Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/01/2025, 09:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
db5b9db31d9ed42f360f157d17c53c7ac34274f3411e622082345222f199475eN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
db5b9db31d9ed42f360f157d17c53c7ac34274f3411e622082345222f199475eN.exe
-
Size
455KB
-
MD5
3e601458a051e0e762149455d3da8e80
-
SHA1
970977da830da4d80ee3fa72d0917b2c88bff33c
-
SHA256
db5b9db31d9ed42f360f157d17c53c7ac34274f3411e622082345222f199475e
-
SHA512
6a6c586762b5888b8792811e674133765fddc4f1468b64bf97caf8daddb0612f57a9a65e8d55b42b49fee1ec56747415c891a88ddfe011b36b242fe789a2629b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4916-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1180-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/612-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2232-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-837-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-1024-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-1299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-1666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 884 rffxrrx.exe 1940 7ntnnt.exe 1708 vpdvp.exe 2348 fxfflll.exe 4484 nbhbbb.exe 3216 jjvvp.exe 2732 hnnnbb.exe 3984 hbntbb.exe 532 lfrrrff.exe 2568 rfflrxf.exe 2796 pdppp.exe 4124 9tbhtn.exe 4368 vpjdj.exe 4724 9vpvv.exe 4556 9btthn.exe 4964 vpddj.exe 516 vvjpv.exe 4168 fxrrxxl.exe 5012 ffrfrrf.exe 2232 jpjpp.exe 1752 hnbbth.exe 3812 jddjj.exe 2100 7thhbb.exe 2812 lrrrrxx.exe 2912 hbbttt.exe 5048 rflfxxx.exe 3916 vvdvp.exe 1180 llrxxfr.exe 4860 ppddj.exe 3252 1thbtt.exe 4612 rfrlfll.exe 4296 3pjjd.exe 4932 thhnhn.exe 4808 9htntt.exe 1144 vvjdd.exe 2376 xxllllr.exe 2188 tbnnnn.exe 3932 ttnnnt.exe 4356 pvdvv.exe 432 fxlfffx.exe 320 hbtntb.exe 4396 3dddd.exe 3340 jjjdv.exe 2248 xrfxrxr.exe 5056 tbtthn.exe 316 jjvvp.exe 2844 ppvjd.exe 1268 3lrrxrr.exe 4648 bnbbtt.exe 612 djvvd.exe 4476 xrfxxfx.exe 696 nthhbh.exe 1888 dpddd.exe 4816 rlffffr.exe 2636 rllfxxx.exe 4424 hbnhhh.exe 4632 jjjdv.exe 1992 fflfflf.exe 3108 fffffff.exe 2180 tttbth.exe 1600 vpddd.exe 4768 xfllrll.exe 2312 5bhhhn.exe 3492 3hhhhn.exe -
resource yara_rule behavioral2/memory/4916-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-165-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3252-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/612-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-392-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1364-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-1024-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-1299-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhht.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4916 wrote to memory of 884 4916 db5b9db31d9ed42f360f157d17c53c7ac34274f3411e622082345222f199475eN.exe 82 PID 4916 wrote to memory of 884 4916 db5b9db31d9ed42f360f157d17c53c7ac34274f3411e622082345222f199475eN.exe 82 PID 4916 wrote to memory of 884 4916 db5b9db31d9ed42f360f157d17c53c7ac34274f3411e622082345222f199475eN.exe 82 PID 884 wrote to memory of 1940 884 rffxrrx.exe 83 PID 884 wrote to memory of 1940 884 rffxrrx.exe 83 PID 884 wrote to memory of 1940 884 rffxrrx.exe 83 PID 1940 wrote to memory of 1708 1940 7ntnnt.exe 84 PID 1940 wrote to memory of 1708 1940 7ntnnt.exe 84 PID 1940 wrote to memory of 1708 1940 7ntnnt.exe 84 PID 1708 wrote to memory of 2348 1708 vpdvp.exe 85 PID 1708 wrote to memory of 2348 1708 vpdvp.exe 85 PID 1708 wrote to memory of 2348 1708 vpdvp.exe 85 PID 2348 wrote to memory of 4484 2348 fxfflll.exe 86 PID 2348 wrote to memory of 4484 2348 fxfflll.exe 86 PID 2348 wrote to memory of 4484 2348 fxfflll.exe 86 PID 4484 wrote to memory of 3216 4484 nbhbbb.exe 87 PID 4484 wrote to memory of 3216 4484 nbhbbb.exe 87 PID 4484 wrote to memory of 3216 4484 nbhbbb.exe 87 PID 3216 wrote to memory of 2732 3216 jjvvp.exe 88 PID 3216 wrote to memory of 2732 3216 jjvvp.exe 88 PID 3216 wrote to memory of 2732 3216 jjvvp.exe 88 PID 2732 wrote to memory of 3984 2732 hnnnbb.exe 89 PID 2732 wrote to memory of 3984 2732 hnnnbb.exe 89 PID 2732 wrote to memory of 3984 2732 hnnnbb.exe 89 PID 3984 wrote to memory of 532 3984 hbntbb.exe 90 PID 3984 wrote to memory of 532 3984 hbntbb.exe 90 PID 3984 wrote to memory of 532 3984 hbntbb.exe 90 PID 532 wrote to memory of 2568 532 lfrrrff.exe 91 PID 532 wrote to memory of 2568 532 lfrrrff.exe 91 PID 532 wrote to memory of 2568 532 lfrrrff.exe 91 PID 2568 wrote to memory of 2796 2568 rfflrxf.exe 92 PID 2568 wrote to memory of 2796 2568 rfflrxf.exe 92 PID 2568 wrote to memory of 2796 2568 rfflrxf.exe 92 PID 2796 wrote to memory of 4124 2796 pdppp.exe 93 PID 2796 wrote to memory of 
4124 2796 pdppp.exe 93 PID 2796 wrote to memory of 4124 2796 pdppp.exe 93 PID 4124 wrote to memory of 4368 4124 9tbhtn.exe 94 PID 4124 wrote to memory of 4368 4124 9tbhtn.exe 94 PID 4124 wrote to memory of 4368 4124 9tbhtn.exe 94 PID 4368 wrote to memory of 4724 4368 vpjdj.exe 95 PID 4368 wrote to memory of 4724 4368 vpjdj.exe 95 PID 4368 wrote to memory of 4724 4368 vpjdj.exe 95 PID 4724 wrote to memory of 4556 4724 9vpvv.exe 96 PID 4724 wrote to memory of 4556 4724 9vpvv.exe 96 PID 4724 wrote to memory of 4556 4724 9vpvv.exe 96 PID 4556 wrote to memory of 4964 4556 9btthn.exe 97 PID 4556 wrote to memory of 4964 4556 9btthn.exe 97 PID 4556 wrote to memory of 4964 4556 9btthn.exe 97 PID 4964 wrote to memory of 516 4964 vpddj.exe 98 PID 4964 wrote to memory of 516 4964 vpddj.exe 98 PID 4964 wrote to memory of 516 4964 vpddj.exe 98 PID 516 wrote to memory of 4168 516 vvjpv.exe 99 PID 516 wrote to memory of 4168 516 vvjpv.exe 99 PID 516 wrote to memory of 4168 516 vvjpv.exe 99 PID 4168 wrote to memory of 5012 4168 fxrrxxl.exe 100 PID 4168 wrote to memory of 5012 4168 fxrrxxl.exe 100 PID 4168 wrote to memory of 5012 4168 fxrrxxl.exe 100 PID 5012 wrote to memory of 2232 5012 ffrfrrf.exe 101 PID 5012 wrote to memory of 2232 5012 ffrfrrf.exe 101 PID 5012 wrote to memory of 2232 5012 ffrfrrf.exe 101 PID 2232 wrote to memory of 1752 2232 jpjpp.exe 102 PID 2232 wrote to memory of 1752 2232 jpjpp.exe 102 PID 2232 wrote to memory of 1752 2232 jpjpp.exe 102 PID 1752 wrote to memory of 3812 1752 hnbbth.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\db5b9db31d9ed42f360f157d17c53c7ac34274f3411e622082345222f199475eN.exe"C:\Users\Admin\AppData\Local\Temp\db5b9db31d9ed42f360f157d17c53c7ac34274f3411e622082345222f199475eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\rffxrrx.exec:\rffxrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\7ntnnt.exec:\7ntnnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\vpdvp.exec:\vpdvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\fxfflll.exec:\fxfflll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\nbhbbb.exec:\nbhbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\jjvvp.exec:\jjvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\hnnnbb.exec:\hnnnbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\hbntbb.exec:\hbntbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\lfrrrff.exec:\lfrrrff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\rfflrxf.exec:\rfflrxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\pdppp.exec:\pdppp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\9tbhtn.exec:\9tbhtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\vpjdj.exec:\vpjdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\9vpvv.exec:\9vpvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\9btthn.exec:\9btthn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\vpddj.exec:\vpddj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\vvjpv.exec:\vvjpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\fxrrxxl.exec:\fxrrxxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\ffrfrrf.exec:\ffrfrrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\jpjpp.exec:\jpjpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\hnbbth.exec:\hnbbth.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\jddjj.exec:\jddjj.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3812 -
\??\c:\7thhbb.exec:\7thhbb.exe24⤵
- Executes dropped EXE
PID:2100 -
\??\c:\lrrrrxx.exec:\lrrrrxx.exe25⤵
- Executes dropped EXE
PID:2812 -
\??\c:\hbbttt.exec:\hbbttt.exe26⤵
- Executes dropped EXE
PID:2912 -
\??\c:\rflfxxx.exec:\rflfxxx.exe27⤵
- Executes dropped EXE
PID:5048 -
\??\c:\vvdvp.exec:\vvdvp.exe28⤵
- Executes dropped EXE
PID:3916 -
\??\c:\llrxxfr.exec:\llrxxfr.exe29⤵
- Executes dropped EXE
PID:1180 -
\??\c:\ppddj.exec:\ppddj.exe30⤵
- Executes dropped EXE
PID:4860 -
\??\c:\1thbtt.exec:\1thbtt.exe31⤵
- Executes dropped EXE
PID:3252 -
\??\c:\rfrlfll.exec:\rfrlfll.exe32⤵
- Executes dropped EXE
PID:4612 -
\??\c:\3pjjd.exec:\3pjjd.exe33⤵
- Executes dropped EXE
PID:4296 -
\??\c:\thhnhn.exec:\thhnhn.exe34⤵
- Executes dropped EXE
PID:4932 -
\??\c:\9htntt.exec:\9htntt.exe35⤵
- Executes dropped EXE
PID:4808 -
\??\c:\vvjdd.exec:\vvjdd.exe36⤵
- Executes dropped EXE
PID:1144 -
\??\c:\xxllllr.exec:\xxllllr.exe37⤵
- Executes dropped EXE
PID:2376 -
\??\c:\tbnnnn.exec:\tbnnnn.exe38⤵
- Executes dropped EXE
PID:2188 -
\??\c:\ttnnnt.exec:\ttnnnt.exe39⤵
- Executes dropped EXE
PID:3932 -
\??\c:\pvdvv.exec:\pvdvv.exe40⤵
- Executes dropped EXE
PID:4356 -
\??\c:\fxlfffx.exec:\fxlfffx.exe41⤵
- Executes dropped EXE
PID:432 -
\??\c:\hbtntb.exec:\hbtntb.exe42⤵
- Executes dropped EXE
PID:320 -
\??\c:\3dddd.exec:\3dddd.exe43⤵
- Executes dropped EXE
PID:4396 -
\??\c:\jjjdv.exec:\jjjdv.exe44⤵
- Executes dropped EXE
PID:3340 -
\??\c:\xrfxrxr.exec:\xrfxrxr.exe45⤵
- Executes dropped EXE
PID:2248 -
\??\c:\tbtthn.exec:\tbtthn.exe46⤵
- Executes dropped EXE
PID:5056 -
\??\c:\jjvvp.exec:\jjvvp.exe47⤵
- Executes dropped EXE
PID:316 -
\??\c:\ppvjd.exec:\ppvjd.exe48⤵
- Executes dropped EXE
PID:2844 -
\??\c:\3lrrxrr.exec:\3lrrxrr.exe49⤵
- Executes dropped EXE
PID:1268 -
\??\c:\bnbbtt.exec:\bnbbtt.exe50⤵
- Executes dropped EXE
PID:4648 -
\??\c:\djvvd.exec:\djvvd.exe51⤵
- Executes dropped EXE
PID:612 -
\??\c:\xrfxxfx.exec:\xrfxxfx.exe52⤵
- Executes dropped EXE
PID:4476 -
\??\c:\nthhbh.exec:\nthhbh.exe53⤵
- Executes dropped EXE
PID:696 -
\??\c:\dpddd.exec:\dpddd.exe54⤵
- Executes dropped EXE
PID:1888 -
\??\c:\rlffffr.exec:\rlffffr.exe55⤵
- Executes dropped EXE
PID:4816 -
\??\c:\rllfxxx.exec:\rllfxxx.exe56⤵
- Executes dropped EXE
PID:2636 -
\??\c:\hbnhhh.exec:\hbnhhh.exe57⤵
- Executes dropped EXE
PID:4424 -
\??\c:\jjjdv.exec:\jjjdv.exe58⤵
- Executes dropped EXE
PID:4632 -
\??\c:\fflfflf.exec:\fflfflf.exe59⤵
- Executes dropped EXE
PID:1992 -
\??\c:\fffffff.exec:\fffffff.exe60⤵
- Executes dropped EXE
PID:3108 -
\??\c:\tttbth.exec:\tttbth.exe61⤵
- Executes dropped EXE
PID:2180 -
\??\c:\vpddd.exec:\vpddd.exe62⤵
- Executes dropped EXE
PID:1600 -
\??\c:\xfllrll.exec:\xfllrll.exe63⤵
- Executes dropped EXE
PID:4768 -
\??\c:\5bhhhn.exec:\5bhhhn.exe64⤵
- Executes dropped EXE
PID:2312 -
\??\c:\3hhhhn.exec:\3hhhhn.exe65⤵
- Executes dropped EXE
PID:3492 -
\??\c:\djvpv.exec:\djvpv.exe66⤵PID:3216
-
\??\c:\ffflrxx.exec:\ffflrxx.exe67⤵PID:3480
-
\??\c:\thhntb.exec:\thhntb.exe68⤵PID:2300
-
\??\c:\tbhhbh.exec:\tbhhbh.exe69⤵PID:228
-
\??\c:\ddjdd.exec:\ddjdd.exe70⤵PID:3984
-
\??\c:\rxrflrf.exec:\rxrflrf.exe71⤵PID:4704
-
\??\c:\hthhnn.exec:\hthhnn.exe72⤵PID:1208
-
\??\c:\jpdjj.exec:\jpdjj.exe73⤵PID:4852
-
\??\c:\xflllll.exec:\xflllll.exe74⤵PID:1340
-
\??\c:\5lllfff.exec:\5lllfff.exe75⤵PID:3892
-
\??\c:\1hhhbh.exec:\1hhhbh.exe76⤵PID:2288
-
\??\c:\7djdp.exec:\7djdp.exe77⤵PID:4368
-
\??\c:\1xfffll.exec:\1xfffll.exe78⤵PID:2876
-
\??\c:\bhttnn.exec:\bhttnn.exe79⤵PID:3936
-
\??\c:\dvdvv.exec:\dvdvv.exe80⤵PID:2688
-
\??\c:\pvppv.exec:\pvppv.exe81⤵PID:4964
-
\??\c:\rlxxlrl.exec:\rlxxlrl.exe82⤵PID:4024
-
\??\c:\hhnnhh.exec:\hhnnhh.exe83⤵PID:5088
-
\??\c:\vpddv.exec:\vpddv.exe84⤵PID:2540
-
\??\c:\vjvpp.exec:\vjvpp.exe85⤵PID:8
-
\??\c:\fxffxff.exec:\fxffxff.exe86⤵PID:1028
-
\??\c:\bhbbnn.exec:\bhbbnn.exe87⤵PID:2232
-
\??\c:\3ddvp.exec:\3ddvp.exe88⤵PID:4580
-
\??\c:\pjddd.exec:\pjddd.exe89⤵PID:1620
-
\??\c:\lxlfxff.exec:\lxlfxff.exe90⤵PID:4968
-
\??\c:\thtbbn.exec:\thtbbn.exe91⤵PID:2260
-
\??\c:\ppddj.exec:\ppddj.exe92⤵PID:2956
-
\??\c:\vvjdd.exec:\vvjdd.exe93⤵PID:1148
-
\??\c:\9fxffff.exec:\9fxffff.exe94⤵PID:872
-
\??\c:\tbhbtt.exec:\tbhbtt.exe95⤵PID:4408
-
\??\c:\1jvpd.exec:\1jvpd.exe96⤵PID:1364
-
\??\c:\lfrrlll.exec:\lfrrlll.exe97⤵PID:4868
-
\??\c:\nbnnnn.exec:\nbnnnn.exe98⤵PID:3508
-
\??\c:\pjjjj.exec:\pjjjj.exe99⤵PID:1236
-
\??\c:\ppvjj.exec:\ppvjj.exe100⤵PID:708
-
\??\c:\1lxxrxr.exec:\1lxxrxr.exe101⤵PID:4296
-
\??\c:\bttttb.exec:\bttttb.exe102⤵PID:4932
-
\??\c:\9bnhhh.exec:\9bnhhh.exe103⤵PID:4808
-
\??\c:\dvjdv.exec:\dvjdv.exe104⤵PID:4792
-
\??\c:\1fxrlll.exec:\1fxrlll.exe105⤵PID:2360
-
\??\c:\btbttt.exec:\btbttt.exe106⤵PID:2164
-
\??\c:\hthhhn.exec:\hthhhn.exe107⤵PID:3932
-
\??\c:\ppddp.exec:\ppddp.exe108⤵PID:4356
-
\??\c:\ppddp.exec:\ppddp.exe109⤵PID:2276
-
\??\c:\fxffxxx.exec:\fxffxxx.exe110⤵PID:3220
-
\??\c:\hbtttt.exec:\hbtttt.exe111⤵PID:3304
-
\??\c:\ddvpv.exec:\ddvpv.exe112⤵PID:1696
-
\??\c:\7jvvv.exec:\7jvvv.exe113⤵PID:3012
-
\??\c:\lrxxrxx.exec:\lrxxrxx.exe114⤵PID:4324
-
\??\c:\hnbttt.exec:\hnbttt.exe115⤵PID:4432
-
\??\c:\jdppp.exec:\jdppp.exe116⤵PID:3448
-
\??\c:\ppvpp.exec:\ppvpp.exe117⤵PID:4844
-
\??\c:\lfrrlrx.exec:\lfrrlrx.exe118⤵PID:2220
-
\??\c:\rxrllll.exec:\rxrllll.exe119⤵PID:1532
-
\??\c:\bnhhhh.exec:\bnhhhh.exe120⤵PID:612
-
\??\c:\5pjjd.exec:\5pjjd.exe121⤵PID:4476
-
\??\c:\jdvpp.exec:\jdvpp.exe122⤵PID:3684
-