Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20240802-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
19-09-2024 05:45
Behavioral task
behavioral1
Sample
32f46b134e4cfe0a9b3e0b9770b3740d09360ccfdf48022aa65482820d0ccd63N.exe
Resource
win7-20240903-en (Windows 7 run). Note: every signature hit listed below is tagged behavioral2, i.e. the Windows 10 2004 x64 run named in the Analysis header; the IoCs from this Windows 7 run are not reproduced on this page.
6 signatures
120 seconds
General
-
Target
32f46b134e4cfe0a9b3e0b9770b3740d09360ccfdf48022aa65482820d0ccd63N.exe
-
Size
460KB
-
MD5
e6ceb161f79574f72b48a93f25148f80
-
SHA1
67c199e652930fe998599a05db596f479e4fcfad
-
SHA256
32f46b134e4cfe0a9b3e0b9770b3740d09360ccfdf48022aa65482820d0ccd63
-
SHA512
75b090cccf97271294ff098d347b0aeb99902cf0c3ee78ae72f192dad1e40382fffb79f496e2f7bdaa232623e089274341ecc41f06559dc0687b82333d40d474
-
SSDEEP
12288:J4wFHoSTeR0oQRkay+eFp3IDvSbh5nPVP+OKaf1VM:VeR0oykayRFp3lztP+OKaf1VM
Malware Config — no extracted configuration is listed for this sample.
Signatures
-
Detect Blackmoon payload — 62 IoCs (YARA rule family_blackmoon). Every hit is the same 0x00400000–0x0043A000 image region of a process in the chain below, and the same regions are also matched by the `upx` rule, which is consistent with one UPX-packed Blackmoon-family binary being re-dropped and re-executed rather than distinct payloads being injected; confirm by diffing a few of the memory dumps.
resource yara_rule behavioral2/memory/2724-6-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1476-10-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2920-17-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/220-25-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3748-39-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4224-31-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3504-24-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1504-47-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2096-54-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/428-60-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2752-66-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2000-78-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2796-80-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2080-94-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3000-100-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/5012-106-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1112-111-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/440-126-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4416-124-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1820-145-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1796-153-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon 
behavioral2/memory/3704-159-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1416-173-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4704-180-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2836-190-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3108-194-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2380-198-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3536-202-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/616-209-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/5112-225-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4200-229-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4240-242-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4948-246-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2208-256-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/332-257-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2228-267-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2072-274-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2116-287-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/116-294-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4928-304-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2000-320-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4972-327-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon 
behavioral2/memory/4120-352-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4416-356-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/440-360-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2812-364-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1776-377-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3232-387-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2344-403-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1664-410-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4860-429-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/640-448-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2228-464-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2304-474-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2648-523-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3156-530-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2504-534-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/3308-568-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4704-593-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/2692-768-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/4868-823-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon behavioral2/memory/1420-963-0x0000000000400000-0x000000000043A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list is capped at 64; the Processes tree below shows the chain continuing past 120 generations). Each dropped file is written to the root of c:\ under a short random-looking name (see the `\??\c:\*.exe` entries in Processes), which is a useful hunting indicator. The heading for the third rule list that follows the PID table (entries ending in `upx`) is missing from this page; those are UPX packer matches on the same dropped files and memory regions.
pid Process 1476 7jpjp.exe 2920 xflfxxr.exe 3504 jvpvv.exe 220 llrlfxr.exe 4224 tnhbnb.exe 3748 bnhtnb.exe 1504 jdvjv.exe 2096 5vdjj.exe 428 htthbt.exe 2752 ppdvp.exe 1608 hntnnn.exe 2000 xxlfxxx.exe 2796 9vvpj.exe 4960 jvvpj.exe 2080 lrxxffx.exe 3000 pddvp.exe 5012 nhhbtn.exe 1112 9llfrrl.exe 388 xlxrffx.exe 4416 9pjdv.exe 440 rffxrrl.exe 2040 rlxrlrr.exe 4228 thnhhh.exe 1820 1xrlrrf.exe 624 hbbtnn.exe 1796 xllfxrl.exe 3704 rllffxr.exe 1656 dddpp.exe 1416 5nnbtt.exe 4704 fxlflxl.exe 2036 vddvv.exe 2836 9ffxrlf.exe 3108 tntnhb.exe 2380 jvddv.exe 3536 lllxllf.exe 2536 bbnnbt.exe 616 jppjd.exe 2308 djpjj.exe 2004 xlllxrl.exe 2448 nbbtnh.exe 2172 dpppp.exe 5112 vpppj.exe 4200 xfrllrl.exe 5108 tnhbtt.exe 4540 xllxrlx.exe 4980 htbnhb.exe 4240 vpvpv.exe 4948 lrrrllf.exe 3268 htthbb.exe 1528 hbbtnh.exe 2208 1jdvj.exe 332 xrrlxrr.exe 4328 nhhtnh.exe 2228 nbbthh.exe 2724 jpvjd.exe 2072 rllfxfx.exe 4196 3xrlffx.exe 1980 btttnh.exe 3892 pvvpp.exe 2116 xrrxrrl.exe 4124 xxfrllf.exe 116 nhtnnn.exe 4812 7vdvj.exe 4744 dvddp.exe -
resource yara_rule behavioral2/memory/2724-0-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x0009000000023457-5.dat upx behavioral2/memory/2724-6-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/1476-10-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00090000000234b4-11.dat upx behavioral2/files/0x00070000000234bb-13.dat upx behavioral2/memory/2920-17-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234bc-21.dat upx behavioral2/memory/220-25-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234bd-28.dat upx behavioral2/files/0x00070000000234be-34.dat upx behavioral2/memory/3748-39-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234bf-41.dat upx behavioral2/memory/4224-31-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/3504-24-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/1504-47-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234c0-45.dat upx behavioral2/files/0x00070000000234c2-52.dat upx behavioral2/memory/428-55-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/2096-54-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234c3-58.dat upx behavioral2/memory/428-60-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234c4-64.dat upx behavioral2/memory/2752-66-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234c5-71.dat upx behavioral2/files/0x00070000000234c6-75.dat upx behavioral2/memory/2000-78-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/2796-80-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234c7-83.dat upx behavioral2/files/0x00070000000234c8-88.dat upx behavioral2/files/0x00070000000234c9-92.dat upx 
behavioral2/memory/2080-94-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00080000000234b8-98.dat upx behavioral2/memory/3000-100-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234ca-104.dat upx behavioral2/memory/5012-106-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/1112-111-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234cb-113.dat upx behavioral2/files/0x00070000000234cd-116.dat upx behavioral2/files/0x00070000000234ce-122.dat upx behavioral2/memory/440-126-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/4416-124-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234cf-128.dat upx behavioral2/files/0x00070000000234d0-135.dat upx behavioral2/memory/4228-136-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234d1-140.dat upx behavioral2/files/0x00070000000234d2-146.dat upx behavioral2/memory/1820-145-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/1796-153-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234d3-151.dat upx behavioral2/files/0x00070000000234d4-156.dat upx behavioral2/memory/3704-159-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234d5-162.dat upx behavioral2/files/0x00070000000234d6-167.dat upx behavioral2/files/0x00070000000234d7-174.dat upx behavioral2/memory/1416-173-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234d8-178.dat upx behavioral2/memory/4704-180-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/files/0x00070000000234d9-184.dat upx behavioral2/memory/2836-190-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/3108-194-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/2380-198-0x0000000000400000-0x000000000043A000-memory.dmp upx 
behavioral2/memory/3536-202-0x0000000000400000-0x000000000043A000-memory.dmp upx behavioral2/memory/616-209-0x0000000000400000-0x000000000043A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP (MITRE ATT&CK T1614.001), 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Here each hit is a read of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`; the many `Process not Found` entries appear to be reads the sandbox could not attribute to a tracked process (likely short-lived children), so treat the per-process attribution as incomplete. Note this key is also read by benign runtimes, so it is a weak indicator on its own.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdv.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (list capped at 64). Each parent/child pair appears three times, and every entry is the parent writing into the child it has just created; this pattern is typically the writes performed during process creation rather than code injection into an unrelated process, so the signature here mainly documents the linear spawn chain (each process launches the next) rather than a separate injection technique.
description pid Process procid_target PID 2724 wrote to memory of 1476 2724 32f46b134e4cfe0a9b3e0b9770b3740d09360ccfdf48022aa65482820d0ccd63N.exe 82 PID 2724 wrote to memory of 1476 2724 32f46b134e4cfe0a9b3e0b9770b3740d09360ccfdf48022aa65482820d0ccd63N.exe 82 PID 2724 wrote to memory of 1476 2724 32f46b134e4cfe0a9b3e0b9770b3740d09360ccfdf48022aa65482820d0ccd63N.exe 82 PID 1476 wrote to memory of 2920 1476 7jpjp.exe 83 PID 1476 wrote to memory of 2920 1476 7jpjp.exe 83 PID 1476 wrote to memory of 2920 1476 7jpjp.exe 83 PID 2920 wrote to memory of 3504 2920 xflfxxr.exe 84 PID 2920 wrote to memory of 3504 2920 xflfxxr.exe 84 PID 2920 wrote to memory of 3504 2920 xflfxxr.exe 84 PID 3504 wrote to memory of 220 3504 jvpvv.exe 85 PID 3504 wrote to memory of 220 3504 jvpvv.exe 85 PID 3504 wrote to memory of 220 3504 jvpvv.exe 85 PID 220 wrote to memory of 4224 220 llrlfxr.exe 86 PID 220 wrote to memory of 4224 220 llrlfxr.exe 86 PID 220 wrote to memory of 4224 220 llrlfxr.exe 86 PID 4224 wrote to memory of 3748 4224 tnhbnb.exe 87 PID 4224 wrote to memory of 3748 4224 tnhbnb.exe 87 PID 4224 wrote to memory of 3748 4224 tnhbnb.exe 87 PID 3748 wrote to memory of 1504 3748 bnhtnb.exe 88 PID 3748 wrote to memory of 1504 3748 bnhtnb.exe 88 PID 3748 wrote to memory of 1504 3748 bnhtnb.exe 88 PID 1504 wrote to memory of 2096 1504 jdvjv.exe 89 PID 1504 wrote to memory of 2096 1504 jdvjv.exe 89 PID 1504 wrote to memory of 2096 1504 jdvjv.exe 89 PID 2096 wrote to memory of 428 2096 5vdjj.exe 90 PID 2096 wrote to memory of 428 2096 5vdjj.exe 90 PID 2096 wrote to memory of 428 2096 5vdjj.exe 90 PID 428 wrote to memory of 2752 428 htthbt.exe 91 PID 428 wrote to memory of 2752 428 htthbt.exe 91 PID 428 wrote to memory of 2752 428 htthbt.exe 91 PID 2752 wrote to memory of 1608 2752 ppdvp.exe 92 PID 2752 wrote to memory of 1608 2752 ppdvp.exe 92 PID 2752 wrote to memory of 1608 2752 ppdvp.exe 92 PID 1608 wrote to memory of 2000 1608 hntnnn.exe 93 PID 1608 wrote to memory of 2000 1608 
hntnnn.exe 93 PID 1608 wrote to memory of 2000 1608 hntnnn.exe 93 PID 2000 wrote to memory of 2796 2000 xxlfxxx.exe 94 PID 2000 wrote to memory of 2796 2000 xxlfxxx.exe 94 PID 2000 wrote to memory of 2796 2000 xxlfxxx.exe 94 PID 2796 wrote to memory of 4960 2796 9vvpj.exe 95 PID 2796 wrote to memory of 4960 2796 9vvpj.exe 95 PID 2796 wrote to memory of 4960 2796 9vvpj.exe 95 PID 4960 wrote to memory of 2080 4960 jvvpj.exe 96 PID 4960 wrote to memory of 2080 4960 jvvpj.exe 96 PID 4960 wrote to memory of 2080 4960 jvvpj.exe 96 PID 2080 wrote to memory of 3000 2080 lrxxffx.exe 97 PID 2080 wrote to memory of 3000 2080 lrxxffx.exe 97 PID 2080 wrote to memory of 3000 2080 lrxxffx.exe 97 PID 3000 wrote to memory of 5012 3000 pddvp.exe 98 PID 3000 wrote to memory of 5012 3000 pddvp.exe 98 PID 3000 wrote to memory of 5012 3000 pddvp.exe 98 PID 5012 wrote to memory of 1112 5012 nhhbtn.exe 99 PID 5012 wrote to memory of 1112 5012 nhhbtn.exe 99 PID 5012 wrote to memory of 1112 5012 nhhbtn.exe 99 PID 1112 wrote to memory of 388 1112 9llfrrl.exe 100 PID 1112 wrote to memory of 388 1112 9llfrrl.exe 100 PID 1112 wrote to memory of 388 1112 9llfrrl.exe 100 PID 388 wrote to memory of 4416 388 xlxrffx.exe 101 PID 388 wrote to memory of 4416 388 xlxrffx.exe 101 PID 388 wrote to memory of 4416 388 xlxrffx.exe 101 PID 4416 wrote to memory of 440 4416 9pjdv.exe 102 PID 4416 wrote to memory of 440 4416 9pjdv.exe 102 PID 4416 wrote to memory of 440 4416 9pjdv.exe 102 PID 440 wrote to memory of 2040 440 rffxrrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\32f46b134e4cfe0a9b3e0b9770b3740d09360ccfdf48022aa65482820d0ccd63N.exe"C:\Users\Admin\AppData\Local\Temp\32f46b134e4cfe0a9b3e0b9770b3740d09360ccfdf48022aa65482820d0ccd63N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\7jpjp.exec:\7jpjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\xflfxxr.exec:\xflfxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\jvpvv.exec:\jvpvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\llrlfxr.exec:\llrlfxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\tnhbnb.exec:\tnhbnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\bnhtnb.exec:\bnhtnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\jdvjv.exec:\jdvjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\5vdjj.exec:\5vdjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\htthbt.exec:\htthbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\ppdvp.exec:\ppdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\hntnnn.exec:\hntnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\xxlfxxx.exec:\xxlfxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\9vvpj.exec:\9vvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\jvvpj.exec:\jvvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\lrxxffx.exec:\lrxxffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\pddvp.exec:\pddvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\nhhbtn.exec:\nhhbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\9llfrrl.exec:\9llfrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\xlxrffx.exec:\xlxrffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\9pjdv.exec:\9pjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\rffxrrl.exec:\rffxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\rlxrlrr.exec:\rlxrlrr.exe23⤵
- Executes dropped EXE
PID:2040 -
\??\c:\thnhhh.exec:\thnhhh.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4228 -
\??\c:\1xrlrrf.exec:\1xrlrrf.exe25⤵
- Executes dropped EXE
PID:1820 -
\??\c:\hbbtnn.exec:\hbbtnn.exe26⤵
- Executes dropped EXE
PID:624 -
\??\c:\xllfxrl.exec:\xllfxrl.exe27⤵
- Executes dropped EXE
PID:1796 -
\??\c:\rllffxr.exec:\rllffxr.exe28⤵
- Executes dropped EXE
PID:3704 -
\??\c:\dddpp.exec:\dddpp.exe29⤵
- Executes dropped EXE
PID:1656 -
\??\c:\5nnbtt.exec:\5nnbtt.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1416 -
\??\c:\fxlflxl.exec:\fxlflxl.exe31⤵
- Executes dropped EXE
PID:4704 -
\??\c:\vddvv.exec:\vddvv.exe32⤵
- Executes dropped EXE
PID:2036 -
\??\c:\9ffxrlf.exec:\9ffxrlf.exe33⤵
- Executes dropped EXE
PID:2836 -
\??\c:\tntnhb.exec:\tntnhb.exe34⤵
- Executes dropped EXE
PID:3108 -
\??\c:\jvddv.exec:\jvddv.exe35⤵
- Executes dropped EXE
PID:2380 -
\??\c:\lllxllf.exec:\lllxllf.exe36⤵
- Executes dropped EXE
PID:3536 -
\??\c:\bbnnbt.exec:\bbnnbt.exe37⤵
- Executes dropped EXE
PID:2536 -
\??\c:\jppjd.exec:\jppjd.exe38⤵
- Executes dropped EXE
PID:616 -
\??\c:\djpjj.exec:\djpjj.exe39⤵
- Executes dropped EXE
PID:2308 -
\??\c:\xlllxrl.exec:\xlllxrl.exe40⤵
- Executes dropped EXE
PID:2004 -
\??\c:\nbbtnh.exec:\nbbtnh.exe41⤵
- Executes dropped EXE
PID:2448 -
\??\c:\dpppp.exec:\dpppp.exe42⤵
- Executes dropped EXE
PID:2172 -
\??\c:\vpppj.exec:\vpppj.exe43⤵
- Executes dropped EXE
PID:5112 -
\??\c:\xfrllrl.exec:\xfrllrl.exe44⤵
- Executes dropped EXE
PID:4200 -
\??\c:\tnhbtt.exec:\tnhbtt.exe45⤵
- Executes dropped EXE
PID:5108 -
\??\c:\xllxrlx.exec:\xllxrlx.exe46⤵
- Executes dropped EXE
PID:4540 -
\??\c:\htbnhb.exec:\htbnhb.exe47⤵
- Executes dropped EXE
PID:4980 -
\??\c:\vpvpv.exec:\vpvpv.exe48⤵
- Executes dropped EXE
PID:4240 -
\??\c:\lrrrllf.exec:\lrrrllf.exe49⤵
- Executes dropped EXE
PID:4948 -
\??\c:\htthbb.exec:\htthbb.exe50⤵
- Executes dropped EXE
PID:3268 -
\??\c:\hbbtnh.exec:\hbbtnh.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
\??\c:\1jdvj.exec:\1jdvj.exe52⤵
- Executes dropped EXE
PID:2208 -
\??\c:\xrrlxrr.exec:\xrrlxrr.exe53⤵
- Executes dropped EXE
PID:332 -
\??\c:\nhhtnh.exec:\nhhtnh.exe54⤵
- Executes dropped EXE
PID:4328 -
\??\c:\nbbthh.exec:\nbbthh.exe55⤵
- Executes dropped EXE
PID:2228 -
\??\c:\jpvjd.exec:\jpvjd.exe56⤵
- Executes dropped EXE
PID:2724 -
\??\c:\rllfxfx.exec:\rllfxfx.exe57⤵
- Executes dropped EXE
PID:2072 -
\??\c:\3xrlffx.exec:\3xrlffx.exe58⤵
- Executes dropped EXE
PID:4196 -
\??\c:\btttnh.exec:\btttnh.exe59⤵
- Executes dropped EXE
PID:1980 -
\??\c:\pvvpp.exec:\pvvpp.exe60⤵
- Executes dropped EXE
PID:3892 -
\??\c:\xrrxrrl.exec:\xrrxrrl.exe61⤵
- Executes dropped EXE
PID:2116 -
\??\c:\xxfrllf.exec:\xxfrllf.exe62⤵
- Executes dropped EXE
PID:4124 -
\??\c:\nhtnnn.exec:\nhtnnn.exe63⤵
- Executes dropped EXE
PID:116 -
\??\c:\7vdvj.exec:\7vdvj.exe64⤵
- Executes dropped EXE
PID:4812 -
\??\c:\dvddp.exec:\dvddp.exe65⤵
- Executes dropped EXE
PID:4744 -
\??\c:\ntbtnn.exec:\ntbtnn.exe66⤵PID:4928
-
\??\c:\7vddd.exec:\7vddd.exe67⤵PID:4872
-
\??\c:\frlxllf.exec:\frlxllf.exe68⤵PID:3492
-
\??\c:\3xrlffx.exec:\3xrlffx.exe69⤵PID:5016
-
\??\c:\hhnnbb.exec:\hhnnbb.exe70⤵PID:3860
-
\??\c:\jppjv.exec:\jppjv.exe71⤵PID:2000
-
\??\c:\frxrlfr.exec:\frxrlfr.exe72⤵
- System Location Discovery: System Language Discovery
PID:2364 -
\??\c:\tbhhbb.exec:\tbhhbb.exe73⤵PID:4972
-
\??\c:\pjjdp.exec:\pjjdp.exe74⤵PID:2244
-
\??\c:\rxrlfxr.exec:\rxrlfxr.exe75⤵PID:4932
-
\??\c:\nnnnhb.exec:\nnnnhb.exe76⤵PID:1172
-
\??\c:\pvjjd.exec:\pvjjd.exe77⤵PID:3784
-
\??\c:\5pvvp.exec:\5pvvp.exe78⤵PID:4600
-
\??\c:\llllxlf.exec:\llllxlf.exe79⤵PID:4996
-
\??\c:\9ttttn.exec:\9ttttn.exe80⤵PID:4236
-
\??\c:\7pvpd.exec:\7pvpd.exe81⤵PID:4120
-
\??\c:\rflfrrl.exec:\rflfrrl.exe82⤵PID:4416
-
\??\c:\tntbtt.exec:\tntbtt.exe83⤵PID:440
-
\??\c:\ppdvp.exec:\ppdvp.exe84⤵PID:2812
-
\??\c:\jjpjd.exec:\jjpjd.exe85⤵PID:2248
-
\??\c:\nbhttt.exec:\nbhttt.exe86⤵PID:4492
-
\??\c:\5thbbb.exec:\5thbbb.exe87⤵PID:3308
-
\??\c:\jpppd.exec:\jpppd.exe88⤵PID:1776
-
\??\c:\llrlffx.exec:\llrlffx.exe89⤵PID:624
-
\??\c:\tntnhh.exec:\tntnhh.exe90⤵PID:3824
-
\??\c:\ddpjp.exec:\ddpjp.exe91⤵PID:3232
-
\??\c:\ddddj.exec:\ddddj.exe92⤵PID:4864
-
\??\c:\7rlfxxr.exec:\7rlfxxr.exe93⤵PID:4904
-
\??\c:\fxxrrrl.exec:\fxxrrrl.exe94⤵PID:3752
-
\??\c:\tbhhtb.exec:\tbhhtb.exe95⤵PID:4704
-
\??\c:\vvdvp.exec:\vvdvp.exe96⤵PID:2344
-
\??\c:\vddvp.exec:\vddvp.exe97⤵PID:1216
-
\??\c:\frfxrrl.exec:\frfxrrl.exe98⤵PID:1664
-
\??\c:\nnnnhh.exec:\nnnnhh.exe99⤵PID:3536
-
\??\c:\nbbbnn.exec:\nbbbnn.exe100⤵PID:2536
-
\??\c:\5dddv.exec:\5dddv.exe101⤵PID:828
-
\??\c:\pvvpj.exec:\pvvpj.exe102⤵PID:4964
-
\??\c:\7rrfxxl.exec:\7rrfxxl.exe103⤵PID:3404
-
\??\c:\hbhtnt.exec:\hbhtnt.exe104⤵PID:4860
-
\??\c:\bttnbb.exec:\bttnbb.exe105⤵PID:2352
-
\??\c:\jvpvp.exec:\jvpvp.exe106⤵PID:5088
-
\??\c:\llrrlrr.exec:\llrrlrr.exe107⤵PID:1884
-
\??\c:\rrxrllf.exec:\rrxrllf.exe108⤵PID:1736
-
\??\c:\nbttnh.exec:\nbttnh.exe109⤵PID:4288
-
\??\c:\5ppjd.exec:\5ppjd.exe110⤵PID:640
-
\??\c:\jdvpj.exec:\jdvpj.exe111⤵PID:2932
-
\??\c:\1ffxlfl.exec:\1ffxlfl.exe112⤵PID:4868
-
\??\c:\tttnbb.exec:\tttnbb.exe113⤵PID:4316
-
\??\c:\vjjdp.exec:\vjjdp.exe114⤵PID:2928
-
\??\c:\rrxlxrf.exec:\rrxlxrf.exe115⤵PID:2228
-
\??\c:\lxrlxrl.exec:\lxrlxrl.exe116⤵PID:2724
-
\??\c:\bhnhbt.exec:\bhnhbt.exe117⤵PID:2072
-
\??\c:\xxrrlll.exec:\xxrrlll.exe118⤵PID:2304
-
\??\c:\3bnhth.exec:\3bnhth.exe119⤵PID:3504
-
\??\c:\dvddd.exec:\dvddd.exe120⤵PID:3892
-
\??\c:\9pjdp.exec:\9pjdp.exe121⤵PID:4060
-
\??\c:\7xrlxxx.exec:\7xrlxxx.exe122⤵PID:4880