Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe
-
Size
454KB
-
MD5
564b49a0f3b114d549753edeee698a0c
-
SHA1
7fe3669a5047ac8f3f84bb424bd32250b438153c
-
SHA256
af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a
-
SHA512
9053e25005b19a37adfddb05af4a07df0ab383ea9c9ad5009ab6d229814634b5f4440c35d545dec515165665df6e7835ac41af87100067bcea2ac4a363e568fc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3616-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2064-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/576-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4872-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/576-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-893-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-1053-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-1232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-1290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-1550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2096 fxxxrxr.exe 3744 fffxxfr.exe 924 pjvdj.exe 2024 tnhnhn.exe 404 vjvvv.exe 2408 ppvvv.exe 5036 nntnnh.exe 1836 vjpjj.exe 3556 xlxrxrr.exe 4680 rrrrrrr.exe 2620 xlrlxxr.exe 4292 jpdvp.exe 2132 fxxrllf.exe 672 httthh.exe 676 vdjdp.exe 2704 hnbnhh.exe 5116 rxllxxr.exe 4936 5hnhnn.exe 1052 1pppj.exe 3576 xffxrlf.exe 552 dvvpp.exe 1312 rflfxrl.exe 3972 tnnbtn.exe 2448 xllxrxx.exe 1488 bntnnh.exe 2616 jdjdv.exe 3808 rrlfllf.exe 2064 frxrrrl.exe 4596 flxrlll.exe 4348 httnhh.exe 4580 lffxxxr.exe 576 ttbttt.exe 3396 rrffffr.exe 748 jvdvp.exe 4220 llxxxxf.exe 2324 hbhhbt.exe 852 bnbbtb.exe 632 5jpvj.exe 4736 xxlxfxl.exe 3064 9thntt.exe 512 5ntnhh.exe 3148 vpdjd.exe 1072 xlrrllf.exe 2176 nntbnb.exe 4408 hhnnhh.exe 1216 ppvpp.exe 4748 frfrlfx.exe 4280 tnbtnh.exe 3792 tbnhhh.exe 5040 dvvpj.exe 4456 llxflxr.exe 4124 bthbhh.exe 3976 vpdvv.exe 4976 pdjdv.exe 1636 xxrfrlf.exe 4000 9hnhtn.exe 4776 9hhtnn.exe 932 pvvpd.exe 4592 rlrrllx.exe 4948 3frrxfr.exe 2832 nhnhtt.exe 3388 jdpjp.exe 1508 fxfxrrr.exe 2916 nntttt.exe -
resource yara_rule behavioral2/memory/3616-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4348-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/576-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/576-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-393-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1880-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-816-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-823-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrllf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3616 wrote to memory of 2096 3616 af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe 82 PID 3616 wrote to memory of 2096 3616 af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe 82 PID 3616 wrote to memory of 2096 3616 af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe 82 PID 2096 wrote to memory of 3744 2096 fxxxrxr.exe 83 PID 2096 wrote to memory of 3744 2096 fxxxrxr.exe 83 PID 2096 wrote to memory of 3744 2096 fxxxrxr.exe 83 PID 3744 wrote to memory of 924 3744 fffxxfr.exe 84 PID 3744 wrote to memory of 924 3744 fffxxfr.exe 84 PID 3744 wrote to memory of 924 3744 fffxxfr.exe 84 PID 924 wrote to memory of 2024 924 pjvdj.exe 85 PID 924 wrote to memory of 2024 924 pjvdj.exe 85 PID 924 wrote to memory of 2024 924 pjvdj.exe 85 PID 2024 wrote to memory of 404 2024 tnhnhn.exe 86 PID 2024 wrote to memory of 404 2024 tnhnhn.exe 86 PID 2024 wrote to memory of 404 2024 tnhnhn.exe 86 PID 404 wrote to memory of 2408 404 vjvvv.exe 87 PID 404 wrote to memory of 2408 404 vjvvv.exe 87 PID 404 wrote to memory of 2408 404 vjvvv.exe 87 PID 2408 wrote to memory of 5036 2408 ppvvv.exe 88 PID 2408 wrote to memory of 5036 2408 ppvvv.exe 88 PID 2408 wrote to memory of 5036 2408 ppvvv.exe 88 PID 5036 wrote to memory of 1836 5036 nntnnh.exe 89 PID 5036 wrote to memory of 1836 5036 nntnnh.exe 89 PID 5036 wrote to memory of 1836 5036 nntnnh.exe 89 PID 1836 wrote to memory of 3556 1836 vjpjj.exe 90 PID 1836 wrote to memory of 3556 1836 vjpjj.exe 90 PID 1836 wrote to memory of 3556 1836 vjpjj.exe 90 PID 3556 wrote to memory of 4680 3556 xlxrxrr.exe 91 PID 3556 wrote to memory of 4680 3556 xlxrxrr.exe 91 PID 3556 wrote to memory of 4680 3556 xlxrxrr.exe 91 PID 4680 wrote to memory of 2620 4680 rrrrrrr.exe 92 PID 4680 wrote to memory of 2620 4680 rrrrrrr.exe 92 PID 4680 wrote to memory of 2620 4680 rrrrrrr.exe 92 PID 2620 wrote to memory of 4292 2620 xlrlxxr.exe 93 PID 2620 wrote to memory of 4292 
2620 xlrlxxr.exe 93 PID 2620 wrote to memory of 4292 2620 xlrlxxr.exe 93 PID 4292 wrote to memory of 2132 4292 jpdvp.exe 94 PID 4292 wrote to memory of 2132 4292 jpdvp.exe 94 PID 4292 wrote to memory of 2132 4292 jpdvp.exe 94 PID 2132 wrote to memory of 672 2132 fxxrllf.exe 95 PID 2132 wrote to memory of 672 2132 fxxrllf.exe 95 PID 2132 wrote to memory of 672 2132 fxxrllf.exe 95 PID 672 wrote to memory of 676 672 httthh.exe 96 PID 672 wrote to memory of 676 672 httthh.exe 96 PID 672 wrote to memory of 676 672 httthh.exe 96 PID 676 wrote to memory of 2704 676 vdjdp.exe 97 PID 676 wrote to memory of 2704 676 vdjdp.exe 97 PID 676 wrote to memory of 2704 676 vdjdp.exe 97 PID 2704 wrote to memory of 5116 2704 hnbnhh.exe 98 PID 2704 wrote to memory of 5116 2704 hnbnhh.exe 98 PID 2704 wrote to memory of 5116 2704 hnbnhh.exe 98 PID 5116 wrote to memory of 4936 5116 rxllxxr.exe 99 PID 5116 wrote to memory of 4936 5116 rxllxxr.exe 99 PID 5116 wrote to memory of 4936 5116 rxllxxr.exe 99 PID 4936 wrote to memory of 1052 4936 5hnhnn.exe 100 PID 4936 wrote to memory of 1052 4936 5hnhnn.exe 100 PID 4936 wrote to memory of 1052 4936 5hnhnn.exe 100 PID 1052 wrote to memory of 3576 1052 1pppj.exe 101 PID 1052 wrote to memory of 3576 1052 1pppj.exe 101 PID 1052 wrote to memory of 3576 1052 1pppj.exe 101 PID 3576 wrote to memory of 552 3576 xffxrlf.exe 102 PID 3576 wrote to memory of 552 3576 xffxrlf.exe 102 PID 3576 wrote to memory of 552 3576 xffxrlf.exe 102 PID 552 wrote to memory of 1312 552 dvvpp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe"C:\Users\Admin\AppData\Local\Temp\af75537e3b31985c74c1e6506481aa1be3537d8c7fe463a6f811f762ac1c541a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\fxxxrxr.exec:\fxxxrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\fffxxfr.exec:\fffxxfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\pjvdj.exec:\pjvdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\tnhnhn.exec:\tnhnhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\vjvvv.exec:\vjvvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\ppvvv.exec:\ppvvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\nntnnh.exec:\nntnnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\vjpjj.exec:\vjpjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\xlxrxrr.exec:\xlxrxrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\xlrlxxr.exec:\xlrlxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\jpdvp.exec:\jpdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\fxxrllf.exec:\fxxrllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\httthh.exec:\httthh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\vdjdp.exec:\vdjdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\hnbnhh.exec:\hnbnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\rxllxxr.exec:\rxllxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\5hnhnn.exec:\5hnhnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\1pppj.exec:\1pppj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\xffxrlf.exec:\xffxrlf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\dvvpp.exec:\dvvpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\rflfxrl.exec:\rflfxrl.exe23⤵
- Executes dropped EXE
PID:1312 -
\??\c:\tnnbtn.exec:\tnnbtn.exe24⤵
- Executes dropped EXE
PID:3972 -
\??\c:\xllxrxx.exec:\xllxrxx.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2448 -
\??\c:\bntnnh.exec:\bntnnh.exe26⤵
- Executes dropped EXE
PID:1488 -
\??\c:\jdjdv.exec:\jdjdv.exe27⤵
- Executes dropped EXE
PID:2616 -
\??\c:\rrlfllf.exec:\rrlfllf.exe28⤵
- Executes dropped EXE
PID:3808 -
\??\c:\frxrrrl.exec:\frxrrrl.exe29⤵
- Executes dropped EXE
PID:2064 -
\??\c:\flxrlll.exec:\flxrlll.exe30⤵
- Executes dropped EXE
PID:4596 -
\??\c:\httnhh.exec:\httnhh.exe31⤵
- Executes dropped EXE
PID:4348 -
\??\c:\lffxxxr.exec:\lffxxxr.exe32⤵
- Executes dropped EXE
PID:4580 -
\??\c:\ttbttt.exec:\ttbttt.exe33⤵
- Executes dropped EXE
PID:576 -
\??\c:\rrffffr.exec:\rrffffr.exe34⤵
- Executes dropped EXE
PID:3396 -
\??\c:\jvdvp.exec:\jvdvp.exe35⤵
- Executes dropped EXE
PID:748 -
\??\c:\llxxxxf.exec:\llxxxxf.exe36⤵
- Executes dropped EXE
PID:4220 -
\??\c:\hbhhbt.exec:\hbhhbt.exe37⤵
- Executes dropped EXE
PID:2324 -
\??\c:\bnbbtb.exec:\bnbbtb.exe38⤵
- Executes dropped EXE
PID:852 -
\??\c:\5jpvj.exec:\5jpvj.exe39⤵
- Executes dropped EXE
PID:632 -
\??\c:\xxlxfxl.exec:\xxlxfxl.exe40⤵
- Executes dropped EXE
PID:4736 -
\??\c:\9thntt.exec:\9thntt.exe41⤵
- Executes dropped EXE
PID:3064 -
\??\c:\5ntnhh.exec:\5ntnhh.exe42⤵
- Executes dropped EXE
PID:512 -
\??\c:\vpdjd.exec:\vpdjd.exe43⤵
- Executes dropped EXE
PID:3148 -
\??\c:\xlrrllf.exec:\xlrrllf.exe44⤵
- Executes dropped EXE
PID:1072 -
\??\c:\nntbnb.exec:\nntbnb.exe45⤵
- Executes dropped EXE
PID:2176 -
\??\c:\hhnnhh.exec:\hhnnhh.exe46⤵
- Executes dropped EXE
PID:4408 -
\??\c:\ppvpp.exec:\ppvpp.exe47⤵
- Executes dropped EXE
PID:1216 -
\??\c:\frfrlfx.exec:\frfrlfx.exe48⤵
- Executes dropped EXE
PID:4748 -
\??\c:\tnbtnh.exec:\tnbtnh.exe49⤵
- Executes dropped EXE
PID:4280 -
\??\c:\tbnhhh.exec:\tbnhhh.exe50⤵
- Executes dropped EXE
PID:3792 -
\??\c:\dvvpj.exec:\dvvpj.exe51⤵
- Executes dropped EXE
PID:5040 -
\??\c:\llxflxr.exec:\llxflxr.exe52⤵
- Executes dropped EXE
PID:4456 -
\??\c:\bthbhh.exec:\bthbhh.exe53⤵
- Executes dropped EXE
PID:4124 -
\??\c:\vpdvv.exec:\vpdvv.exe54⤵
- Executes dropped EXE
PID:3976 -
\??\c:\pdjdv.exec:\pdjdv.exe55⤵
- Executes dropped EXE
PID:4976 -
\??\c:\xxrfrlf.exec:\xxrfrlf.exe56⤵
- Executes dropped EXE
PID:1636 -
\??\c:\9hnhtn.exec:\9hnhtn.exe57⤵
- Executes dropped EXE
PID:4000 -
\??\c:\9hhtnn.exec:\9hhtnn.exe58⤵
- Executes dropped EXE
PID:4776 -
\??\c:\pvvpd.exec:\pvvpd.exe59⤵
- Executes dropped EXE
PID:932 -
\??\c:\rlrrllx.exec:\rlrrllx.exe60⤵
- Executes dropped EXE
PID:4592 -
\??\c:\3frrxfr.exec:\3frrxfr.exe61⤵
- Executes dropped EXE
PID:4948 -
\??\c:\nhnhtt.exec:\nhnhtt.exe62⤵
- Executes dropped EXE
PID:2832 -
\??\c:\jdpjp.exec:\jdpjp.exe63⤵
- Executes dropped EXE
PID:3388 -
\??\c:\fxfxrrr.exec:\fxfxrrr.exe64⤵
- Executes dropped EXE
PID:1508 -
\??\c:\nntttt.exec:\nntttt.exe65⤵
- Executes dropped EXE
PID:2916 -
\??\c:\3nbbnt.exec:\3nbbnt.exe66⤵PID:1608
-
\??\c:\vjjjd.exec:\vjjjd.exe67⤵PID:348
-
\??\c:\xxxlllx.exec:\xxxlllx.exe68⤵PID:2400
-
\??\c:\nhntnn.exec:\nhntnn.exe69⤵PID:3496
-
\??\c:\bhbtnh.exec:\bhbtnh.exe70⤵PID:4656
-
\??\c:\dppjd.exec:\dppjd.exe71⤵PID:3840
-
\??\c:\xlrlflf.exec:\xlrlflf.exe72⤵PID:3300
-
\??\c:\3ntnbb.exec:\3ntnbb.exe73⤵PID:5072
-
\??\c:\bbhthb.exec:\bbhthb.exe74⤵PID:4608
-
\??\c:\jvvpj.exec:\jvvpj.exe75⤵PID:1184
-
\??\c:\lffrfxl.exec:\lffrfxl.exe76⤵PID:1984
-
\??\c:\hthtnn.exec:\hthtnn.exe77⤵PID:4892
-
\??\c:\jdddv.exec:\jdddv.exe78⤵PID:3436
-
\??\c:\xrxrlrl.exec:\xrxrlrl.exe79⤵PID:1156
-
\??\c:\xrlfllx.exec:\xrlfllx.exe80⤵PID:844
-
\??\c:\3tttnt.exec:\3tttnt.exe81⤵PID:2236
-
\??\c:\vvdjj.exec:\vvdjj.exe82⤵PID:552
-
\??\c:\7jpvp.exec:\7jpvp.exe83⤵PID:3348
-
\??\c:\1flfrxx.exec:\1flfrxx.exe84⤵PID:4028
-
\??\c:\bhbttt.exec:\bhbttt.exe85⤵PID:3972
-
\??\c:\9jppp.exec:\9jppp.exe86⤵PID:1844
-
\??\c:\xrxxllf.exec:\xrxxllf.exe87⤵PID:1908
-
\??\c:\xrrfxfx.exec:\xrrfxfx.exe88⤵PID:3996
-
\??\c:\nnttnn.exec:\nnttnn.exe89⤵PID:4884
-
\??\c:\1fxrffx.exec:\1fxrffx.exe90⤵PID:4928
-
\??\c:\btbbnn.exec:\btbbnn.exe91⤵PID:1592
-
\??\c:\bntnbt.exec:\bntnbt.exe92⤵PID:4872
-
\??\c:\vjjvj.exec:\vjjvj.exe93⤵PID:576
-
\??\c:\lfrrrxf.exec:\lfrrrxf.exe94⤵PID:4120
-
\??\c:\hhbtnt.exec:\hhbtnt.exe95⤵PID:2596
-
\??\c:\jjvjp.exec:\jjvjp.exe96⤵PID:3488
-
\??\c:\jvdvv.exec:\jvdvv.exe97⤵PID:1880
-
\??\c:\xrrlfxx.exec:\xrrlfxx.exe98⤵PID:1876
-
\??\c:\nbhbtn.exec:\nbhbtn.exe99⤵PID:388
-
\??\c:\thtnbb.exec:\thtnbb.exe100⤵PID:2452
-
\??\c:\dvjjv.exec:\dvjjv.exe101⤵PID:3516
-
\??\c:\9llfrrr.exec:\9llfrrr.exe102⤵PID:1712
-
\??\c:\hbnhbt.exec:\hbnhbt.exe103⤵PID:4728
-
\??\c:\jjdvv.exec:\jjdvv.exe104⤵PID:4628
-
\??\c:\9lxrffx.exec:\9lxrffx.exe105⤵PID:1304
-
\??\c:\ntbttn.exec:\ntbttn.exe106⤵PID:1228
-
\??\c:\vvddj.exec:\vvddj.exe107⤵PID:3652
-
\??\c:\dvvpp.exec:\dvvpp.exe108⤵PID:908
-
\??\c:\rffrrlf.exec:\rffrrlf.exe109⤵PID:2556
-
\??\c:\ffrfxlf.exec:\ffrfxlf.exe110⤵PID:3792
-
\??\c:\btbbtt.exec:\btbbtt.exe111⤵PID:5040
-
\??\c:\ddpjv.exec:\ddpjv.exe112⤵PID:4008
-
\??\c:\9frrxlf.exec:\9frrxlf.exe113⤵PID:4076
-
\??\c:\lflfxrl.exec:\lflfxrl.exe114⤵PID:3976
-
\??\c:\nhthbb.exec:\nhthbb.exe115⤵PID:4976
-
\??\c:\jvjjp.exec:\jvjjp.exe116⤵PID:4984
-
\??\c:\xflfrrx.exec:\xflfrrx.exe117⤵PID:3648
-
\??\c:\ttbbtb.exec:\ttbbtb.exe118⤵PID:1576
-
\??\c:\9ddvj.exec:\9ddvj.exe119⤵PID:2388
-
\??\c:\jdddj.exec:\jdddj.exe120⤵PID:4860
-
\??\c:\lffxrrl.exec:\lffxrrl.exe121⤵PID:2688
-
\??\c:\tntnhn.exec:\tntnhn.exe122⤵PID:2056
-