Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe
-
Size
454KB
-
MD5
b78f3f3a60cf3e45c91adbb2e0e32899
-
SHA1
1ca46fda3d2ba5d270fe4fd6083cf29e553599d2
-
SHA256
19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f
-
SHA512
d79a955ae0c34b0e0700d33588a7d4afa6e8401dd7884b6c5536ffc4793d5a554deb79b7bd4753fdcc6e716eb6d799b8951326eea6ddc34a6bba2d3b2491975d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3780-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1200-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/472-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3300-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-1041-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-1078-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3184 nbnbnb.exe 1368 rfffxfx.exe 3908 djjjj.exe 2348 hhhnht.exe 4272 pjpdv.exe 4252 3rrlffx.exe 4084 rrlxrfx.exe 1216 frrfrlf.exe 4236 tnbbht.exe 1788 djdjv.exe 3940 9nhhbn.exe 1952 5vvvp.exe 2084 llfrllf.exe 212 nnhhtt.exe 4324 xffxfrx.exe 4992 bttbht.exe 2460 vpjvp.exe 1184 vpjvp.exe 4828 rrxlxxl.exe 4628 jvjdv.exe 4508 3llfxrl.exe 2160 xlxxrrr.exe 964 dvpjv.exe 540 frrlxrr.exe 724 djjvp.exe 4172 rlrllll.exe 1200 vvpdv.exe 3420 ppvpv.exe 2732 rrxrfff.exe 544 dvjjp.exe 472 xxflrff.exe 1816 5nhhhh.exe 828 xrfxrrr.exe 760 7tnhnn.exe 1972 ntbbbb.exe 2780 9vvdv.exe 4660 rrrxxfx.exe 4000 hthbtt.exe 2104 3pjpv.exe 2008 xfxrlll.exe 2572 tttttb.exe 1564 jpddp.exe 3668 jjvpp.exe 3052 xrrxxfx.exe 4204 bhbnnt.exe 708 ppjvv.exe 4656 rrfrrxr.exe 1620 bbnhhh.exe 2248 3hntbb.exe 3696 vjppj.exe 4932 9xflflf.exe 3592 bhbtnn.exe 1396 frrlxrl.exe 4228 tbbnhh.exe 772 djvvj.exe 3424 fffrrlx.exe 4100 7lllrrf.exe 2908 tnttth.exe 3608 jdpjd.exe 4328 fxfxxff.exe 1560 tnbtnn.exe 2932 1jjdv.exe 216 djpjv.exe 3684 flxrxfx.exe -
resource yara_rule behavioral2/memory/3780-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/544-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/472-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2164-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-857-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-1041-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfllf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3780 wrote to memory of 3184 3780 19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe 82 PID 3780 wrote to memory of 3184 3780 19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe 82 PID 3780 wrote to memory of 3184 3780 19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe 82 PID 3184 wrote to memory of 1368 3184 nbnbnb.exe 83 PID 3184 wrote to memory of 1368 3184 nbnbnb.exe 83 PID 3184 wrote to memory of 1368 3184 nbnbnb.exe 83 PID 1368 wrote to memory of 3908 1368 rfffxfx.exe 84 PID 1368 wrote to memory of 3908 1368 rfffxfx.exe 84 PID 1368 wrote to memory of 3908 1368 rfffxfx.exe 84 PID 3908 wrote to memory of 2348 3908 djjjj.exe 85 PID 3908 wrote to memory of 2348 3908 djjjj.exe 85 PID 3908 wrote to memory of 2348 3908 djjjj.exe 85 PID 2348 wrote to memory of 4272 2348 hhhnht.exe 86 PID 2348 wrote to memory of 4272 2348 hhhnht.exe 86 PID 2348 wrote to memory of 4272 2348 hhhnht.exe 86 PID 4272 wrote to memory of 4252 4272 pjpdv.exe 87 PID 4272 wrote to memory of 4252 4272 pjpdv.exe 87 PID 4272 wrote to memory of 4252 4272 pjpdv.exe 87 PID 4252 wrote to memory of 4084 4252 3rrlffx.exe 88 PID 4252 wrote to memory of 4084 4252 3rrlffx.exe 88 PID 4252 wrote to memory of 4084 4252 3rrlffx.exe 88 PID 4084 wrote to memory of 1216 4084 rrlxrfx.exe 89 PID 4084 wrote to memory of 1216 4084 rrlxrfx.exe 89 PID 4084 wrote to memory of 1216 4084 rrlxrfx.exe 89 PID 1216 wrote to memory of 4236 1216 frrfrlf.exe 90 PID 1216 wrote to memory of 4236 1216 frrfrlf.exe 90 PID 1216 wrote to memory of 4236 1216 frrfrlf.exe 90 PID 4236 wrote to memory of 1788 4236 tnbbht.exe 91 PID 4236 wrote to memory of 1788 4236 tnbbht.exe 91 PID 4236 wrote to memory of 1788 4236 tnbbht.exe 91 PID 1788 wrote to memory of 3940 1788 djdjv.exe 92 PID 1788 wrote to memory of 3940 1788 djdjv.exe 92 PID 1788 wrote to memory of 3940 1788 djdjv.exe 92 PID 3940 wrote to memory of 1952 3940 9nhhbn.exe 93 PID 3940 wrote 
to memory of 1952 3940 9nhhbn.exe 93 PID 3940 wrote to memory of 1952 3940 9nhhbn.exe 93 PID 1952 wrote to memory of 2084 1952 5vvvp.exe 94 PID 1952 wrote to memory of 2084 1952 5vvvp.exe 94 PID 1952 wrote to memory of 2084 1952 5vvvp.exe 94 PID 2084 wrote to memory of 212 2084 llfrllf.exe 95 PID 2084 wrote to memory of 212 2084 llfrllf.exe 95 PID 2084 wrote to memory of 212 2084 llfrllf.exe 95 PID 212 wrote to memory of 4324 212 nnhhtt.exe 96 PID 212 wrote to memory of 4324 212 nnhhtt.exe 96 PID 212 wrote to memory of 4324 212 nnhhtt.exe 96 PID 4324 wrote to memory of 4992 4324 xffxfrx.exe 97 PID 4324 wrote to memory of 4992 4324 xffxfrx.exe 97 PID 4324 wrote to memory of 4992 4324 xffxfrx.exe 97 PID 4992 wrote to memory of 2460 4992 bttbht.exe 98 PID 4992 wrote to memory of 2460 4992 bttbht.exe 98 PID 4992 wrote to memory of 2460 4992 bttbht.exe 98 PID 2460 wrote to memory of 1184 2460 vpjvp.exe 99 PID 2460 wrote to memory of 1184 2460 vpjvp.exe 99 PID 2460 wrote to memory of 1184 2460 vpjvp.exe 99 PID 1184 wrote to memory of 4828 1184 vpjvp.exe 100 PID 1184 wrote to memory of 4828 1184 vpjvp.exe 100 PID 1184 wrote to memory of 4828 1184 vpjvp.exe 100 PID 4828 wrote to memory of 4628 4828 rrxlxxl.exe 101 PID 4828 wrote to memory of 4628 4828 rrxlxxl.exe 101 PID 4828 wrote to memory of 4628 4828 rrxlxxl.exe 101 PID 4628 wrote to memory of 4508 4628 jvjdv.exe 102 PID 4628 wrote to memory of 4508 4628 jvjdv.exe 102 PID 4628 wrote to memory of 4508 4628 jvjdv.exe 102 PID 4508 wrote to memory of 2160 4508 3llfxrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe"C:\Users\Admin\AppData\Local\Temp\19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\nbnbnb.exec:\nbnbnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\rfffxfx.exec:\rfffxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\djjjj.exec:\djjjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
\??\c:\hhhnht.exec:\hhhnht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\pjpdv.exec:\pjpdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\3rrlffx.exec:\3rrlffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\rrlxrfx.exec:\rrlxrfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\frrfrlf.exec:\frrfrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\tnbbht.exec:\tnbbht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\djdjv.exec:\djdjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\9nhhbn.exec:\9nhhbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\5vvvp.exec:\5vvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\llfrllf.exec:\llfrllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\nnhhtt.exec:\nnhhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\xffxfrx.exec:\xffxfrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\bttbht.exec:\bttbht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\vpjvp.exec:\vpjvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\vpjvp.exec:\vpjvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\rrxlxxl.exec:\rrxlxxl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\jvjdv.exec:\jvjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\3llfxrl.exec:\3llfxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\xlxxrrr.exec:\xlxxrrr.exe23⤵
- Executes dropped EXE
PID:2160 -
\??\c:\dvpjv.exec:\dvpjv.exe24⤵
- Executes dropped EXE
PID:964 -
\??\c:\frrlxrr.exec:\frrlxrr.exe25⤵
- Executes dropped EXE
PID:540 -
\??\c:\djjvp.exec:\djjvp.exe26⤵
- Executes dropped EXE
PID:724 -
\??\c:\rlrllll.exec:\rlrllll.exe27⤵
- Executes dropped EXE
PID:4172 -
\??\c:\vvpdv.exec:\vvpdv.exe28⤵
- Executes dropped EXE
PID:1200 -
\??\c:\ppvpv.exec:\ppvpv.exe29⤵
- Executes dropped EXE
PID:3420 -
\??\c:\rrxrfff.exec:\rrxrfff.exe30⤵
- Executes dropped EXE
PID:2732 -
\??\c:\dvjjp.exec:\dvjjp.exe31⤵
- Executes dropped EXE
PID:544 -
\??\c:\xxflrff.exec:\xxflrff.exe32⤵
- Executes dropped EXE
PID:472 -
\??\c:\5nhhhh.exec:\5nhhhh.exe33⤵
- Executes dropped EXE
PID:1816 -
\??\c:\xrfxrrr.exec:\xrfxrrr.exe34⤵
- Executes dropped EXE
PID:828 -
\??\c:\7tnhnn.exec:\7tnhnn.exe35⤵
- Executes dropped EXE
PID:760 -
\??\c:\ntbbbb.exec:\ntbbbb.exe36⤵
- Executes dropped EXE
PID:1972 -
\??\c:\9vvdv.exec:\9vvdv.exe37⤵
- Executes dropped EXE
PID:2780 -
\??\c:\rrrxxfx.exec:\rrrxxfx.exe38⤵
- Executes dropped EXE
PID:4660 -
\??\c:\hthbtt.exec:\hthbtt.exe39⤵
- Executes dropped EXE
PID:4000 -
\??\c:\3pjpv.exec:\3pjpv.exe40⤵
- Executes dropped EXE
PID:2104 -
\??\c:\xfxrlll.exec:\xfxrlll.exe41⤵
- Executes dropped EXE
PID:2008 -
\??\c:\tttttb.exec:\tttttb.exe42⤵
- Executes dropped EXE
PID:2572 -
\??\c:\jpddp.exec:\jpddp.exe43⤵
- Executes dropped EXE
PID:1564 -
\??\c:\jjvpp.exec:\jjvpp.exe44⤵
- Executes dropped EXE
PID:3668 -
\??\c:\xrrxxfx.exec:\xrrxxfx.exe45⤵
- Executes dropped EXE
PID:3052 -
\??\c:\bhbnnt.exec:\bhbnnt.exe46⤵
- Executes dropped EXE
PID:4204 -
\??\c:\ppjvv.exec:\ppjvv.exe47⤵
- Executes dropped EXE
PID:708 -
\??\c:\rrfrrxr.exec:\rrfrrxr.exe48⤵
- Executes dropped EXE
PID:4656 -
\??\c:\bbnhhh.exec:\bbnhhh.exe49⤵
- Executes dropped EXE
PID:1620 -
\??\c:\3hntbb.exec:\3hntbb.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2248 -
\??\c:\vjppj.exec:\vjppj.exe51⤵
- Executes dropped EXE
PID:3696 -
\??\c:\9xflflf.exec:\9xflflf.exe52⤵
- Executes dropped EXE
PID:4932 -
\??\c:\bhbtnn.exec:\bhbtnn.exe53⤵
- Executes dropped EXE
PID:3592 -
\??\c:\vdjdv.exec:\vdjdv.exe54⤵PID:1760
-
\??\c:\frrlxrl.exec:\frrlxrl.exe55⤵
- Executes dropped EXE
PID:1396 -
\??\c:\tbbnhh.exec:\tbbnhh.exe56⤵
- Executes dropped EXE
PID:4228 -
\??\c:\djvvj.exec:\djvvj.exe57⤵
- Executes dropped EXE
PID:772 -
\??\c:\fffrrlx.exec:\fffrrlx.exe58⤵
- Executes dropped EXE
PID:3424 -
\??\c:\7lllrrf.exec:\7lllrrf.exe59⤵
- Executes dropped EXE
PID:4100 -
\??\c:\tnttth.exec:\tnttth.exe60⤵
- Executes dropped EXE
PID:2908 -
\??\c:\jdpjd.exec:\jdpjd.exe61⤵
- Executes dropped EXE
PID:3608 -
\??\c:\fxfxxff.exec:\fxfxxff.exe62⤵
- Executes dropped EXE
PID:4328 -
\??\c:\tnbtnn.exec:\tnbtnn.exe63⤵
- Executes dropped EXE
PID:1560 -
\??\c:\1jjdv.exec:\1jjdv.exe64⤵
- Executes dropped EXE
PID:2932 -
\??\c:\djpjv.exec:\djpjv.exe65⤵
- Executes dropped EXE
PID:216 -
\??\c:\flxrxfx.exec:\flxrxfx.exe66⤵
- Executes dropped EXE
PID:3684 -
\??\c:\tbhbtt.exec:\tbhbtt.exe67⤵PID:936
-
\??\c:\pjpjj.exec:\pjpjj.exe68⤵PID:1644
-
\??\c:\lxlllll.exec:\lxlllll.exe69⤵PID:2864
-
\??\c:\thnbtt.exec:\thnbtt.exe70⤵PID:2916
-
\??\c:\5djjd.exec:\5djjd.exe71⤵PID:1604
-
\??\c:\7flfxxr.exec:\7flfxxr.exe72⤵PID:376
-
\??\c:\tnbttn.exec:\tnbttn.exe73⤵PID:5016
-
\??\c:\pdpjd.exec:\pdpjd.exe74⤵PID:4044
-
\??\c:\jdpvj.exec:\jdpvj.exe75⤵PID:3300
-
\??\c:\ttbtnn.exec:\ttbtnn.exe76⤵PID:552
-
\??\c:\pdpvp.exec:\pdpvp.exe77⤵PID:2096
-
\??\c:\xrrxrrr.exec:\xrrxrrr.exe78⤵PID:4364
-
\??\c:\xfxfxxr.exec:\xfxfxxr.exe79⤵PID:4616
-
\??\c:\nhbttt.exec:\nhbttt.exe80⤵PID:1184
-
\??\c:\dvvpj.exec:\dvvpj.exe81⤵PID:4064
-
\??\c:\fxfxlrx.exec:\fxfxlrx.exe82⤵PID:4492
-
\??\c:\hntnhb.exec:\hntnhb.exe83⤵PID:456
-
\??\c:\tbhbnh.exec:\tbhbnh.exe84⤵PID:2924
-
\??\c:\ddjdp.exec:\ddjdp.exe85⤵PID:3428
-
\??\c:\xrfxlfr.exec:\xrfxlfr.exe86⤵PID:1956
-
\??\c:\3htnnn.exec:\3htnnn.exe87⤵PID:4652
-
\??\c:\djpjp.exec:\djpjp.exe88⤵PID:3272
-
\??\c:\xfffrrr.exec:\xfffrrr.exe89⤵PID:2164
-
\??\c:\1fflxrl.exec:\1fflxrl.exe90⤵PID:724
-
\??\c:\bbhnhb.exec:\bbhnhb.exe91⤵PID:2036
-
\??\c:\pjddj.exec:\pjddj.exe92⤵PID:1200
-
\??\c:\lffrfxr.exec:\lffrfxr.exe93⤵PID:1508
-
\??\c:\9hhhnn.exec:\9hhhnn.exe94⤵PID:1140
-
\??\c:\jvvpd.exec:\jvvpd.exe95⤵PID:2336
-
\??\c:\dvvpd.exec:\dvvpd.exe96⤵PID:1124
-
\??\c:\llfxlfx.exec:\llfxlfx.exe97⤵PID:884
-
\??\c:\nnnbnt.exec:\nnnbnt.exe98⤵PID:644
-
\??\c:\dddvd.exec:\dddvd.exe99⤵PID:1816
-
\??\c:\xxlllll.exec:\xxlllll.exe100⤵PID:4308
-
\??\c:\xxxffxr.exec:\xxxffxr.exe101⤵
- System Location Discovery: System Language Discovery
PID:1160 -
\??\c:\hbbtnh.exec:\hbbtnh.exe102⤵PID:3112
-
\??\c:\vvjpd.exec:\vvjpd.exe103⤵PID:1812
-
\??\c:\jpjpp.exec:\jpjpp.exe104⤵PID:3096
-
\??\c:\1lrlffx.exec:\1lrlffx.exe105⤵PID:3852
-
\??\c:\bbnbhh.exec:\bbnbhh.exe106⤵PID:3480
-
\??\c:\pppjv.exec:\pppjv.exe107⤵PID:3840
-
\??\c:\fffxxrx.exec:\fffxxrx.exe108⤵PID:2008
-
\??\c:\thntbh.exec:\thntbh.exe109⤵PID:2572
-
\??\c:\pvpjd.exec:\pvpjd.exe110⤵PID:1564
-
\??\c:\ffrrrrx.exec:\ffrrrrx.exe111⤵PID:3784
-
\??\c:\hhntbh.exec:\hhntbh.exe112⤵PID:4644
-
\??\c:\pjdvv.exec:\pjdvv.exe113⤵PID:4204
-
\??\c:\ffxxrxr.exec:\ffxxrxr.exe114⤵PID:3672
-
\??\c:\frfxxxr.exec:\frfxxxr.exe115⤵PID:4484
-
\??\c:\bhbhht.exec:\bhbhht.exe116⤵PID:3080
-
\??\c:\djjjv.exec:\djjjv.exe117⤵PID:3656
-
\??\c:\fxfrffx.exec:\fxfrffx.exe118⤵PID:4872
-
\??\c:\hbbttb.exec:\hbbttb.exe119⤵PID:2256
-
\??\c:\djdvp.exec:\djdvp.exe120⤵PID:5000
-
\??\c:\xllfrlf.exec:\xllfrlf.exe121⤵PID:1760
-
\??\c:\btbnbb.exec:\btbnbb.exe122⤵PID:1376
-