Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 03:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe
-
Size
454KB
-
MD5
2b4459e27da1049220207176c17f50d2
-
SHA1
7f59eb24954ad250efdaec961443b87efb91b4f1
-
SHA256
114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7
-
SHA512
5d4358f477f9b89ffd89adad2fe9ce226525f5006d4757b2bc61adc556555083dce4d5755aeea282f991f90826ccc173aae54e82659b7e4a046c6dd49a8c3553
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4996-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4288-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1616-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-800-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-948-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-1033-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-1055-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-1251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3924 jvdvv.exe 1032 lxlxxxx.exe 3068 bnbbbh.exe 3428 rxlllrr.exe 1188 djddj.exe 1652 xrlrffr.exe 3932 jvjpp.exe 3468 xflllrr.exe 4052 ffflrxf.exe 2944 7nhnnb.exe 1940 frlfrlr.exe 1920 nbtttt.exe 1936 jdpjj.exe 4964 tnhnbb.exe 3260 djdjd.exe 2196 9vjjj.exe 4992 7vpjv.exe 4324 hnhhbh.exe 112 jpvjv.exe 1116 xxllrxx.exe 4912 3tbbbt.exe 2640 jjvdv.exe 4288 ddvdp.exe 972 rrrxfll.exe 3192 7pvvd.exe 1616 dvpvp.exe 1724 pdvvp.exe 516 tbhnnb.exe 4004 jdvvd.exe 4208 hhnhhh.exe 1224 lrffxfl.exe 4604 fflllll.exe 2372 3vpjj.exe 3600 1xlfrxf.exe 1212 htbtnn.exe 3672 djvvp.exe 3136 dpdvp.exe 3340 rrfrrrr.exe 4636 5tbtht.exe 3900 jvdvp.exe 3292 lxfxlll.exe 3348 7btnbb.exe 4280 nbbbnn.exe 5076 pjjdp.exe 2788 lflxfxr.exe 2564 hbbbth.exe 4132 vjppj.exe 3712 xlxrllf.exe 3068 rlrrxlf.exe 4404 tnnnhn.exe 4060 vpdpp.exe 1640 9djvj.exe 1188 rllfrlf.exe 3612 bntnhh.exe 3932 jjpjj.exe 2072 rffrrlx.exe 1496 xrxxxxf.exe 1696 thhnhh.exe 4948 jjjjj.exe 640 lrflrfl.exe 1940 hhtttb.exe 1852 jjddp.exe 1920 frfffff.exe 2036 rfxrllf.exe -
resource yara_rule behavioral2/memory/4996-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-143-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/972-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4716-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-948-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-970-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-1026-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4996 wrote to memory of 3924 4996 114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe 82 PID 4996 wrote to memory of 3924 4996 114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe 82 PID 4996 wrote to memory of 3924 4996 114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe 82 PID 3924 wrote to memory of 1032 3924 jvdvv.exe 83 PID 3924 wrote to memory of 1032 3924 jvdvv.exe 83 PID 3924 wrote to memory of 1032 3924 jvdvv.exe 83 PID 1032 wrote to memory of 3068 1032 lxlxxxx.exe 84 PID 1032 wrote to memory of 3068 1032 lxlxxxx.exe 84 PID 1032 wrote to memory of 3068 1032 lxlxxxx.exe 84 PID 3068 wrote to memory of 3428 3068 bnbbbh.exe 85 PID 3068 wrote to memory of 3428 3068 bnbbbh.exe 85 PID 3068 wrote to memory of 3428 3068 bnbbbh.exe 85 PID 3428 wrote to memory of 1188 3428 rxlllrr.exe 86 PID 3428 wrote to memory of 1188 3428 rxlllrr.exe 86 PID 3428 wrote to memory of 1188 3428 rxlllrr.exe 86 PID 1188 wrote to memory of 1652 1188 djddj.exe 87 PID 1188 wrote to memory of 1652 1188 djddj.exe 87 PID 1188 wrote to memory of 1652 1188 djddj.exe 87 PID 1652 wrote to memory of 3932 1652 xrlrffr.exe 88 PID 1652 wrote to memory of 3932 1652 xrlrffr.exe 88 PID 1652 wrote to memory of 3932 1652 xrlrffr.exe 88 PID 3932 wrote to memory of 3468 3932 jvjpp.exe 89 PID 3932 wrote to memory of 3468 3932 jvjpp.exe 89 PID 3932 wrote to memory of 3468 3932 jvjpp.exe 89 PID 3468 wrote to memory of 4052 3468 xflllrr.exe 90 PID 3468 wrote to memory of 4052 3468 xflllrr.exe 90 PID 3468 wrote to memory of 4052 3468 xflllrr.exe 90 PID 4052 wrote to memory of 2944 4052 ffflrxf.exe 91 PID 4052 wrote to memory of 2944 4052 ffflrxf.exe 91 PID 4052 wrote to memory of 2944 4052 ffflrxf.exe 91 PID 2944 wrote to memory of 1940 2944 7nhnnb.exe 92 PID 2944 wrote to memory of 1940 2944 7nhnnb.exe 92 PID 2944 wrote to memory of 1940 2944 7nhnnb.exe 92 PID 1940 wrote to memory of 1920 1940 frlfrlr.exe 93 PID 1940 
wrote to memory of 1920 1940 frlfrlr.exe 93 PID 1940 wrote to memory of 1920 1940 frlfrlr.exe 93 PID 1920 wrote to memory of 1936 1920 nbtttt.exe 94 PID 1920 wrote to memory of 1936 1920 nbtttt.exe 94 PID 1920 wrote to memory of 1936 1920 nbtttt.exe 94 PID 1936 wrote to memory of 4964 1936 jdpjj.exe 95 PID 1936 wrote to memory of 4964 1936 jdpjj.exe 95 PID 1936 wrote to memory of 4964 1936 jdpjj.exe 95 PID 4964 wrote to memory of 3260 4964 tnhnbb.exe 96 PID 4964 wrote to memory of 3260 4964 tnhnbb.exe 96 PID 4964 wrote to memory of 3260 4964 tnhnbb.exe 96 PID 3260 wrote to memory of 2196 3260 djdjd.exe 97 PID 3260 wrote to memory of 2196 3260 djdjd.exe 97 PID 3260 wrote to memory of 2196 3260 djdjd.exe 97 PID 2196 wrote to memory of 4992 2196 9vjjj.exe 98 PID 2196 wrote to memory of 4992 2196 9vjjj.exe 98 PID 2196 wrote to memory of 4992 2196 9vjjj.exe 98 PID 4992 wrote to memory of 4324 4992 7vpjv.exe 99 PID 4992 wrote to memory of 4324 4992 7vpjv.exe 99 PID 4992 wrote to memory of 4324 4992 7vpjv.exe 99 PID 4324 wrote to memory of 112 4324 hnhhbh.exe 100 PID 4324 wrote to memory of 112 4324 hnhhbh.exe 100 PID 4324 wrote to memory of 112 4324 hnhhbh.exe 100 PID 112 wrote to memory of 1116 112 jpvjv.exe 101 PID 112 wrote to memory of 1116 112 jpvjv.exe 101 PID 112 wrote to memory of 1116 112 jpvjv.exe 101 PID 1116 wrote to memory of 4912 1116 xxllrxx.exe 102 PID 1116 wrote to memory of 4912 1116 xxllrxx.exe 102 PID 1116 wrote to memory of 4912 1116 xxllrxx.exe 102 PID 4912 wrote to memory of 2640 4912 3tbbbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe"C:\Users\Admin\AppData\Local\Temp\114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\jvdvv.exec:\jvdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\lxlxxxx.exec:\lxlxxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\bnbbbh.exec:\bnbbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\rxlllrr.exec:\rxlllrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\djddj.exec:\djddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\xrlrffr.exec:\xrlrffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\jvjpp.exec:\jvjpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\xflllrr.exec:\xflllrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\ffflrxf.exec:\ffflrxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\7nhnnb.exec:\7nhnnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\frlfrlr.exec:\frlfrlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\nbtttt.exec:\nbtttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\jdpjj.exec:\jdpjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\tnhnbb.exec:\tnhnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\djdjd.exec:\djdjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\9vjjj.exec:\9vjjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\7vpjv.exec:\7vpjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\hnhhbh.exec:\hnhhbh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\jpvjv.exec:\jpvjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\xxllrxx.exec:\xxllrxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\3tbbbt.exec:\3tbbbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\jjvdv.exec:\jjvdv.exe23⤵
- Executes dropped EXE
PID:2640 -
\??\c:\ddvdp.exec:\ddvdp.exe24⤵
- Executes dropped EXE
PID:4288 -
\??\c:\rrrxfll.exec:\rrrxfll.exe25⤵
- Executes dropped EXE
PID:972 -
\??\c:\7pvvd.exec:\7pvvd.exe26⤵
- Executes dropped EXE
PID:3192 -
\??\c:\dvpvp.exec:\dvpvp.exe27⤵
- Executes dropped EXE
PID:1616 -
\??\c:\pdvvp.exec:\pdvvp.exe28⤵
- Executes dropped EXE
PID:1724 -
\??\c:\tbhnnb.exec:\tbhnnb.exe29⤵
- Executes dropped EXE
PID:516 -
\??\c:\jdvvd.exec:\jdvvd.exe30⤵
- Executes dropped EXE
PID:4004 -
\??\c:\hhnhhh.exec:\hhnhhh.exe31⤵
- Executes dropped EXE
PID:4208 -
\??\c:\lrffxfl.exec:\lrffxfl.exe32⤵
- Executes dropped EXE
PID:1224 -
\??\c:\fflllll.exec:\fflllll.exe33⤵
- Executes dropped EXE
PID:4604 -
\??\c:\3vpjj.exec:\3vpjj.exe34⤵
- Executes dropped EXE
PID:2372 -
\??\c:\1xlfrxf.exec:\1xlfrxf.exe35⤵
- Executes dropped EXE
PID:3600 -
\??\c:\htbtnn.exec:\htbtnn.exe36⤵
- Executes dropped EXE
PID:1212 -
\??\c:\djvvp.exec:\djvvp.exe37⤵
- Executes dropped EXE
PID:3672 -
\??\c:\dpdvp.exec:\dpdvp.exe38⤵
- Executes dropped EXE
PID:3136 -
\??\c:\rrfrrrr.exec:\rrfrrrr.exe39⤵
- Executes dropped EXE
PID:3340 -
\??\c:\5tbtht.exec:\5tbtht.exe40⤵
- Executes dropped EXE
PID:4636 -
\??\c:\jvdvp.exec:\jvdvp.exe41⤵
- Executes dropped EXE
PID:3900 -
\??\c:\lxfxlll.exec:\lxfxlll.exe42⤵
- Executes dropped EXE
PID:3292 -
\??\c:\7btnbb.exec:\7btnbb.exe43⤵
- Executes dropped EXE
PID:3348 -
\??\c:\nbbbnn.exec:\nbbbnn.exe44⤵
- Executes dropped EXE
PID:4280 -
\??\c:\pjjdp.exec:\pjjdp.exe45⤵
- Executes dropped EXE
PID:5076 -
\??\c:\lflxfxr.exec:\lflxfxr.exe46⤵
- Executes dropped EXE
PID:2788 -
\??\c:\hbbbth.exec:\hbbbth.exe47⤵
- Executes dropped EXE
PID:2564 -
\??\c:\vjppj.exec:\vjppj.exe48⤵
- Executes dropped EXE
PID:4132 -
\??\c:\xlxrllf.exec:\xlxrllf.exe49⤵
- Executes dropped EXE
PID:3712 -
\??\c:\rlrrxlf.exec:\rlrrxlf.exe50⤵
- Executes dropped EXE
PID:3068 -
\??\c:\tnnnhn.exec:\tnnnhn.exe51⤵
- Executes dropped EXE
PID:4404 -
\??\c:\vpdpp.exec:\vpdpp.exe52⤵
- Executes dropped EXE
PID:4060 -
\??\c:\9djvj.exec:\9djvj.exe53⤵
- Executes dropped EXE
PID:1640 -
\??\c:\rllfrlf.exec:\rllfrlf.exe54⤵
- Executes dropped EXE
PID:1188 -
\??\c:\bntnhh.exec:\bntnhh.exe55⤵
- Executes dropped EXE
PID:3612 -
\??\c:\jjpjj.exec:\jjpjj.exe56⤵
- Executes dropped EXE
PID:3932 -
\??\c:\rffrrlx.exec:\rffrrlx.exe57⤵
- Executes dropped EXE
PID:2072 -
\??\c:\xrxxxxf.exec:\xrxxxxf.exe58⤵
- Executes dropped EXE
PID:1496 -
\??\c:\thhnhh.exec:\thhnhh.exe59⤵
- Executes dropped EXE
PID:1696 -
\??\c:\jjjjj.exec:\jjjjj.exe60⤵
- Executes dropped EXE
PID:4948 -
\??\c:\lrflrfl.exec:\lrflrfl.exe61⤵
- Executes dropped EXE
PID:640 -
\??\c:\hhtttb.exec:\hhtttb.exe62⤵
- Executes dropped EXE
PID:1940 -
\??\c:\jjddp.exec:\jjddp.exe63⤵
- Executes dropped EXE
PID:1852 -
\??\c:\frfffff.exec:\frfffff.exe64⤵
- Executes dropped EXE
PID:1920 -
\??\c:\rfxrllf.exec:\rfxrllf.exe65⤵
- Executes dropped EXE
PID:2036 -
\??\c:\nttbhn.exec:\nttbhn.exe66⤵PID:3476
-
\??\c:\jdvvj.exec:\jdvvj.exe67⤵PID:4164
-
\??\c:\9ffxxxr.exec:\9ffxxxr.exe68⤵PID:2696
-
\??\c:\hhbbht.exec:\hhbbht.exe69⤵PID:4340
-
\??\c:\7djvp.exec:\7djvp.exe70⤵PID:4448
-
\??\c:\7xflfff.exec:\7xflfff.exe71⤵PID:424
-
\??\c:\9xrxxfl.exec:\9xrxxfl.exe72⤵
- System Location Discovery: System Language Discovery
PID:2392 -
\??\c:\3ntnnn.exec:\3ntnnn.exe73⤵PID:4868
-
\??\c:\jddvp.exec:\jddvp.exe74⤵PID:4708
-
\??\c:\rlrrrrx.exec:\rlrrrrx.exe75⤵PID:1472
-
\??\c:\9flrrxr.exec:\9flrrxr.exe76⤵PID:3880
-
\??\c:\ntnnnn.exec:\ntnnnn.exe77⤵PID:2640
-
\??\c:\vvpjj.exec:\vvpjj.exe78⤵PID:1536
-
\??\c:\ppdjd.exec:\ppdjd.exe79⤵PID:1420
-
\??\c:\fflfrrl.exec:\fflfrrl.exe80⤵PID:4424
-
\??\c:\bthhtb.exec:\bthhtb.exe81⤵PID:3648
-
\??\c:\pjpjd.exec:\pjpjd.exe82⤵PID:4216
-
\??\c:\ffrrlrx.exec:\ffrrlrx.exe83⤵PID:1616
-
\??\c:\3nbtbh.exec:\3nbtbh.exe84⤵PID:1724
-
\??\c:\jjdvp.exec:\jjdvp.exe85⤵PID:516
-
\??\c:\fxffxxr.exec:\fxffxxr.exe86⤵PID:1908
-
\??\c:\hhhhhh.exec:\hhhhhh.exe87⤵PID:4716
-
\??\c:\hbttbb.exec:\hbttbb.exe88⤵PID:3200
-
\??\c:\9jvdp.exec:\9jvdp.exe89⤵PID:2400
-
\??\c:\fxrrlrx.exec:\fxrrlrx.exe90⤵PID:1620
-
\??\c:\bnhhbh.exec:\bnhhbh.exe91⤵PID:4620
-
\??\c:\vvvpj.exec:\vvvpj.exe92⤵PID:5012
-
\??\c:\xrfxxff.exec:\xrfxxff.exe93⤵PID:4456
-
\??\c:\rrflffx.exec:\rrflffx.exe94⤵PID:668
-
\??\c:\hbttbb.exec:\hbttbb.exe95⤵PID:4532
-
\??\c:\pvvjv.exec:\pvvjv.exe96⤵PID:2712
-
\??\c:\xxffxff.exec:\xxffxff.exe97⤵PID:4544
-
\??\c:\hnbttb.exec:\hnbttb.exe98⤵PID:2924
-
\??\c:\btbbtt.exec:\btbbtt.exe99⤵PID:116
-
\??\c:\ddjdv.exec:\ddjdv.exe100⤵PID:4624
-
\??\c:\xrllllr.exec:\xrllllr.exe101⤵PID:3292
-
\??\c:\7hhnhb.exec:\7hhnhb.exe102⤵PID:4464
-
\??\c:\hnbbtb.exec:\hnbbtb.exe103⤵PID:4676
-
\??\c:\vjddv.exec:\vjddv.exe104⤵PID:5036
-
\??\c:\lffrlfx.exec:\lffrlfx.exe105⤵PID:4352
-
\??\c:\hbttbt.exec:\hbttbt.exe106⤵PID:4436
-
\??\c:\ppvpd.exec:\ppvpd.exe107⤵PID:2132
-
\??\c:\pvjjv.exec:\pvjjv.exe108⤵PID:440
-
\??\c:\9frlxfx.exec:\9frlxfx.exe109⤵PID:5072
-
\??\c:\nnbhnn.exec:\nnbhnn.exe110⤵PID:3712
-
\??\c:\vpvpd.exec:\vpvpd.exe111⤵PID:3068
-
\??\c:\rxffrrf.exec:\rxffrrf.exe112⤵PID:1580
-
\??\c:\rxrllrl.exec:\rxrllrl.exe113⤵PID:1712
-
\??\c:\htnhhh.exec:\htnhhh.exe114⤵PID:3608
-
\??\c:\vpjdv.exec:\vpjdv.exe115⤵PID:888
-
\??\c:\lfrxfll.exec:\lfrxfll.exe116⤵PID:1924
-
\??\c:\tbnhnn.exec:\tbnhnn.exe117⤵PID:64
-
\??\c:\btbttn.exec:\btbttn.exe118⤵PID:3932
-
\??\c:\dvpdp.exec:\dvpdp.exe119⤵PID:4888
-
\??\c:\3dvjj.exec:\3dvjj.exe120⤵PID:3952
-
\??\c:\frfxrrr.exec:\frfxrrr.exe121⤵PID:4376
-
\??\c:\bthbtt.exec:\bthbtt.exe122⤵PID:2648
-