Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system (the sample itself runs as a 32-bit image under WoW64, hence both arch tags)
submitted
20/01/2025, 09:14 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe
-
Size
454KB
-
MD5
564b49a0f3b114d549753edeee698a0c
-
SHA1
7fe3669a5047ac8f3f84bb424bd32250b438153c
-
SHA256
af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a
-
SHA512
9053e25005b19a37adfddb05af4a07df0ab383ea9c9ad5009ab6d229814634b5f4440c35d545dec515165665df6e7835ac41af87100067bcea2ac4a363e568fc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config (none extracted from this sample; family attribution rests on the memory YARA hits in the Signatures section below)
Signatures
-
Blackmoon family (attribution derived from the family_blackmoon YARA rule matching in-memory regions of the sample and its dropped children, not from an extracted configuration)
-
Detect Blackmoon payload — 47 IoCs. Every hit is a 0x2A000-byte image range (mostly 0x400000–0x42A000, otherwise a relocated base such as 0x220000–0x24A000) in a different dropped process, which suggests the same unpacked payload is being re-dropped under a new name each time; this is inferred from the identical region sizes and should be confirmed by comparing the dumps.
resource yara_rule behavioral1/memory/796-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1160-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1160-26-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2888-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/644-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-135-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1332-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-169-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1620-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3000-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-288-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2664-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-325-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-332-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2292-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-426-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2756-429-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2668-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-594-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2800-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2696-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-884-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2736-898-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1976-951-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1680-1023-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the sandbox caps this list at 64; the process tree below shows the drop-and-execute chain continuing far beyond that)
pid Process 2656 tnntnb.exe 1160 dvjpv.exe 2888 bnbttt.exe 2768 5dppv.exe 2724 1nbnbb.exe 2580 vpdvd.exe 2988 1xfxlll.exe 2744 nntbhh.exe 2588 vjvvd.exe 644 7lffxrr.exe 1252 htbhth.exe 1624 djpdp.exe 2540 fflxfrx.exe 2748 nnthht.exe 2316 pjpvv.exe 1332 1rrlfxx.exe 2040 9jvvj.exe 1760 5pvvd.exe 2912 7bttnh.exe 1620 7vdpp.exe 2212 lrxrfxl.exe 700 htbbbn.exe 840 vjvdj.exe 1860 lrflxrr.exe 1612 jvvvv.exe 1052 lxrrlff.exe 3052 5xlxrrl.exe 1816 hthhbb.exe 568 dvjpv.exe 1496 fxlrxfr.exe 3000 vjvpv.exe 1584 jvpvj.exe 2652 rrfxxxf.exe 2492 5bbhhh.exe 2664 1pvpj.exe 2712 7vpjj.exe 2832 7llfffx.exe 2840 tntnnh.exe 2292 nthhbt.exe 2580 vdpjj.exe 2796 vjvpd.exe 2572 lxlllfl.exe 2736 7tbhhh.exe 2096 htbbbt.exe 920 pdjjj.exe 1852 jvvvd.exe 1776 xxllllr.exe 2804 nbnhbb.exe 2008 ttbbhb.exe 1968 dpdpv.exe 1972 frrlrrr.exe 1976 lrrllfr.exe 2756 9ththb.exe 1908 hbhbhb.exe 2668 5djjj.exe 2336 rfllfxx.exe 2132 thtntn.exe 1912 tbnhht.exe 2212 9dppd.exe 444 vjpjj.exe 2036 frrfllf.exe 1596 7tbtnn.exe 1544 5dpjd.exe 776 ddjdd.exe -
resource yara_rule behavioral1/memory/796-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1160-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/644-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-288-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2664-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-333-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2292-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/740-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-857-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-951-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1680-1023-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2520-1037-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/356-1082-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-1113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-1138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-1177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-1203-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2756-1218-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1756-1313-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location; here it is observed as the dropped binaries opening the registry key HKLM\SYSTEM\ControlSet001\Control\NLS\Language. The many "Process not Found" entries below most likely mean the accessing process had already exited before the sandbox resolved its PID, so per-process attribution of this behaviour is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvv.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfflrx.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (capped). Each parent writes only into the child it has just created, and the same parent/child pair is logged four times; on this Windows 7 image that pattern is consistent with ordinary child-process creation by a 32-bit process rather than evidence of code injection, so treat it as a weak indicator on its own and rely on the drop-and-execute chain and the memory YARA hits instead.
description pid Process procid_target PID 796 wrote to memory of 2656 796 af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe 31 PID 796 wrote to memory of 2656 796 af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe 31 PID 796 wrote to memory of 2656 796 af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe 31 PID 796 wrote to memory of 2656 796 af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe 31 PID 2656 wrote to memory of 1160 2656 tnntnb.exe 32 PID 2656 wrote to memory of 1160 2656 tnntnb.exe 32 PID 2656 wrote to memory of 1160 2656 tnntnb.exe 32 PID 2656 wrote to memory of 1160 2656 tnntnb.exe 32 PID 1160 wrote to memory of 2888 1160 dvjpv.exe 33 PID 1160 wrote to memory of 2888 1160 dvjpv.exe 33 PID 1160 wrote to memory of 2888 1160 dvjpv.exe 33 PID 1160 wrote to memory of 2888 1160 dvjpv.exe 33 PID 2888 wrote to memory of 2768 2888 bnbttt.exe 34 PID 2888 wrote to memory of 2768 2888 bnbttt.exe 34 PID 2888 wrote to memory of 2768 2888 bnbttt.exe 34 PID 2888 wrote to memory of 2768 2888 bnbttt.exe 34 PID 2768 wrote to memory of 2724 2768 5dppv.exe 35 PID 2768 wrote to memory of 2724 2768 5dppv.exe 35 PID 2768 wrote to memory of 2724 2768 5dppv.exe 35 PID 2768 wrote to memory of 2724 2768 5dppv.exe 35 PID 2724 wrote to memory of 2580 2724 1nbnbb.exe 36 PID 2724 wrote to memory of 2580 2724 1nbnbb.exe 36 PID 2724 wrote to memory of 2580 2724 1nbnbb.exe 36 PID 2724 wrote to memory of 2580 2724 1nbnbb.exe 36 PID 2580 wrote to memory of 2988 2580 vpdvd.exe 37 PID 2580 wrote to memory of 2988 2580 vpdvd.exe 37 PID 2580 wrote to memory of 2988 2580 vpdvd.exe 37 PID 2580 wrote to memory of 2988 2580 vpdvd.exe 37 PID 2988 wrote to memory of 2744 2988 1xfxlll.exe 38 PID 2988 wrote to memory of 2744 2988 1xfxlll.exe 38 PID 2988 wrote to memory of 2744 2988 1xfxlll.exe 38 PID 2988 wrote to memory of 2744 2988 1xfxlll.exe 38 PID 2744 wrote to memory of 2588 2744 nntbhh.exe 39 PID 2744 wrote to memory of 
2588 2744 nntbhh.exe 39 PID 2744 wrote to memory of 2588 2744 nntbhh.exe 39 PID 2744 wrote to memory of 2588 2744 nntbhh.exe 39 PID 2588 wrote to memory of 644 2588 vjvvd.exe 40 PID 2588 wrote to memory of 644 2588 vjvvd.exe 40 PID 2588 wrote to memory of 644 2588 vjvvd.exe 40 PID 2588 wrote to memory of 644 2588 vjvvd.exe 40 PID 644 wrote to memory of 1252 644 7lffxrr.exe 41 PID 644 wrote to memory of 1252 644 7lffxrr.exe 41 PID 644 wrote to memory of 1252 644 7lffxrr.exe 41 PID 644 wrote to memory of 1252 644 7lffxrr.exe 41 PID 1252 wrote to memory of 1624 1252 htbhth.exe 42 PID 1252 wrote to memory of 1624 1252 htbhth.exe 42 PID 1252 wrote to memory of 1624 1252 htbhth.exe 42 PID 1252 wrote to memory of 1624 1252 htbhth.exe 42 PID 1624 wrote to memory of 2540 1624 djpdp.exe 43 PID 1624 wrote to memory of 2540 1624 djpdp.exe 43 PID 1624 wrote to memory of 2540 1624 djpdp.exe 43 PID 1624 wrote to memory of 2540 1624 djpdp.exe 43 PID 2540 wrote to memory of 2748 2540 fflxfrx.exe 44 PID 2540 wrote to memory of 2748 2540 fflxfrx.exe 44 PID 2540 wrote to memory of 2748 2540 fflxfrx.exe 44 PID 2540 wrote to memory of 2748 2540 fflxfrx.exe 44 PID 2748 wrote to memory of 2316 2748 nnthht.exe 45 PID 2748 wrote to memory of 2316 2748 nnthht.exe 45 PID 2748 wrote to memory of 2316 2748 nnthht.exe 45 PID 2748 wrote to memory of 2316 2748 nnthht.exe 45 PID 2316 wrote to memory of 1332 2316 pjpvv.exe 46 PID 2316 wrote to memory of 1332 2316 pjpvv.exe 46 PID 2316 wrote to memory of 1332 2316 pjpvv.exe 46 PID 2316 wrote to memory of 1332 2316 pjpvv.exe 46
Processes (process tree). Each dropped binary is written to the root of c:\ under a short random-looking lowercase name and launched as a child of the previous one; the chain reaches a nesting depth of 122 within the 150-second run, and several PIDs (e.g. 796, 1160, 2580, 840, 2116) are reused as earlier processes exit.
-
C:\Users\Admin\AppData\Local\Temp\af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe"C:\Users\Admin\AppData\Local\Temp\af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:796 -
\??\c:\tnntnb.exec:\tnntnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\dvjpv.exec:\dvjpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\bnbttt.exec:\bnbttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\5dppv.exec:\5dppv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\1nbnbb.exec:\1nbnbb.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\vpdvd.exec:\vpdvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\1xfxlll.exec:\1xfxlll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\nntbhh.exec:\nntbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\vjvvd.exec:\vjvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\7lffxrr.exec:\7lffxrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\htbhth.exec:\htbhth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\djpdp.exec:\djpdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\fflxfrx.exec:\fflxfrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\nnthht.exec:\nnthht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\pjpvv.exec:\pjpvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\1rrlfxx.exec:\1rrlfxx.exe17⤵
- Executes dropped EXE
PID:1332 -
\??\c:\9jvvj.exec:\9jvvj.exe18⤵
- Executes dropped EXE
PID:2040 -
\??\c:\5pvvd.exec:\5pvvd.exe19⤵
- Executes dropped EXE
PID:1760 -
\??\c:\7bttnh.exec:\7bttnh.exe20⤵
- Executes dropped EXE
PID:2912 -
\??\c:\7vdpp.exec:\7vdpp.exe21⤵
- Executes dropped EXE
PID:1620 -
\??\c:\lrxrfxl.exec:\lrxrfxl.exe22⤵
- Executes dropped EXE
PID:2212 -
\??\c:\htbbbn.exec:\htbbbn.exe23⤵
- Executes dropped EXE
PID:700 -
\??\c:\vjvdj.exec:\vjvdj.exe24⤵
- Executes dropped EXE
PID:840 -
\??\c:\lrflxrr.exec:\lrflxrr.exe25⤵
- Executes dropped EXE
PID:1860 -
\??\c:\jvvvv.exec:\jvvvv.exe26⤵
- Executes dropped EXE
PID:1612 -
\??\c:\lxrrlff.exec:\lxrrlff.exe27⤵
- Executes dropped EXE
PID:1052 -
\??\c:\5xlxrrl.exec:\5xlxrrl.exe28⤵
- Executes dropped EXE
PID:3052 -
\??\c:\hthhbb.exec:\hthhbb.exe29⤵
- Executes dropped EXE
PID:1816 -
\??\c:\dvjpv.exec:\dvjpv.exe30⤵
- Executes dropped EXE
PID:568 -
\??\c:\fxlrxfr.exec:\fxlrxfr.exe31⤵
- Executes dropped EXE
PID:1496 -
\??\c:\vjvpv.exec:\vjvpv.exe32⤵
- Executes dropped EXE
PID:3000 -
\??\c:\jvpvj.exec:\jvpvj.exe33⤵
- Executes dropped EXE
PID:1584 -
\??\c:\rrfxxxf.exec:\rrfxxxf.exe34⤵
- Executes dropped EXE
PID:2652 -
\??\c:\5bbhhh.exec:\5bbhhh.exe35⤵
- Executes dropped EXE
PID:2492 -
\??\c:\1pvpj.exec:\1pvpj.exe36⤵
- Executes dropped EXE
PID:2664 -
\??\c:\7vpjj.exec:\7vpjj.exe37⤵
- Executes dropped EXE
PID:2712 -
\??\c:\7llfffx.exec:\7llfffx.exe38⤵
- Executes dropped EXE
PID:2832 -
\??\c:\tntnnh.exec:\tntnnh.exe39⤵
- Executes dropped EXE
PID:2840 -
\??\c:\nthhbt.exec:\nthhbt.exe40⤵
- Executes dropped EXE
PID:2292 -
\??\c:\vdpjj.exec:\vdpjj.exe41⤵
- Executes dropped EXE
PID:2580 -
\??\c:\vjvpd.exec:\vjvpd.exe42⤵
- Executes dropped EXE
PID:2796 -
\??\c:\lxlllfl.exec:\lxlllfl.exe43⤵
- Executes dropped EXE
PID:2572 -
\??\c:\7tbhhh.exec:\7tbhhh.exe44⤵
- Executes dropped EXE
PID:2736 -
\??\c:\htbbbt.exec:\htbbbt.exe45⤵
- Executes dropped EXE
PID:2096 -
\??\c:\pdjjj.exec:\pdjjj.exe46⤵
- Executes dropped EXE
PID:920 -
\??\c:\jvvvd.exec:\jvvvd.exe47⤵
- Executes dropped EXE
PID:1852 -
\??\c:\xxllllr.exec:\xxllllr.exe48⤵
- Executes dropped EXE
PID:1776 -
\??\c:\nbnhbb.exec:\nbnhbb.exe49⤵
- Executes dropped EXE
PID:2804 -
\??\c:\ttbbhb.exec:\ttbbhb.exe50⤵
- Executes dropped EXE
PID:2008 -
\??\c:\dpdpv.exec:\dpdpv.exe51⤵
- Executes dropped EXE
PID:1968 -
\??\c:\frrlrrr.exec:\frrlrrr.exe52⤵
- Executes dropped EXE
PID:1972 -
\??\c:\lrrllfr.exec:\lrrllfr.exe53⤵
- Executes dropped EXE
PID:1976 -
\??\c:\9ththb.exec:\9ththb.exe54⤵
- Executes dropped EXE
PID:2756 -
\??\c:\hbhbhb.exec:\hbhbhb.exe55⤵
- Executes dropped EXE
PID:1908 -
\??\c:\5djjj.exec:\5djjj.exe56⤵
- Executes dropped EXE
PID:2668 -
\??\c:\rfllfxx.exec:\rfllfxx.exe57⤵
- Executes dropped EXE
PID:2336 -
\??\c:\thtntn.exec:\thtntn.exe58⤵
- Executes dropped EXE
PID:2132 -
\??\c:\tbnhht.exec:\tbnhht.exe59⤵
- Executes dropped EXE
PID:1912 -
\??\c:\9dppd.exec:\9dppd.exe60⤵
- Executes dropped EXE
PID:2212 -
\??\c:\vjpjj.exec:\vjpjj.exe61⤵
- Executes dropped EXE
PID:444 -
\??\c:\frrfllf.exec:\frrfllf.exe62⤵
- Executes dropped EXE
PID:2036 -
\??\c:\7tbtnn.exec:\7tbtnn.exe63⤵
- Executes dropped EXE
PID:1596 -
\??\c:\5dpjd.exec:\5dpjd.exe64⤵
- Executes dropped EXE
PID:1544 -
\??\c:\ddjdd.exec:\ddjdd.exe65⤵
- Executes dropped EXE
PID:776 -
\??\c:\rlxxfxx.exec:\rlxxfxx.exe66⤵PID:740
-
\??\c:\1nbbbn.exec:\1nbbbn.exe67⤵PID:1788
-
\??\c:\7tbbtn.exec:\7tbbtn.exe68⤵PID:696
-
\??\c:\jpdvv.exec:\jpdvv.exe69⤵PID:2116
-
\??\c:\rrxxxxl.exec:\rrxxxxl.exe70⤵PID:2160
-
\??\c:\lxlffxx.exec:\lxlffxx.exe71⤵PID:1004
-
\??\c:\btnntt.exec:\btnntt.exe72⤵PID:2320
-
\??\c:\jvvjj.exec:\jvvjj.exe73⤵PID:1696
-
\??\c:\dpddv.exec:\dpddv.exe74⤵PID:1812
-
\??\c:\1rxxxxr.exec:\1rxxxxr.exe75⤵PID:2652
-
\??\c:\1flfxxr.exec:\1flfxxr.exe76⤵PID:2208
-
\??\c:\nbhbbt.exec:\nbhbbt.exe77⤵PID:1152
-
\??\c:\dpjjj.exec:\dpjjj.exe78⤵PID:2856
-
\??\c:\1pvdj.exec:\1pvdj.exe79⤵PID:2716
-
\??\c:\9rfllll.exec:\9rfllll.exe80⤵PID:2884
-
\??\c:\1tbhbb.exec:\1tbhbb.exe81⤵PID:2688
-
\??\c:\5nbhnn.exec:\5nbhnn.exe82⤵PID:1708
-
\??\c:\ppjvj.exec:\ppjvj.exe83⤵PID:2252
-
\??\c:\1pvdj.exec:\1pvdj.exe84⤵PID:2568
-
\??\c:\xlfrrll.exec:\xlfrrll.exe85⤵PID:2692
-
\??\c:\nhnnnt.exec:\nhnnnt.exe86⤵PID:540
-
\??\c:\9hhtbb.exec:\9hhtbb.exe87⤵PID:1032
-
\??\c:\ppjpj.exec:\ppjpj.exe88⤵PID:2896
-
\??\c:\dpjjv.exec:\dpjjv.exe89⤵PID:1428
-
\??\c:\5rrxrxl.exec:\5rrxrxl.exe90⤵PID:2560
-
\??\c:\hnhhtt.exec:\hnhhtt.exe91⤵PID:2800
-
\??\c:\ttnbnn.exec:\ttnbnn.exe92⤵PID:2456
-
\??\c:\dvpvd.exec:\dvpvd.exe93⤵PID:1044
-
\??\c:\9rfrrlf.exec:\9rfrrlf.exe94⤵PID:2004
-
\??\c:\rlflxfr.exec:\rlflxfr.exe95⤵PID:2040
-
\??\c:\hhttth.exec:\hhttth.exe96⤵PID:2424
-
\??\c:\ttbhnn.exec:\ttbhnn.exe97⤵PID:1908
-
\??\c:\dvjdj.exec:\dvjdj.exe98⤵PID:2668
-
\??\c:\rxlrxrx.exec:\rxlrxrx.exe99⤵PID:2172
-
\??\c:\lflrfxx.exec:\lflrfxx.exe100⤵PID:916
-
\??\c:\bntttn.exec:\bntttn.exe101⤵PID:1104
-
\??\c:\jdpjv.exec:\jdpjv.exe102⤵PID:812
-
\??\c:\vvpvd.exec:\vvpvd.exe103⤵PID:1360
-
\??\c:\frxllll.exec:\frxllll.exe104⤵PID:840
-
\??\c:\bhhnbn.exec:\bhhnbn.exe105⤵PID:992
-
\??\c:\pvjvj.exec:\pvjvj.exe106⤵PID:1612
-
\??\c:\jjvjp.exec:\jjvjp.exe107⤵PID:300
-
\??\c:\rlxflfx.exec:\rlxflfx.exe108⤵PID:1784
-
\??\c:\3hbnbh.exec:\3hbnbh.exe109⤵PID:2392
-
\??\c:\vvdpp.exec:\vvdpp.exe110⤵PID:900
-
\??\c:\7vvdd.exec:\7vvdd.exe111⤵PID:2116
-
\??\c:\fxlrffr.exec:\fxlrffr.exe112⤵PID:892
-
\??\c:\flxxxlr.exec:\flxxxlr.exe113⤵PID:2268
-
\??\c:\bbtbht.exec:\bbtbht.exe114⤵PID:1496
-
\??\c:\ppvvj.exec:\ppvvj.exe115⤵PID:1584
-
\??\c:\jvjjj.exec:\jvjjj.exe116⤵PID:796
-
\??\c:\xlflfxf.exec:\xlflfxf.exe117⤵PID:1160
-
\??\c:\thnnnn.exec:\thnnnn.exe118⤵PID:1848
-
\??\c:\nbtnbb.exec:\nbtnbb.exe119⤵PID:2416
-
\??\c:\vvddj.exec:\vvddj.exe120⤵PID:2860
-
\??\c:\xxrxrxl.exec:\xxrxrxl.exe121⤵PID:2696
-
\??\c:\lfxffrx.exec:\lfxffrx.exe122⤵PID:2100