Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
20-01-2025 09:21
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe
-
Size
457KB
-
MD5
1d3063cf283168a9b03f44cdf8602cd1
-
SHA1
dfe57942d65d9f3c9dda9dce003fe06c7973d0df
-
SHA256
b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040
-
SHA512
f0c7c1e532702db8aa949bf944c334e7cbaf59608841340ce151b4b6ba2a45471438ebdd5e89b40303689c4ddc4f9bf278cb90b9f2669d4ea399f433bf9ae4ec
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRH:q7Tc2NYHUrAwfMp3CDRH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs (every match below is on a behavioral1 memory-dump region, typically the image range 0x400000-0x42A000 of a process in the chain; the same regions also match the `upx` yara rule further down, so the family rule is firing on code as it sits in memory — a match against the on-disk sample is not shown in this report)
resource yara_rule behavioral1/memory/1956-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/336-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1328-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1236-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1812-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-467-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2300-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-691-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/1728-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-832-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1272-999-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-1002-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (list capped at 64 entries; the process tree below goes to 122 levels. Every dropped executable shown is written to the root of the system drive as `\??\c:\<name>.exe`, with short names drawn from a small character set — a write or execute of an .exe directly under C:\ is the simplest hunt for this chain)
pid Process 2388 lfrrrrr.exe 2352 7jpvv.exe 2288 lxrlffx.exe 336 ttntbh.exe 2440 dpddj.exe 2876 bnttbb.exe 2904 dvppd.exe 2644 bnbntt.exe 2672 btnhhh.exe 2636 xrflrlr.exe 2324 7tbbhh.exe 2936 5djpv.exe 2972 xfxflrr.exe 2940 ppjvj.exe 1328 llffrrl.exe 836 ttnnth.exe 1332 5dpvd.exe 2444 nhtbhn.exe 2056 vpjpd.exe 2364 btnttn.exe 2068 tnhntb.exe 1236 rlrfrxl.exe 544 nhbnhh.exe 1716 xrrlllx.exe 1776 hhbthn.exe 1744 lfrfffl.exe 2356 rffxxrx.exe 2600 jvpvd.exe 2556 llffllf.exe 1752 nhthth.exe 3048 fffrflx.exe 1592 btnnhn.exe 1812 vdjdd.exe 2248 xrrxffx.exe 1484 xxlrxxl.exe 3028 tnhnbh.exe 2260 ppvdj.exe 2828 rlfflrr.exe 2880 rrrlxxl.exe 2892 tnhtbt.exe 2780 dvjpv.exe 2640 xrflrxf.exe 2792 lxrxlrr.exe 2732 5btbhh.exe 2636 ddppv.exe 2816 9xrxflr.exe 2868 5fxxffr.exe 2924 1bntbb.exe 2932 djjpj.exe 2684 3pjvd.exe 2948 lfllrrr.exe 2980 nnbhnn.exe 1044 hbbbbb.exe 2348 7dvdj.exe 2224 5xxfflx.exe 1648 rlxfflx.exe 572 nthhtb.exe 2300 vpjvj.exe 1472 frffllx.exe 2068 xrffllr.exe 1236 btnbhh.exe 1948 dpvpd.exe 1820 7pjpd.exe 620 fxlrxxf.exe -
Yara rule `upx` matched (signature title did not survive extraction; matches are on behavioral1 memory-dump regions, largely the same 0x400000-0x42A000 ranges flagged as Blackmoon above)
resource yara_rule behavioral1/memory/1956-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/336-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/336-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1328-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/544-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-257-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1592-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-839-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-853-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2164-980-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-999-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-1002-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2264-1104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-1123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-1130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-1143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-1150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-1164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-1171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-1184-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that most of the 64 key-open events below are attributed to "Process not Found": the sandbox could not resolve the originating process at the time the event was recorded (plausibly because the short-lived chain members had already exited). Treat those rows as unattributed, not as absent, when counting how many chain members perform this check.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rfrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flffrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (list capped at 64; the entries shown cover only the first 16 links of the chain, PID 1956 through PID 1328, with each parent→child pair repeated four times. In every entry the parent writes into the child it has itself just launched, matching the process tree below; no write into a pre-existing or system process appears in the entries shown, so this reads as the loader chain handing off to the next stage rather than injection into an unrelated process)
description pid Process procid_target PID 1956 wrote to memory of 2388 1956 b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe 30 PID 1956 wrote to memory of 2388 1956 b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe 30 PID 1956 wrote to memory of 2388 1956 b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe 30 PID 1956 wrote to memory of 2388 1956 b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe 30 PID 2388 wrote to memory of 2352 2388 lfrrrrr.exe 31 PID 2388 wrote to memory of 2352 2388 lfrrrrr.exe 31 PID 2388 wrote to memory of 2352 2388 lfrrrrr.exe 31 PID 2388 wrote to memory of 2352 2388 lfrrrrr.exe 31 PID 2352 wrote to memory of 2288 2352 7jpvv.exe 32 PID 2352 wrote to memory of 2288 2352 7jpvv.exe 32 PID 2352 wrote to memory of 2288 2352 7jpvv.exe 32 PID 2352 wrote to memory of 2288 2352 7jpvv.exe 32 PID 2288 wrote to memory of 336 2288 lxrlffx.exe 33 PID 2288 wrote to memory of 336 2288 lxrlffx.exe 33 PID 2288 wrote to memory of 336 2288 lxrlffx.exe 33 PID 2288 wrote to memory of 336 2288 lxrlffx.exe 33 PID 336 wrote to memory of 2440 336 ttntbh.exe 34 PID 336 wrote to memory of 2440 336 ttntbh.exe 34 PID 336 wrote to memory of 2440 336 ttntbh.exe 34 PID 336 wrote to memory of 2440 336 ttntbh.exe 34 PID 2440 wrote to memory of 2876 2440 dpddj.exe 35 PID 2440 wrote to memory of 2876 2440 dpddj.exe 35 PID 2440 wrote to memory of 2876 2440 dpddj.exe 35 PID 2440 wrote to memory of 2876 2440 dpddj.exe 35 PID 2876 wrote to memory of 2904 2876 bnttbb.exe 36 PID 2876 wrote to memory of 2904 2876 bnttbb.exe 36 PID 2876 wrote to memory of 2904 2876 bnttbb.exe 36 PID 2876 wrote to memory of 2904 2876 bnttbb.exe 36 PID 2904 wrote to memory of 2644 2904 dvppd.exe 37 PID 2904 wrote to memory of 2644 2904 dvppd.exe 37 PID 2904 wrote to memory of 2644 2904 dvppd.exe 37 PID 2904 wrote to memory of 2644 2904 dvppd.exe 37 PID 2644 wrote to memory of 2672 2644 bnbntt.exe 38 PID 2644 wrote to memory of 
2672 2644 bnbntt.exe 38 PID 2644 wrote to memory of 2672 2644 bnbntt.exe 38 PID 2644 wrote to memory of 2672 2644 bnbntt.exe 38 PID 2672 wrote to memory of 2636 2672 btnhhh.exe 39 PID 2672 wrote to memory of 2636 2672 btnhhh.exe 39 PID 2672 wrote to memory of 2636 2672 btnhhh.exe 39 PID 2672 wrote to memory of 2636 2672 btnhhh.exe 39 PID 2636 wrote to memory of 2324 2636 xrflrlr.exe 40 PID 2636 wrote to memory of 2324 2636 xrflrlr.exe 40 PID 2636 wrote to memory of 2324 2636 xrflrlr.exe 40 PID 2636 wrote to memory of 2324 2636 xrflrlr.exe 40 PID 2324 wrote to memory of 2936 2324 7tbbhh.exe 41 PID 2324 wrote to memory of 2936 2324 7tbbhh.exe 41 PID 2324 wrote to memory of 2936 2324 7tbbhh.exe 41 PID 2324 wrote to memory of 2936 2324 7tbbhh.exe 41 PID 2936 wrote to memory of 2972 2936 5djpv.exe 42 PID 2936 wrote to memory of 2972 2936 5djpv.exe 42 PID 2936 wrote to memory of 2972 2936 5djpv.exe 42 PID 2936 wrote to memory of 2972 2936 5djpv.exe 42 PID 2972 wrote to memory of 2940 2972 xfxflrr.exe 43 PID 2972 wrote to memory of 2940 2972 xfxflrr.exe 43 PID 2972 wrote to memory of 2940 2972 xfxflrr.exe 43 PID 2972 wrote to memory of 2940 2972 xfxflrr.exe 43 PID 2940 wrote to memory of 1328 2940 ppjvj.exe 44 PID 2940 wrote to memory of 1328 2940 ppjvj.exe 44 PID 2940 wrote to memory of 1328 2940 ppjvj.exe 44 PID 2940 wrote to memory of 1328 2940 ppjvj.exe 44 PID 1328 wrote to memory of 836 1328 llffrrl.exe 45 PID 1328 wrote to memory of 836 1328 llffrrl.exe 45 PID 1328 wrote to memory of 836 1328 llffrrl.exe 45 PID 1328 wrote to memory of 836 1328 llffrrl.exe 45
Processes (each row below is the image path, then the command line, then the nesting level in the tree — these fields were run together during extraction. The tree is a strictly linear chain: the submitted sample launches one dropped EXE at C:\, which launches the next, 122 levels deep within the 150 s window. Because the chain members exit quickly, Windows reuses PIDs within the run — e.g. PID 2636 appears at levels 11 and 46, 1236 at 23 and 62, 2068 at 22 and 61, 336 at 5 and 120, 1592 at 33 and 116 — so a PID alone does not identify a process here; the memory-dump names above are PID plus a sequence number (e.g. 1592-293 and 1592-300) for that reason)
-
C:\Users\Admin\AppData\Local\Temp\b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe"C:\Users\Admin\AppData\Local\Temp\b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\lfrrrrr.exec:\lfrrrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\7jpvv.exec:\7jpvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\lxrlffx.exec:\lxrlffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\ttntbh.exec:\ttntbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\dpddj.exec:\dpddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\bnttbb.exec:\bnttbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\dvppd.exec:\dvppd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\bnbntt.exec:\bnbntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\btnhhh.exec:\btnhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\xrflrlr.exec:\xrflrlr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\7tbbhh.exec:\7tbbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\5djpv.exec:\5djpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\xfxflrr.exec:\xfxflrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\ppjvj.exec:\ppjvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\llffrrl.exec:\llffrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\ttnnth.exec:\ttnnth.exe17⤵
- Executes dropped EXE
PID:836 -
\??\c:\5dpvd.exec:\5dpvd.exe18⤵
- Executes dropped EXE
PID:1332 -
\??\c:\nhtbhn.exec:\nhtbhn.exe19⤵
- Executes dropped EXE
PID:2444 -
\??\c:\vpjpd.exec:\vpjpd.exe20⤵
- Executes dropped EXE
PID:2056 -
\??\c:\btnttn.exec:\btnttn.exe21⤵
- Executes dropped EXE
PID:2364 -
\??\c:\tnhntb.exec:\tnhntb.exe22⤵
- Executes dropped EXE
PID:2068 -
\??\c:\rlrfrxl.exec:\rlrfrxl.exe23⤵
- Executes dropped EXE
PID:1236 -
\??\c:\nhbnhh.exec:\nhbnhh.exe24⤵
- Executes dropped EXE
PID:544 -
\??\c:\xrrlllx.exec:\xrrlllx.exe25⤵
- Executes dropped EXE
PID:1716 -
\??\c:\hhbthn.exec:\hhbthn.exe26⤵
- Executes dropped EXE
PID:1776 -
\??\c:\lfrfffl.exec:\lfrfffl.exe27⤵
- Executes dropped EXE
PID:1744 -
\??\c:\rffxxrx.exec:\rffxxrx.exe28⤵
- Executes dropped EXE
PID:2356 -
\??\c:\jvpvd.exec:\jvpvd.exe29⤵
- Executes dropped EXE
PID:2600 -
\??\c:\llffllf.exec:\llffllf.exe30⤵
- Executes dropped EXE
PID:2556 -
\??\c:\nhthth.exec:\nhthth.exe31⤵
- Executes dropped EXE
PID:1752 -
\??\c:\fffrflx.exec:\fffrflx.exe32⤵
- Executes dropped EXE
PID:3048 -
\??\c:\btnnhn.exec:\btnnhn.exe33⤵
- Executes dropped EXE
PID:1592 -
\??\c:\vdjdd.exec:\vdjdd.exe34⤵
- Executes dropped EXE
PID:1812 -
\??\c:\xrrxffx.exec:\xrrxffx.exe35⤵
- Executes dropped EXE
PID:2248 -
\??\c:\xxlrxxl.exec:\xxlrxxl.exe36⤵
- Executes dropped EXE
PID:1484 -
\??\c:\tnhnbh.exec:\tnhnbh.exe37⤵
- Executes dropped EXE
PID:3028 -
\??\c:\ppvdj.exec:\ppvdj.exe38⤵
- Executes dropped EXE
PID:2260 -
\??\c:\rlfflrr.exec:\rlfflrr.exe39⤵
- Executes dropped EXE
PID:2828 -
\??\c:\rrrlxxl.exec:\rrrlxxl.exe40⤵
- Executes dropped EXE
PID:2880 -
\??\c:\tnhtbt.exec:\tnhtbt.exe41⤵
- Executes dropped EXE
PID:2892 -
\??\c:\dvjpv.exec:\dvjpv.exe42⤵
- Executes dropped EXE
PID:2780 -
\??\c:\xrflrxf.exec:\xrflrxf.exe43⤵
- Executes dropped EXE
PID:2640 -
\??\c:\lxrxlrr.exec:\lxrxlrr.exe44⤵
- Executes dropped EXE
PID:2792 -
\??\c:\5btbhh.exec:\5btbhh.exe45⤵
- Executes dropped EXE
PID:2732 -
\??\c:\ddppv.exec:\ddppv.exe46⤵
- Executes dropped EXE
PID:2636 -
\??\c:\9xrxflr.exec:\9xrxflr.exe47⤵
- Executes dropped EXE
PID:2816 -
\??\c:\5fxxffr.exec:\5fxxffr.exe48⤵
- Executes dropped EXE
PID:2868 -
\??\c:\1bntbb.exec:\1bntbb.exe49⤵
- Executes dropped EXE
PID:2924 -
\??\c:\djjpj.exec:\djjpj.exe50⤵
- Executes dropped EXE
PID:2932 -
\??\c:\3pjvd.exec:\3pjvd.exe51⤵
- Executes dropped EXE
PID:2684 -
\??\c:\lfllrrr.exec:\lfllrrr.exe52⤵
- Executes dropped EXE
PID:2948 -
\??\c:\nnbhnn.exec:\nnbhnn.exe53⤵
- Executes dropped EXE
PID:2980 -
\??\c:\hbbbbb.exec:\hbbbbb.exe54⤵
- Executes dropped EXE
PID:1044 -
\??\c:\7dvdj.exec:\7dvdj.exe55⤵
- Executes dropped EXE
PID:2348 -
\??\c:\5xxfflx.exec:\5xxfflx.exe56⤵
- Executes dropped EXE
PID:2224 -
\??\c:\rlxfflx.exec:\rlxfflx.exe57⤵
- Executes dropped EXE
PID:1648 -
\??\c:\nthhtb.exec:\nthhtb.exe58⤵
- Executes dropped EXE
PID:572 -
\??\c:\vpjvj.exec:\vpjvj.exe59⤵
- Executes dropped EXE
PID:2300 -
\??\c:\frffllx.exec:\frffllx.exe60⤵
- Executes dropped EXE
PID:1472 -
\??\c:\xrffllr.exec:\xrffllr.exe61⤵
- Executes dropped EXE
PID:2068 -
\??\c:\btnbhh.exec:\btnbhh.exe62⤵
- Executes dropped EXE
PID:1236 -
\??\c:\dpvpd.exec:\dpvpd.exe63⤵
- Executes dropped EXE
PID:1948 -
\??\c:\7pjpd.exec:\7pjpd.exe64⤵
- Executes dropped EXE
PID:1820 -
\??\c:\fxlrxxf.exec:\fxlrxxf.exe65⤵
- Executes dropped EXE
PID:620 -
\??\c:\bhthtt.exec:\bhthtt.exe66⤵PID:2588
-
\??\c:\ppjvj.exec:\ppjvj.exe67⤵PID:2916
-
\??\c:\9vjjp.exec:\9vjjp.exe68⤵PID:1780
-
\??\c:\xxflxfl.exec:\xxflxfl.exe69⤵PID:2208
-
\??\c:\3hhthn.exec:\3hhthn.exe70⤵PID:2256
-
\??\c:\pjvpv.exec:\pjvpv.exe71⤵PID:2416
-
\??\c:\pddvv.exec:\pddvv.exe72⤵PID:1816
-
\??\c:\xfrrffr.exec:\xfrrffr.exe73⤵PID:1292
-
\??\c:\nhnthh.exec:\nhnthh.exe74⤵PID:2220
-
\??\c:\nhhhth.exec:\nhhhth.exe75⤵PID:532
-
\??\c:\jvjdp.exec:\jvjdp.exe76⤵PID:2500
-
\??\c:\lflrxxf.exec:\lflrxxf.exe77⤵PID:1836
-
\??\c:\thbnbh.exec:\thbnbh.exe78⤵PID:584
-
\??\c:\ttnntb.exec:\ttnntb.exe79⤵PID:1476
-
\??\c:\vvpvj.exec:\vvpvj.exe80⤵PID:2252
-
\??\c:\fffrxll.exec:\fffrxll.exe81⤵PID:2840
-
\??\c:\fxrxrrl.exec:\fxrxrrl.exe82⤵PID:3052
-
\??\c:\7tnbht.exec:\7tnbht.exe83⤵PID:2892
-
\??\c:\btntbn.exec:\btntbn.exe84⤵PID:2192
-
\??\c:\vjppd.exec:\vjppd.exe85⤵PID:2432
-
\??\c:\rxxxlrf.exec:\rxxxlrf.exe86⤵PID:2668
-
\??\c:\xfllrfr.exec:\xfllrfr.exe87⤵PID:2740
-
\??\c:\hthhnn.exec:\hthhnn.exe88⤵PID:2216
-
\??\c:\jpjpd.exec:\jpjpd.exe89⤵PID:2660
-
\??\c:\dvvvj.exec:\dvvvj.exe90⤵PID:1532
-
\??\c:\xxrrflf.exec:\xxrrflf.exe91⤵PID:3000
-
\??\c:\llllxrf.exec:\llllxrf.exe92⤵PID:2956
-
\??\c:\tnbhnt.exec:\tnbhnt.exe93⤵PID:1296
-
\??\c:\jdvjv.exec:\jdvjv.exe94⤵PID:1196
-
\??\c:\xrxxflr.exec:\xrxxflr.exe95⤵PID:1728
-
\??\c:\rlflxfr.exec:\rlflxfr.exe96⤵PID:1624
-
\??\c:\hhnbhn.exec:\hhnbhn.exe97⤵PID:1768
-
\??\c:\3jpjj.exec:\3jpjj.exe98⤵PID:2336
-
\??\c:\vvvvd.exec:\vvvvd.exe99⤵PID:2384
-
\??\c:\rlxfrrx.exec:\rlxfrrx.exe100⤵PID:2092
-
\??\c:\7bntbn.exec:\7bntbn.exe101⤵PID:2100
-
\??\c:\bbnnnn.exec:\bbnnnn.exe102⤵PID:2136
-
\??\c:\jdppv.exec:\jdppv.exe103⤵PID:464
-
\??\c:\1lffxxx.exec:\1lffxxx.exe104⤵PID:1084
-
\??\c:\lfrrrrr.exec:\lfrrrrr.exe105⤵PID:904
-
\??\c:\hhthtt.exec:\hhthtt.exe106⤵PID:2020
-
\??\c:\ttnbnb.exec:\ttnbnb.exe107⤵PID:2552
-
\??\c:\ddvjv.exec:\ddvjv.exe108⤵PID:1260
-
\??\c:\pdvpp.exec:\pdvpp.exe109⤵PID:2588
-
\??\c:\llflrxl.exec:\llflrxl.exe110⤵PID:2544
-
\??\c:\hbtntt.exec:\hbtntt.exe111⤵PID:1780
-
\??\c:\tnbhtb.exec:\tnbhtb.exe112⤵PID:2284
-
\??\c:\3jppj.exec:\3jppj.exe113⤵PID:2536
-
\??\c:\llxrxfl.exec:\llxrxfl.exe114⤵PID:876
-
\??\c:\3lxrrxf.exec:\3lxrrxf.exe115⤵PID:1600
-
\??\c:\9hhhnn.exec:\9hhhnn.exe116⤵PID:1592
-
\??\c:\5dpjd.exec:\5dpjd.exe117⤵PID:596
-
\??\c:\vpjpd.exec:\vpjpd.exe118⤵PID:2172
-
\??\c:\5xrrrrr.exec:\5xrrrrr.exe119⤵PID:2504
-
\??\c:\nhtthh.exec:\nhtthh.exe120⤵PID:336
-
\??\c:\9tnhbb.exec:\9tnhbb.exe121⤵PID:584
-
\??\c:\vppdj.exec:\vppdj.exe122⤵PID:2832