Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
08/01/2025, 07:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe
-
Size
453KB
-
MD5
4304bb1ac409f30a064f5c9bd4ee0455
-
SHA1
543744d7798a3b9d98f4f4c5257011b9d177c32b
-
SHA256
945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f
-
SHA512
de92ec0bcaf96184c6369058fbed7b287f9a865441007037969d793d1fe2263a407b7a0f66fd76fd6276edff7d634cc2eea5fa42fea86b40ba93b446786ad589
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3952-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1464-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3992-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-890-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-1956-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2164 jdvvv.exe 3216 xxxxfxr.exe 3532 hnnnhb.exe 4680 tbbttt.exe 3884 9btnnn.exe 3896 lrxrrxx.exe 5000 bbbbbb.exe 4908 htttnn.exe 3300 dpddv.exe 444 jpvvd.exe 2352 rrxrrrr.exe 3484 hbntnn.exe 4832 rrxxrxx.exe 2300 vdvvp.exe 3152 bttttt.exe 3552 tbbbtt.exe 3476 xffxllf.exe 1464 7btttb.exe 3876 nnttbn.exe 3912 thtnhh.exe 4508 jpppp.exe 3204 rrlfffx.exe 3076 hnthbn.exe 2764 vpppp.exe 2612 lxffxll.exe 5056 hbhhbh.exe 3012 llffxff.exe 4320 pjvpp.exe 4972 jdvvp.exe 912 hnttnb.exe 4624 7rrrflf.exe 2340 hnnnnn.exe 2788 1fxrllf.exe 2124 bhnhbt.exe 3264 hhbbtt.exe 4312 rxxllfr.exe 5080 bhtbtt.exe 5024 1vdpj.exe 3820 rxrfrlf.exe 2316 7hnntt.exe 2488 bhnhbb.exe 2436 vdpjj.exe 1984 5flfllx.exe 4028 nnhbtn.exe 4388 jpvvp.exe 3960 ffxrfxr.exe 3576 hnhbtt.exe 5104 nhhbth.exe 4912 5djdv.exe 4284 rrlxrrr.exe 2368 tbbtnn.exe 3952 pjjvp.exe 4880 rfxrlfx.exe 5044 hbtnhh.exe 3216 jpjjd.exe 3936 rrlfxrl.exe 244 hhbnhb.exe 2520 7ntnbn.exe 3600 3vjdj.exe 4384 1flfxfx.exe 740 bhbthb.exe 5000 pppjv.exe 4208 vdddd.exe 3672 tbthbt.exe -
resource yara_rule behavioral2/memory/3952-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-116-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4624-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-340-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4988-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-638-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pppp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3952 wrote to memory of 2164 3952 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 82 PID 3952 wrote to memory of 2164 3952 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 82 PID 3952 wrote to memory of 2164 3952 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 82 PID 2164 wrote to memory of 3216 2164 jdvvv.exe 83 PID 2164 wrote to memory of 3216 2164 jdvvv.exe 83 PID 2164 wrote to memory of 3216 2164 jdvvv.exe 83 PID 3216 wrote to memory of 3532 3216 xxxxfxr.exe 84 PID 3216 wrote to memory of 3532 3216 xxxxfxr.exe 84 PID 3216 wrote to memory of 3532 3216 xxxxfxr.exe 84 PID 3532 wrote to memory of 4680 3532 hnnnhb.exe 85 PID 3532 wrote to memory of 4680 3532 hnnnhb.exe 85 PID 3532 wrote to memory of 4680 3532 hnnnhb.exe 85 PID 4680 wrote to memory of 3884 4680 tbbttt.exe 86 PID 4680 wrote to memory of 3884 4680 tbbttt.exe 86 PID 4680 wrote to memory of 3884 4680 tbbttt.exe 86 PID 3884 wrote to memory of 3896 3884 9btnnn.exe 87 PID 3884 wrote to memory of 3896 3884 9btnnn.exe 87 PID 3884 wrote to memory of 3896 3884 9btnnn.exe 87 PID 3896 wrote to memory of 5000 3896 lrxrrxx.exe 88 PID 3896 wrote to memory of 5000 3896 lrxrrxx.exe 88 PID 3896 wrote to memory of 5000 3896 lrxrrxx.exe 88 PID 5000 wrote to memory of 4908 5000 bbbbbb.exe 89 PID 5000 wrote to memory of 4908 5000 bbbbbb.exe 89 PID 5000 wrote to memory of 4908 5000 bbbbbb.exe 89 PID 4908 wrote to memory of 3300 4908 htttnn.exe 90 PID 4908 wrote to memory of 3300 4908 htttnn.exe 90 PID 4908 wrote to memory of 3300 4908 htttnn.exe 90 PID 3300 wrote to memory of 444 3300 dpddv.exe 91 PID 3300 wrote to memory of 444 3300 dpddv.exe 91 PID 3300 wrote to memory of 444 3300 dpddv.exe 91 PID 444 wrote to memory of 2352 444 jpvvd.exe 92 PID 444 wrote to memory of 2352 444 jpvvd.exe 92 PID 444 wrote to memory of 2352 444 jpvvd.exe 92 PID 2352 wrote to memory of 3484 2352 rrxrrrr.exe 93 PID 2352 wrote to memory of 
3484 2352 rrxrrrr.exe 93 PID 2352 wrote to memory of 3484 2352 rrxrrrr.exe 93 PID 3484 wrote to memory of 4832 3484 hbntnn.exe 94 PID 3484 wrote to memory of 4832 3484 hbntnn.exe 94 PID 3484 wrote to memory of 4832 3484 hbntnn.exe 94 PID 4832 wrote to memory of 2300 4832 rrxxrxx.exe 95 PID 4832 wrote to memory of 2300 4832 rrxxrxx.exe 95 PID 4832 wrote to memory of 2300 4832 rrxxrxx.exe 95 PID 2300 wrote to memory of 3152 2300 vdvvp.exe 96 PID 2300 wrote to memory of 3152 2300 vdvvp.exe 96 PID 2300 wrote to memory of 3152 2300 vdvvp.exe 96 PID 3152 wrote to memory of 3552 3152 bttttt.exe 97 PID 3152 wrote to memory of 3552 3152 bttttt.exe 97 PID 3152 wrote to memory of 3552 3152 bttttt.exe 97 PID 3552 wrote to memory of 3476 3552 tbbbtt.exe 98 PID 3552 wrote to memory of 3476 3552 tbbbtt.exe 98 PID 3552 wrote to memory of 3476 3552 tbbbtt.exe 98 PID 3476 wrote to memory of 1464 3476 xffxllf.exe 99 PID 3476 wrote to memory of 1464 3476 xffxllf.exe 99 PID 3476 wrote to memory of 1464 3476 xffxllf.exe 99 PID 1464 wrote to memory of 3876 1464 7btttb.exe 100 PID 1464 wrote to memory of 3876 1464 7btttb.exe 100 PID 1464 wrote to memory of 3876 1464 7btttb.exe 100 PID 3876 wrote to memory of 3912 3876 nnttbn.exe 101 PID 3876 wrote to memory of 3912 3876 nnttbn.exe 101 PID 3876 wrote to memory of 3912 3876 nnttbn.exe 101 PID 3912 wrote to memory of 4508 3912 thtnhh.exe 102 PID 3912 wrote to memory of 4508 3912 thtnhh.exe 102 PID 3912 wrote to memory of 4508 3912 thtnhh.exe 102 PID 4508 wrote to memory of 3204 4508 jpppp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe"C:\Users\Admin\AppData\Local\Temp\945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\jdvvv.exec:\jdvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\xxxxfxr.exec:\xxxxfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\hnnnhb.exec:\hnnnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\tbbttt.exec:\tbbttt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\9btnnn.exec:\9btnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\lrxrrxx.exec:\lrxrrxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\bbbbbb.exec:\bbbbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\htttnn.exec:\htttnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\dpddv.exec:\dpddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\jpvvd.exec:\jpvvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\rrxrrrr.exec:\rrxrrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\hbntnn.exec:\hbntnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\rrxxrxx.exec:\rrxxrxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\vdvvp.exec:\vdvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\bttttt.exec:\bttttt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\tbbbtt.exec:\tbbbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\xffxllf.exec:\xffxllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\7btttb.exec:\7btttb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\nnttbn.exec:\nnttbn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\thtnhh.exec:\thtnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\jpppp.exec:\jpppp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\rrlfffx.exec:\rrlfffx.exe23⤵
- Executes dropped EXE
PID:3204 -
\??\c:\hnthbn.exec:\hnthbn.exe24⤵
- Executes dropped EXE
PID:3076 -
\??\c:\vpppp.exec:\vpppp.exe25⤵
- Executes dropped EXE
PID:2764 -
\??\c:\lxffxll.exec:\lxffxll.exe26⤵
- Executes dropped EXE
PID:2612 -
\??\c:\hbhhbh.exec:\hbhhbh.exe27⤵
- Executes dropped EXE
PID:5056 -
\??\c:\llffxff.exec:\llffxff.exe28⤵
- Executes dropped EXE
PID:3012 -
\??\c:\pjvpp.exec:\pjvpp.exe29⤵
- Executes dropped EXE
PID:4320 -
\??\c:\jdvvp.exec:\jdvvp.exe30⤵
- Executes dropped EXE
PID:4972 -
\??\c:\hnttnb.exec:\hnttnb.exe31⤵
- Executes dropped EXE
PID:912 -
\??\c:\7rrrflf.exec:\7rrrflf.exe32⤵
- Executes dropped EXE
PID:4624 -
\??\c:\hnnnnn.exec:\hnnnnn.exe33⤵
- Executes dropped EXE
PID:2340 -
\??\c:\1fxrllf.exec:\1fxrllf.exe34⤵
- Executes dropped EXE
PID:2788 -
\??\c:\bhnhbt.exec:\bhnhbt.exe35⤵
- Executes dropped EXE
PID:2124 -
\??\c:\hhbbtt.exec:\hhbbtt.exe36⤵
- Executes dropped EXE
PID:3264 -
\??\c:\rxxllfr.exec:\rxxllfr.exe37⤵
- Executes dropped EXE
PID:4312 -
\??\c:\bhtbtt.exec:\bhtbtt.exe38⤵
- Executes dropped EXE
PID:5080 -
\??\c:\1vdpj.exec:\1vdpj.exe39⤵
- Executes dropped EXE
PID:5024 -
\??\c:\rxrfrlf.exec:\rxrfrlf.exe40⤵
- Executes dropped EXE
PID:3820 -
\??\c:\7hnntt.exec:\7hnntt.exe41⤵
- Executes dropped EXE
PID:2316 -
\??\c:\bhnhbb.exec:\bhnhbb.exe42⤵
- Executes dropped EXE
PID:2488 -
\??\c:\vdpjj.exec:\vdpjj.exe43⤵
- Executes dropped EXE
PID:2436 -
\??\c:\5flfllx.exec:\5flfllx.exe44⤵
- Executes dropped EXE
PID:1984 -
\??\c:\nnhbtn.exec:\nnhbtn.exe45⤵
- Executes dropped EXE
PID:4028 -
\??\c:\jpvvp.exec:\jpvvp.exe46⤵
- Executes dropped EXE
PID:4388 -
\??\c:\ffxrfxr.exec:\ffxrfxr.exe47⤵
- Executes dropped EXE
PID:3960 -
\??\c:\hnhbtt.exec:\hnhbtt.exe48⤵
- Executes dropped EXE
PID:3576 -
\??\c:\nhhbth.exec:\nhhbth.exe49⤵
- Executes dropped EXE
PID:5104 -
\??\c:\5djdv.exec:\5djdv.exe50⤵
- Executes dropped EXE
PID:4912 -
\??\c:\rrlxrrr.exec:\rrlxrrr.exe51⤵
- Executes dropped EXE
PID:4284 -
\??\c:\tbbtnn.exec:\tbbtnn.exe52⤵
- Executes dropped EXE
PID:2368 -
\??\c:\pjjvp.exec:\pjjvp.exe53⤵
- Executes dropped EXE
PID:3952 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe54⤵
- Executes dropped EXE
PID:4880 -
\??\c:\hbtnhh.exec:\hbtnhh.exe55⤵
- Executes dropped EXE
PID:5044 -
\??\c:\jpjjd.exec:\jpjjd.exe56⤵
- Executes dropped EXE
PID:3216 -
\??\c:\rrlfxrl.exec:\rrlfxrl.exe57⤵
- Executes dropped EXE
PID:3936 -
\??\c:\hhbnhb.exec:\hhbnhb.exe58⤵
- Executes dropped EXE
PID:244 -
\??\c:\7ntnbn.exec:\7ntnbn.exe59⤵
- Executes dropped EXE
PID:2520 -
\??\c:\3vjdj.exec:\3vjdj.exe60⤵
- Executes dropped EXE
PID:3600 -
\??\c:\1flfxfx.exec:\1flfxfx.exe61⤵
- Executes dropped EXE
PID:4384 -
\??\c:\bhbthb.exec:\bhbthb.exe62⤵
- Executes dropped EXE
PID:740 -
\??\c:\pppjv.exec:\pppjv.exe63⤵
- Executes dropped EXE
PID:5000 -
\??\c:\vdddd.exec:\vdddd.exe64⤵
- Executes dropped EXE
PID:4208 -
\??\c:\tbthbt.exec:\tbthbt.exe65⤵
- Executes dropped EXE
PID:3672 -
\??\c:\7hhbnn.exec:\7hhbnn.exe66⤵PID:1960
-
\??\c:\vjpjd.exec:\vjpjd.exe67⤵PID:2156
-
\??\c:\rxxxlfr.exec:\rxxxlfr.exe68⤵PID:3992
-
\??\c:\nhttnn.exec:\nhttnn.exe69⤵PID:64
-
\??\c:\9ddvj.exec:\9ddvj.exe70⤵PID:684
-
\??\c:\dppjd.exec:\dppjd.exe71⤵PID:4068
-
\??\c:\lxxxllx.exec:\lxxxllx.exe72⤵PID:2060
-
\??\c:\1llfxxr.exec:\1llfxxr.exe73⤵PID:4820
-
\??\c:\hhbbnh.exec:\hhbbnh.exe74⤵PID:2736
-
\??\c:\jdjdv.exec:\jdjdv.exe75⤵PID:1104
-
\??\c:\rllfxrl.exec:\rllfxrl.exe76⤵PID:4600
-
\??\c:\ntbthh.exec:\ntbthh.exe77⤵PID:4000
-
\??\c:\jddvp.exec:\jddvp.exe78⤵PID:4988
-
\??\c:\vdjjj.exec:\vdjjj.exe79⤵PID:4488
-
\??\c:\frfxllx.exec:\frfxllx.exe80⤵PID:5100
-
\??\c:\3xlxrlx.exec:\3xlxrlx.exe81⤵PID:4836
-
\??\c:\bhnbtn.exec:\bhnbtn.exe82⤵PID:1780
-
\??\c:\9vvjd.exec:\9vvjd.exe83⤵PID:4356
-
\??\c:\ddvpd.exec:\ddvpd.exe84⤵PID:4580
-
\??\c:\ffxlfxr.exec:\ffxlfxr.exe85⤵PID:4532
-
\??\c:\ttnhbt.exec:\ttnhbt.exe86⤵PID:1496
-
\??\c:\vpvpv.exec:\vpvpv.exe87⤵PID:1808
-
\??\c:\llfxffx.exec:\llfxffx.exe88⤵PID:4140
-
\??\c:\7rlfxxr.exec:\7rlfxxr.exe89⤵
- System Location Discovery: System Language Discovery
PID:1312 -
\??\c:\hhnntn.exec:\hhnntn.exe90⤵PID:2272
-
\??\c:\dppjd.exec:\dppjd.exe91⤵PID:3012
-
\??\c:\1rrrffr.exec:\1rrrffr.exe92⤵PID:640
-
\??\c:\thttnh.exec:\thttnh.exe93⤵PID:4724
-
\??\c:\hbnbtn.exec:\hbnbtn.exe94⤵PID:4588
-
\??\c:\dddpj.exec:\dddpj.exe95⤵PID:1832
-
\??\c:\rxrfrrf.exec:\rxrfrrf.exe96⤵PID:768
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe97⤵PID:3824
-
\??\c:\1bthbb.exec:\1bthbb.exe98⤵PID:3448
-
\??\c:\jjdvj.exec:\jjdvj.exe99⤵PID:4692
-
\??\c:\rxrfxxr.exec:\rxrfxxr.exe100⤵PID:3032
-
\??\c:\ffxlxxl.exec:\ffxlxxl.exe101⤵PID:3240
-
\??\c:\thnbtt.exec:\thnbtt.exe102⤵PID:3180
-
\??\c:\jppvd.exec:\jppvd.exe103⤵PID:1036
-
\??\c:\7rrffff.exec:\7rrffff.exe104⤵PID:4768
-
\??\c:\hbtthb.exec:\hbtthb.exe105⤵PID:724
-
\??\c:\bntnhb.exec:\bntnhb.exe106⤵PID:1852
-
\??\c:\pppjd.exec:\pppjd.exe107⤵PID:2652
-
\??\c:\lxxrxrl.exec:\lxxrxrl.exe108⤵PID:2436
-
\??\c:\1nbthb.exec:\1nbthb.exe109⤵PID:2328
-
\??\c:\vvvdp.exec:\vvvdp.exe110⤵
- System Location Discovery: System Language Discovery
PID:3528 -
\??\c:\jddpj.exec:\jddpj.exe111⤵PID:1324
-
\??\c:\5fxrlfx.exec:\5fxrlfx.exe112⤵PID:4564
-
\??\c:\tnttht.exec:\tnttht.exe113⤵PID:3744
-
\??\c:\pjjdv.exec:\pjjdv.exe114⤵PID:5008
-
\??\c:\jvvpd.exec:\jvvpd.exe115⤵PID:4292
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe116⤵PID:1716
-
\??\c:\hhbthb.exec:\hhbthb.exe117⤵PID:2040
-
\??\c:\jvppd.exec:\jvppd.exe118⤵PID:4500
-
\??\c:\dpvpj.exec:\dpvpj.exe119⤵
- System Location Discovery: System Language Discovery
PID:1040 -
\??\c:\fffrxff.exec:\fffrxff.exe120⤵PID:4868
-
\??\c:\xfxrlfx.exec:\xfxrlfx.exe121⤵PID:1120
-
\??\c:\bhnhnh.exec:\bhnhnh.exe122⤵PID:3532