Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted
20-01-2025 09:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe
-
Size
454KB
-
MD5
5cae64eadc91e549abb82441b729e80e
-
SHA1
003aca3fbfd579f4cb62c3d3d7c0dcf9a893632c
-
SHA256
ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509
-
SHA512
9358fa00056e0eebc5c0652a1a06474f8c863fd462d7072ac647235a2bf785f6f1eb7ff00dbd79acbc560c147689761ab22a1f12f5ae3fbf7547c655cf58ae78
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 58 IoCs
resource yara_rule behavioral1/memory/2060-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-46-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2592-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-44-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2592-53-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2636-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-73-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2516-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/668-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-179-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2044-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-190-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1340-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-276-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/3060-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-423-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2548-443-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1956-450-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/624-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1140-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-514-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2588-523-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1844-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2256-578-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2720-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-623-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2816-645-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2236-674-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1996-699-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2328-749-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2868-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1212-959-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1212-977-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1112-1004-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1032-1066-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2188-1108-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2092-1115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-1178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-1185-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2060 bnhnhn.exe 2196 1djpp.exe 2108 ffrxlrf.exe 2220 hnbntb.exe 2592 1ntbtb.exe 2636 ddvvd.exe 2496 jpddp.exe 2516 llxflrf.exe 572 fflrxfr.exe 2540 btnnnh.exe 3024 ffllrrx.exe 668 bbbnnt.exe 2000 lfflxxf.exe 1908 tthhhh.exe 2252 rlxfrxl.exe 2824 7frrxff.exe 2324 fxfxllr.exe 2044 tttbhn.exe 2328 5xxfrrf.exe 2744 xflrfrf.exe 1140 lxrxlrx.exe 1340 xflfrxl.exe 1724 xxrfrxl.exe 2460 hbhhth.exe 1648 ddpvj.exe 1704 llrxflx.exe 1844 lrlxfrf.exe 2764 1lffrxf.exe 2860 dddjj.exe 1748 rxflxfr.exe 3000 9vdjp.exe 2056 frlxflr.exe 1700 vvjjp.exe 1196 rfrrffr.exe 2452 xllxxxl.exe 3060 5nbbbt.exe 2404 9pvpp.exe 2696 jjjjj.exe 2796 rxfflrx.exe 2780 1tnnbt.exe 2864 5pvdp.exe 2168 vvvdd.exe 2652 3rlrxxl.exe 2500 bnbhnn.exe 2300 7nntnt.exe 2320 3vdpj.exe 1308 lrxxxlf.exe 1028 xrffxfl.exe 2392 bbbhhn.exe 2020 9vddd.exe 1956 9xrxllx.exe 1952 ntnhtb.exe 2548 7hntnt.exe 2748 djjpd.exe 2332 rffrrxl.exe 2076 hbnbtb.exe 624 nnntbh.exe 1476 ddvvd.exe 772 xlxxffr.exe 1260 bhnnhh.exe 1140 hnhbnn.exe 1396 vpdjv.exe 2128 rxlrrxf.exe 2876 5lfxllr.exe -
resource yara_rule behavioral1/memory/2060-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/668-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-276-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2452-317-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3060-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-509-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2876-514-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1844-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-623-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2236-674-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/2328-749-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3000-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-853-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-872-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-891-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-940-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1212-977-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1652-1092-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-1115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-1141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-1178-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2092 wrote to memory of 2060 2092 ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe 31 PID 2092 wrote to memory of 2060 2092 ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe 31 PID 2092 wrote to memory of 2060 2092 ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe 31 PID 2092 wrote to memory of 2060 2092 ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe 31 PID 2060 wrote to memory of 2196 2060 bnhnhn.exe 32 PID 2060 wrote to memory of 2196 2060 bnhnhn.exe 32 PID 2060 wrote to memory of 2196 2060 bnhnhn.exe 32 PID 2060 wrote to memory of 2196 2060 bnhnhn.exe 32 PID 2196 wrote to memory of 2108 2196 1djpp.exe 33 PID 2196 wrote to memory of 2108 2196 1djpp.exe 33 PID 2196 wrote to memory of 2108 2196 1djpp.exe 33 PID 2196 wrote to memory of 2108 2196 1djpp.exe 33 PID 2108 wrote to memory of 2220 2108 ffrxlrf.exe 34 PID 2108 wrote to memory of 2220 2108 ffrxlrf.exe 34 PID 2108 wrote to memory of 2220 2108 ffrxlrf.exe 34 PID 2108 wrote to memory of 2220 2108 ffrxlrf.exe 34 PID 2220 wrote to memory of 2592 2220 hnbntb.exe 35 PID 2220 wrote to memory of 2592 2220 hnbntb.exe 35 PID 2220 wrote to memory of 2592 2220 hnbntb.exe 35 PID 2220 wrote to memory of 2592 2220 hnbntb.exe 35 PID 2592 wrote to memory of 2636 2592 1ntbtb.exe 36 PID 2592 wrote to memory of 2636 2592 1ntbtb.exe 36 PID 2592 wrote to memory of 2636 2592 1ntbtb.exe 36 PID 2592 wrote to memory of 2636 2592 1ntbtb.exe 36 PID 2636 wrote to memory of 2496 2636 ddvvd.exe 37 PID 2636 wrote to memory of 2496 2636 ddvvd.exe 37 PID 2636 wrote to memory of 2496 2636 ddvvd.exe 37 PID 2636 wrote to memory of 2496 2636 ddvvd.exe 37 PID 2496 wrote to memory of 2516 2496 jpddp.exe 38 PID 2496 wrote to memory of 2516 2496 jpddp.exe 38 PID 2496 wrote to memory of 2516 2496 jpddp.exe 38 PID 2496 wrote to memory of 2516 2496 jpddp.exe 38 PID 2516 wrote to memory of 572 2516 llxflrf.exe 39 PID 2516 wrote to 
memory of 572 2516 llxflrf.exe 39 PID 2516 wrote to memory of 572 2516 llxflrf.exe 39 PID 2516 wrote to memory of 572 2516 llxflrf.exe 39 PID 572 wrote to memory of 2540 572 fflrxfr.exe 40 PID 572 wrote to memory of 2540 572 fflrxfr.exe 40 PID 572 wrote to memory of 2540 572 fflrxfr.exe 40 PID 572 wrote to memory of 2540 572 fflrxfr.exe 40 PID 2540 wrote to memory of 3024 2540 btnnnh.exe 41 PID 2540 wrote to memory of 3024 2540 btnnnh.exe 41 PID 2540 wrote to memory of 3024 2540 btnnnh.exe 41 PID 2540 wrote to memory of 3024 2540 btnnnh.exe 41 PID 3024 wrote to memory of 668 3024 ffllrrx.exe 42 PID 3024 wrote to memory of 668 3024 ffllrrx.exe 42 PID 3024 wrote to memory of 668 3024 ffllrrx.exe 42 PID 3024 wrote to memory of 668 3024 ffllrrx.exe 42 PID 668 wrote to memory of 2000 668 bbbnnt.exe 43 PID 668 wrote to memory of 2000 668 bbbnnt.exe 43 PID 668 wrote to memory of 2000 668 bbbnnt.exe 43 PID 668 wrote to memory of 2000 668 bbbnnt.exe 43 PID 2000 wrote to memory of 1908 2000 lfflxxf.exe 44 PID 2000 wrote to memory of 1908 2000 lfflxxf.exe 44 PID 2000 wrote to memory of 1908 2000 lfflxxf.exe 44 PID 2000 wrote to memory of 1908 2000 lfflxxf.exe 44 PID 1908 wrote to memory of 2252 1908 tthhhh.exe 45 PID 1908 wrote to memory of 2252 1908 tthhhh.exe 45 PID 1908 wrote to memory of 2252 1908 tthhhh.exe 45 PID 1908 wrote to memory of 2252 1908 tthhhh.exe 45 PID 2252 wrote to memory of 2824 2252 rlxfrxl.exe 46 PID 2252 wrote to memory of 2824 2252 rlxfrxl.exe 46 PID 2252 wrote to memory of 2824 2252 rlxfrxl.exe 46 PID 2252 wrote to memory of 2824 2252 rlxfrxl.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe"C:\Users\Admin\AppData\Local\Temp\ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\bnhnhn.exec:\bnhnhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\1djpp.exec:\1djpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\ffrxlrf.exec:\ffrxlrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\hnbntb.exec:\hnbntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\1ntbtb.exec:\1ntbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\ddvvd.exec:\ddvvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\jpddp.exec:\jpddp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\llxflrf.exec:\llxflrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\fflrxfr.exec:\fflrxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\btnnnh.exec:\btnnnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\ffllrrx.exec:\ffllrrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\bbbnnt.exec:\bbbnnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\lfflxxf.exec:\lfflxxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\tthhhh.exec:\tthhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\rlxfrxl.exec:\rlxfrxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\7frrxff.exec:\7frrxff.exe17⤵
- Executes dropped EXE
PID:2824 -
\??\c:\fxfxllr.exec:\fxfxllr.exe18⤵
- Executes dropped EXE
PID:2324 -
\??\c:\tttbhn.exec:\tttbhn.exe19⤵
- Executes dropped EXE
PID:2044 -
\??\c:\5xxfrrf.exec:\5xxfrrf.exe20⤵
- Executes dropped EXE
PID:2328 -
\??\c:\xflrfrf.exec:\xflrfrf.exe21⤵
- Executes dropped EXE
PID:2744 -
\??\c:\lxrxlrx.exec:\lxrxlrx.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1140 -
\??\c:\xflfrxl.exec:\xflfrxl.exe23⤵
- Executes dropped EXE
PID:1340 -
\??\c:\xxrfrxl.exec:\xxrfrxl.exe24⤵
- Executes dropped EXE
PID:1724 -
\??\c:\hbhhth.exec:\hbhhth.exe25⤵
- Executes dropped EXE
PID:2460 -
\??\c:\ddpvj.exec:\ddpvj.exe26⤵
- Executes dropped EXE
PID:1648 -
\??\c:\llrxflx.exec:\llrxflx.exe27⤵
- Executes dropped EXE
PID:1704 -
\??\c:\lrlxfrf.exec:\lrlxfrf.exe28⤵
- Executes dropped EXE
PID:1844 -
\??\c:\1lffrxf.exec:\1lffrxf.exe29⤵
- Executes dropped EXE
PID:2764 -
\??\c:\dddjj.exec:\dddjj.exe30⤵
- Executes dropped EXE
PID:2860 -
\??\c:\rxflxfr.exec:\rxflxfr.exe31⤵
- Executes dropped EXE
PID:1748 -
\??\c:\9vdjp.exec:\9vdjp.exe32⤵
- Executes dropped EXE
PID:3000 -
\??\c:\frlxflr.exec:\frlxflr.exe33⤵
- Executes dropped EXE
PID:2056 -
\??\c:\vvjjp.exec:\vvjjp.exe34⤵
- Executes dropped EXE
PID:1700 -
\??\c:\rfrrffr.exec:\rfrrffr.exe35⤵
- Executes dropped EXE
PID:1196 -
\??\c:\xllxxxl.exec:\xllxxxl.exe36⤵
- Executes dropped EXE
PID:2452 -
\??\c:\5nbbbt.exec:\5nbbbt.exe37⤵
- Executes dropped EXE
PID:3060 -
\??\c:\9pvpp.exec:\9pvpp.exe38⤵
- Executes dropped EXE
PID:2404 -
\??\c:\jjjjj.exec:\jjjjj.exe39⤵
- Executes dropped EXE
PID:2696 -
\??\c:\rxfflrx.exec:\rxfflrx.exe40⤵
- Executes dropped EXE
PID:2796 -
\??\c:\1tnnbt.exec:\1tnnbt.exe41⤵
- Executes dropped EXE
PID:2780 -
\??\c:\5pvdp.exec:\5pvdp.exe42⤵
- Executes dropped EXE
PID:2864 -
\??\c:\vvvdd.exec:\vvvdd.exe43⤵
- Executes dropped EXE
PID:2168 -
\??\c:\3rlrxxl.exec:\3rlrxxl.exe44⤵
- Executes dropped EXE
PID:2652 -
\??\c:\bnbhnn.exec:\bnbhnn.exe45⤵
- Executes dropped EXE
PID:2500 -
\??\c:\7nntnt.exec:\7nntnt.exe46⤵
- Executes dropped EXE
PID:2300 -
\??\c:\3vdpj.exec:\3vdpj.exe47⤵
- Executes dropped EXE
PID:2320 -
\??\c:\lrxxxlf.exec:\lrxxxlf.exe48⤵
- Executes dropped EXE
PID:1308 -
\??\c:\xrffxfl.exec:\xrffxfl.exe49⤵
- Executes dropped EXE
PID:1028 -
\??\c:\bbbhhn.exec:\bbbhhn.exe50⤵
- Executes dropped EXE
PID:2392 -
\??\c:\9vddd.exec:\9vddd.exe51⤵
- Executes dropped EXE
PID:2020 -
\??\c:\9xrxllx.exec:\9xrxllx.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956 -
\??\c:\ntnhtb.exec:\ntnhtb.exe53⤵
- Executes dropped EXE
PID:1952 -
\??\c:\7hntnt.exec:\7hntnt.exe54⤵
- Executes dropped EXE
PID:2548 -
\??\c:\djjpd.exec:\djjpd.exe55⤵
- Executes dropped EXE
PID:2748 -
\??\c:\rffrrxl.exec:\rffrrxl.exe56⤵
- Executes dropped EXE
PID:2332 -
\??\c:\hbnbtb.exec:\hbnbtb.exe57⤵
- Executes dropped EXE
PID:2076 -
\??\c:\nnntbh.exec:\nnntbh.exe58⤵
- Executes dropped EXE
PID:624 -
\??\c:\ddvvd.exec:\ddvvd.exe59⤵
- Executes dropped EXE
PID:1476 -
\??\c:\xlxxffr.exec:\xlxxffr.exe60⤵
- Executes dropped EXE
PID:772 -
\??\c:\bhnnhh.exec:\bhnnhh.exe61⤵
- Executes dropped EXE
PID:1260 -
\??\c:\hnhbnn.exec:\hnhbnn.exe62⤵
- Executes dropped EXE
PID:1140 -
\??\c:\vpdjv.exec:\vpdjv.exe63⤵
- Executes dropped EXE
PID:1396 -
\??\c:\rxlrrxf.exec:\rxlrrxf.exe64⤵
- Executes dropped EXE
PID:2128 -
\??\c:\5lfxllr.exec:\5lfxllr.exe65⤵
- Executes dropped EXE
PID:2876 -
\??\c:\tbnthn.exec:\tbnthn.exe66⤵PID:2588
-
\??\c:\jdjvd.exec:\jdjvd.exe67⤵PID:1648
-
\??\c:\lrxfrxl.exec:\lrxfrxl.exe68⤵PID:2904
-
\??\c:\ntnthn.exec:\ntnthn.exe69⤵PID:1844
-
\??\c:\1pvjp.exec:\1pvjp.exe70⤵PID:984
-
\??\c:\vjvvj.exec:\vjvvj.exe71⤵PID:2264
-
\??\c:\ffrfrrx.exec:\ffrfrrx.exe72⤵PID:2860
-
\??\c:\ttbbnt.exec:\ttbbnt.exe73⤵PID:2188
-
\??\c:\ntbhbn.exec:\ntbhbn.exe74⤵PID:1516
-
\??\c:\ppjpp.exec:\ppjpp.exe75⤵PID:2256
-
\??\c:\rfrfffx.exec:\rfrfffx.exe76⤵PID:2056
-
\??\c:\thttbh.exec:\thttbh.exe77⤵PID:2132
-
\??\c:\nthhnt.exec:\nthhnt.exe78⤵PID:3036
-
\??\c:\pdpvd.exec:\pdpvd.exe79⤵PID:2100
-
\??\c:\3fxfrxl.exec:\3fxfrxl.exe80⤵PID:2580
-
\??\c:\rrxrrxf.exec:\rrxrrxf.exe81⤵PID:2720
-
\??\c:\hhtbnt.exec:\hhtbnt.exe82⤵PID:2592
-
\??\c:\vdpvp.exec:\vdpvp.exe83⤵PID:2796
-
\??\c:\llxrfff.exec:\llxrfff.exe84⤵PID:2780
-
\??\c:\rxfrflx.exec:\rxfrflx.exe85⤵PID:2836
-
\??\c:\nnbntb.exec:\nnbntb.exe86⤵PID:2816
-
\??\c:\jdvdp.exec:\jdvdp.exe87⤵PID:2544
-
\??\c:\llxlfxf.exec:\llxlfxf.exe88⤵PID:2944
-
\??\c:\ffrxfxf.exec:\ffrxfxf.exe89⤵PID:2540
-
\??\c:\hnbhnb.exec:\hnbhnb.exe90⤵PID:2236
-
\??\c:\dpddd.exec:\dpddd.exe91⤵PID:800
-
\??\c:\ffrflrf.exec:\ffrflrf.exe92⤵PID:484
-
\??\c:\fxlrlxl.exec:\fxlrlxl.exe93⤵PID:2416
-
\??\c:\tbnhnt.exec:\tbnhnt.exe94⤵PID:1996
-
\??\c:\pvjpd.exec:\pvjpd.exe95⤵PID:1152
-
\??\c:\xxrrxfr.exec:\xxrrxfr.exe96⤵PID:1764
-
\??\c:\fxxlxxf.exec:\fxxlxxf.exe97⤵PID:1288
-
\??\c:\tbthbb.exec:\tbthbb.exe98⤵PID:3068
-
\??\c:\dvjjv.exec:\dvjjv.exe99⤵PID:2380
-
\??\c:\xrflrxf.exec:\xrflrxf.exe100⤵PID:2192
-
\??\c:\5hbnbh.exec:\5hbnbh.exe101⤵PID:528
-
\??\c:\5vvvd.exec:\5vvvd.exe102⤵PID:2328
-
\??\c:\5dvjp.exec:\5dvjp.exe103⤵PID:2744
-
\??\c:\9lflxfl.exec:\9lflxfl.exe104⤵PID:1572
-
\??\c:\nhhntt.exec:\nhhntt.exe105⤵PID:1508
-
\??\c:\jjpvd.exec:\jjpvd.exe106⤵PID:2344
-
\??\c:\pjvdj.exec:\pjvdj.exe107⤵PID:1532
-
\??\c:\rrrfflx.exec:\rrrfflx.exe108⤵PID:1332
-
\??\c:\nnnhbb.exec:\nnnhbb.exe109⤵PID:1776
-
\??\c:\vjddp.exec:\vjddp.exe110⤵PID:1712
-
\??\c:\vdvdv.exec:\vdvdv.exe111⤵PID:3044
-
\??\c:\7flrxxl.exec:\7flrxxl.exe112⤵PID:568
-
\??\c:\bhnhtb.exec:\bhnhtb.exe113⤵PID:2216
-
\??\c:\9tthbh.exec:\9tthbh.exe114⤵PID:1652
-
\??\c:\ppdpv.exec:\ppdpv.exe115⤵PID:2152
-
\??\c:\flxrlrx.exec:\flxrlrx.exe116⤵PID:2932
-
\??\c:\htnthh.exec:\htnthh.exe117⤵PID:1804
-
\??\c:\ntbtbt.exec:\ntbtbt.exe118⤵PID:3000
-
\??\c:\jdvvd.exec:\jdvvd.exe119⤵PID:2060
-
\??\c:\xlrfrfl.exec:\xlrfrfl.exe120⤵PID:1696
-
\??\c:\xxfrlrf.exec:\xxfrlrf.exe121⤵PID:1196
-
\??\c:\nbntnt.exec:\nbntnt.exe122⤵PID:2080
-