Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 08:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
db96dcc94674281c3f7e3f382e8b993d939848e6dbb2afe06565d30e8e14349c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
db96dcc94674281c3f7e3f382e8b993d939848e6dbb2afe06565d30e8e14349c.exe
-
Size
454KB
-
MD5
25d3694aea83a1f1c0d74f3f172d78cf
-
SHA1
e024bef825fc3a8585c2fc399ebfbdfa51241b3f
-
SHA256
db96dcc94674281c3f7e3f382e8b993d939848e6dbb2afe06565d30e8e14349c
-
SHA512
347b6bce39c10a36accac39f60be87f42806fb87e4e45136be01c59d068666ab70d65458d1daf45f2fb46c79c164cae617dfff71f062d879a57ababa88d6fa40
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/2056-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-37-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2828-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-77-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2824-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/904-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-133-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1300-141-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1300-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1168-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-180-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2960-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2004-193-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2084-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-289-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2816-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/588-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-592-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1584-600-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2748-613-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2812-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-651-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2740-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3056-683-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1172-691-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1076-704-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1488-764-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2464-892-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-917-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2776-942-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1056-967-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2504-980-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2360 3xlllll.exe 772 nbnthh.exe 2900 9pdjv.exe 1956 btnbnt.exe 2828 jdvdj.exe 2792 dpppd.exe 2824 xlfxlrf.exe 2740 vpjpv.exe 2624 1rxrxrx.exe 3052 dvvjv.exe 2576 tntbhn.exe 904 pjvvj.exe 480 lllfxfx.exe 1300 dvddp.exe 1168 jvpjp.exe 2004 jvppj.exe 1632 ffrxlrf.exe 2960 vvppd.exe 2084 1frxxfl.exe 2404 jdpvd.exe 2028 rllrflf.exe 2584 1vjjv.exe 1144 xrxxxff.exe 1720 vjdvd.exe 1776 7jvvd.exe 2384 1vpvd.exe 2968 9pddv.exe 1864 vpjpd.exe 1516 3pjvp.exe 896 1hhhnn.exe 2512 ppdjj.exe 2360 9thhtb.exe 1964 jddjp.exe 1564 5fxlrxf.exe 2788 5bbtbb.exe 1900 pjddj.exe 2816 dddvp.exe 2756 9fffffr.exe 2828 ttnbnn.exe 2720 btnttb.exe 2628 vjvdj.exe 2256 xrlrlfx.exe 2616 hhhnbb.exe 1976 bnhnbb.exe 2624 vjvpd.exe 2096 frlfrrf.exe 1728 xrxxrxl.exe 2912 nhbhnh.exe 1636 dvdjv.exe 588 dpddd.exe 592 llxrxxf.exe 2592 5hbttb.exe 1840 thhbnh.exe 2368 3pvpp.exe 1324 9frrfxx.exe 2940 9lflrrx.exe 2572 5nnntb.exe 620 jjddj.exe 996 jdvvd.exe 1576 rlxrffl.exe 3044 nbnttt.exe 2692 ddpvp.exe 1160 pjddp.exe 820 rfllllr.exe -
resource yara_rule behavioral1/memory/2056-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-185-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2084-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1160-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-566-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2052-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1172-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-756-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2464-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-1011-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlrxfl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrflxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttht.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2056 wrote to memory of 2360 2056 db96dcc94674281c3f7e3f382e8b993d939848e6dbb2afe06565d30e8e14349c.exe 30 PID 2056 wrote to memory of 2360 2056 db96dcc94674281c3f7e3f382e8b993d939848e6dbb2afe06565d30e8e14349c.exe 30 PID 2056 wrote to memory of 2360 2056 db96dcc94674281c3f7e3f382e8b993d939848e6dbb2afe06565d30e8e14349c.exe 30 PID 2056 wrote to memory of 2360 2056 db96dcc94674281c3f7e3f382e8b993d939848e6dbb2afe06565d30e8e14349c.exe 30 PID 2360 wrote to memory of 772 2360 3xlllll.exe 31 PID 2360 wrote to memory of 772 2360 3xlllll.exe 31 PID 2360 wrote to memory of 772 2360 3xlllll.exe 31 PID 2360 wrote to memory of 772 2360 3xlllll.exe 31 PID 772 wrote to memory of 2900 772 nbnthh.exe 32 PID 772 wrote to memory of 2900 772 nbnthh.exe 32 PID 772 wrote to memory of 2900 772 nbnthh.exe 32 PID 772 wrote to memory of 2900 772 nbnthh.exe 32 PID 2900 wrote to memory of 1956 2900 9pdjv.exe 33 PID 2900 wrote to memory of 1956 2900 9pdjv.exe 33 PID 2900 wrote to memory of 1956 2900 9pdjv.exe 33 PID 2900 wrote to memory of 1956 2900 9pdjv.exe 33 PID 1956 wrote to memory of 2828 1956 btnbnt.exe 34 PID 1956 wrote to memory of 2828 1956 btnbnt.exe 34 PID 1956 wrote to memory of 2828 1956 btnbnt.exe 34 PID 1956 wrote to memory of 2828 1956 btnbnt.exe 34 PID 2828 wrote to memory of 2792 2828 jdvdj.exe 35 PID 2828 wrote to memory of 2792 2828 jdvdj.exe 35 PID 2828 wrote to memory of 2792 2828 jdvdj.exe 35 PID 2828 wrote to memory of 2792 2828 jdvdj.exe 35 PID 2792 wrote to memory of 2824 2792 dpppd.exe 36 PID 2792 wrote to memory of 2824 2792 dpppd.exe 36 PID 2792 wrote to memory of 2824 2792 dpppd.exe 36 PID 2792 wrote to memory of 2824 2792 dpppd.exe 36 PID 2824 wrote to memory of 2740 2824 xlfxlrf.exe 37 PID 2824 wrote to memory of 2740 2824 xlfxlrf.exe 37 PID 2824 wrote to memory of 2740 2824 xlfxlrf.exe 37 PID 2824 wrote to memory of 2740 2824 xlfxlrf.exe 37 PID 2740 wrote to memory of 2624 2740 vpjpv.exe 38 PID 2740 wrote to memory of 
2624 2740 vpjpv.exe 38 PID 2740 wrote to memory of 2624 2740 vpjpv.exe 38 PID 2740 wrote to memory of 2624 2740 vpjpv.exe 38 PID 2624 wrote to memory of 3052 2624 1rxrxrx.exe 39 PID 2624 wrote to memory of 3052 2624 1rxrxrx.exe 39 PID 2624 wrote to memory of 3052 2624 1rxrxrx.exe 39 PID 2624 wrote to memory of 3052 2624 1rxrxrx.exe 39 PID 3052 wrote to memory of 2576 3052 dvvjv.exe 40 PID 3052 wrote to memory of 2576 3052 dvvjv.exe 40 PID 3052 wrote to memory of 2576 3052 dvvjv.exe 40 PID 3052 wrote to memory of 2576 3052 dvvjv.exe 40 PID 2576 wrote to memory of 904 2576 tntbhn.exe 41 PID 2576 wrote to memory of 904 2576 tntbhn.exe 41 PID 2576 wrote to memory of 904 2576 tntbhn.exe 41 PID 2576 wrote to memory of 904 2576 tntbhn.exe 41 PID 904 wrote to memory of 480 904 pjvvj.exe 42 PID 904 wrote to memory of 480 904 pjvvj.exe 42 PID 904 wrote to memory of 480 904 pjvvj.exe 42 PID 904 wrote to memory of 480 904 pjvvj.exe 42 PID 480 wrote to memory of 1300 480 lllfxfx.exe 43 PID 480 wrote to memory of 1300 480 lllfxfx.exe 43 PID 480 wrote to memory of 1300 480 lllfxfx.exe 43 PID 480 wrote to memory of 1300 480 lllfxfx.exe 43 PID 1300 wrote to memory of 1168 1300 dvddp.exe 44 PID 1300 wrote to memory of 1168 1300 dvddp.exe 44 PID 1300 wrote to memory of 1168 1300 dvddp.exe 44 PID 1300 wrote to memory of 1168 1300 dvddp.exe 44 PID 1168 wrote to memory of 2004 1168 jvpjp.exe 45 PID 1168 wrote to memory of 2004 1168 jvpjp.exe 45 PID 1168 wrote to memory of 2004 1168 jvpjp.exe 45 PID 1168 wrote to memory of 2004 1168 jvpjp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\db96dcc94674281c3f7e3f382e8b993d939848e6dbb2afe06565d30e8e14349c.exe"C:\Users\Admin\AppData\Local\Temp\db96dcc94674281c3f7e3f382e8b993d939848e6dbb2afe06565d30e8e14349c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\3xlllll.exec:\3xlllll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\nbnthh.exec:\nbnthh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\9pdjv.exec:\9pdjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\btnbnt.exec:\btnbnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\jdvdj.exec:\jdvdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\dpppd.exec:\dpppd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\xlfxlrf.exec:\xlfxlrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\vpjpv.exec:\vpjpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\1rxrxrx.exec:\1rxrxrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\dvvjv.exec:\dvvjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\tntbhn.exec:\tntbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\pjvvj.exec:\pjvvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
\??\c:\lllfxfx.exec:\lllfxfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:480 -
\??\c:\dvddp.exec:\dvddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\jvpjp.exec:\jvpjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\jvppj.exec:\jvppj.exe17⤵
- Executes dropped EXE
PID:2004 -
\??\c:\ffrxlrf.exec:\ffrxlrf.exe18⤵
- Executes dropped EXE
PID:1632 -
\??\c:\vvppd.exec:\vvppd.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
\??\c:\1frxxfl.exec:\1frxxfl.exe20⤵
- Executes dropped EXE
PID:2084 -
\??\c:\jdpvd.exec:\jdpvd.exe21⤵
- Executes dropped EXE
PID:2404 -
\??\c:\rllrflf.exec:\rllrflf.exe22⤵
- Executes dropped EXE
PID:2028 -
\??\c:\1vjjv.exec:\1vjjv.exe23⤵
- Executes dropped EXE
PID:2584 -
\??\c:\xrxxxff.exec:\xrxxxff.exe24⤵
- Executes dropped EXE
PID:1144 -
\??\c:\vjdvd.exec:\vjdvd.exe25⤵
- Executes dropped EXE
PID:1720 -
\??\c:\7jvvd.exec:\7jvvd.exe26⤵
- Executes dropped EXE
PID:1776 -
\??\c:\1vpvd.exec:\1vpvd.exe27⤵
- Executes dropped EXE
PID:2384 -
\??\c:\9pddv.exec:\9pddv.exe28⤵
- Executes dropped EXE
PID:2968 -
\??\c:\vpjpd.exec:\vpjpd.exe29⤵
- Executes dropped EXE
PID:1864 -
\??\c:\3pjvp.exec:\3pjvp.exe30⤵
- Executes dropped EXE
PID:1516 -
\??\c:\1hhhnn.exec:\1hhhnn.exe31⤵
- Executes dropped EXE
PID:896 -
\??\c:\ppdjj.exec:\ppdjj.exe32⤵
- Executes dropped EXE
PID:2512 -
\??\c:\9thhtb.exec:\9thhtb.exe33⤵
- Executes dropped EXE
PID:2360 -
\??\c:\jddjp.exec:\jddjp.exe34⤵
- Executes dropped EXE
PID:1964 -
\??\c:\5fxlrxf.exec:\5fxlrxf.exe35⤵
- Executes dropped EXE
PID:1564 -
\??\c:\5bbtbb.exec:\5bbtbb.exe36⤵
- Executes dropped EXE
PID:2788 -
\??\c:\pjddj.exec:\pjddj.exe37⤵
- Executes dropped EXE
PID:1900 -
\??\c:\dddvp.exec:\dddvp.exe38⤵
- Executes dropped EXE
PID:2816 -
\??\c:\9fffffr.exec:\9fffffr.exe39⤵
- Executes dropped EXE
PID:2756 -
\??\c:\ttnbnn.exec:\ttnbnn.exe40⤵
- Executes dropped EXE
PID:2828 -
\??\c:\btnttb.exec:\btnttb.exe41⤵
- Executes dropped EXE
PID:2720 -
\??\c:\vjvdj.exec:\vjvdj.exe42⤵
- Executes dropped EXE
PID:2628 -
\??\c:\xrlrlfx.exec:\xrlrlfx.exe43⤵
- Executes dropped EXE
PID:2256 -
\??\c:\hhhnbb.exec:\hhhnbb.exe44⤵
- Executes dropped EXE
PID:2616 -
\??\c:\bnhnbb.exec:\bnhnbb.exe45⤵
- Executes dropped EXE
PID:1976 -
\??\c:\vjvpd.exec:\vjvpd.exe46⤵
- Executes dropped EXE
PID:2624 -
\??\c:\frlfrrf.exec:\frlfrrf.exe47⤵
- Executes dropped EXE
PID:2096 -
\??\c:\xrxxrxl.exec:\xrxxrxl.exe48⤵
- Executes dropped EXE
PID:1728 -
\??\c:\nhbhnh.exec:\nhbhnh.exe49⤵
- Executes dropped EXE
PID:2912 -
\??\c:\dvdjv.exec:\dvdjv.exe50⤵
- Executes dropped EXE
PID:1636 -
\??\c:\dpddd.exec:\dpddd.exe51⤵
- Executes dropped EXE
PID:588 -
\??\c:\llxrxxf.exec:\llxrxxf.exe52⤵
- Executes dropped EXE
PID:592 -
\??\c:\5hbttb.exec:\5hbttb.exe53⤵
- Executes dropped EXE
PID:2592 -
\??\c:\thhbnh.exec:\thhbnh.exe54⤵
- Executes dropped EXE
PID:1840 -
\??\c:\3pvpp.exec:\3pvpp.exe55⤵
- Executes dropped EXE
PID:2368 -
\??\c:\9frrfxx.exec:\9frrfxx.exe56⤵
- Executes dropped EXE
PID:1324 -
\??\c:\9lflrrx.exec:\9lflrrx.exe57⤵
- Executes dropped EXE
PID:2940 -
\??\c:\5nnntb.exec:\5nnntb.exe58⤵
- Executes dropped EXE
PID:2572 -
\??\c:\jjddj.exec:\jjddj.exe59⤵
- Executes dropped EXE
PID:620 -
\??\c:\jdvvd.exec:\jdvvd.exe60⤵
- Executes dropped EXE
PID:996 -
\??\c:\rlxrffl.exec:\rlxrffl.exe61⤵
- Executes dropped EXE
PID:1576 -
\??\c:\nbnttt.exec:\nbnttt.exe62⤵
- Executes dropped EXE
PID:3044 -
\??\c:\ddpvp.exec:\ddpvp.exe63⤵
- Executes dropped EXE
PID:2692 -
\??\c:\pjddp.exec:\pjddp.exe64⤵
- Executes dropped EXE
PID:1160 -
\??\c:\rfllllr.exec:\rfllllr.exe65⤵
- Executes dropped EXE
PID:820 -
\??\c:\9hhhhn.exec:\9hhhhn.exe66⤵PID:1720
-
\??\c:\1hhthb.exec:\1hhthb.exe67⤵PID:2192
-
\??\c:\3jdpd.exec:\3jdpd.exe68⤵PID:1820
-
\??\c:\rlflrxr.exec:\rlflrxr.exe69⤵PID:2172
-
\??\c:\xrffllx.exec:\xrffllx.exe70⤵PID:2180
-
\??\c:\1htbtb.exec:\1htbtb.exe71⤵PID:1864
-
\??\c:\dvjjv.exec:\dvjjv.exe72⤵PID:1736
-
\??\c:\fxrlllr.exec:\fxrlllr.exe73⤵PID:2064
-
\??\c:\rfrxlrf.exec:\rfrxlrf.exe74⤵PID:2316
-
\??\c:\nhtntt.exec:\nhtntt.exe75⤵PID:2052
-
\??\c:\jjdjv.exec:\jjdjv.exe76⤵PID:772
-
\??\c:\jvdvj.exec:\jvdvj.exe77⤵PID:1584
-
\??\c:\rfrfxxl.exec:\rfrfxxl.exe78⤵PID:2696
-
\??\c:\ntnnht.exec:\ntnnht.exe79⤵PID:2748
-
\??\c:\vpddj.exec:\vpddj.exe80⤵PID:2812
-
\??\c:\ffxxrlx.exec:\ffxxrlx.exe81⤵PID:2832
-
\??\c:\rlxxffr.exec:\rlxxffr.exe82⤵PID:2760
-
\??\c:\5thntt.exec:\5thntt.exe83⤵PID:2632
-
\??\c:\vjpvv.exec:\vjpvv.exe84⤵PID:2764
-
\??\c:\pjvdj.exec:\pjvdj.exe85⤵PID:2604
-
\??\c:\lfllffx.exec:\lfllffx.exe86⤵PID:2740
-
\??\c:\7nbtnn.exec:\7nbtnn.exe87⤵PID:3056
-
\??\c:\jdvdj.exec:\jdvdj.exe88⤵PID:1976
-
\??\c:\vpjjd.exec:\vpjjd.exe89⤵PID:3060
-
\??\c:\xrllfll.exec:\xrllfll.exe90⤵PID:1700
-
\??\c:\thtnbt.exec:\thtnbt.exe91⤵PID:1172
-
\??\c:\7bttbb.exec:\7bttbb.exe92⤵
- System Location Discovery: System Language Discovery
PID:2912 -
\??\c:\3vjpp.exec:\3vjpp.exe93⤵PID:1076
-
\??\c:\llllxlf.exec:\llllxlf.exe94⤵PID:264
-
\??\c:\xrxfrxl.exec:\xrxfrxl.exe95⤵PID:2016
-
\??\c:\9hhhnn.exec:\9hhhnn.exe96⤵PID:1352
-
\??\c:\1vppv.exec:\1vppv.exe97⤵PID:832
-
\??\c:\xfxfrxl.exec:\xfxfrxl.exe98⤵PID:1496
-
\??\c:\nbbbbt.exec:\nbbbbt.exe99⤵PID:2460
-
\??\c:\3ntnhh.exec:\3ntnhh.exe100⤵PID:956
-
\??\c:\jdpdd.exec:\jdpdd.exe101⤵PID:2376
-
\??\c:\fxllrrl.exec:\fxllrrl.exe102⤵PID:1488
-
\??\c:\xrfrflx.exec:\xrfrflx.exe103⤵PID:3032
-
\??\c:\hbtntb.exec:\hbtntb.exe104⤵PID:1576
-
\??\c:\bttntn.exec:\bttntn.exe105⤵PID:3044
-
\??\c:\vjvvd.exec:\vjvvd.exe106⤵PID:2692
-
\??\c:\5fxxfll.exec:\5fxxfll.exe107⤵PID:1708
-
\??\c:\1xxfllx.exec:\1xxfllx.exe108⤵PID:924
-
\??\c:\tnbnnn.exec:\tnbnnn.exe109⤵PID:912
-
\??\c:\9ppvj.exec:\9ppvj.exe110⤵PID:732
-
\??\c:\dpvpv.exec:\dpvpv.exe111⤵PID:564
-
\??\c:\rrlfxrl.exec:\rrlfxrl.exe112⤵PID:2968
-
\??\c:\thtnnn.exec:\thtnnn.exe113⤵PID:536
-
\??\c:\hhbbnn.exec:\hhbbnn.exe114⤵PID:1856
-
\??\c:\5vpvv.exec:\5vpvv.exe115⤵PID:2480
-
\??\c:\9fxfrrf.exec:\9fxfrrf.exe116⤵PID:2532
-
\??\c:\3lrrxrx.exec:\3lrrxrx.exe117⤵PID:2356
-
\??\c:\nhttbb.exec:\nhttbb.exe118⤵PID:2160
-
\??\c:\jdppp.exec:\jdppp.exe119⤵PID:2360
-
\??\c:\vjvvv.exec:\vjvvv.exe120⤵PID:1796
-
\??\c:\frrlllf.exec:\frrlllf.exe121⤵PID:1588
-
\??\c:\5fllrrx.exec:\5fllrrx.exe122⤵PID:2788