Analysis
-
max time kernel
120s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
23-08-2024 09:19
Behavioral task
behavioral1
Sample
ae932a241807e355c0b9cd2607d65e40N.exe
Resource
win7-20240708-en
windows7-x64
6 signatures
120 seconds
General
-
Target
ae932a241807e355c0b9cd2607d65e40N.exe
-
Size
168KB
-
MD5
ae932a241807e355c0b9cd2607d65e40
-
SHA1
4ba275458cf03bfdfb4478f27941a3f1cf9a2e59
-
SHA256
b85d0f188dc281c5cd10e5ad4090298565ae4c930ba7b733fd707861028f5dc3
-
SHA512
e5afbc8f59395cea7dce211e01a2ef07fb2e47afe4f26941ac1f7143f2b50f7c2b0b5af0b395d3ccdbade7d698316821c15f871027baa6dc537f2a657f8b017e
-
SSDEEP
3072:khOmTsF93UYfwC6GIoutpYcvrqrE66kropO6BWlPFH4t+GNcAX:kcm4FmowdHoSphraHcpOFltH4t+Ib
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2508-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2272-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/348-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3788-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1592-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3472-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2676-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3556-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/964-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2144-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3380-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4156-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3096-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1964-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2884-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3392-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1068-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1960-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1212-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3496-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/536-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/960-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2520-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2096-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2524-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2268-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2816-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1172-445-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4092-449-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4044-477-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1144-484-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1956-612-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4068-614-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4892-627-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-652-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-686-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1560-820-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1220-824-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-1048-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1724-1091-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3228-1443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/868-1797-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 532 djddp.exe 2272 lrlxrlx.exe 348 rxxrfrl.exe 3788 tthtnb.exe 2880 bbthhb.exe 924 dpdpj.exe 1592 bntnht.exe 3472 5bhtbb.exe 2976 jjppd.exe 3088 lxfrxrf.exe 4724 hhnhnn.exe 4872 vdpjv.exe 2676 vjvpv.exe 3556 thbhth.exe 3632 tbhbtn.exe 964 pdvpd.exe 2864 lxxrffr.exe 4932 thtnbt.exe 2144 nbthbb.exe 3380 pdpvp.exe 4408 xlxlrlf.exe 2548 hhbhtb.exe 2296 nttnhb.exe 4156 1pppp.exe 1608 lfxlxrl.exe 2524 xrrlfxr.exe 4860 nhtntt.exe 5104 pjjvv.exe 4696 rlrxflr.exe 3096 hbnhbh.exe 2464 1jjdd.exe 2884 llfllfx.exe 1964 tnnhtt.exe 3336 ttttnh.exe 3580 vpjdp.exe 4820 7jjdv.exe 4556 llllxxr.exe 2024 5ntntt.exe 2472 1hnhtt.exe 4448 pppjj.exe 3392 ddvpd.exe 4968 xrrfrrl.exe 3368 1bnnnn.exe 1068 pvdvd.exe 348 5lrffxf.exe 4972 1xfrlrr.exe 3788 nhtnth.exe 744 bhbhth.exe 1724 7ddvj.exe 1948 1jvpp.exe 2952 7rllxrx.exe 1128 frxrlfx.exe 1960 htbthh.exe 2356 bhhthh.exe 3572 pjvjd.exe 1804 frrrlrr.exe 4588 rrrxrfx.exe 1212 hnnhbb.exe 1524 nbbnbh.exe 3496 ddvpd.exe 536 3djdp.exe 3036 fflxrlf.exe 3600 thnhhh.exe 2864 5hbtnh.exe -
resource yara_rule behavioral2/memory/2508-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00080000000234e3-3.dat upx behavioral2/memory/2508-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e4-10.dat upx behavioral2/memory/2272-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e5-11.dat upx behavioral2/memory/532-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/348-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e6-23.dat upx behavioral2/files/0x00070000000234e7-28.dat upx behavioral2/memory/3788-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e8-33.dat upx behavioral2/memory/2880-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234e9-38.dat upx behavioral2/memory/1592-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ea-43.dat upx behavioral2/files/0x00070000000234eb-48.dat upx behavioral2/memory/2976-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3472-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ec-56.dat upx behavioral2/memory/2976-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ed-61.dat upx behavioral2/memory/3088-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ee-68.dat upx behavioral2/memory/4872-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ef-73.dat upx behavioral2/files/0x00070000000234f0-77.dat upx behavioral2/memory/2676-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f1-82.dat upx behavioral2/memory/3556-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f2-88.dat upx 
behavioral2/memory/3632-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f3-94.dat upx behavioral2/memory/964-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f4-99.dat upx behavioral2/files/0x00070000000234f5-105.dat upx behavioral2/memory/2144-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f6-111.dat upx behavioral2/memory/3380-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f7-117.dat upx behavioral2/files/0x00070000000234f8-121.dat upx behavioral2/memory/4408-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234f9-127.dat upx behavioral2/files/0x00070000000234fa-133.dat upx behavioral2/files/0x00070000000234fb-137.dat upx behavioral2/memory/4156-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1608-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234fc-145.dat upx behavioral2/files/0x00070000000234fd-149.dat upx behavioral2/files/0x00070000000234fe-154.dat upx behavioral2/files/0x00080000000234e1-159.dat upx behavioral2/memory/5104-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234ff-165.dat upx behavioral2/memory/3096-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023500-171.dat upx behavioral2/memory/3096-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023501-177.dat upx behavioral2/memory/2464-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1964-186-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2884-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4556-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2024-205-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3392-215-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3368-220-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2508 wrote to memory of 532 2508 ae932a241807e355c0b9cd2607d65e40N.exe 86 PID 2508 wrote to memory of 532 2508 ae932a241807e355c0b9cd2607d65e40N.exe 86 PID 2508 wrote to memory of 532 2508 ae932a241807e355c0b9cd2607d65e40N.exe 86 PID 532 wrote to memory of 2272 532 djddp.exe 87 PID 532 wrote to memory of 2272 532 djddp.exe 87 PID 532 wrote to memory of 2272 532 djddp.exe 87 PID 2272 wrote to memory of 348 2272 lrlxrlx.exe 88 PID 2272 wrote to memory of 348 2272 lrlxrlx.exe 88 PID 2272 wrote to memory of 348 2272 lrlxrlx.exe 88 PID 348 wrote to memory of 3788 348 rxxrfrl.exe 89 PID 348 wrote to memory of 3788 348 rxxrfrl.exe 89 PID 348 wrote to memory of 3788 348 rxxrfrl.exe 89 PID 3788 wrote to memory of 2880 3788 tthtnb.exe 90 PID 3788 wrote to memory of 2880 3788 tthtnb.exe 90 PID 3788 wrote to memory of 2880 3788 tthtnb.exe 90 PID 2880 wrote to memory of 924 2880 bbthhb.exe 91 PID 2880 wrote to memory of 924 2880 bbthhb.exe 91 PID 2880 wrote to memory of 924 2880 bbthhb.exe 91 PID 924 wrote to memory of 1592 924 dpdpj.exe 92 PID 924 wrote to memory of 1592 924 dpdpj.exe 92 PID 924 wrote to memory of 1592 924 dpdpj.exe 92 PID 1592 wrote to memory of 3472 1592 bntnht.exe 93 PID 1592 wrote to memory of 3472 1592 bntnht.exe 93 PID 1592 wrote to memory of 3472 1592 bntnht.exe 93 PID 3472 wrote to memory of 2976 3472 5bhtbb.exe 94 PID 3472 wrote to memory of 2976 3472 5bhtbb.exe 94 PID 3472 wrote to memory of 2976 3472 5bhtbb.exe 94 PID 2976 wrote to memory of 3088 2976 jjppd.exe 95 PID 2976 wrote to memory of 3088 2976 jjppd.exe 95 PID 2976 wrote to memory of 3088 2976 jjppd.exe 95 PID 3088 wrote to memory of 4724 3088 lxfrxrf.exe 96 PID 3088 wrote to memory of 4724 3088 lxfrxrf.exe 96 PID 3088 wrote to memory of 4724 3088 lxfrxrf.exe 96 PID 4724 wrote to memory of 4872 4724 hhnhnn.exe 97 PID 4724 wrote to memory of 4872 4724 hhnhnn.exe 97 PID 4724 wrote to memory of 4872 4724 hhnhnn.exe 97 PID 4872 wrote to memory of 2676 
4872 vdpjv.exe 98 PID 4872 wrote to memory of 2676 4872 vdpjv.exe 98 PID 4872 wrote to memory of 2676 4872 vdpjv.exe 98 PID 2676 wrote to memory of 3556 2676 vjvpv.exe 99 PID 2676 wrote to memory of 3556 2676 vjvpv.exe 99 PID 2676 wrote to memory of 3556 2676 vjvpv.exe 99 PID 3556 wrote to memory of 3632 3556 thbhth.exe 100 PID 3556 wrote to memory of 3632 3556 thbhth.exe 100 PID 3556 wrote to memory of 3632 3556 thbhth.exe 100 PID 3632 wrote to memory of 964 3632 tbhbtn.exe 101 PID 3632 wrote to memory of 964 3632 tbhbtn.exe 101 PID 3632 wrote to memory of 964 3632 tbhbtn.exe 101 PID 964 wrote to memory of 2864 964 pdvpd.exe 102 PID 964 wrote to memory of 2864 964 pdvpd.exe 102 PID 964 wrote to memory of 2864 964 pdvpd.exe 102 PID 2864 wrote to memory of 4932 2864 lxxrffr.exe 103 PID 2864 wrote to memory of 4932 2864 lxxrffr.exe 103 PID 2864 wrote to memory of 4932 2864 lxxrffr.exe 103 PID 4932 wrote to memory of 2144 4932 thtnbt.exe 104 PID 4932 wrote to memory of 2144 4932 thtnbt.exe 104 PID 4932 wrote to memory of 2144 4932 thtnbt.exe 104 PID 2144 wrote to memory of 3380 2144 nbthbb.exe 105 PID 2144 wrote to memory of 3380 2144 nbthbb.exe 105 PID 2144 wrote to memory of 3380 2144 nbthbb.exe 105 PID 3380 wrote to memory of 4408 3380 pdpvp.exe 106 PID 3380 wrote to memory of 4408 3380 pdpvp.exe 106 PID 3380 wrote to memory of 4408 3380 pdpvp.exe 106 PID 4408 wrote to memory of 2548 4408 xlxlrlf.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae932a241807e355c0b9cd2607d65e40N.exe"C:\Users\Admin\AppData\Local\Temp\ae932a241807e355c0b9cd2607d65e40N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\djddp.exec:\djddp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\lrlxrlx.exec:\lrlxrlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\rxxrfrl.exec:\rxxrfrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\tthtnb.exec:\tthtnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\bbthhb.exec:\bbthhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\dpdpj.exec:\dpdpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\bntnht.exec:\bntnht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\5bhtbb.exec:\5bhtbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\jjppd.exec:\jjppd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\lxfrxrf.exec:\lxfrxrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\hhnhnn.exec:\hhnhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\vdpjv.exec:\vdpjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\vjvpv.exec:\vjvpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\thbhth.exec:\thbhth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\tbhbtn.exec:\tbhbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\pdvpd.exec:\pdvpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\lxxrffr.exec:\lxxrffr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\thtnbt.exec:\thtnbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\nbthbb.exec:\nbthbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\pdpvp.exec:\pdpvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\xlxlrlf.exec:\xlxlrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\hhbhtb.exec:\hhbhtb.exe23⤵
- Executes dropped EXE
PID:2548 -
\??\c:\nttnhb.exec:\nttnhb.exe24⤵
- Executes dropped EXE
PID:2296 -
\??\c:\1pppp.exec:\1pppp.exe25⤵
- Executes dropped EXE
PID:4156 -
\??\c:\lfxlxrl.exec:\lfxlxrl.exe26⤵
- Executes dropped EXE
PID:1608 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe27⤵
- Executes dropped EXE
PID:2524 -
\??\c:\nhtntt.exec:\nhtntt.exe28⤵
- Executes dropped EXE
PID:4860 -
\??\c:\pjjvv.exec:\pjjvv.exe29⤵
- Executes dropped EXE
PID:5104 -
\??\c:\rlrxflr.exec:\rlrxflr.exe30⤵
- Executes dropped EXE
PID:4696 -
\??\c:\hbnhbh.exec:\hbnhbh.exe31⤵
- Executes dropped EXE
PID:3096 -
\??\c:\1jjdd.exec:\1jjdd.exe32⤵
- Executes dropped EXE
PID:2464 -
\??\c:\llfllfx.exec:\llfllfx.exe33⤵
- Executes dropped EXE
PID:2884 -
\??\c:\tnnhtt.exec:\tnnhtt.exe34⤵
- Executes dropped EXE
PID:1964 -
\??\c:\ttttnh.exec:\ttttnh.exe35⤵
- Executes dropped EXE
PID:3336 -
\??\c:\vpjdp.exec:\vpjdp.exe36⤵
- Executes dropped EXE
PID:3580 -
\??\c:\7jjdv.exec:\7jjdv.exe37⤵
- Executes dropped EXE
PID:4820 -
\??\c:\llllxxr.exec:\llllxxr.exe38⤵
- Executes dropped EXE
PID:4556 -
\??\c:\5ntntt.exec:\5ntntt.exe39⤵
- Executes dropped EXE
PID:2024 -
\??\c:\1hnhtt.exec:\1hnhtt.exe40⤵
- Executes dropped EXE
PID:2472 -
\??\c:\pppjj.exec:\pppjj.exe41⤵
- Executes dropped EXE
PID:4448 -
\??\c:\ddvpd.exec:\ddvpd.exe42⤵
- Executes dropped EXE
PID:3392 -
\??\c:\xrrfrrl.exec:\xrrfrrl.exe43⤵
- Executes dropped EXE
PID:4968 -
\??\c:\1bnnnn.exec:\1bnnnn.exe44⤵
- Executes dropped EXE
PID:3368 -
\??\c:\pvdvd.exec:\pvdvd.exe45⤵
- Executes dropped EXE
PID:1068 -
\??\c:\5lrffxf.exec:\5lrffxf.exe46⤵
- Executes dropped EXE
PID:348 -
\??\c:\1xfrlrr.exec:\1xfrlrr.exe47⤵
- Executes dropped EXE
PID:4972 -
\??\c:\nhtnth.exec:\nhtnth.exe48⤵
- Executes dropped EXE
PID:3788 -
\??\c:\bhbhth.exec:\bhbhth.exe49⤵
- Executes dropped EXE
PID:744 -
\??\c:\7ddvj.exec:\7ddvj.exe50⤵
- Executes dropped EXE
PID:1724 -
\??\c:\1jvpp.exec:\1jvpp.exe51⤵
- Executes dropped EXE
PID:1948 -
\??\c:\7rllxrx.exec:\7rllxrx.exe52⤵
- Executes dropped EXE
PID:2952 -
\??\c:\frxrlfx.exec:\frxrlfx.exe53⤵
- Executes dropped EXE
PID:1128 -
\??\c:\htbthh.exec:\htbthh.exe54⤵
- Executes dropped EXE
PID:1960 -
\??\c:\bhhthh.exec:\bhhthh.exe55⤵
- Executes dropped EXE
PID:2356 -
\??\c:\pjvjd.exec:\pjvjd.exe56⤵
- Executes dropped EXE
PID:3572 -
\??\c:\frrrlrr.exec:\frrrlrr.exe57⤵
- Executes dropped EXE
PID:1804 -
\??\c:\rrrxrfx.exec:\rrrxrfx.exe58⤵
- Executes dropped EXE
PID:4588 -
\??\c:\hnnhbb.exec:\hnnhbb.exe59⤵
- Executes dropped EXE
PID:1212 -
\??\c:\nbbnbh.exec:\nbbnbh.exe60⤵
- Executes dropped EXE
PID:1524 -
\??\c:\ddvpd.exec:\ddvpd.exe61⤵
- Executes dropped EXE
PID:3496 -
\??\c:\3djdp.exec:\3djdp.exe62⤵
- Executes dropped EXE
PID:536 -
\??\c:\fflxrlf.exec:\fflxrlf.exe63⤵
- Executes dropped EXE
PID:3036 -
\??\c:\thnhhh.exec:\thnhhh.exe64⤵
- Executes dropped EXE
PID:3600 -
\??\c:\5hbtnh.exec:\5hbtnh.exe65⤵
- Executes dropped EXE
PID:2864 -
\??\c:\ddvdv.exec:\ddvdv.exe66⤵PID:960
-
\??\c:\pjdvv.exec:\pjdvv.exe67⤵PID:1784
-
\??\c:\5rxrlfx.exec:\5rxrlfx.exe68⤵
- System Location Discovery: System Language Discovery
PID:4300 -
\??\c:\7rllfff.exec:\7rllfff.exe69⤵PID:3924
-
\??\c:\3nhbtt.exec:\3nhbtt.exe70⤵PID:2520
-
\??\c:\ntbthb.exec:\ntbthb.exe71⤵PID:3512
-
\??\c:\vvdvp.exec:\vvdvp.exe72⤵PID:4504
-
\??\c:\rlxrllr.exec:\rlxrllr.exe73⤵PID:4060
-
\??\c:\xlxfxrx.exec:\xlxfxrx.exe74⤵PID:1160
-
\??\c:\bhbbth.exec:\bhbbth.exe75⤵PID:2096
-
\??\c:\hbbtnb.exec:\hbbtnb.exe76⤵PID:2524
-
\??\c:\pjdjj.exec:\pjdjj.exe77⤵PID:336
-
\??\c:\9xxrllf.exec:\9xxrllf.exe78⤵PID:3396
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe79⤵PID:4892
-
\??\c:\hbhnhb.exec:\hbhnhb.exe80⤵PID:692
-
\??\c:\thhbtn.exec:\thhbtn.exe81⤵PID:3096
-
\??\c:\pjjjv.exec:\pjjjv.exe82⤵PID:2268
-
\??\c:\vjvpd.exec:\vjvpd.exe83⤵PID:4072
-
\??\c:\xrlrffx.exec:\xrlrffx.exe84⤵PID:4084
-
\??\c:\frrrffx.exec:\frrrffx.exe85⤵PID:2816
-
\??\c:\nnbtnn.exec:\nnbtnn.exe86⤵PID:3024
-
\??\c:\dvdvd.exec:\dvdvd.exe87⤵PID:1632
-
\??\c:\pjpjd.exec:\pjpjd.exe88⤵PID:4320
-
\??\c:\lffxrrl.exec:\lffxrrl.exe89⤵PID:5028
-
\??\c:\xlrrllf.exec:\xlrrllf.exe90⤵PID:5032
-
\??\c:\7ttnhn.exec:\7ttnhn.exe91⤵PID:4964
-
\??\c:\thtnhh.exec:\thtnhh.exe92⤵PID:4868
-
\??\c:\jddvd.exec:\jddvd.exe93⤵PID:4536
-
\??\c:\3fxlfff.exec:\3fxlfff.exe94⤵PID:212
-
\??\c:\fxxrrrl.exec:\fxxrrrl.exe95⤵PID:4736
-
\??\c:\nbtbnb.exec:\nbtbnb.exe96⤵PID:4992
-
\??\c:\bthnhh.exec:\bthnhh.exe97⤵PID:3240
-
\??\c:\5jjdv.exec:\5jjdv.exe98⤵PID:4972
-
\??\c:\rflfxxx.exec:\rflfxxx.exe99⤵PID:1012
-
\??\c:\thhnnt.exec:\thhnnt.exe100⤵PID:744
-
\??\c:\ttbtbb.exec:\ttbtbb.exe101⤵PID:1724
-
\??\c:\7vdvv.exec:\7vdvv.exe102⤵PID:1948
-
\??\c:\dvvpp.exec:\dvvpp.exe103⤵PID:2952
-
\??\c:\rllfxxr.exec:\rllfxxr.exe104⤵PID:4164
-
\??\c:\rlxlfff.exec:\rlxlfff.exe105⤵PID:448
-
\??\c:\bttnht.exec:\bttnht.exe106⤵PID:2588
-
\??\c:\hthttn.exec:\hthttn.exe107⤵PID:4412
-
\??\c:\vpvpd.exec:\vpvpd.exe108⤵PID:3952
-
\??\c:\fxxlxxr.exec:\fxxlxxr.exe109⤵PID:384
-
\??\c:\xrrfllx.exec:\xrrfllx.exe110⤵PID:4948
-
\??\c:\tnnhbb.exec:\tnnhbb.exe111⤵PID:4876
-
\??\c:\pvddv.exec:\pvddv.exe112⤵PID:964
-
\??\c:\ddvpj.exec:\ddvpj.exe113⤵PID:1172
-
\??\c:\fffxrll.exec:\fffxrll.exe114⤵PID:4092
-
\??\c:\lrxfflf.exec:\lrxfflf.exe115⤵PID:2408
-
\??\c:\nnhbbn.exec:\nnhbbn.exe116⤵PID:4540
-
\??\c:\3vdvj.exec:\3vdvj.exe117⤵PID:4616
-
\??\c:\vjdpj.exec:\vjdpj.exe118⤵PID:3100
-
\??\c:\fllxrll.exec:\fllxrll.exe119⤵PID:668
-
\??\c:\1bhbnn.exec:\1bhbnn.exe120⤵PID:1748
-
\??\c:\hbhnhb.exec:\hbhnhb.exe121⤵PID:3592
-
\??\c:\9vppj.exec:\9vppj.exe122⤵PID:4088