Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
16/12/2024, 19:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ae85323574cd6ac4396e979b11354a0bdb30ecf191902067ca3147bef54dd3fcN.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
ae85323574cd6ac4396e979b11354a0bdb30ecf191902067ca3147bef54dd3fcN.exe
-
Size
454KB
-
MD5
e62247797350d0e675fb3a4d390615e0
-
SHA1
bf1d68597d168b65dc16b7798392cf64dd459ea7
-
SHA256
ae85323574cd6ac4396e979b11354a0bdb30ecf191902067ca3147bef54dd3fc
-
SHA512
191609dc5c085a6b414958b2736dc2a9e293fa1a7d1a57b68ce27c00e3fefc9f675f989cd2791362b2635036a0ee7a1a6a6ac16dcde145c4fd242c59198a5033
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeaCi:q7Tc2NYHUrAwfMp3CDri
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4624-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2632-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3012-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-1056-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-1263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2636 3frllll.exe 4364 dvvdj.exe 916 bbhbbb.exe 552 5rlxrlf.exe 3488 bhbtnn.exe 2824 lflfxxr.exe 2304 xrlrlrl.exe 2580 7ppjd.exe 2280 fxxrxfx.exe 3028 7ppjd.exe 1148 fffrfrr.exe 4052 vjpdd.exe 832 7lfxllf.exe 3004 tntttt.exe 208 5vdvv.exe 3504 nhhhbt.exe 3704 ppvpp.exe 2676 bttnnh.exe 4700 bnhhbb.exe 1492 hbhtnt.exe 60 dvpjd.exe 1656 rflfffl.exe 2936 dvvpj.exe 412 jjjdp.exe 2632 llfxrrr.exe 1588 jdvpd.exe 1960 bttnnh.exe 1496 pvvvp.exe 2336 thtnhh.exe 4044 jvvdv.exe 4460 fxfxffl.exe 4448 rrrxlxx.exe 1172 7jvpj.exe 4868 7hhbnn.exe 1192 hnbbtt.exe 5092 fxrllrl.exe 3224 9fffxfx.exe 1696 thtnht.exe 2688 pdvpp.exe 1628 xfrlxxx.exe 1800 tnhhbn.exe 1184 ddjdj.exe 2076 rflflfl.exe 2908 hntnnh.exe 3124 jpdpj.exe 1532 fflfxrf.exe 3608 flrlxrl.exe 4464 btnbtn.exe 460 vdjpd.exe 3716 3xxrfff.exe 3668 hnbtnn.exe 1508 dpvpd.exe 4076 vvvdj.exe 4400 7lfxrrl.exe 2604 bthbhb.exe 648 jdvpj.exe 4352 xrlfxrl.exe 3556 thbnbt.exe 2360 thhbtt.exe 2340 vpjdv.exe 1804 1rrrllf.exe 1644 hnnhhb.exe 3488 pddvj.exe 5004 jvpvj.exe -
resource yara_rule behavioral2/memory/4624-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1496-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1312-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-787-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
bntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
7ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4624 wrote to memory of 2636 4624 ae85323574cd6ac4396e979b11354a0bdb30ecf191902067ca3147bef54dd3fcN.exe 82 PID 4624 wrote to memory of 2636 4624 ae85323574cd6ac4396e979b11354a0bdb30ecf191902067ca3147bef54dd3fcN.exe 82 PID 4624 wrote to memory of 2636 4624 ae85323574cd6ac4396e979b11354a0bdb30ecf191902067ca3147bef54dd3fcN.exe 82 PID 2636 wrote to memory of 4364 2636 3frllll.exe 83 PID 2636 wrote to memory of 4364 2636 3frllll.exe 83 PID 2636 wrote to memory of 4364 2636 3frllll.exe 83 PID 4364 wrote to memory of 916 4364 dvvdj.exe 84 PID 4364 wrote to memory of 916 4364 dvvdj.exe 84 PID 4364 wrote to memory of 916 4364 dvvdj.exe 84 PID 916 wrote to memory of 552 916 bbhbbb.exe 85 PID 916 wrote to memory of 552 916 bbhbbb.exe 85 PID 916 wrote to memory of 552 916 bbhbbb.exe 85 PID 552 wrote to memory of 3488 552 5rlxrlf.exe 86 PID 552 wrote to memory of 3488 552 5rlxrlf.exe 86 PID 552 wrote to memory of 3488 552 5rlxrlf.exe 86 PID 3488 wrote to memory of 2824 3488 bhbtnn.exe 87 PID 3488 wrote to memory of 2824 3488 bhbtnn.exe 87 PID 3488 wrote to memory of 2824 3488 bhbtnn.exe 87 PID 2824 wrote to memory of 2304 2824 lflfxxr.exe 88 PID 2824 wrote to memory of 2304 2824 lflfxxr.exe 88 PID 2824 wrote to memory of 2304 2824 lflfxxr.exe 88 PID 2304 wrote to memory of 2580 2304 xrlrlrl.exe 89 PID 2304 wrote to memory of 2580 2304 xrlrlrl.exe 89 PID 2304 wrote to memory of 2580 2304 xrlrlrl.exe 89 PID 2580 wrote to memory of 2280 2580 7ppjd.exe 90 PID 2580 wrote to memory of 2280 2580 7ppjd.exe 90 PID 2580 wrote to memory of 2280 2580 7ppjd.exe 90 PID 2280 wrote to memory of 3028 2280 fxxrxfx.exe 91 PID 2280 wrote to memory of 3028 2280 fxxrxfx.exe 91 PID 2280 wrote to memory of 3028 2280 fxxrxfx.exe 91 PID 3028 wrote to memory of 1148 3028 7ppjd.exe 92 PID 3028 wrote to memory of 1148 3028 7ppjd.exe 92 PID 3028 wrote to memory of 1148 3028 7ppjd.exe 92 PID 1148 wrote to memory of 4052 1148 fffrfrr.exe 93 PID 1148 wrote to memory of 
4052 1148 fffrfrr.exe 93 PID 1148 wrote to memory of 4052 1148 fffrfrr.exe 93 PID 4052 wrote to memory of 832 4052 vjpdd.exe 94 PID 4052 wrote to memory of 832 4052 vjpdd.exe 94 PID 4052 wrote to memory of 832 4052 vjpdd.exe 94 PID 832 wrote to memory of 3004 832 7lfxllf.exe 95 PID 832 wrote to memory of 3004 832 7lfxllf.exe 95 PID 832 wrote to memory of 3004 832 7lfxllf.exe 95 PID 3004 wrote to memory of 208 3004 tntttt.exe 96 PID 3004 wrote to memory of 208 3004 tntttt.exe 96 PID 3004 wrote to memory of 208 3004 tntttt.exe 96 PID 208 wrote to memory of 3504 208 5vdvv.exe 97 PID 208 wrote to memory of 3504 208 5vdvv.exe 97 PID 208 wrote to memory of 3504 208 5vdvv.exe 97 PID 3504 wrote to memory of 3704 3504 nhhhbt.exe 98 PID 3504 wrote to memory of 3704 3504 nhhhbt.exe 98 PID 3504 wrote to memory of 3704 3504 nhhhbt.exe 98 PID 3704 wrote to memory of 2676 3704 ppvpp.exe 99 PID 3704 wrote to memory of 2676 3704 ppvpp.exe 99 PID 3704 wrote to memory of 2676 3704 ppvpp.exe 99 PID 2676 wrote to memory of 4700 2676 bttnnh.exe 100 PID 2676 wrote to memory of 4700 2676 bttnnh.exe 100 PID 2676 wrote to memory of 4700 2676 bttnnh.exe 100 PID 4700 wrote to memory of 1492 4700 bnhhbb.exe 101 PID 4700 wrote to memory of 1492 4700 bnhhbb.exe 101 PID 4700 wrote to memory of 1492 4700 bnhhbb.exe 101 PID 1492 wrote to memory of 60 1492 hbhtnt.exe 102 PID 1492 wrote to memory of 60 1492 hbhtnt.exe 102 PID 1492 wrote to memory of 60 1492 hbhtnt.exe 102 PID 60 wrote to memory of 1656 60 dvpjd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae85323574cd6ac4396e979b11354a0bdb30ecf191902067ca3147bef54dd3fcN.exe"C:\Users\Admin\AppData\Local\Temp\ae85323574cd6ac4396e979b11354a0bdb30ecf191902067ca3147bef54dd3fcN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\3frllll.exec:\3frllll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\dvvdj.exec:\dvvdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\bbhbbb.exec:\bbhbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\5rlxrlf.exec:\5rlxrlf.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\bhbtnn.exec:\bhbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\lflfxxr.exec:\lflfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\xrlrlrl.exec:\xrlrlrl.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\7ppjd.exec:\7ppjd.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\fxxrxfx.exec:\fxxrxfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\7ppjd.exec:\7ppjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\fffrfrr.exec:\fffrfrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\vjpdd.exec:\vjpdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\7lfxllf.exec:\7lfxllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\tntttt.exec:\tntttt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\5vdvv.exec:\5vdvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\nhhhbt.exec:\nhhhbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\ppvpp.exec:\ppvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\bttnnh.exec:\bttnnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\bnhhbb.exec:\bnhhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\hbhtnt.exec:\hbhtnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\dvpjd.exec:\dvpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\rflfffl.exec:\rflfffl.exe23⤵
- Executes dropped EXE
PID:1656 -
\??\c:\dvvpj.exec:\dvvpj.exe24⤵
- Executes dropped EXE
PID:2936 -
\??\c:\jjjdp.exec:\jjjdp.exe25⤵
- Executes dropped EXE
PID:412 -
\??\c:\llfxrrr.exec:\llfxrrr.exe26⤵
- Executes dropped EXE
PID:2632 -
\??\c:\jdvpd.exec:\jdvpd.exe27⤵
- Executes dropped EXE
PID:1588 -
\??\c:\bttnnh.exec:\bttnnh.exe28⤵
- Executes dropped EXE
PID:1960 -
\??\c:\pvvvp.exec:\pvvvp.exe29⤵
- Executes dropped EXE
PID:1496 -
\??\c:\thtnhh.exec:\thtnhh.exe30⤵
- Executes dropped EXE
PID:2336 -
\??\c:\jvvdv.exec:\jvvdv.exe31⤵
- Executes dropped EXE
PID:4044 -
\??\c:\fxfxffl.exec:\fxfxffl.exe32⤵
- Executes dropped EXE
PID:4460 -
\??\c:\rrrxlxx.exec:\rrrxlxx.exe33⤵
- Executes dropped EXE
PID:4448 -
\??\c:\7jvpj.exec:\7jvpj.exe34⤵
- Executes dropped EXE
PID:1172 -
\??\c:\7hhbnn.exec:\7hhbnn.exe35⤵
- Executes dropped EXE
PID:4868 -
\??\c:\hnbbtt.exec:\hnbbtt.exe36⤵
- Executes dropped EXE
PID:1192 -
\??\c:\fxrllrl.exec:\fxrllrl.exe37⤵
- Executes dropped EXE
PID:5092 -
\??\c:\9fffxfx.exec:\9fffxfx.exe38⤵
- Executes dropped EXE
PID:3224 -
\??\c:\thtnht.exec:\thtnht.exe39⤵
- Executes dropped EXE
PID:1696 -
\??\c:\pdvpp.exec:\pdvpp.exe40⤵
- Executes dropped EXE
PID:2688 -
\??\c:\xfrlxxx.exec:\xfrlxxx.exe41⤵
- Executes dropped EXE
PID:1628 -
\??\c:\tnhhbn.exec:\tnhhbn.exe42⤵
- Executes dropped EXE
PID:1800 -
\??\c:\ddjdj.exec:\ddjdj.exe43⤵
- Executes dropped EXE
PID:1184 -
\??\c:\rflflfl.exec:\rflflfl.exe44⤵
- Executes dropped EXE
PID:2076 -
\??\c:\hntnnh.exec:\hntnnh.exe45⤵
- Executes dropped EXE
PID:2908 -
\??\c:\jpdpj.exec:\jpdpj.exe46⤵
- Executes dropped EXE
PID:3124 -
\??\c:\fflfxrf.exec:\fflfxrf.exe47⤵
- Executes dropped EXE
PID:1532 -
\??\c:\flrlxrl.exec:\flrlxrl.exe48⤵
- Executes dropped EXE
PID:3608 -
\??\c:\btnbtn.exec:\btnbtn.exe49⤵
- Executes dropped EXE
PID:4464 -
\??\c:\vdjpd.exec:\vdjpd.exe50⤵
- Executes dropped EXE
PID:460 -
\??\c:\3xxrfff.exec:\3xxrfff.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3716 -
\??\c:\hnbtnn.exec:\hnbtnn.exe52⤵
- Executes dropped EXE
PID:3668 -
\??\c:\dpvpd.exec:\dpvpd.exe53⤵
- Executes dropped EXE
PID:1508 -
\??\c:\vvvdj.exec:\vvvdj.exe54⤵
- Executes dropped EXE
PID:4076 -
\??\c:\7lfxrrl.exec:\7lfxrrl.exe55⤵
- Executes dropped EXE
PID:4400 -
\??\c:\bthbhb.exec:\bthbhb.exe56⤵
- Executes dropped EXE
PID:2604 -
\??\c:\jdvpj.exec:\jdvpj.exe57⤵
- Executes dropped EXE
PID:648 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe58⤵
- Executes dropped EXE
PID:4352 -
\??\c:\thbnbt.exec:\thbnbt.exe59⤵
- Executes dropped EXE
PID:3556 -
\??\c:\thhbtt.exec:\thhbtt.exe60⤵
- Executes dropped EXE
PID:2360 -
\??\c:\vpjdv.exec:\vpjdv.exe61⤵
- Executes dropped EXE
PID:2340 -
\??\c:\1rrrllf.exec:\1rrrllf.exe62⤵
- Executes dropped EXE
PID:1804 -
\??\c:\hnnhhb.exec:\hnnhhb.exe63⤵
- Executes dropped EXE
PID:1644 -
\??\c:\pddvj.exec:\pddvj.exe64⤵
- Executes dropped EXE
PID:3488 -
\??\c:\jvpvj.exec:\jvpvj.exe65⤵
- Executes dropped EXE
PID:5004 -
\??\c:\xllxlfr.exec:\xllxlfr.exe66⤵PID:4360
-
\??\c:\bbtttb.exec:\bbtttb.exe67⤵PID:2760
-
\??\c:\jvjvd.exec:\jvjvd.exe68⤵PID:680
-
\??\c:\rffxrlr.exec:\rffxrlr.exe69⤵PID:4856
-
\??\c:\5rlfxff.exec:\5rlfxff.exe70⤵PID:4024
-
\??\c:\5tnhbt.exec:\5tnhbt.exe71⤵
- System Location Discovery: System Language Discovery
PID:4576 -
\??\c:\dvpdd.exec:\dvpdd.exe72⤵PID:3028
-
\??\c:\pdvjv.exec:\pdvjv.exe73⤵PID:1148
-
\??\c:\xlxlfxf.exec:\xlxlfxf.exe74⤵PID:2468
-
\??\c:\hbtnnn.exec:\hbtnnn.exe75⤵PID:3228
-
\??\c:\dpdvv.exec:\dpdvv.exe76⤵PID:388
-
\??\c:\ppdvp.exec:\ppdvp.exe77⤵PID:4444
-
\??\c:\lrrlfxx.exec:\lrrlfxx.exe78⤵PID:3688
-
\??\c:\hnttbt.exec:\hnttbt.exe79⤵PID:4832
-
\??\c:\dppjj.exec:\dppjj.exe80⤵PID:3812
-
\??\c:\5jvpj.exec:\5jvpj.exe81⤵PID:264
-
\??\c:\rlxlfrl.exec:\rlxlfrl.exe82⤵PID:4004
-
\??\c:\nnbtbt.exec:\nnbtbt.exe83⤵PID:1120
-
\??\c:\bttbnn.exec:\bttbnn.exe84⤵PID:1832
-
\??\c:\vjvpd.exec:\vjvpd.exe85⤵
- System Location Discovery: System Language Discovery
PID:4700 -
\??\c:\lrrlfrl.exec:\lrrlfrl.exe86⤵PID:3012
-
\??\c:\frlxlfl.exec:\frlxlfl.exe87⤵PID:4828
-
\??\c:\nbbttn.exec:\nbbttn.exe88⤵PID:4236
-
\??\c:\dddpd.exec:\dddpd.exe89⤵PID:1700
-
\??\c:\ppdvj.exec:\ppdvj.exe90⤵PID:2040
-
\??\c:\frlflfx.exec:\frlflfx.exe91⤵PID:1448
-
\??\c:\bnhhtn.exec:\bnhhtn.exe92⤵PID:4560
-
\??\c:\hbbtnn.exec:\hbbtnn.exe93⤵PID:2632
-
\??\c:\1vdpp.exec:\1vdpp.exe94⤵PID:1576
-
\??\c:\1fxfxfx.exec:\1fxfxfx.exe95⤵PID:1312
-
\??\c:\3bnhbb.exec:\3bnhbb.exe96⤵PID:4616
-
\??\c:\vvvdd.exec:\vvvdd.exe97⤵PID:3300
-
\??\c:\vvjvp.exec:\vvjvp.exe98⤵PID:3968
-
\??\c:\xffrlfr.exec:\xffrlfr.exe99⤵PID:1328
-
\??\c:\nbnhbt.exec:\nbnhbt.exe100⤵PID:400
-
\??\c:\9dvpj.exec:\9dvpj.exe101⤵PID:116
-
\??\c:\llfxxxr.exec:\llfxxxr.exe102⤵PID:3512
-
\??\c:\hbtnhb.exec:\hbtnhb.exe103⤵PID:4868
-
\??\c:\3vdpd.exec:\3vdpd.exe104⤵PID:1192
-
\??\c:\3flfllr.exec:\3flfllr.exe105⤵PID:3020
-
\??\c:\nnnnhn.exec:\nnnnhn.exe106⤵PID:3224
-
\??\c:\jppdv.exec:\jppdv.exe107⤵PID:3640
-
\??\c:\fxxrlff.exec:\fxxrlff.exe108⤵PID:2688
-
\??\c:\9rrlllf.exec:\9rrlllf.exe109⤵PID:1628
-
\??\c:\nhhbbt.exec:\nhhbbt.exe110⤵PID:2164
-
\??\c:\pvpjp.exec:\pvpjp.exe111⤵PID:1072
-
\??\c:\frxrlll.exec:\frxrlll.exe112⤵PID:2288
-
\??\c:\bbtnbt.exec:\bbtnbt.exe113⤵PID:672
-
\??\c:\vpvpd.exec:\vpvpd.exe114⤵PID:2908
-
\??\c:\pddjv.exec:\pddjv.exe115⤵PID:2864
-
\??\c:\3frllfl.exec:\3frllfl.exe116⤵PID:4812
-
\??\c:\tnnhnt.exec:\tnnhnt.exe117⤵PID:1764
-
\??\c:\pdvpp.exec:\pdvpp.exe118⤵PID:2176
-
\??\c:\dpjjj.exec:\dpjjj.exe119⤵PID:3516
-
\??\c:\xlrlffx.exec:\xlrlffx.exe120⤵PID:2544
-
\??\c:\thbbtn.exec:\thbbtn.exe121⤵PID:3668
-
\??\c:\dddvp.exec:\dddvp.exe122⤵PID:1508