Analysis
-
max time kernel
150s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 03:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe
-
Size
453KB
-
MD5
26cf3cda4e28c363c1baea91fa96e3d6
-
SHA1
9b5965b7c46f4554757716f97a3cac6398f2833c
-
SHA256
dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97
-
SHA512
139098b143df2ffa28ba482168b5f8ee03fe351b1b75fe0da95ef8433bb6db9d849ba37e090accd1fcd40fb800a1571b4782b1ac346f45fda5b2918d8b3f5186
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeh:q7Tc2NYHUrAwfMp3CDh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2692-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-84-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2948-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-102-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2848-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-149-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1108-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/372-170-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/372-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2096-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-224-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1712-250-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2052-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-499-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2544-513-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2544-515-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/832-542-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2912-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-633-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2108-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-647-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1284-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2240-906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-927-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/772-979-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-1023-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2692 3rrxffr.exe 2800 nbnntn.exe 2756 ppvjv.exe 2780 jdvvv.exe 2628 llffxfl.exe 2648 httthb.exe 2632 dppvj.exe 2652 tttbth.exe 2948 jvddp.exe 1920 fxfrrll.exe 2104 vpjdp.exe 2848 9rxxfrr.exe 2896 ttnnbb.exe 3004 lflxrlx.exe 2036 btnnhn.exe 1108 vpjdd.exe 372 rxxlxxx.exe 1480 jdvdv.exe 1244 lfrrflx.exe 2480 hhtbhh.exe 1752 jpddp.exe 2096 5rlrfrl.exe 2280 pvdvj.exe 1608 flxxxxr.exe 988 hbhhtt.exe 1712 dpvpp.exe 2052 7tbhbb.exe 2080 pjjjp.exe 1732 5rffrll.exe 2420 hbnhhn.exe 2496 jvpvj.exe 2908 hhnnbh.exe 1592 jpjdv.exe 3044 7xrrrrx.exe 1688 bbtbbh.exe 2912 tntnnn.exe 2624 3jvpp.exe 2860 xrfrflr.exe 2616 bbtbnn.exe 2284 hbhhtt.exe 2556 dvddj.exe 2652 5llxlrl.exe 2252 hbbhtt.exe 2668 dvjjp.exe 2788 5jpvj.exe 2104 7rxxxxl.exe 2660 3bbbbh.exe 2848 1dvvp.exe 2976 ffxflrf.exe 492 hhtntn.exe 1508 jjdjv.exe 1916 vpvpv.exe 2004 fffxlrx.exe 372 bnhhnn.exe 3052 pdpjj.exe 2512 fllxxxl.exe 2584 frlflff.exe 2184 9hnhnn.exe 1256 ddpvv.exe 2144 lfxrffl.exe 2396 htntbh.exe 1488 7tbbbh.exe 1660 pvjvj.exe 2544 7djjp.exe -
resource yara_rule behavioral1/memory/2692-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1108-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/372-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-308-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1688-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-407-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2660-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-801-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-979-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-1016-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2936 wrote to memory of 2692 2936 dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe 30 PID 2936 wrote to memory of 2692 2936 dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe 30 PID 2936 wrote to memory of 2692 2936 dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe 30 PID 2936 wrote to memory of 2692 2936 dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe 30 PID 2692 wrote to memory of 2800 2692 3rrxffr.exe 31 PID 2692 wrote to memory of 2800 2692 3rrxffr.exe 31 PID 2692 wrote to memory of 2800 2692 3rrxffr.exe 31 PID 2692 wrote to memory of 2800 2692 3rrxffr.exe 31 PID 2800 wrote to memory of 2756 2800 nbnntn.exe 32 PID 2800 wrote to memory of 2756 2800 nbnntn.exe 32 PID 2800 wrote to memory of 2756 2800 nbnntn.exe 32 PID 2800 wrote to memory of 2756 2800 nbnntn.exe 32 PID 2756 wrote to memory of 2780 2756 ppvjv.exe 33 PID 2756 wrote to memory of 2780 2756 ppvjv.exe 33 PID 2756 wrote to memory of 2780 2756 ppvjv.exe 33 PID 2756 wrote to memory of 2780 2756 ppvjv.exe 33 PID 2780 wrote to memory of 2628 2780 jdvvv.exe 34 PID 2780 wrote to memory of 2628 2780 jdvvv.exe 34 PID 2780 wrote to memory of 2628 2780 jdvvv.exe 34 PID 2780 wrote to memory of 2628 2780 jdvvv.exe 34 PID 2628 wrote to memory of 2648 2628 llffxfl.exe 35 PID 2628 wrote to memory of 2648 2628 llffxfl.exe 35 PID 2628 wrote to memory of 2648 2628 llffxfl.exe 35 PID 2628 wrote to memory of 2648 2628 llffxfl.exe 35 PID 2648 wrote to memory of 2632 2648 httthb.exe 36 PID 2648 wrote to memory of 2632 2648 httthb.exe 36 PID 2648 wrote to memory of 2632 2648 httthb.exe 36 PID 2648 wrote to memory of 2632 2648 httthb.exe 36 PID 2632 wrote to memory of 2652 2632 dppvj.exe 37 PID 2632 wrote to memory of 2652 2632 dppvj.exe 37 PID 2632 wrote to memory of 2652 2632 dppvj.exe 37 PID 2632 wrote to memory of 2652 2632 dppvj.exe 37 PID 2652 wrote to memory of 2948 2652 tttbth.exe 38 PID 2652 wrote to 
memory of 2948 2652 tttbth.exe 38 PID 2652 wrote to memory of 2948 2652 tttbth.exe 38 PID 2652 wrote to memory of 2948 2652 tttbth.exe 38 PID 2948 wrote to memory of 1920 2948 jvddp.exe 39 PID 2948 wrote to memory of 1920 2948 jvddp.exe 39 PID 2948 wrote to memory of 1920 2948 jvddp.exe 39 PID 2948 wrote to memory of 1920 2948 jvddp.exe 39 PID 1920 wrote to memory of 2104 1920 fxfrrll.exe 40 PID 1920 wrote to memory of 2104 1920 fxfrrll.exe 40 PID 1920 wrote to memory of 2104 1920 fxfrrll.exe 40 PID 1920 wrote to memory of 2104 1920 fxfrrll.exe 40 PID 2104 wrote to memory of 2848 2104 vpjdp.exe 41 PID 2104 wrote to memory of 2848 2104 vpjdp.exe 41 PID 2104 wrote to memory of 2848 2104 vpjdp.exe 41 PID 2104 wrote to memory of 2848 2104 vpjdp.exe 41 PID 2848 wrote to memory of 2896 2848 9rxxfrr.exe 42 PID 2848 wrote to memory of 2896 2848 9rxxfrr.exe 42 PID 2848 wrote to memory of 2896 2848 9rxxfrr.exe 42 PID 2848 wrote to memory of 2896 2848 9rxxfrr.exe 42 PID 2896 wrote to memory of 3004 2896 ttnnbb.exe 43 PID 2896 wrote to memory of 3004 2896 ttnnbb.exe 43 PID 2896 wrote to memory of 3004 2896 ttnnbb.exe 43 PID 2896 wrote to memory of 3004 2896 ttnnbb.exe 43 PID 3004 wrote to memory of 2036 3004 lflxrlx.exe 44 PID 3004 wrote to memory of 2036 3004 lflxrlx.exe 44 PID 3004 wrote to memory of 2036 3004 lflxrlx.exe 44 PID 3004 wrote to memory of 2036 3004 lflxrlx.exe 44 PID 2036 wrote to memory of 1108 2036 btnnhn.exe 45 PID 2036 wrote to memory of 1108 2036 btnnhn.exe 45 PID 2036 wrote to memory of 1108 2036 btnnhn.exe 45 PID 2036 wrote to memory of 1108 2036 btnnhn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe"C:\Users\Admin\AppData\Local\Temp\dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\3rrxffr.exec:\3rrxffr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\nbnntn.exec:\nbnntn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\ppvjv.exec:\ppvjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\jdvvv.exec:\jdvvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\llffxfl.exec:\llffxfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\httthb.exec:\httthb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\dppvj.exec:\dppvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\tttbth.exec:\tttbth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\jvddp.exec:\jvddp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\fxfrrll.exec:\fxfrrll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\vpjdp.exec:\vpjdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\9rxxfrr.exec:\9rxxfrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\ttnnbb.exec:\ttnnbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\lflxrlx.exec:\lflxrlx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\btnnhn.exec:\btnnhn.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\vpjdd.exec:\vpjdd.exe17⤵
- Executes dropped EXE
PID:1108 -
\??\c:\rxxlxxx.exec:\rxxlxxx.exe18⤵
- Executes dropped EXE
PID:372 -
\??\c:\jdvdv.exec:\jdvdv.exe19⤵
- Executes dropped EXE
PID:1480 -
\??\c:\lfrrflx.exec:\lfrrflx.exe20⤵
- Executes dropped EXE
PID:1244 -
\??\c:\hhtbhh.exec:\hhtbhh.exe21⤵
- Executes dropped EXE
PID:2480 -
\??\c:\jpddp.exec:\jpddp.exe22⤵
- Executes dropped EXE
PID:1752 -
\??\c:\5rlrfrl.exec:\5rlrfrl.exe23⤵
- Executes dropped EXE
PID:2096 -
\??\c:\pvdvj.exec:\pvdvj.exe24⤵
- Executes dropped EXE
PID:2280 -
\??\c:\flxxxxr.exec:\flxxxxr.exe25⤵
- Executes dropped EXE
PID:1608 -
\??\c:\hbhhtt.exec:\hbhhtt.exe26⤵
- Executes dropped EXE
PID:988 -
\??\c:\dpvpp.exec:\dpvpp.exe27⤵
- Executes dropped EXE
PID:1712 -
\??\c:\7tbhbb.exec:\7tbhbb.exe28⤵
- Executes dropped EXE
PID:2052 -
\??\c:\pjjjp.exec:\pjjjp.exe29⤵
- Executes dropped EXE
PID:2080 -
\??\c:\5rffrll.exec:\5rffrll.exe30⤵
- Executes dropped EXE
PID:1732 -
\??\c:\hbnhhn.exec:\hbnhhn.exe31⤵
- Executes dropped EXE
PID:2420 -
\??\c:\jvpvj.exec:\jvpvj.exe32⤵
- Executes dropped EXE
PID:2496 -
\??\c:\hhnnbh.exec:\hhnnbh.exe33⤵
- Executes dropped EXE
PID:2908 -
\??\c:\jpjdv.exec:\jpjdv.exe34⤵
- Executes dropped EXE
PID:1592 -
\??\c:\7xrrrrx.exec:\7xrrrrx.exe35⤵
- Executes dropped EXE
PID:3044 -
\??\c:\bbtbbh.exec:\bbtbbh.exe36⤵
- Executes dropped EXE
PID:1688 -
\??\c:\tntnnn.exec:\tntnnn.exe37⤵
- Executes dropped EXE
PID:2912 -
\??\c:\3jvpp.exec:\3jvpp.exe38⤵
- Executes dropped EXE
PID:2624 -
\??\c:\xrfrflr.exec:\xrfrflr.exe39⤵
- Executes dropped EXE
PID:2860 -
\??\c:\bbtbnn.exec:\bbtbnn.exe40⤵
- Executes dropped EXE
PID:2616 -
\??\c:\hbhhtt.exec:\hbhhtt.exe41⤵
- Executes dropped EXE
PID:2284 -
\??\c:\dvddj.exec:\dvddj.exe42⤵
- Executes dropped EXE
PID:2556 -
\??\c:\5llxlrl.exec:\5llxlrl.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\hbbhtt.exec:\hbbhtt.exe44⤵
- Executes dropped EXE
PID:2252 -
\??\c:\dvjjp.exec:\dvjjp.exe45⤵
- Executes dropped EXE
PID:2668 -
\??\c:\5jpvj.exec:\5jpvj.exe46⤵
- Executes dropped EXE
PID:2788 -
\??\c:\7rxxxxl.exec:\7rxxxxl.exe47⤵
- Executes dropped EXE
PID:2104 -
\??\c:\3bbbbh.exec:\3bbbbh.exe48⤵
- Executes dropped EXE
PID:2660 -
\??\c:\1dvvp.exec:\1dvvp.exe49⤵
- Executes dropped EXE
PID:2848 -
\??\c:\ffxflrf.exec:\ffxflrf.exe50⤵
- Executes dropped EXE
PID:2976 -
\??\c:\hhtntn.exec:\hhtntn.exe51⤵
- Executes dropped EXE
PID:492 -
\??\c:\jjdjv.exec:\jjdjv.exe52⤵
- Executes dropped EXE
PID:1508 -
\??\c:\vpvpv.exec:\vpvpv.exe53⤵
- Executes dropped EXE
PID:1916 -
\??\c:\fffxlrx.exec:\fffxlrx.exe54⤵
- Executes dropped EXE
PID:2004 -
\??\c:\bnhhnn.exec:\bnhhnn.exe55⤵
- Executes dropped EXE
PID:372 -
\??\c:\pdpjj.exec:\pdpjj.exe56⤵
- Executes dropped EXE
PID:3052 -
\??\c:\fllxxxl.exec:\fllxxxl.exe57⤵
- Executes dropped EXE
PID:2512 -
\??\c:\frlflff.exec:\frlflff.exe58⤵
- Executes dropped EXE
PID:2584 -
\??\c:\9hnhnn.exec:\9hnhnn.exe59⤵
- Executes dropped EXE
PID:2184 -
\??\c:\ddpvv.exec:\ddpvv.exe60⤵
- Executes dropped EXE
PID:1256 -
\??\c:\lfxrffl.exec:\lfxrffl.exe61⤵
- Executes dropped EXE
PID:2144 -
\??\c:\htntbh.exec:\htntbh.exe62⤵
- Executes dropped EXE
PID:2396 -
\??\c:\7tbbbh.exec:\7tbbbh.exe63⤵
- Executes dropped EXE
PID:1488 -
\??\c:\pvjvj.exec:\pvjvj.exe64⤵
- Executes dropped EXE
PID:1660 -
\??\c:\7djjp.exec:\7djjp.exe65⤵
- Executes dropped EXE
PID:2544 -
\??\c:\9ffflff.exec:\9ffflff.exe66⤵PID:2576
-
\??\c:\7hnbnt.exec:\7hnbnt.exe67⤵PID:2440
-
\??\c:\dvdjd.exec:\dvdjd.exe68⤵PID:1744
-
\??\c:\rrlfflr.exec:\rrlfflr.exe69⤵PID:832
-
\??\c:\3lffrll.exec:\3lffrll.exe70⤵PID:1732
-
\??\c:\htnthn.exec:\htnthn.exe71⤵PID:2936
-
\??\c:\jdpvd.exec:\jdpvd.exe72⤵PID:2200
-
\??\c:\5frfrxf.exec:\5frfrxf.exe73⤵PID:3036
-
\??\c:\xlllfff.exec:\xlllfff.exe74⤵PID:2800
-
\??\c:\nnbnth.exec:\nnbnth.exe75⤵PID:2748
-
\??\c:\3djpp.exec:\3djpp.exe76⤵PID:2928
-
\??\c:\5xlrffr.exec:\5xlrffr.exe77⤵PID:2228
-
\??\c:\fxrrxfx.exec:\fxrrxfx.exe78⤵PID:2912
-
\??\c:\7bnbhn.exec:\7bnbhn.exe79⤵PID:2716
-
\??\c:\pdjdv.exec:\pdjdv.exe80⤵PID:2672
-
\??\c:\dvppv.exec:\dvppv.exe81⤵PID:2620
-
\??\c:\fxlflfl.exec:\fxlflfl.exe82⤵PID:2336
-
\??\c:\hhtntn.exec:\hhtntn.exe83⤵PID:1808
-
\??\c:\5jvpp.exec:\5jvpp.exe84⤵PID:2108
-
\??\c:\jvjjv.exec:\jvjjv.exe85⤵PID:2996
-
\??\c:\lfxrxxf.exec:\lfxrxxf.exe86⤵PID:2452
-
\??\c:\9rflxxx.exec:\9rflxxx.exe87⤵PID:2872
-
\??\c:\1nbbhh.exec:\1nbbhh.exe88⤵PID:2964
-
\??\c:\jvddp.exec:\jvddp.exe89⤵PID:2984
-
\??\c:\1dpjv.exec:\1dpjv.exe90⤵PID:984
-
\??\c:\lrxxrll.exec:\lrxxrll.exe91⤵PID:1052
-
\??\c:\3rxxxxx.exec:\3rxxxxx.exe92⤵
- System Location Discovery: System Language Discovery
PID:492 -
\??\c:\hbnntt.exec:\hbnntt.exe93⤵PID:2036
-
\??\c:\pdjdj.exec:\pdjdj.exe94⤵PID:1168
-
\??\c:\ddjjp.exec:\ddjjp.exe95⤵PID:2004
-
\??\c:\7xlrxrr.exec:\7xlrxrr.exe96⤵PID:320
-
\??\c:\tnbthh.exec:\tnbthh.exe97⤵PID:2816
-
\??\c:\jvjjj.exec:\jvjjj.exe98⤵PID:576
-
\??\c:\frxxrrx.exec:\frxxrrx.exe99⤵PID:1204
-
\??\c:\5lfxfrr.exec:\5lfxfrr.exe100⤵PID:328
-
\??\c:\nnbhhh.exec:\nnbhhh.exe101⤵PID:1256
-
\??\c:\1tnnnn.exec:\1tnnnn.exe102⤵PID:2144
-
\??\c:\dpddd.exec:\dpddd.exe103⤵PID:1928
-
\??\c:\fxflfxf.exec:\fxflfxf.exe104⤵PID:1756
-
\??\c:\9lrxffx.exec:\9lrxffx.exe105⤵PID:2360
-
\??\c:\bhttnn.exec:\bhttnn.exe106⤵PID:1100
-
\??\c:\3tbbbt.exec:\3tbbbt.exe107⤵PID:2568
-
\??\c:\7vjjj.exec:\7vjjj.exe108⤵PID:872
-
\??\c:\rfrlrrr.exec:\rfrlrrr.exe109⤵PID:1284
-
\??\c:\3bnnnh.exec:\3bnnnh.exe110⤵PID:2520
-
\??\c:\thbhhh.exec:\thbhhh.exe111⤵PID:1728
-
\??\c:\3vjjj.exec:\3vjjj.exe112⤵PID:2784
-
\??\c:\xlrrrlr.exec:\xlrrrlr.exe113⤵PID:2936
-
\??\c:\lfrfrlr.exec:\lfrfrlr.exe114⤵PID:2200
-
\??\c:\7tbttt.exec:\7tbttt.exe115⤵PID:2832
-
\??\c:\dvjvj.exec:\dvjvj.exe116⤵PID:2900
-
\??\c:\1xllrrx.exec:\1xllrrx.exe117⤵PID:3044
-
\??\c:\flxrxrx.exec:\flxrxrx.exe118⤵PID:2168
-
\??\c:\hbtntn.exec:\hbtntn.exe119⤵PID:2852
-
\??\c:\dvjpv.exec:\dvjpv.exe120⤵PID:2772
-
\??\c:\vpjjv.exec:\vpjjv.exe121⤵PID:2600
-
\??\c:\xlxfllx.exec:\xlxfllx.exe122⤵PID:2424