Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
24-12-2024 00:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe
-
Size
453KB
-
MD5
40c8bde846d9ee11883b0e5098d0473f
-
SHA1
efc765918ed5d2c78f0dcf0d7b59cad7d86f7337
-
SHA256
af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00
-
SHA512
f16d0d791938bf77e66b1f52417e83b809c22319d74f0ee465616734e7e521e2af6f684a015957bdec42e38cdc790ec281d606ae4ebccb91ced8252c5a663fff
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3496-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4748-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2216-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-1037-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2908 pvjjp.exe 3004 dpppj.exe 4564 llrfrfl.exe 5044 tbhttn.exe 1688 bnbnbt.exe 4372 lllffxr.exe 4900 lrxlxlx.exe 2948 jvjjd.exe 3360 hntnnh.exe 1056 lrrrlrr.exe 4712 tttnnn.exe 4148 7dpjd.exe 1220 xllfffx.exe 4156 ntnbth.exe 3416 pjpjj.exe 3000 rrlfxxr.exe 4572 tthbtt.exe 620 rlxfllf.exe 896 vjdvv.exe 5036 tbbhbh.exe 3404 ffxxrrl.exe 2084 5thbbn.exe 1808 vvddd.exe 2784 rxfllrr.exe 2092 xrxrrrr.exe 960 xffxrrl.exe 4748 xllrrxf.exe 4544 ppvvv.exe 4036 rrllllr.exe 5080 rllllrl.exe 2736 tnbhnt.exe 3084 htnnhh.exe 1576 pdppp.exe 1484 9xxxxff.exe 3064 dvppp.exe 4928 ntthnn.exe 4256 djjjj.exe 1692 7fxrrxr.exe 3432 xfllffr.exe 3700 bbhttb.exe 1328 ddppp.exe 3608 hhhbnn.exe 720 vjddp.exe 4028 7jfxf.exe 444 3llflll.exe 2292 nntttt.exe 2900 ddddd.exe 1984 5jvvv.exe 1668 flfffff.exe 4392 1ttnhh.exe 1796 vddvd.exe 1340 ddvpv.exe 2764 lfrrlxr.exe 3584 bhhhhh.exe 4564 pvdvj.exe 2232 xfxxfll.exe 372 hbbhhh.exe 828 djvpp.exe 4960 djddv.exe 3152 bnnntn.exe 2924 jppjj.exe 2176 jpvvv.exe 4444 3frxxxr.exe 3812 5hhhnt.exe -
resource yara_rule behavioral2/memory/3496-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5080-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2636-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-771-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3496 wrote to memory of 2908 3496 af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe 83 PID 3496 wrote to memory of 2908 3496 af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe 83 PID 3496 wrote to memory of 2908 3496 af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe 83 PID 2908 wrote to memory of 3004 2908 pvjjp.exe 84 PID 2908 wrote to memory of 3004 2908 pvjjp.exe 84 PID 2908 wrote to memory of 3004 2908 pvjjp.exe 84 PID 3004 wrote to memory of 4564 3004 dpppj.exe 85 PID 3004 wrote to memory of 4564 3004 dpppj.exe 85 PID 3004 wrote to memory of 4564 3004 dpppj.exe 85 PID 4564 wrote to memory of 5044 4564 llrfrfl.exe 86 PID 4564 wrote to memory of 5044 4564 llrfrfl.exe 86 PID 4564 wrote to memory of 5044 4564 llrfrfl.exe 86 PID 5044 wrote to memory of 1688 5044 tbhttn.exe 87 PID 5044 wrote to memory of 1688 5044 tbhttn.exe 87 PID 5044 wrote to memory of 1688 5044 tbhttn.exe 87 PID 1688 wrote to memory of 4372 1688 bnbnbt.exe 88 PID 1688 wrote to memory of 4372 1688 bnbnbt.exe 88 PID 1688 wrote to memory of 4372 1688 bnbnbt.exe 88 PID 4372 wrote to memory of 4900 4372 lllffxr.exe 89 PID 4372 wrote to memory of 4900 4372 lllffxr.exe 89 PID 4372 wrote to memory of 4900 4372 lllffxr.exe 89 PID 4900 wrote to memory of 2948 4900 lrxlxlx.exe 90 PID 4900 wrote to memory of 2948 4900 lrxlxlx.exe 90 PID 4900 wrote to memory of 2948 4900 lrxlxlx.exe 90 PID 2948 wrote to memory of 3360 2948 jvjjd.exe 91 PID 2948 wrote to memory of 3360 2948 jvjjd.exe 91 PID 2948 wrote to memory of 3360 2948 jvjjd.exe 91 PID 3360 wrote to memory of 1056 3360 hntnnh.exe 92 PID 3360 wrote to memory of 1056 3360 hntnnh.exe 92 PID 3360 wrote to memory of 1056 3360 hntnnh.exe 92 PID 1056 wrote to memory of 4712 1056 lrrrlrr.exe 93 PID 1056 wrote to memory of 4712 1056 lrrrlrr.exe 93 PID 1056 wrote to memory of 4712 1056 lrrrlrr.exe 93 PID 4712 wrote to memory of 4148 4712 tttnnn.exe 94 PID 4712 wrote 
to memory of 4148 4712 tttnnn.exe 94 PID 4712 wrote to memory of 4148 4712 tttnnn.exe 94 PID 4148 wrote to memory of 1220 4148 7dpjd.exe 95 PID 4148 wrote to memory of 1220 4148 7dpjd.exe 95 PID 4148 wrote to memory of 1220 4148 7dpjd.exe 95 PID 1220 wrote to memory of 4156 1220 xllfffx.exe 96 PID 1220 wrote to memory of 4156 1220 xllfffx.exe 96 PID 1220 wrote to memory of 4156 1220 xllfffx.exe 96 PID 4156 wrote to memory of 3416 4156 ntnbth.exe 97 PID 4156 wrote to memory of 3416 4156 ntnbth.exe 97 PID 4156 wrote to memory of 3416 4156 ntnbth.exe 97 PID 3416 wrote to memory of 3000 3416 pjpjj.exe 98 PID 3416 wrote to memory of 3000 3416 pjpjj.exe 98 PID 3416 wrote to memory of 3000 3416 pjpjj.exe 98 PID 3000 wrote to memory of 4572 3000 rrlfxxr.exe 99 PID 3000 wrote to memory of 4572 3000 rrlfxxr.exe 99 PID 3000 wrote to memory of 4572 3000 rrlfxxr.exe 99 PID 4572 wrote to memory of 620 4572 tthbtt.exe 100 PID 4572 wrote to memory of 620 4572 tthbtt.exe 100 PID 4572 wrote to memory of 620 4572 tthbtt.exe 100 PID 620 wrote to memory of 896 620 rlxfllf.exe 101 PID 620 wrote to memory of 896 620 rlxfllf.exe 101 PID 620 wrote to memory of 896 620 rlxfllf.exe 101 PID 896 wrote to memory of 5036 896 vjdvv.exe 102 PID 896 wrote to memory of 5036 896 vjdvv.exe 102 PID 896 wrote to memory of 5036 896 vjdvv.exe 102 PID 5036 wrote to memory of 3404 5036 tbbhbh.exe 103 PID 5036 wrote to memory of 3404 5036 tbbhbh.exe 103 PID 5036 wrote to memory of 3404 5036 tbbhbh.exe 103 PID 3404 wrote to memory of 2084 3404 ffxxrrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe"C:\Users\Admin\AppData\Local\Temp\af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\pvjjp.exec:\pvjjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\dpppj.exec:\dpppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\llrfrfl.exec:\llrfrfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\tbhttn.exec:\tbhttn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\bnbnbt.exec:\bnbnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\lllffxr.exec:\lllffxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\lrxlxlx.exec:\lrxlxlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\jvjjd.exec:\jvjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\hntnnh.exec:\hntnnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\lrrrlrr.exec:\lrrrlrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\tttnnn.exec:\tttnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\7dpjd.exec:\7dpjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\xllfffx.exec:\xllfffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\ntnbth.exec:\ntnbth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\pjpjj.exec:\pjpjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\rrlfxxr.exec:\rrlfxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\tthbtt.exec:\tthbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\rlxfllf.exec:\rlxfllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\vjdvv.exec:\vjdvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
\??\c:\tbbhbh.exec:\tbbhbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\ffxxrrl.exec:\ffxxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\5thbbn.exec:\5thbbn.exe23⤵
- Executes dropped EXE
PID:2084 -
\??\c:\vvddd.exec:\vvddd.exe24⤵
- Executes dropped EXE
PID:1808 -
\??\c:\rxfllrr.exec:\rxfllrr.exe25⤵
- Executes dropped EXE
PID:2784 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe26⤵
- Executes dropped EXE
PID:2092 -
\??\c:\xffxrrl.exec:\xffxrrl.exe27⤵
- Executes dropped EXE
PID:960 -
\??\c:\xllrrxf.exec:\xllrrxf.exe28⤵
- Executes dropped EXE
PID:4748 -
\??\c:\ppvvv.exec:\ppvvv.exe29⤵
- Executes dropped EXE
PID:4544 -
\??\c:\rrllllr.exec:\rrllllr.exe30⤵
- Executes dropped EXE
PID:4036 -
\??\c:\rllllrl.exec:\rllllrl.exe31⤵
- Executes dropped EXE
PID:5080 -
\??\c:\tnbhnt.exec:\tnbhnt.exe32⤵
- Executes dropped EXE
PID:2736 -
\??\c:\htnnhh.exec:\htnnhh.exe33⤵
- Executes dropped EXE
PID:3084 -
\??\c:\pdppp.exec:\pdppp.exe34⤵
- Executes dropped EXE
PID:1576 -
\??\c:\9xxxxff.exec:\9xxxxff.exe35⤵
- Executes dropped EXE
PID:1484 -
\??\c:\dvppp.exec:\dvppp.exe36⤵
- Executes dropped EXE
PID:3064 -
\??\c:\ntthnn.exec:\ntthnn.exe37⤵
- Executes dropped EXE
PID:4928 -
\??\c:\djjjj.exec:\djjjj.exe38⤵
- Executes dropped EXE
PID:4256 -
\??\c:\7fxrrxr.exec:\7fxrrxr.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692 -
\??\c:\xfllffr.exec:\xfllffr.exe40⤵
- Executes dropped EXE
PID:3432 -
\??\c:\bbhttb.exec:\bbhttb.exe41⤵
- Executes dropped EXE
PID:3700 -
\??\c:\ddppp.exec:\ddppp.exe42⤵
- Executes dropped EXE
PID:1328 -
\??\c:\hhhbnn.exec:\hhhbnn.exe43⤵
- Executes dropped EXE
PID:3608 -
\??\c:\vjddp.exec:\vjddp.exe44⤵
- Executes dropped EXE
PID:720 -
\??\c:\7jfxf.exec:\7jfxf.exe45⤵
- Executes dropped EXE
PID:4028 -
\??\c:\3llflll.exec:\3llflll.exe46⤵
- Executes dropped EXE
PID:444 -
\??\c:\nntttt.exec:\nntttt.exe47⤵
- Executes dropped EXE
PID:2292 -
\??\c:\ddddd.exec:\ddddd.exe48⤵
- Executes dropped EXE
PID:2900 -
\??\c:\5jvvv.exec:\5jvvv.exe49⤵
- Executes dropped EXE
PID:1984 -
\??\c:\flfffff.exec:\flfffff.exe50⤵
- Executes dropped EXE
PID:1668 -
\??\c:\1ttnhh.exec:\1ttnhh.exe51⤵
- Executes dropped EXE
PID:4392 -
\??\c:\vddvd.exec:\vddvd.exe52⤵
- Executes dropped EXE
PID:1796 -
\??\c:\ddvpv.exec:\ddvpv.exe53⤵
- Executes dropped EXE
PID:1340 -
\??\c:\lfrrlxr.exec:\lfrrlxr.exe54⤵
- Executes dropped EXE
PID:2764 -
\??\c:\bhhhhh.exec:\bhhhhh.exe55⤵
- Executes dropped EXE
PID:3584 -
\??\c:\pvdvj.exec:\pvdvj.exe56⤵
- Executes dropped EXE
PID:4564 -
\??\c:\xfxxfll.exec:\xfxxfll.exe57⤵
- Executes dropped EXE
PID:2232 -
\??\c:\hbbhhh.exec:\hbbhhh.exe58⤵
- Executes dropped EXE
PID:372 -
\??\c:\djvpp.exec:\djvpp.exe59⤵
- Executes dropped EXE
PID:828 -
\??\c:\djddv.exec:\djddv.exe60⤵
- Executes dropped EXE
PID:4960 -
\??\c:\bnnntn.exec:\bnnntn.exe61⤵
- Executes dropped EXE
PID:3152 -
\??\c:\jppjj.exec:\jppjj.exe62⤵
- Executes dropped EXE
PID:2924 -
\??\c:\jpvvv.exec:\jpvvv.exe63⤵
- Executes dropped EXE
PID:2176 -
\??\c:\3frxxxr.exec:\3frxxxr.exe64⤵
- Executes dropped EXE
PID:4444 -
\??\c:\5hhhnt.exec:\5hhhnt.exe65⤵
- Executes dropped EXE
PID:3812 -
\??\c:\jjpjp.exec:\jjpjp.exe66⤵PID:3464
-
\??\c:\fxxrfxx.exec:\fxxrfxx.exe67⤵PID:3908
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe68⤵PID:2352
-
\??\c:\nnhbnn.exec:\nnhbnn.exe69⤵PID:3272
-
\??\c:\jpdjd.exec:\jpdjd.exe70⤵PID:1072
-
\??\c:\rxfxfxf.exec:\rxfxfxf.exe71⤵PID:4124
-
\??\c:\bbttnn.exec:\bbttnn.exe72⤵PID:4964
-
\??\c:\9jpjd.exec:\9jpjd.exe73⤵PID:1820
-
\??\c:\xrxllfx.exec:\xrxllfx.exe74⤵PID:4876
-
\??\c:\tnthbt.exec:\tnthbt.exe75⤵PID:4476
-
\??\c:\vvvvp.exec:\vvvvp.exe76⤵PID:2608
-
\??\c:\pdvjv.exec:\pdvjv.exe77⤵PID:620
-
\??\c:\rrxrrll.exec:\rrxrrll.exe78⤵PID:2216
-
\??\c:\hbnntb.exec:\hbnntb.exe79⤵PID:4348
-
\??\c:\3vdvv.exec:\3vdvv.exe80⤵PID:3044
-
\??\c:\xflrrxx.exec:\xflrrxx.exe81⤵PID:2540
-
\??\c:\ttttnn.exec:\ttttnn.exe82⤵PID:5016
-
\??\c:\ddddd.exec:\ddddd.exe83⤵PID:3016
-
\??\c:\vpjvv.exec:\vpjvv.exe84⤵PID:2128
-
\??\c:\hnhthb.exec:\hnhthb.exe85⤵PID:5056
-
\??\c:\djpdp.exec:\djpdp.exe86⤵PID:3104
-
\??\c:\1xrxlrr.exec:\1xrxlrr.exe87⤵PID:4528
-
\??\c:\9nhnnt.exec:\9nhnnt.exe88⤵PID:1892
-
\??\c:\vjjjd.exec:\vjjjd.exe89⤵PID:4752
-
\??\c:\pvvpp.exec:\pvvpp.exe90⤵PID:2748
-
\??\c:\llrrrrr.exec:\llrrrrr.exe91⤵PID:716
-
\??\c:\hhnhbb.exec:\hhnhbb.exe92⤵
- System Location Discovery: System Language Discovery
PID:4772 -
\??\c:\bnbbhn.exec:\bnbbhn.exe93⤵PID:2636
-
\??\c:\3jdjj.exec:\3jdjj.exe94⤵PID:1028
-
\??\c:\llrlllf.exec:\llrlllf.exe95⤵PID:2140
-
\??\c:\5tnnnt.exec:\5tnnnt.exe96⤵PID:1508
-
\??\c:\jjvdd.exec:\jjvdd.exe97⤵PID:4580
-
\??\c:\llxrlrl.exec:\llxrlrl.exe98⤵PID:1952
-
\??\c:\rxxxffl.exec:\rxxxffl.exe99⤵PID:4812
-
\??\c:\hntbnt.exec:\hntbnt.exe100⤵PID:3512
-
\??\c:\jpddd.exec:\jpddd.exe101⤵PID:2400
-
\??\c:\llfxrrl.exec:\llfxrrl.exe102⤵PID:2028
-
\??\c:\lfrrxll.exec:\lfrrxll.exe103⤵PID:700
-
\??\c:\bttttt.exec:\bttttt.exe104⤵PID:3516
-
\??\c:\vpvvv.exec:\vpvvv.exe105⤵PID:4708
-
\??\c:\3rllffx.exec:\3rllffx.exe106⤵PID:64
-
\??\c:\rxxxxff.exec:\rxxxxff.exe107⤵PID:3164
-
\??\c:\hhhhbh.exec:\hhhhbh.exe108⤵PID:2384
-
\??\c:\bnnnbh.exec:\bnnnbh.exe109⤵PID:1920
-
\??\c:\pjvpv.exec:\pjvpv.exe110⤵PID:2284
-
\??\c:\xrxrrrf.exec:\xrxrrrf.exe111⤵PID:4892
-
\??\c:\hnbthh.exec:\hnbthh.exe112⤵PID:4400
-
\??\c:\pjpjd.exec:\pjpjd.exe113⤵
- System Location Discovery: System Language Discovery
PID:2760 -
\??\c:\1ffxxfx.exec:\1ffxxfx.exe114⤵PID:4492
-
\??\c:\tttnnt.exec:\tttnnt.exe115⤵PID:1796
-
\??\c:\jdjjd.exec:\jdjjd.exe116⤵PID:804
-
\??\c:\lrrlllf.exec:\lrrlllf.exe117⤵PID:3636
-
\??\c:\1thbbb.exec:\1thbbb.exe118⤵PID:4412
-
\??\c:\hnhhnh.exec:\hnhhnh.exe119⤵PID:3528
-
\??\c:\pjddv.exec:\pjddv.exe120⤵PID:632
-
\??\c:\ffllfff.exec:\ffllfff.exe121⤵PID:2732
-
\??\c:\bhhbbh.exec:\bhhbbh.exe122⤵PID:4372