Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2024 23:22
Behavioral task
behavioral1
Sample
afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe
-
Size
331KB
-
MD5
96031a5075425b53c9d1415d84b814f0
-
SHA1
76493bceccac7ac815d45fc06725abf36b47e276
-
SHA256
afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0
-
SHA512
b4d0e84e624bc054d3763aa18f622e973aae9edaf77700e02e0b1cb0fa484fe862f6e421f2ef11ed1d0134f431713e5c8e37a5f030a1502de4bdf1695cfffab7
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeU:R4wFHoSHYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1816-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2872-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2824-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2812-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1020-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2272-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2044-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4124-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3068-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/856-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3296-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1016-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2492-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4852-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/964-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3232-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5112-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1676-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4424-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3544-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/368-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2952-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3104-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4128-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4908-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3188-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5024-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3280-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1004-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2652-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3336-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-494-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-587-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3300-670-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2792-941-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-962-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2136-1067-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1816 btthtn.exe 3548 7jdvp.exe 2872 djjvj.exe 4456 ffxxrlf.exe 4076 hhtnbt.exe 1580 dpvpd.exe 2824 dvdpj.exe 2164 frlxrfx.exe 2812 pjpjj.exe 3688 dvdvj.exe 1020 rflfrlx.exe 2272 nbhbbb.exe 2044 nnhbhh.exe 4924 nhnbtn.exe 1612 bbttnn.exe 2408 vpdvp.exe 4124 frlxrrf.exe 2024 1vpjj.exe 3980 1xxrlrl.exe 3068 jdpdj.exe 5004 vpvpd.exe 856 rrrlfxr.exe 3296 rrxrxxf.exe 1952 dpvdp.exe 1420 xrfxllf.exe 4964 3tnhnh.exe 2280 vjpdv.exe 4040 xlfxffx.exe 4400 tbhbnn.exe 2340 fxxxllf.exe 1016 btbthb.exe 2492 3jvjp.exe 4852 frrfrrl.exe 4444 9pdvv.exe 2736 jpvvv.exe 2420 ffxxfxl.exe 1860 lxxlxlf.exe 964 hnbnhb.exe 4556 9vppd.exe 3232 djjpd.exe 4992 fllxlfr.exe 5112 nthtnh.exe 1924 rflffff.exe 872 7tbbhn.exe 1676 jvdvv.exe 4876 rflxxfr.exe 4916 rlrllff.exe 4424 tbhhbb.exe 4316 vvdvj.exe 5080 xrrlxrr.exe 3672 bnnhhh.exe 3544 ddjvv.exe 368 3pjvp.exe 2952 flxlxrf.exe 4456 bhnbnn.exe 3104 vjjvp.exe 4900 rffrfrl.exe 3080 bntnnb.exe 540 hhbthh.exe 3568 jjvjd.exe 4128 9lfxlrf.exe 1996 xffxxxr.exe 2812 hbhbhh.exe 1984 dvjdp.exe -
resource yara_rule behavioral2/memory/4408-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b23-3.dat upx behavioral2/memory/1816-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b84-9.dat upx behavioral2/files/0x000a000000023b85-11.dat upx behavioral2/memory/2872-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3548-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4408-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4456-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-30.dat upx behavioral2/memory/1580-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-34.dat upx behavioral2/memory/4076-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-25.dat upx behavioral2/files/0x000a000000023b86-20.dat upx behavioral2/files/0x000a000000023b8a-38.dat upx behavioral2/memory/2824-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-43.dat upx behavioral2/memory/2812-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-50.dat upx behavioral2/memory/2812-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1020-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-60.dat upx behavioral2/memory/2272-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-66.dat upx behavioral2/memory/3688-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-55.dat upx behavioral2/memory/2164-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-70.dat upx behavioral2/memory/2044-69-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b92-74.dat upx behavioral2/files/0x000a000000023b93-78.dat upx behavioral2/memory/2408-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-83.dat upx behavioral2/files/0x000b000000023b82-88.dat upx behavioral2/memory/4124-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-93.dat upx behavioral2/memory/2024-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-98.dat upx behavioral2/memory/3980-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-102.dat upx behavioral2/memory/5004-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3068-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-107.dat upx behavioral2/files/0x000b000000023b9a-113.dat upx behavioral2/memory/856-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3296-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b9b-118.dat upx behavioral2/files/0x000b000000023b9c-122.dat upx behavioral2/files/0x000a000000023ba4-126.dat upx behavioral2/memory/4964-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bab-131.dat upx behavioral2/files/0x0008000000023bb4-135.dat upx behavioral2/files/0x0009000000023bb9-139.dat upx behavioral2/memory/4040-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bba-144.dat upx behavioral2/files/0x0009000000023bbb-148.dat upx behavioral2/files/0x000e000000023bbf-151.dat upx behavioral2/memory/1016-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2492-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4852-160-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1860-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/964-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4556-175-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4408 wrote to memory of 1816 4408 afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe 83 PID 4408 wrote to memory of 1816 4408 afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe 83 PID 4408 wrote to memory of 1816 4408 afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe 83 PID 1816 wrote to memory of 3548 1816 btthtn.exe 84 PID 1816 wrote to memory of 3548 1816 btthtn.exe 84 PID 1816 wrote to memory of 3548 1816 btthtn.exe 84 PID 3548 wrote to memory of 2872 3548 7jdvp.exe 85 PID 3548 wrote to memory of 2872 3548 7jdvp.exe 85 PID 3548 wrote to memory of 2872 3548 7jdvp.exe 85 PID 2872 wrote to memory of 4456 2872 djjvj.exe 86 PID 2872 wrote to memory of 4456 2872 djjvj.exe 86 PID 2872 wrote to memory of 4456 2872 djjvj.exe 86 PID 4456 wrote to memory of 4076 4456 ffxxrlf.exe 87 PID 4456 wrote to memory of 4076 4456 ffxxrlf.exe 87 PID 4456 wrote to memory of 4076 4456 ffxxrlf.exe 87 PID 4076 wrote to memory of 1580 4076 hhtnbt.exe 88 PID 4076 wrote to memory of 1580 4076 hhtnbt.exe 88 PID 4076 wrote to memory of 1580 4076 hhtnbt.exe 88 PID 1580 wrote to memory of 2824 1580 dpvpd.exe 89 PID 1580 wrote to memory of 2824 1580 dpvpd.exe 89 PID 1580 wrote to memory of 2824 1580 dpvpd.exe 89 PID 2824 wrote to memory of 2164 2824 dvdpj.exe 90 PID 2824 wrote to memory of 2164 2824 dvdpj.exe 90 PID 2824 wrote to memory of 2164 2824 dvdpj.exe 90 PID 2164 wrote to memory of 2812 2164 frlxrfx.exe 91 PID 2164 wrote to memory of 2812 2164 frlxrfx.exe 91 PID 2164 wrote to memory of 2812 2164 frlxrfx.exe 91 PID 2812 wrote to memory of 3688 2812 pjpjj.exe 92 PID 2812 wrote to memory of 3688 2812 pjpjj.exe 92 PID 2812 wrote to memory of 3688 2812 pjpjj.exe 92 PID 3688 wrote to memory of 1020 3688 dvdvj.exe 93 PID 3688 wrote to memory of 1020 3688 dvdvj.exe 93 PID 3688 wrote to memory of 1020 3688 dvdvj.exe 93 PID 1020 wrote to memory of 2272 1020 rflfrlx.exe 94 PID 1020 wrote to memory of 
2272 1020 rflfrlx.exe 94 PID 1020 wrote to memory of 2272 1020 rflfrlx.exe 94 PID 2272 wrote to memory of 2044 2272 nbhbbb.exe 95 PID 2272 wrote to memory of 2044 2272 nbhbbb.exe 95 PID 2272 wrote to memory of 2044 2272 nbhbbb.exe 95 PID 2044 wrote to memory of 4924 2044 nnhbhh.exe 96 PID 2044 wrote to memory of 4924 2044 nnhbhh.exe 96 PID 2044 wrote to memory of 4924 2044 nnhbhh.exe 96 PID 4924 wrote to memory of 1612 4924 nhnbtn.exe 97 PID 4924 wrote to memory of 1612 4924 nhnbtn.exe 97 PID 4924 wrote to memory of 1612 4924 nhnbtn.exe 97 PID 1612 wrote to memory of 2408 1612 bbttnn.exe 98 PID 1612 wrote to memory of 2408 1612 bbttnn.exe 98 PID 1612 wrote to memory of 2408 1612 bbttnn.exe 98 PID 2408 wrote to memory of 4124 2408 vpdvp.exe 99 PID 2408 wrote to memory of 4124 2408 vpdvp.exe 99 PID 2408 wrote to memory of 4124 2408 vpdvp.exe 99 PID 4124 wrote to memory of 2024 4124 frlxrrf.exe 100 PID 4124 wrote to memory of 2024 4124 frlxrrf.exe 100 PID 4124 wrote to memory of 2024 4124 frlxrrf.exe 100 PID 2024 wrote to memory of 3980 2024 1vpjj.exe 101 PID 2024 wrote to memory of 3980 2024 1vpjj.exe 101 PID 2024 wrote to memory of 3980 2024 1vpjj.exe 101 PID 3980 wrote to memory of 3068 3980 1xxrlrl.exe 102 PID 3980 wrote to memory of 3068 3980 1xxrlrl.exe 102 PID 3980 wrote to memory of 3068 3980 1xxrlrl.exe 102 PID 3068 wrote to memory of 5004 3068 jdpdj.exe 103 PID 3068 wrote to memory of 5004 3068 jdpdj.exe 103 PID 3068 wrote to memory of 5004 3068 jdpdj.exe 103 PID 5004 wrote to memory of 856 5004 vpvpd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe"C:\Users\Admin\AppData\Local\Temp\afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\btthtn.exec:\btthtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\7jdvp.exec:\7jdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\djjvj.exec:\djjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\ffxxrlf.exec:\ffxxrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\hhtnbt.exec:\hhtnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\dpvpd.exec:\dpvpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\dvdpj.exec:\dvdpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\frlxrfx.exec:\frlxrfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\pjpjj.exec:\pjpjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\dvdvj.exec:\dvdvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\rflfrlx.exec:\rflfrlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\nbhbbb.exec:\nbhbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\nnhbhh.exec:\nnhbhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\nhnbtn.exec:\nhnbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\bbttnn.exec:\bbttnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\vpdvp.exec:\vpdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\frlxrrf.exec:\frlxrrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\1vpjj.exec:\1vpjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\1xxrlrl.exec:\1xxrlrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\jdpdj.exec:\jdpdj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\vpvpd.exec:\vpvpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe23⤵
- Executes dropped EXE
PID:856 -
\??\c:\rrxrxxf.exec:\rrxrxxf.exe24⤵
- Executes dropped EXE
PID:3296 -
\??\c:\dpvdp.exec:\dpvdp.exe25⤵
- Executes dropped EXE
PID:1952 -
\??\c:\xrfxllf.exec:\xrfxllf.exe26⤵
- Executes dropped EXE
PID:1420 -
\??\c:\3tnhnh.exec:\3tnhnh.exe27⤵
- Executes dropped EXE
PID:4964 -
\??\c:\vjpdv.exec:\vjpdv.exe28⤵
- Executes dropped EXE
PID:2280 -
\??\c:\xlfxffx.exec:\xlfxffx.exe29⤵
- Executes dropped EXE
PID:4040 -
\??\c:\tbhbnn.exec:\tbhbnn.exe30⤵
- Executes dropped EXE
PID:4400 -
\??\c:\fxxxllf.exec:\fxxxllf.exe31⤵
- Executes dropped EXE
PID:2340 -
\??\c:\btbthb.exec:\btbthb.exe32⤵
- Executes dropped EXE
PID:1016 -
\??\c:\3jvjp.exec:\3jvjp.exe33⤵
- Executes dropped EXE
PID:2492 -
\??\c:\frrfrrl.exec:\frrfrrl.exe34⤵
- Executes dropped EXE
PID:4852 -
\??\c:\9pdvv.exec:\9pdvv.exe35⤵
- Executes dropped EXE
PID:4444 -
\??\c:\jpvvv.exec:\jpvvv.exe36⤵
- Executes dropped EXE
PID:2736 -
\??\c:\ffxxfxl.exec:\ffxxfxl.exe37⤵
- Executes dropped EXE
PID:2420 -
\??\c:\lxxlxlf.exec:\lxxlxlf.exe38⤵
- Executes dropped EXE
PID:1860 -
\??\c:\hnbnhb.exec:\hnbnhb.exe39⤵
- Executes dropped EXE
PID:964 -
\??\c:\9vppd.exec:\9vppd.exe40⤵
- Executes dropped EXE
PID:4556 -
\??\c:\djjpd.exec:\djjpd.exe41⤵
- Executes dropped EXE
PID:3232 -
\??\c:\fllxlfr.exec:\fllxlfr.exe42⤵
- Executes dropped EXE
PID:4992 -
\??\c:\nthtnh.exec:\nthtnh.exe43⤵
- Executes dropped EXE
PID:5112 -
\??\c:\rflffff.exec:\rflffff.exe44⤵
- Executes dropped EXE
PID:1924 -
\??\c:\7tbbhn.exec:\7tbbhn.exe45⤵
- Executes dropped EXE
PID:872 -
\??\c:\jvdvv.exec:\jvdvv.exe46⤵
- Executes dropped EXE
PID:1676 -
\??\c:\rflxxfr.exec:\rflxxfr.exe47⤵
- Executes dropped EXE
PID:4876 -
\??\c:\rlrllff.exec:\rlrllff.exe48⤵
- Executes dropped EXE
PID:4916 -
\??\c:\tbhhbb.exec:\tbhhbb.exe49⤵
- Executes dropped EXE
PID:4424 -
\??\c:\vvdvj.exec:\vvdvj.exe50⤵
- Executes dropped EXE
PID:4316 -
\??\c:\xrrlxrr.exec:\xrrlxrr.exe51⤵
- Executes dropped EXE
PID:5080 -
\??\c:\bnnhhh.exec:\bnnhhh.exe52⤵
- Executes dropped EXE
PID:3672 -
\??\c:\ddjvv.exec:\ddjvv.exe53⤵
- Executes dropped EXE
PID:3544 -
\??\c:\3pjvp.exec:\3pjvp.exe54⤵
- Executes dropped EXE
PID:368 -
\??\c:\flxlxrf.exec:\flxlxrf.exe55⤵
- Executes dropped EXE
PID:2952 -
\??\c:\bhnbnn.exec:\bhnbnn.exe56⤵
- Executes dropped EXE
PID:4456 -
\??\c:\vjjvp.exec:\vjjvp.exe57⤵
- Executes dropped EXE
PID:3104 -
\??\c:\rffrfrl.exec:\rffrfrl.exe58⤵
- Executes dropped EXE
PID:4900 -
\??\c:\bntnnb.exec:\bntnnb.exe59⤵
- Executes dropped EXE
PID:3080 -
\??\c:\hhbthh.exec:\hhbthh.exe60⤵
- Executes dropped EXE
PID:540 -
\??\c:\jjvjd.exec:\jjvjd.exe61⤵
- Executes dropped EXE
PID:3568 -
\??\c:\9lfxlrf.exec:\9lfxlrf.exe62⤵
- Executes dropped EXE
PID:4128 -
\??\c:\xffxxxr.exec:\xffxxxr.exe63⤵
- Executes dropped EXE
PID:1996 -
\??\c:\hbhbhh.exec:\hbhbhh.exe64⤵
- Executes dropped EXE
PID:2812 -
\??\c:\dvjdp.exec:\dvjdp.exe65⤵
- Executes dropped EXE
PID:1984 -
\??\c:\rflxrlx.exec:\rflxrlx.exe66⤵PID:4656
-
\??\c:\7ffxrlf.exec:\7ffxrlf.exe67⤵PID:1748
-
\??\c:\thbtbt.exec:\thbtbt.exe68⤵PID:4736
-
\??\c:\jdvpd.exec:\jdvpd.exe69⤵PID:2036
-
\??\c:\fflfxrr.exec:\fflfxrr.exe70⤵PID:4536
-
\??\c:\llrflfx.exec:\llrflfx.exe71⤵PID:4908
-
\??\c:\5tthbb.exec:\5tthbb.exe72⤵PID:1532
-
\??\c:\dvjdj.exec:\dvjdj.exe73⤵PID:1612
-
\??\c:\ddjdp.exec:\ddjdp.exe74⤵PID:4072
-
\??\c:\rfrlffx.exec:\rfrlffx.exe75⤵PID:808
-
\??\c:\thhbnn.exec:\thhbnn.exe76⤵PID:3188
-
\??\c:\5jdvj.exec:\5jdvj.exe77⤵PID:1960
-
\??\c:\rlfxlff.exec:\rlfxlff.exe78⤵PID:2024
-
\??\c:\hbttnn.exec:\hbttnn.exe79⤵PID:3472
-
\??\c:\nbtntn.exec:\nbtntn.exe80⤵PID:4232
-
\??\c:\dppjd.exec:\dppjd.exe81⤵PID:4932
-
\??\c:\xrfrfxl.exec:\xrfrfxl.exe82⤵PID:3432
-
\??\c:\thnhhb.exec:\thnhhb.exe83⤵PID:3028
-
\??\c:\dvjvj.exec:\dvjvj.exe84⤵PID:5024
-
\??\c:\frxlrfl.exec:\frxlrfl.exe85⤵PID:736
-
\??\c:\rxxlxrf.exec:\rxxlxrf.exe86⤵PID:3296
-
\??\c:\nhnhtn.exec:\nhnhtn.exe87⤵PID:4092
-
\??\c:\hnhthh.exec:\hnhthh.exe88⤵PID:3280
-
\??\c:\pdvjv.exec:\pdvjv.exe89⤵
- System Location Discovery: System Language Discovery
PID:4812 -
\??\c:\dvvpj.exec:\dvvpj.exe90⤵PID:1004
-
\??\c:\rffxlff.exec:\rffxlff.exe91⤵PID:5028
-
\??\c:\1bbthh.exec:\1bbthh.exe92⤵PID:2932
-
\??\c:\dppdv.exec:\dppdv.exe93⤵PID:3608
-
\??\c:\5dvjv.exec:\5dvjv.exe94⤵
- System Location Discovery: System Language Discovery
PID:508 -
\??\c:\fflfrlx.exec:\fflfrlx.exe95⤵PID:3444
-
\??\c:\hntttt.exec:\hntttt.exe96⤵PID:5072
-
\??\c:\5vppj.exec:\5vppj.exe97⤵PID:3712
-
\??\c:\fxxlrxr.exec:\fxxlrxr.exe98⤵PID:3168
-
\??\c:\frrffxf.exec:\frrffxf.exe99⤵PID:2636
-
\??\c:\1bhtnh.exec:\1bhtnh.exe100⤵PID:3060
-
\??\c:\nnthbn.exec:\nnthbn.exe101⤵PID:3160
-
\??\c:\vpvpv.exec:\vpvpv.exe102⤵PID:1972
-
\??\c:\rffrlfx.exec:\rffrlfx.exe103⤵PID:1860
-
\??\c:\rrfxrlx.exec:\rrfxrlx.exe104⤵PID:2336
-
\??\c:\thnhtn.exec:\thnhtn.exe105⤵PID:1552
-
\??\c:\vdjjv.exec:\vdjjv.exe106⤵PID:620
-
\??\c:\5vvjv.exec:\5vvjv.exe107⤵PID:3232
-
\??\c:\xflxrfx.exec:\xflxrfx.exe108⤵PID:3580
-
\??\c:\nbbbth.exec:\nbbbth.exe109⤵PID:1768
-
\??\c:\bhnhbt.exec:\bhnhbt.exe110⤵PID:3052
-
\??\c:\9jjvp.exec:\9jjvp.exe111⤵PID:1508
-
\??\c:\rxlfxrx.exec:\rxlfxrx.exe112⤵PID:2652
-
\??\c:\rffxxrl.exec:\rffxxrl.exe113⤵PID:512
-
\??\c:\1nnnhn.exec:\1nnnhn.exe114⤵PID:3664
-
\??\c:\ththbt.exec:\ththbt.exe115⤵PID:4828
-
\??\c:\dppdv.exec:\dppdv.exe116⤵PID:2040
-
\??\c:\3ffxxll.exec:\3ffxxll.exe117⤵PID:1980
-
\??\c:\rffxllx.exec:\rffxllx.exe118⤵PID:4800
-
\??\c:\1nthtn.exec:\1nthtn.exe119⤵PID:3672
-
\??\c:\thbtnh.exec:\thbtnh.exe120⤵PID:3544
-
\??\c:\dvvpj.exec:\dvvpj.exe121⤵PID:4356
-
\??\c:\rlfxlfx.exec:\rlfxlfx.exe122⤵PID:1928
-