxl.exe 3624 hhttbn.exe 4484 624822.exe 1488 lrxrrlf.exe 3096 rxrlffx.exe -
resource yara_rule behavioral2/memory/960-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-214-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4488-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-411-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2920-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-941-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w22608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2666626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 060422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbttbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0466066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6080468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 960 wrote to memory of 2700 960 907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe 83 PID 960 wrote to memory of 2700 960 907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe 83 PID 960 wrote to memory of 2700 960 907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe 83 PID 2700 wrote to memory of 4744 2700 vjvpp.exe 84 PID 2700 wrote to memory of 4744 2700 vjvpp.exe 84 PID 2700 wrote to memory of 4744 2700 vjvpp.exe 84 PID 4744 wrote to memory of 3648 4744 xxfxlfr.exe 85 PID 4744 wrote to memory of 3648 4744 xxfxlfr.exe 85 PID 4744 wrote to memory of 3648 4744 xxfxlfr.exe 85 PID 3648 wrote to memory of 3624 3648 80086.exe 86 PID 3648 wrote to memory of 3624 3648 80086.exe 86 PID 3648 wrote to memory of 3624 3648 80086.exe 86 PID 3624 wrote to memory of 4268 3624 nbttbn.exe 87 PID 3624 wrote to memory of 4268 3624 nbttbn.exe 87 PID 3624 wrote to memory of 4268 3624 nbttbn.exe 87 PID 4268 wrote to memory of 2116 4268 048428.exe 88 PID 4268 wrote to memory of 2116 4268 048428.exe 88 PID 4268 wrote to memory of 2116 4268 048428.exe 88 PID 2116 wrote to memory of 3100 2116 lrxlflf.exe 89 PID 2116 wrote to memory of 3100 2116 lrxlflf.exe 89 PID 2116 wrote to memory of 3100 2116 lrxlflf.exe 89 PID 3100 wrote to memory of 3140 3100 htbttt.exe 90 PID 3100 wrote to memory of 3140 3100 htbttt.exe 90 PID 3100 wrote to memory of 3140 3100 htbttt.exe 90 PID 3140 wrote to memory of 3292 3140 848844.exe 91 PID 3140 wrote to memory of 3292 3140 848844.exe 91 PID 3140 wrote to memory of 3292 3140 848844.exe 91 PID 3292 wrote to memory of 1796 3292 hhnhtt.exe 92 PID 3292 wrote to memory of 1796 3292 hhnhtt.exe 92 PID 3292 wrote to memory of 1796 3292 hhnhtt.exe 92 PID 1796 wrote to memory of 4116 1796 u440066.exe 93 PID 1796 wrote to memory of 4116 1796 u440066.exe 93 PID 1796 wrote to memory of 4116 1796 u440066.exe 93 PID 4116 wrote to memory of 3104 4116 bhnhhb.exe 94 PID 4116 wrote to 
memory of 3104 4116 bhnhhb.exe 94 PID 4116 wrote to memory of 3104 4116 bhnhhb.exe 94 PID 3104 wrote to memory of 2352 3104 0224484.exe 95 PID 3104 wrote to memory of 2352 3104 0224484.exe 95 PID 3104 wrote to memory of 2352 3104 0224484.exe 95 PID 2352 wrote to memory of 920 2352 bhnbtn.exe 96 PID 2352 wrote to memory of 920 2352 bhnbtn.exe 96 PID 2352 wrote to memory of 920 2352 bhnbtn.exe 96 PID 920 wrote to memory of 3196 920 o280004.exe 97 PID 920 wrote to memory of 3196 920 o280004.exe 97 PID 920 wrote to memory of 3196 920 o280004.exe 97 PID 3196 wrote to memory of 4400 3196 48826.exe 98 PID 3196 wrote to memory of 4400 3196 48826.exe 98 PID 3196 wrote to memory of 4400 3196 48826.exe 98 PID 4400 wrote to memory of 4280 4400 fxxrllf.exe 99 PID 4400 wrote to memory of 4280 4400 fxxrllf.exe 99 PID 4400 wrote to memory of 4280 4400 fxxrllf.exe 99 PID 4280 wrote to memory of 3860 4280 frxxrll.exe 100 PID 4280 wrote to memory of 3860 4280 frxxrll.exe 100 PID 4280 wrote to memory of 3860 4280 frxxrll.exe 100 PID 3860 wrote to memory of 3856 3860 vjpjd.exe 101 PID 3860 wrote to memory of 3856 3860 vjpjd.exe 101 PID 3860 wrote to memory of 3856 3860 vjpjd.exe 101 PID 3856 wrote to memory of 2504 3856 xxfxrlf.exe 102 PID 3856 wrote to memory of 2504 3856 xxfxrlf.exe 102 PID 3856 wrote to memory of 2504 3856 xxfxrlf.exe 102 PID 2504 wrote to memory of 3924 2504 62082.exe 103 PID 2504 wrote to memory of 3924 2504 62082.exe 103 PID 2504 wrote to memory of 3924 2504 62082.exe 103 PID 3924 wrote to memory of 2084 3924 6080468.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe"C:\Users\Admin\AppData\Local\Temp\907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\vjvpp.exec:\vjvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\xxfxlfr.exec:\xxfxlfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\80086.exec:\80086.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\nbttbn.exec:\nbttbn.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\048428.exec:\048428.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\lrxlflf.exec:\lrxlflf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\htbttt.exec:\htbttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\848844.exec:\848844.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\hhnhtt.exec:\hhnhtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\u440066.exec:\u440066.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\bhnhhb.exec:\bhnhhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\0224484.exec:\0224484.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\bhnbtn.exec:\bhnbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\o280004.exec:\o280004.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\48826.exec:\48826.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
\??\c:\fxxrllf.exec:\fxxrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\frxxrll.exec:\frxxrll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\vjpjd.exec:\vjpjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\xxfxrlf.exec:\xxfxrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\62082.exec:\62082.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\6080468.exec:\6080468.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\4482400.exec:\4482400.exe23⤵
- Executes dropped EXE
PID:2084 -
\??\c:\rrrxxrr.exec:\rrrxxrr.exe24⤵
- Executes dropped EXE
PID:1736 -
\??\c:\80602.exec:\80602.exe25⤵
- Executes dropped EXE
PID:3852 -
\??\c:\62482.exec:\62482.exe26⤵
- Executes dropped EXE
PID:3044 -
\??\c:\jdppv.exec:\jdppv.exe27⤵
- Executes dropped EXE
PID:4920 -
\??\c:\4426666.exec:\4426666.exe28⤵
- Executes dropped EXE
PID:1064 -
\??\c:\ttbtbb.exec:\ttbtbb.exe29⤵
- Executes dropped EXE
PID:4128 -
\??\c:\tnhbbb.exec:\tnhbbb.exe30⤵
- Executes dropped EXE
PID:4988 -
\??\c:\08884.exec:\08884.exe31⤵
- Executes dropped EXE
PID:208 -
\??\c:\8804282.exec:\8804282.exe32⤵
- Executes dropped EXE
PID:3928 -
\??\c:\lllfffx.exec:\lllfffx.exe33⤵
- Executes dropped EXE
PID:1812 -
\??\c:\flrrllf.exec:\flrrllf.exe34⤵
- Executes dropped EXE
PID:4416 -
\??\c:\0248260.exec:\0248260.exe35⤵
- Executes dropped EXE
PID:2588 -
\??\c:\q86460.exec:\q86460.exe36⤵
- Executes dropped EXE
PID:5064 -
\??\c:\24824.exec:\24824.exe37⤵
- Executes dropped EXE
PID:4036 -
\??\c:\jvpvp.exec:\jvpvp.exe38⤵
- Executes dropped EXE
PID:1840 -
\??\c:\268600.exec:\268600.exe39⤵
- Executes dropped EXE
PID:4256 -
\??\c:\jdjdv.exec:\jdjdv.exe40⤵
- Executes dropped EXE
PID:5084 -
\??\c:\2666626.exec:\2666626.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4488 -
\??\c:\6408260.exec:\6408260.exe42⤵
- Executes dropped EXE
PID:2676 -
\??\c:\flrrfrx.exec:\flrrfrx.exe43⤵
- Executes dropped EXE
PID:4568 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe44⤵
- Executes dropped EXE
PID:4684 -
\??\c:\rxflflf.exec:\rxflflf.exe45⤵
- Executes dropped EXE
PID:1436 -
\??\c:\w86404.exec:\w86404.exe46⤵
- Executes dropped EXE
PID:1508 -
\??\c:\xlxrxrr.exec:\xlxrxrr.exe47⤵
- Executes dropped EXE
PID:5076 -
\??\c:\k68260.exec:\k68260.exe48⤵
- Executes dropped EXE
PID:4604 -
\??\c:\22260.exec:\22260.exe49⤵
- Executes dropped EXE
PID:3864 -
\??\c:\400446.exec:\400446.exe50⤵
- Executes dropped EXE
PID:4868 -
\??\c:\pvvjj.exec:\pvvjj.exe51⤵
- Executes dropped EXE
PID:5012 -
\??\c:\jpdvp.exec:\jpdvp.exe52⤵
- Executes dropped EXE
PID:1116 -
\??\c:\btbbtn.exec:\btbbtn.exe53⤵
- Executes dropped EXE
PID:828 -
\??\c:\0466008.exec:\0466008.exe54⤵
- Executes dropped EXE
PID:2288 -
\??\c:\vjjdv.exec:\vjjdv.exe55⤵
- Executes dropped EXE
PID:4412 -
\??\c:\0626000.exec:\0626000.exe56⤵
- Executes dropped EXE
PID:3296 -
\??\c:\7tnbtn.exec:\7tnbtn.exe57⤵
- Executes dropped EXE
PID:3944 -
\??\c:\9ddpj.exec:\9ddpj.exe58⤵
- Executes dropped EXE
PID:4688 -
\??\c:\06208.exec:\06208.exe59⤵
- Executes dropped EXE
PID:4232 -
\??\c:\bhtnnh.exec:\bhtnnh.exe60⤵
- Executes dropped EXE
PID:1448 -
\??\c:\rlxlfxl.exec:\rlxlfxl.exe61⤵
- Executes dropped EXE
PID:3468 -
\??\c:\hhttbn.exec:\hhttbn.exe62⤵
- Executes dropped EXE
PID:3624 -
\??\c:\624822.exec:\624822.exe63⤵
- Executes dropped EXE
PID:4484 -
\??\c:\lrxrrlf.exec:\lrxrrlf.exe64⤵
- Executes dropped EXE
PID:1488 -
\??\c:\rxrlffx.exec:\rxrlffx.exe65⤵
- Executes dropped EXE
PID:3096 -
\??\c:\9vddp.exec:\9vddp.exe66⤵PID:3064
-
\??\c:\pjvdv.exec:\pjvdv.exe67⤵PID:4404
-
\??\c:\802266.exec:\802266.exe68⤵PID:3292
-
\??\c:\42604.exec:\42604.exe69⤵PID:864
-
\??\c:\28026.exec:\28026.exe70⤵PID:2704
-
\??\c:\c860642.exec:\c860642.exe71⤵PID:3200
-
\??\c:\frflllf.exec:\frflllf.exe72⤵PID:4336
-
\??\c:\rflfxxr.exec:\rflfxxr.exe73⤵PID:3880
-
\??\c:\02242.exec:\02242.exe74⤵PID:5104
-
\??\c:\3xxrllf.exec:\3xxrllf.exe75⤵PID:2984
-
\??\c:\bttttb.exec:\bttttb.exe76⤵PID:4112
-
\??\c:\dvvpp.exec:\dvvpp.exe77⤵PID:3528
-
\??\c:\08860.exec:\08860.exe78⤵PID:1720
-
\??\c:\06822.exec:\06822.exe79⤵PID:3760
-
\??\c:\nnhhtn.exec:\nnhhtn.exe80⤵PID:1264
-
\??\c:\m4626.exec:\m4626.exe81⤵PID:2976
-
\??\c:\btthbt.exec:\btthbt.exe82⤵PID:2144
-
\??\c:\8686482.exec:\8686482.exe83⤵PID:2000
-
\??\c:\06448.exec:\06448.exe84⤵PID:4108
-
\??\c:\s2820.exec:\s2820.exe85⤵PID:2212
-
\??\c:\vjvpd.exec:\vjvpd.exe86⤵PID:1492
-
\??\c:\5rfxrrf.exec:\5rfxrrf.exe87⤵PID:4128
-
\??\c:\0848866.exec:\0848866.exe88⤵PID:2404
-
\??\c:\8400482.exec:\8400482.exe89⤵PID:4144
-
\??\c:\vjvdp.exec:\vjvdp.exe90⤵PID:3312
-
\??\c:\9rrlxrx.exec:\9rrlxrx.exe91⤵PID:3928
-
\??\c:\7rrrlff.exec:\7rrrlff.exe92⤵PID:2184
-
\??\c:\frxlxfr.exec:\frxlxfr.exe93⤵PID:1076
-
\??\c:\22042.exec:\22042.exe94⤵
- System Location Discovery: System Language Discovery
PID:3112 -
\??\c:\622826.exec:\622826.exe95⤵PID:1524
-
\??\c:\8286048.exec:\8286048.exe96⤵PID:4256
-
\??\c:\flflxrl.exec:\flflxrl.exe97⤵PID:5084
-
\??\c:\20206.exec:\20206.exe98⤵PID:4488
-
\??\c:\2242666.exec:\2242666.exe99⤵PID:3016
-
\??\c:\2288206.exec:\2288206.exe100⤵PID:4568
-
\??\c:\440862.exec:\440862.exe101⤵PID:2920
-
\??\c:\pdddv.exec:\pdddv.exe102⤵PID:696
-
\??\c:\pjdpd.exec:\pjdpd.exe103⤵PID:3464
-
\??\c:\1hbtnn.exec:\1hbtnn.exe104⤵PID:3172
-
\??\c:\4846000.exec:\4846000.exe105⤵PID:3532
-
\??\c:\rrllxxl.exec:\rrllxxl.exe106⤵PID:3584
-
\??\c:\htbbnt.exec:\htbbnt.exe107⤵PID:3144
-
\??\c:\fxrlllx.exec:\fxrlllx.exe108⤵PID:4180
-
\??\c:\222600.exec:\222600.exe109⤵PID:5028
-
\??\c:\rrrflrf.exec:\rrrflrf.exe110⤵PID:5052
-
\??\c:\84204.exec:\84204.exe111⤵PID:4356
-
\??\c:\80008.exec:\80008.exe112⤵PID:4360
-
\??\c:\tbthnt.exec:\tbthnt.exe113⤵PID:4660
-
\??\c:\rffxrlx.exec:\rffxrlx.exe114⤵PID:3700
-
\??\c:\002648.exec:\002648.exe115⤵PID:4560
-
\??\c:\jvjdp.exec:\jvjdp.exe116⤵PID:4744
-
\??\c:\tbhbtt.exec:\tbhbtt.exe117⤵PID:5032
-
\??\c:\djpjd.exec:\djpjd.exe118⤵PID:3020
-
\??\c:\8604888.exec:\8604888.exe119⤵PID:2284
-
\??\c:\6686046.exec:\6686046.exe120⤵PID:3664
-
\??\c:\08048.exec:\08048.exe121⤵PID:5008
-
\??\c:\6402626.exec:\6402626.exe122⤵PID:4504