Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 03:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
db19bf2fbdefa3906ce1c0f5e163d96db101e0116d42032f1febe79f450fa61c.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
db19bf2fbdefa3906ce1c0f5e163d96db101e0116d42032f1febe79f450fa61c.exe
-
Size
454KB
-
MD5
22de0ac9b93345e4b13913035fe0b3cf
-
SHA1
2129c6e6a5fc00548b6a4e19e95b35a0f08b2427
-
SHA256
db19bf2fbdefa3906ce1c0f5e163d96db101e0116d42032f1febe79f450fa61c
-
SHA512
04e34c950fc1fce9717018eb2d0edbbdbc9cb502984e3ba028bff3b8de19c3a9366e8e219e88d62a340f1c0eb1e566b12398813899a3d58fc2fd7f45b106bc8d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeToD:q7Tc2NYHUrAwfMp3CDcD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4644-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3676-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/392-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/580-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-822-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-841-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-878-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3944-1041-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2984 7xrfrlx.exe 2912 tnbttn.exe 4384 jddvp.exe 4008 xfxrllf.exe 3380 nnttnb.exe 1488 lrxxflr.exe 3296 jpvdv.exe 4032 rlxrrrr.exe 1056 vpjvj.exe 540 5ffrfxr.exe 2292 hbhbhh.exe 4316 dvjdj.exe 2584 3lrlllr.exe 1416 llxrrll.exe 1680 flxllrr.exe 1804 nnnnhn.exe 4372 rlrllll.exe 1000 fxxxrrl.exe 3632 vdjdv.exe 3408 9rrlllf.exe 2276 9bttnt.exe 2316 1vvdv.exe 3340 rlxxrrx.exe 4288 pvppv.exe 4508 lrxxfxf.exe 3120 bhnhbb.exe 1692 djvpp.exe 3676 vvvpj.exe 112 7hnhbb.exe 3368 jdjjj.exe 4056 lxrflff.exe 5088 hbbnhh.exe 5068 nhnhnt.exe 1728 hnnhht.exe 3588 ppvvv.exe 3416 lrxrrll.exe 964 lxfrllf.exe 4324 bhhnhh.exe 2936 jdpjp.exe 4668 lxxrfff.exe 1012 bbhhnh.exe 4712 hbhthh.exe 320 jvpjd.exe 4672 5bhnnh.exe 1748 pdpjd.exe 3332 rllffxx.exe 2036 7ntnnn.exe 3760 jpdpv.exe 1888 dvvpd.exe 1120 xxrrrrx.exe 1152 nbbtbt.exe 3412 ddvpj.exe 2892 5dvjv.exe 1588 9lrlffx.exe 4032 5ttnbb.exe 1056 pddvp.exe 3900 frxrrrl.exe 2292 7ttnhh.exe 3312 vdjdd.exe 4976 lfxxffx.exe 3336 nbbbhh.exe 4284 tbnhtt.exe 1128 jvddj.exe 3648 lflfrll.exe -
resource yara_rule behavioral2/memory/4644-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3676-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-329-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4924-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/580-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-670-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4644 wrote to memory of 2984 4644 db19bf2fbdefa3906ce1c0f5e163d96db101e0116d42032f1febe79f450fa61c.exe 82 PID 4644 wrote to memory of 2984 4644 db19bf2fbdefa3906ce1c0f5e163d96db101e0116d42032f1febe79f450fa61c.exe 82 PID 4644 wrote to memory of 2984 4644 db19bf2fbdefa3906ce1c0f5e163d96db101e0116d42032f1febe79f450fa61c.exe 82 PID 2984 wrote to memory of 2912 2984 7xrfrlx.exe 83 PID 2984 wrote to memory of 2912 2984 7xrfrlx.exe 83 PID 2984 wrote to memory of 2912 2984 7xrfrlx.exe 83 PID 2912 wrote to memory of 4384 2912 tnbttn.exe 84 PID 2912 wrote to memory of 4384 2912 tnbttn.exe 84 PID 2912 wrote to memory of 4384 2912 tnbttn.exe 84 PID 4384 wrote to memory of 4008 4384 jddvp.exe 85 PID 4384 wrote to memory of 4008 4384 jddvp.exe 85 PID 4384 wrote to memory of 4008 4384 jddvp.exe 85 PID 4008 wrote to memory of 3380 4008 xfxrllf.exe 86 PID 4008 wrote to memory of 3380 4008 xfxrllf.exe 86 PID 4008 wrote to memory of 3380 4008 xfxrllf.exe 86 PID 3380 wrote to memory of 1488 3380 nnttnb.exe 87 PID 3380 wrote to memory of 1488 3380 nnttnb.exe 87 PID 3380 wrote to memory of 1488 3380 nnttnb.exe 87 PID 1488 wrote to memory of 3296 1488 lrxxflr.exe 88 PID 1488 wrote to memory of 3296 1488 lrxxflr.exe 88 PID 1488 wrote to memory of 3296 1488 lrxxflr.exe 88 PID 3296 wrote to memory of 4032 3296 jpvdv.exe 89 PID 3296 wrote to memory of 4032 3296 jpvdv.exe 89 PID 3296 wrote to memory of 4032 3296 jpvdv.exe 89 PID 4032 wrote to memory of 1056 4032 rlxrrrr.exe 90 PID 4032 wrote to memory of 1056 4032 rlxrrrr.exe 90 PID 4032 wrote to memory of 1056 4032 rlxrrrr.exe 90 PID 1056 wrote to memory of 540 1056 vpjvj.exe 91 PID 1056 wrote to memory of 540 1056 vpjvj.exe 91 PID 1056 wrote to memory of 540 1056 vpjvj.exe 91 PID 540 wrote to memory of 2292 540 5ffrfxr.exe 92 PID 540 wrote to memory of 2292 540 5ffrfxr.exe 92 PID 540 wrote to memory of 2292 540 5ffrfxr.exe 92 PID 2292 wrote to memory of 4316 2292 hbhbhh.exe 93 PID 2292 wrote to 
memory of 4316 2292 hbhbhh.exe 93 PID 2292 wrote to memory of 4316 2292 hbhbhh.exe 93 PID 4316 wrote to memory of 2584 4316 dvjdj.exe 94 PID 4316 wrote to memory of 2584 4316 dvjdj.exe 94 PID 4316 wrote to memory of 2584 4316 dvjdj.exe 94 PID 2584 wrote to memory of 1416 2584 3lrlllr.exe 95 PID 2584 wrote to memory of 1416 2584 3lrlllr.exe 95 PID 2584 wrote to memory of 1416 2584 3lrlllr.exe 95 PID 1416 wrote to memory of 1680 1416 llxrrll.exe 96 PID 1416 wrote to memory of 1680 1416 llxrrll.exe 96 PID 1416 wrote to memory of 1680 1416 llxrrll.exe 96 PID 1680 wrote to memory of 1804 1680 flxllrr.exe 97 PID 1680 wrote to memory of 1804 1680 flxllrr.exe 97 PID 1680 wrote to memory of 1804 1680 flxllrr.exe 97 PID 1804 wrote to memory of 4372 1804 nnnnhn.exe 98 PID 1804 wrote to memory of 4372 1804 nnnnhn.exe 98 PID 1804 wrote to memory of 4372 1804 nnnnhn.exe 98 PID 4372 wrote to memory of 1000 4372 rlrllll.exe 99 PID 4372 wrote to memory of 1000 4372 rlrllll.exe 99 PID 4372 wrote to memory of 1000 4372 rlrllll.exe 99 PID 1000 wrote to memory of 3632 1000 fxxxrrl.exe 100 PID 1000 wrote to memory of 3632 1000 fxxxrrl.exe 100 PID 1000 wrote to memory of 3632 1000 fxxxrrl.exe 100 PID 3632 wrote to memory of 3408 3632 vdjdv.exe 101 PID 3632 wrote to memory of 3408 3632 vdjdv.exe 101 PID 3632 wrote to memory of 3408 3632 vdjdv.exe 101 PID 3408 wrote to memory of 2276 3408 9rrlllf.exe 102 PID 3408 wrote to memory of 2276 3408 9rrlllf.exe 102 PID 3408 wrote to memory of 2276 3408 9rrlllf.exe 102 PID 2276 wrote to memory of 2316 2276 9bttnt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\db19bf2fbdefa3906ce1c0f5e163d96db101e0116d42032f1febe79f450fa61c.exe"C:\Users\Admin\AppData\Local\Temp\db19bf2fbdefa3906ce1c0f5e163d96db101e0116d42032f1febe79f450fa61c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\7xrfrlx.exec:\7xrfrlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\tnbttn.exec:\tnbttn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\jddvp.exec:\jddvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\xfxrllf.exec:\xfxrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\nnttnb.exec:\nnttnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\lrxxflr.exec:\lrxxflr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\jpvdv.exec:\jpvdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\rlxrrrr.exec:\rlxrrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\vpjvj.exec:\vpjvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\5ffrfxr.exec:\5ffrfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\hbhbhh.exec:\hbhbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\dvjdj.exec:\dvjdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\3lrlllr.exec:\3lrlllr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\llxrrll.exec:\llxrrll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\flxllrr.exec:\flxllrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\nnnnhn.exec:\nnnnhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\rlrllll.exec:\rlrllll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\vdjdv.exec:\vdjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\9rrlllf.exec:\9rrlllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\9bttnt.exec:\9bttnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\1vvdv.exec:\1vvdv.exe23⤵
- Executes dropped EXE
PID:2316 -
\??\c:\rlxxrrx.exec:\rlxxrrx.exe24⤵
- Executes dropped EXE
PID:3340 -
\??\c:\pvppv.exec:\pvppv.exe25⤵
- Executes dropped EXE
PID:4288 -
\??\c:\lrxxfxf.exec:\lrxxfxf.exe26⤵
- Executes dropped EXE
PID:4508 -
\??\c:\bhnhbb.exec:\bhnhbb.exe27⤵
- Executes dropped EXE
PID:3120 -
\??\c:\djvpp.exec:\djvpp.exe28⤵
- Executes dropped EXE
PID:1692 -
\??\c:\vvvpj.exec:\vvvpj.exe29⤵
- Executes dropped EXE
PID:3676 -
\??\c:\7hnhbb.exec:\7hnhbb.exe30⤵
- Executes dropped EXE
PID:112 -
\??\c:\jdjjj.exec:\jdjjj.exe31⤵
- Executes dropped EXE
PID:3368 -
\??\c:\lxrflff.exec:\lxrflff.exe32⤵
- Executes dropped EXE
PID:4056 -
\??\c:\hbbnhh.exec:\hbbnhh.exe33⤵
- Executes dropped EXE
PID:5088 -
\??\c:\nhnhnt.exec:\nhnhnt.exe34⤵
- Executes dropped EXE
PID:5068 -
\??\c:\hnnhht.exec:\hnnhht.exe35⤵
- Executes dropped EXE
PID:1728 -
\??\c:\ppvvv.exec:\ppvvv.exe36⤵
- Executes dropped EXE
PID:3588 -
\??\c:\lrxrrll.exec:\lrxrrll.exe37⤵
- Executes dropped EXE
PID:3416 -
\??\c:\lxfrllf.exec:\lxfrllf.exe38⤵
- Executes dropped EXE
PID:964 -
\??\c:\bhhnhh.exec:\bhhnhh.exe39⤵
- Executes dropped EXE
PID:4324 -
\??\c:\jdpjp.exec:\jdpjp.exe40⤵
- Executes dropped EXE
PID:2936 -
\??\c:\lxxrfff.exec:\lxxrfff.exe41⤵
- Executes dropped EXE
PID:4668 -
\??\c:\bbhhnh.exec:\bbhhnh.exe42⤵
- Executes dropped EXE
PID:1012 -
\??\c:\hbhthh.exec:\hbhthh.exe43⤵
- Executes dropped EXE
PID:4712 -
\??\c:\jvpjd.exec:\jvpjd.exe44⤵
- Executes dropped EXE
PID:320 -
\??\c:\7frlllf.exec:\7frlllf.exe45⤵PID:4304
-
\??\c:\5bhnnh.exec:\5bhnnh.exe46⤵
- Executes dropped EXE
PID:4672 -
\??\c:\pdpjd.exec:\pdpjd.exe47⤵
- Executes dropped EXE
PID:1748 -
\??\c:\rllffxx.exec:\rllffxx.exe48⤵
- Executes dropped EXE
PID:3332 -
\??\c:\7ntnnn.exec:\7ntnnn.exe49⤵
- Executes dropped EXE
PID:2036 -
\??\c:\jpdpv.exec:\jpdpv.exe50⤵
- Executes dropped EXE
PID:3760 -
\??\c:\dvvpd.exec:\dvvpd.exe51⤵
- Executes dropped EXE
PID:1888 -
\??\c:\xxrrrrx.exec:\xxrrrrx.exe52⤵
- Executes dropped EXE
PID:1120 -
\??\c:\nbbtbt.exec:\nbbtbt.exe53⤵
- Executes dropped EXE
PID:1152 -
\??\c:\ddvpj.exec:\ddvpj.exe54⤵
- Executes dropped EXE
PID:3412 -
\??\c:\5dvjv.exec:\5dvjv.exe55⤵
- Executes dropped EXE
PID:2892 -
\??\c:\9lrlffx.exec:\9lrlffx.exe56⤵
- Executes dropped EXE
PID:1588 -
\??\c:\5ttnbb.exec:\5ttnbb.exe57⤵
- Executes dropped EXE
PID:4032 -
\??\c:\pddvp.exec:\pddvp.exe58⤵
- Executes dropped EXE
PID:1056 -
\??\c:\frxrrrl.exec:\frxrrrl.exe59⤵
- Executes dropped EXE
PID:3900 -
\??\c:\7ttnhh.exec:\7ttnhh.exe60⤵
- Executes dropped EXE
PID:2292 -
\??\c:\vdjdd.exec:\vdjdd.exe61⤵
- Executes dropped EXE
PID:3312 -
\??\c:\lfxxffx.exec:\lfxxffx.exe62⤵
- Executes dropped EXE
PID:4976 -
\??\c:\nbbbhh.exec:\nbbbhh.exe63⤵
- Executes dropped EXE
PID:3336 -
\??\c:\tbnhtt.exec:\tbnhtt.exe64⤵
- Executes dropped EXE
PID:4284 -
\??\c:\jvddj.exec:\jvddj.exe65⤵
- Executes dropped EXE
PID:1128 -
\??\c:\lflfrll.exec:\lflfrll.exe66⤵
- Executes dropped EXE
PID:3648 -
\??\c:\rrxrllf.exec:\rrxrllf.exe67⤵PID:4264
-
\??\c:\thnnbb.exec:\thnnbb.exe68⤵PID:1812
-
\??\c:\vpjdp.exec:\vpjdp.exe69⤵PID:2208
-
\??\c:\xllxxrl.exec:\xllxxrl.exe70⤵PID:4492
-
\??\c:\lxrlfxr.exec:\lxrlfxr.exe71⤵PID:392
-
\??\c:\bnbttn.exec:\bnbttn.exe72⤵PID:3132
-
\??\c:\jdpjj.exec:\jdpjj.exe73⤵PID:3708
-
\??\c:\vjjdv.exec:\vjjdv.exe74⤵PID:5084
-
\??\c:\rllxrll.exec:\rllxrll.exe75⤵PID:3672
-
\??\c:\hbhbnh.exec:\hbhbnh.exe76⤵PID:4924
-
\??\c:\jvjpj.exec:\jvjpj.exe77⤵PID:4904
-
\??\c:\pdvpp.exec:\pdvpp.exe78⤵PID:2128
-
\??\c:\lllflfx.exec:\lllflfx.exe79⤵PID:2564
-
\??\c:\tnhhbb.exec:\tnhhbb.exe80⤵PID:2624
-
\??\c:\7jvpd.exec:\7jvpd.exe81⤵PID:4740
-
\??\c:\fffrlfx.exec:\fffrlfx.exe82⤵PID:764
-
\??\c:\tbhhhb.exec:\tbhhhb.exe83⤵PID:4060
-
\??\c:\dpvpj.exec:\dpvpj.exe84⤵PID:580
-
\??\c:\rlffxrr.exec:\rlffxrr.exe85⤵PID:3272
-
\??\c:\3xfxrxr.exec:\3xfxrxr.exe86⤵PID:3812
-
\??\c:\thtnhb.exec:\thtnhb.exe87⤵PID:2296
-
\??\c:\ppjdv.exec:\ppjdv.exe88⤵PID:1760
-
\??\c:\jjdvj.exec:\jjdvj.exe89⤵PID:1992
-
\??\c:\3fxrfff.exec:\3fxrfff.exe90⤵PID:2428
-
\??\c:\1httbb.exec:\1httbb.exe91⤵PID:4100
-
\??\c:\dddvj.exec:\dddvj.exe92⤵PID:1728
-
\??\c:\3jvpp.exec:\3jvpp.exe93⤵PID:3692
-
\??\c:\lffrlfx.exec:\lffrlfx.exe94⤵PID:1572
-
\??\c:\frrrllf.exec:\frrrllf.exe95⤵PID:2992
-
\??\c:\nbbbtt.exec:\nbbbtt.exe96⤵PID:368
-
\??\c:\ppjjj.exec:\ppjjj.exe97⤵PID:716
-
\??\c:\rxfxrxr.exec:\rxfxrxr.exe98⤵PID:1540
-
\??\c:\lfrlflf.exec:\lfrlflf.exe99⤵PID:1596
-
\??\c:\7hbbth.exec:\7hbbth.exe100⤵PID:4792
-
\??\c:\jjdvp.exec:\jjdvp.exe101⤵PID:1568
-
\??\c:\jpvpj.exec:\jpvpj.exe102⤵
- System Location Discovery: System Language Discovery
PID:1676 -
\??\c:\xxfxllf.exec:\xxfxllf.exe103⤵PID:4348
-
\??\c:\bhhhbt.exec:\bhhhbt.exe104⤵PID:876
-
\??\c:\bbnbnn.exec:\bbnbnn.exe105⤵PID:4956
-
\??\c:\vvdvp.exec:\vvdvp.exe106⤵PID:1256
-
\??\c:\fxlffff.exec:\fxlffff.exe107⤵PID:4156
-
\??\c:\lrxrlff.exec:\lrxrlff.exe108⤵PID:2912
-
\??\c:\tttnhb.exec:\tttnhb.exe109⤵PID:4392
-
\??\c:\ddvpd.exec:\ddvpd.exe110⤵PID:1976
-
\??\c:\xrrfrrl.exec:\xrrfrrl.exe111⤵PID:3836
-
\??\c:\7lxxrrl.exec:\7lxxrrl.exe112⤵PID:4072
-
\??\c:\nhbbtt.exec:\nhbbtt.exe113⤵PID:3044
-
\??\c:\5djvv.exec:\5djvv.exe114⤵PID:3112
-
\??\c:\3jdjv.exec:\3jdjv.exe115⤵PID:3324
-
\??\c:\rfrflff.exec:\rfrflff.exe116⤵PID:1152
-
\??\c:\bnttbn.exec:\bnttbn.exe117⤵PID:3928
-
\??\c:\nhhnbb.exec:\nhhnbb.exe118⤵PID:2892
-
\??\c:\pjdvv.exec:\pjdvv.exe119⤵PID:836
-
\??\c:\7dvvj.exec:\7dvvj.exe120⤵PID:4032
-
\??\c:\frlllrx.exec:\frlllrx.exe121⤵PID:448
-
\??\c:\ddddv.exec:\ddddv.exe122⤵PID:4532