Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe
-
Size
457KB
-
MD5
1d3063cf283168a9b03f44cdf8602cd1
-
SHA1
dfe57942d65d9f3c9dda9dce003fe06c7973d0df
-
SHA256
b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040
-
SHA512
f0c7c1e532702db8aa949bf944c334e7cbaf59608841340ce151b4b6ba2a45471438ebdd5e89b40303689c4ddc4f9bf278cb90b9f2669d4ea399f433bf9ae4ec
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRH:q7Tc2NYHUrAwfMp3CDRH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1008-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/488-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1388-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/692-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2920-978-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 488 fxlfxxx.exe 3820 fxfxfxr.exe 900 ddvdj.exe 5012 djpdv.exe 3944 hntbhn.exe 1812 tbnbtn.exe 3888 fxfxxrl.exe 760 7bbtnn.exe 1744 dvvpp.exe 680 xxlrffl.exe 2892 ppdvp.exe 3500 frflrlr.exe 1996 5hhbbb.exe 5008 vpvdv.exe 3552 nthhhh.exe 4512 htbbhh.exe 1964 lfxrlfx.exe 4896 hnnhbt.exe 4312 nhtntn.exe 1500 llrxffl.exe 100 thnnhh.exe 2936 xxxrfxl.exe 1636 bthhnn.exe 3192 jdppv.exe 4168 htbthh.exe 2216 lrfrfxl.exe 1388 vpvjd.exe 1992 nhhbth.exe 3964 pvjvp.exe 1584 hnbttt.exe 1624 5djjd.exe 2920 nntnnt.exe 1536 xxxrfff.exe 4080 bhbtnh.exe 2036 5nbnbb.exe 2500 llllfxl.exe 668 9bbtnt.exe 868 pdpjj.exe 4376 1frxlfx.exe 2820 hbtnhb.exe 4420 vpvpj.exe 3960 jvvpd.exe 4528 rflflfx.exe 2276 ttttnn.exe 2780 jdjdv.exe 4940 dvpjv.exe 3564 rrrllll.exe 3136 htbtnh.exe 2040 jppjd.exe 4356 lfllfff.exe 4448 nttbhb.exe 1748 jdpdj.exe 824 frrlxrl.exe 3124 frxxrrl.exe 3468 bbhhtb.exe 4504 7pppj.exe 2272 5lrlllf.exe 3580 nhhtnh.exe 2804 nbhhbb.exe 3992 frrlrlx.exe 3296 nnnnnn.exe 5100 httnhb.exe 1812 djjpj.exe 4976 lxfxrrl.exe -
resource yara_rule behavioral2/memory/1008-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/488-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1624-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-350-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4812-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-732-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrllxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrxllx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1008 wrote to memory of 488 1008 b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe 82 PID 1008 wrote to memory of 488 1008 b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe 82 PID 1008 wrote to memory of 488 1008 b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe 82 PID 488 wrote to memory of 3820 488 fxlfxxx.exe 83 PID 488 wrote to memory of 3820 488 fxlfxxx.exe 83 PID 488 wrote to memory of 3820 488 fxlfxxx.exe 83 PID 3820 wrote to memory of 900 3820 fxfxfxr.exe 84 PID 3820 wrote to memory of 900 3820 fxfxfxr.exe 84 PID 3820 wrote to memory of 900 3820 fxfxfxr.exe 84 PID 900 wrote to memory of 5012 900 ddvdj.exe 85 PID 900 wrote to memory of 5012 900 ddvdj.exe 85 PID 900 wrote to memory of 5012 900 ddvdj.exe 85 PID 5012 wrote to memory of 3944 5012 djpdv.exe 86 PID 5012 wrote to memory of 3944 5012 djpdv.exe 86 PID 5012 wrote to memory of 3944 5012 djpdv.exe 86 PID 3944 wrote to memory of 1812 3944 hntbhn.exe 87 PID 3944 wrote to memory of 1812 3944 hntbhn.exe 87 PID 3944 wrote to memory of 1812 3944 hntbhn.exe 87 PID 1812 wrote to memory of 3888 1812 tbnbtn.exe 88 PID 1812 wrote to memory of 3888 1812 tbnbtn.exe 88 PID 1812 wrote to memory of 3888 1812 tbnbtn.exe 88 PID 3888 wrote to memory of 760 3888 fxfxxrl.exe 89 PID 3888 wrote to memory of 760 3888 fxfxxrl.exe 89 PID 3888 wrote to memory of 760 3888 fxfxxrl.exe 89 PID 760 wrote to memory of 1744 760 7bbtnn.exe 90 PID 760 wrote to memory of 1744 760 7bbtnn.exe 90 PID 760 wrote to memory of 1744 760 7bbtnn.exe 90 PID 1744 wrote to memory of 680 1744 dvvpp.exe 91 PID 1744 wrote to memory of 680 1744 dvvpp.exe 91 PID 1744 wrote to memory of 680 1744 dvvpp.exe 91 PID 680 wrote to memory of 2892 680 xxlrffl.exe 92 PID 680 wrote to memory of 2892 680 xxlrffl.exe 92 PID 680 wrote to memory of 2892 680 xxlrffl.exe 92 PID 2892 wrote to memory of 3500 2892 ppdvp.exe 93 PID 2892 wrote to memory of 3500 2892 ppdvp.exe 93 
PID 2892 wrote to memory of 3500 2892 ppdvp.exe 93 PID 3500 wrote to memory of 1996 3500 frflrlr.exe 94 PID 3500 wrote to memory of 1996 3500 frflrlr.exe 94 PID 3500 wrote to memory of 1996 3500 frflrlr.exe 94 PID 1996 wrote to memory of 5008 1996 5hhbbb.exe 95 PID 1996 wrote to memory of 5008 1996 5hhbbb.exe 95 PID 1996 wrote to memory of 5008 1996 5hhbbb.exe 95 PID 5008 wrote to memory of 3552 5008 vpvdv.exe 96 PID 5008 wrote to memory of 3552 5008 vpvdv.exe 96 PID 5008 wrote to memory of 3552 5008 vpvdv.exe 96 PID 3552 wrote to memory of 4512 3552 nthhhh.exe 97 PID 3552 wrote to memory of 4512 3552 nthhhh.exe 97 PID 3552 wrote to memory of 4512 3552 nthhhh.exe 97 PID 4512 wrote to memory of 1964 4512 htbbhh.exe 98 PID 4512 wrote to memory of 1964 4512 htbbhh.exe 98 PID 4512 wrote to memory of 1964 4512 htbbhh.exe 98 PID 1964 wrote to memory of 4896 1964 lfxrlfx.exe 99 PID 1964 wrote to memory of 4896 1964 lfxrlfx.exe 99 PID 1964 wrote to memory of 4896 1964 lfxrlfx.exe 99 PID 4896 wrote to memory of 4312 4896 hnnhbt.exe 100 PID 4896 wrote to memory of 4312 4896 hnnhbt.exe 100 PID 4896 wrote to memory of 4312 4896 hnnhbt.exe 100 PID 4312 wrote to memory of 1500 4312 nhtntn.exe 101 PID 4312 wrote to memory of 1500 4312 nhtntn.exe 101 PID 4312 wrote to memory of 1500 4312 nhtntn.exe 101 PID 1500 wrote to memory of 100 1500 llrxffl.exe 102 PID 1500 wrote to memory of 100 1500 llrxffl.exe 102 PID 1500 wrote to memory of 100 1500 llrxffl.exe 102 PID 100 wrote to memory of 2936 100 thnnhh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe"C:\Users\Admin\AppData\Local\Temp\b07360c60b3d046b0caff3834371f2b094c1950889ccc69e659df90861345040.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\fxlfxxx.exec:\fxlfxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:488 -
\??\c:\fxfxfxr.exec:\fxfxfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\ddvdj.exec:\ddvdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\djpdv.exec:\djpdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\hntbhn.exec:\hntbhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\tbnbtn.exec:\tbnbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\fxfxxrl.exec:\fxfxxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\7bbtnn.exec:\7bbtnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\dvvpp.exec:\dvvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\xxlrffl.exec:\xxlrffl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
\??\c:\ppdvp.exec:\ppdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\frflrlr.exec:\frflrlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\5hhbbb.exec:\5hhbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\vpvdv.exec:\vpvdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\nthhhh.exec:\nthhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\htbbhh.exec:\htbbhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\hnnhbt.exec:\hnnhbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\nhtntn.exec:\nhtntn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\llrxffl.exec:\llrxffl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\thnnhh.exec:\thnnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\xxxrfxl.exec:\xxxrfxl.exe23⤵
- Executes dropped EXE
PID:2936 -
\??\c:\bthhnn.exec:\bthhnn.exe24⤵
- Executes dropped EXE
PID:1636 -
\??\c:\jdppv.exec:\jdppv.exe25⤵
- Executes dropped EXE
PID:3192 -
\??\c:\htbthh.exec:\htbthh.exe26⤵
- Executes dropped EXE
PID:4168 -
\??\c:\lrfrfxl.exec:\lrfrfxl.exe27⤵
- Executes dropped EXE
PID:2216 -
\??\c:\vpvjd.exec:\vpvjd.exe28⤵
- Executes dropped EXE
PID:1388 -
\??\c:\nhhbth.exec:\nhhbth.exe29⤵
- Executes dropped EXE
PID:1992 -
\??\c:\pvjvp.exec:\pvjvp.exe30⤵
- Executes dropped EXE
PID:3964 -
\??\c:\hnbttt.exec:\hnbttt.exe31⤵
- Executes dropped EXE
PID:1584 -
\??\c:\5djjd.exec:\5djjd.exe32⤵
- Executes dropped EXE
PID:1624 -
\??\c:\nntnnt.exec:\nntnnt.exe33⤵
- Executes dropped EXE
PID:2920 -
\??\c:\xxxrfff.exec:\xxxrfff.exe34⤵
- Executes dropped EXE
PID:1536 -
\??\c:\bhbtnh.exec:\bhbtnh.exe35⤵
- Executes dropped EXE
PID:4080 -
\??\c:\5nbnbb.exec:\5nbnbb.exe36⤵
- Executes dropped EXE
PID:2036 -
\??\c:\llllfxl.exec:\llllfxl.exe37⤵
- Executes dropped EXE
PID:2500 -
\??\c:\9bbtnt.exec:\9bbtnt.exe38⤵
- Executes dropped EXE
PID:668 -
\??\c:\pdpjj.exec:\pdpjj.exe39⤵
- Executes dropped EXE
PID:868 -
\??\c:\1frxlfx.exec:\1frxlfx.exe40⤵
- Executes dropped EXE
PID:4376 -
\??\c:\hbtnhb.exec:\hbtnhb.exe41⤵
- Executes dropped EXE
PID:2820 -
\??\c:\vpvpj.exec:\vpvpj.exe42⤵
- Executes dropped EXE
PID:4420 -
\??\c:\jvvpd.exec:\jvvpd.exe43⤵
- Executes dropped EXE
PID:3960 -
\??\c:\rflflfx.exec:\rflflfx.exe44⤵
- Executes dropped EXE
PID:4528 -
\??\c:\ttttnn.exec:\ttttnn.exe45⤵
- Executes dropped EXE
PID:2276 -
\??\c:\jdjdv.exec:\jdjdv.exe46⤵
- Executes dropped EXE
PID:2780 -
\??\c:\dvpjv.exec:\dvpjv.exe47⤵
- Executes dropped EXE
PID:4940 -
\??\c:\rrrllll.exec:\rrrllll.exe48⤵
- Executes dropped EXE
PID:3564 -
\??\c:\htbtnh.exec:\htbtnh.exe49⤵
- Executes dropped EXE
PID:3136 -
\??\c:\jppjd.exec:\jppjd.exe50⤵
- Executes dropped EXE
PID:2040 -
\??\c:\lfllfff.exec:\lfllfff.exe51⤵
- Executes dropped EXE
PID:4356 -
\??\c:\nttbhb.exec:\nttbhb.exe52⤵
- Executes dropped EXE
PID:4448 -
\??\c:\jdpdj.exec:\jdpdj.exe53⤵
- Executes dropped EXE
PID:1748 -
\??\c:\frrlxrl.exec:\frrlxrl.exe54⤵
- Executes dropped EXE
PID:824 -
\??\c:\frxxrrl.exec:\frxxrrl.exe55⤵
- Executes dropped EXE
PID:3124 -
\??\c:\bbhhtb.exec:\bbhhtb.exe56⤵
- Executes dropped EXE
PID:3468 -
\??\c:\7pppj.exec:\7pppj.exe57⤵
- Executes dropped EXE
PID:4504 -
\??\c:\5lrlllf.exec:\5lrlllf.exe58⤵
- Executes dropped EXE
PID:2272 -
\??\c:\nhhtnh.exec:\nhhtnh.exe59⤵
- Executes dropped EXE
PID:3580 -
\??\c:\nbhhbb.exec:\nbhhbb.exe60⤵
- Executes dropped EXE
PID:2804 -
\??\c:\frrlrlx.exec:\frrlrlx.exe61⤵
- Executes dropped EXE
PID:3992 -
\??\c:\nnnnnn.exec:\nnnnnn.exe62⤵
- Executes dropped EXE
PID:3296 -
\??\c:\httnhb.exec:\httnhb.exe63⤵
- Executes dropped EXE
PID:5100 -
\??\c:\djjpj.exec:\djjpj.exe64⤵
- Executes dropped EXE
PID:1812 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe65⤵
- Executes dropped EXE
PID:4976 -
\??\c:\3hnhbb.exec:\3hnhbb.exe66⤵PID:4260
-
\??\c:\hhnhbh.exec:\hhnhbh.exe67⤵PID:4568
-
\??\c:\ddvpj.exec:\ddvpj.exe68⤵PID:3988
-
\??\c:\xrffxrx.exec:\xrffxrx.exe69⤵PID:1968
-
\??\c:\tbbnhh.exec:\tbbnhh.exe70⤵PID:316
-
\??\c:\vvpjv.exec:\vvpjv.exe71⤵PID:1472
-
\??\c:\rxrrflx.exec:\rxrrflx.exe72⤵PID:4020
-
\??\c:\tbbbbb.exec:\tbbbbb.exe73⤵PID:692
-
\??\c:\vpddj.exec:\vpddj.exe74⤵PID:2644
-
\??\c:\dvjdd.exec:\dvjdd.exe75⤵PID:3924
-
\??\c:\nthbtn.exec:\nthbtn.exe76⤵PID:4500
-
\??\c:\xrrrlrl.exec:\xrrrlrl.exe77⤵PID:1904
-
\??\c:\nntnnn.exec:\nntnnn.exe78⤵PID:2860
-
\??\c:\jdjdv.exec:\jdjdv.exe79⤵PID:3084
-
\??\c:\flxxrrr.exec:\flxxrrr.exe80⤵PID:1340
-
\??\c:\hhbtnh.exec:\hhbtnh.exe81⤵PID:3644
-
\??\c:\1ppjj.exec:\1ppjj.exe82⤵PID:4812
-
\??\c:\rxlfrff.exec:\rxlfrff.exe83⤵PID:656
-
\??\c:\7nhtth.exec:\7nhtth.exe84⤵PID:224
-
\??\c:\pjppv.exec:\pjppv.exe85⤵PID:1300
-
\??\c:\llxxflr.exec:\llxxflr.exe86⤵PID:3528
-
\??\c:\tnhhhh.exec:\tnhhhh.exe87⤵PID:2808
-
\??\c:\9tnbnb.exec:\9tnbnb.exe88⤵PID:4824
-
\??\c:\djdjv.exec:\djdjv.exe89⤵PID:5084
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe90⤵PID:3660
-
\??\c:\tntttt.exec:\tntttt.exe91⤵PID:1360
-
\??\c:\vppjd.exec:\vppjd.exe92⤵PID:4296
-
\??\c:\rflxxxr.exec:\rflxxxr.exe93⤵PID:2020
-
\??\c:\hnnnnn.exec:\hnnnnn.exe94⤵PID:3664
-
\??\c:\nnbtbh.exec:\nnbtbh.exe95⤵PID:4128
-
\??\c:\dpvpd.exec:\dpvpd.exe96⤵PID:3804
-
\??\c:\rxfxxll.exec:\rxfxxll.exe97⤵PID:2052
-
\??\c:\tbntnn.exec:\tbntnn.exe98⤵PID:1584
-
\??\c:\dvjdj.exec:\dvjdj.exe99⤵PID:2604
-
\??\c:\xlxlfxr.exec:\xlxlfxr.exe100⤵PID:1704
-
\??\c:\hhhbtn.exec:\hhhbtn.exe101⤵PID:4904
-
\??\c:\5jjjd.exec:\5jjjd.exe102⤵PID:3692
-
\??\c:\rflfxfr.exec:\rflfxfr.exe103⤵PID:3012
-
\??\c:\bhtnnn.exec:\bhtnnn.exe104⤵PID:960
-
\??\c:\dvvpj.exec:\dvvpj.exe105⤵PID:5040
-
\??\c:\vjjjd.exec:\vjjjd.exe106⤵PID:2792
-
\??\c:\llrrrrl.exec:\llrrrrl.exe107⤵PID:2600
-
\??\c:\3bbbhh.exec:\3bbbhh.exe108⤵PID:4140
-
\??\c:\bttbbb.exec:\bttbbb.exe109⤵PID:4488
-
\??\c:\vpvpv.exec:\vpvpv.exe110⤵PID:1960
-
\??\c:\frxrlfx.exec:\frxrlfx.exe111⤵PID:2340
-
\??\c:\hbtnhh.exec:\hbtnhh.exe112⤵PID:4528
-
\??\c:\dddvv.exec:\dddvv.exe113⤵PID:3028
-
\??\c:\flrlffx.exec:\flrlffx.exe114⤵PID:2780
-
\??\c:\ttbbbt.exec:\ttbbbt.exe115⤵PID:1184
-
\??\c:\ppvpj.exec:\ppvpj.exe116⤵PID:3564
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe117⤵PID:3136
-
\??\c:\5ntttn.exec:\5ntttn.exe118⤵PID:2040
-
\??\c:\jdjdp.exec:\jdjdp.exe119⤵PID:4624
-
\??\c:\vvdvp.exec:\vvdvp.exe120⤵PID:376
-
\??\c:\rrrlffr.exec:\rrrlffr.exe121⤵PID:5104
-
\??\c:\1bbtnt.exec:\1bbtnt.exe122⤵PID:4236
-