Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:10
Static task
static1
1 signatures
Behavioral task (note: the task entry listed here is behavioral1 on the Windows 7 image, whereas every IoC in the report below is tagged behavioral2 — the Windows 10 run described in the header above; the two runs are separate tasks and their signature counts are not interchangeable)
behavioral1
Sample
ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe
-
Size
454KB
-
MD5
5cae64eadc91e549abb82441b729e80e
-
SHA1
003aca3fbfd579f4cb62c3d3d7c0dcf9a893632c
-
SHA256
ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509
-
SHA512
9358fa00056e0eebc5c0652a1a06474f8c863fd462d7072ac647235a2bf785f6f1eb7ff00dbd79acbc560c147689761ab22a1f12f5ae3fbf7547c655cf58ae78
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config — section is empty: no C2/configuration block was extracted from this sample by the sandbox
Signatures
-
Blackmoon family — family attribution comes from the `family_blackmoon` YARA rule matching the in-memory image of the sample and of each dropped executable (see the next signature); treat it as a memory-based classification, not a static one
-
Detect Blackmoon payload — 63 IoCs. Every hit is the same region 0x00400000–0x0042A000 (the mapped main image) of a different process, and the same regions are also flagged by the `upx` rule below, which suggests each dropped EXE is a copy of one UPX-packed payload that unpacks itself in memory; the memory dumps listed here are the unpacked form to hash and analyze rather than the on-disk files.
resource yara_rule behavioral2/memory/1212-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4504-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3956-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-989-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-1372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list appears to be capped at 64 entries: it stops at 9vpvp.exe, depth 65 in the process tree below, although the chain continues to depth 122, so children listed without this tag are not necessarily behaving differently)
pid Process 4496 hnhnht.exe 1792 5pddd.exe 2328 ddpvp.exe 3552 vdddj.exe 4256 nbhbth.exe 4548 rrfxllr.exe 4928 hbnnnn.exe 3884 jpvvp.exe 4312 lrlfrlf.exe 756 tnhbnn.exe 4524 lrxrrrr.exe 4948 1nbbbb.exe 3064 nnnhhh.exe 5040 ddpjj.exe 2372 vdjjd.exe 4216 xlxrrrl.exe 4868 jjjdd.exe 540 rflfxxr.exe 920 xlrlffx.exe 1348 7ntnhn.exe 2480 jjpjd.exe 244 fffrrff.exe 2340 xrlfllr.exe 4456 bnbtnn.exe 3676 vdppj.exe 1600 jjdvp.exe 516 fxffxxx.exe 4432 hhnhbt.exe 4512 btnnnt.exe 2720 3dvpp.exe 2256 rlfrxxf.exe 224 3xxrrxx.exe 4364 5hhtnn.exe 748 pppjj.exe 1104 djjvv.exe 4956 rrxxrrf.exe 4940 7hhbbb.exe 4336 htbthn.exe 1824 djpjj.exe 2160 lxlrfrx.exe 2736 nhnbtb.exe 4208 jdpdp.exe 4716 dvjjj.exe 4788 xrlxrlf.exe 4580 nntnbt.exe 2192 5jdvv.exe 5104 jvdjd.exe 864 ffrlfrr.exe 1008 fllfrrr.exe 4504 bhhbtt.exe 1944 pvdvp.exe 396 vvvpp.exe 3172 rffllff.exe 1440 nbtbnn.exe 4496 jpvpv.exe 5008 1nnnnt.exe 3896 xlrrlfx.exe 1876 nttttt.exe 3868 ppjvp.exe 4588 flxrxlf.exe 2448 vpvvp.exe 3956 lffrrlf.exe 4928 pjvpv.exe 2224 9vpvp.exe -
resource yara_rule behavioral2/memory/1212-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-251-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1008-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-338-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5108-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-700-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location; the IoC is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Most entries below are attributed to "Process not Found", which most likely means the short-lived child had already exited before the sandbox resolved its name, so per-process attribution of this check is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpp.exe -
Suspicious use of WriteProcessMemory — 64 IoCs. The entries below all follow one pattern: each process writes into the child it has just spawned (sample PID 1212 → hnhnht.exe 4496 → 5pddd.exe 1792 → …), three writes per parent/child pair, forming a single linear chain; the list is cut off at the 64-entry cap (PID 2480 → 244), not at the end of the chain.
description pid Process procid_target PID 1212 wrote to memory of 4496 1212 ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe 82 PID 1212 wrote to memory of 4496 1212 ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe 82 PID 1212 wrote to memory of 4496 1212 ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe 82 PID 4496 wrote to memory of 1792 4496 hnhnht.exe 83 PID 4496 wrote to memory of 1792 4496 hnhnht.exe 83 PID 4496 wrote to memory of 1792 4496 hnhnht.exe 83 PID 1792 wrote to memory of 2328 1792 5pddd.exe 84 PID 1792 wrote to memory of 2328 1792 5pddd.exe 84 PID 1792 wrote to memory of 2328 1792 5pddd.exe 84 PID 2328 wrote to memory of 3552 2328 ddpvp.exe 85 PID 2328 wrote to memory of 3552 2328 ddpvp.exe 85 PID 2328 wrote to memory of 3552 2328 ddpvp.exe 85 PID 3552 wrote to memory of 4256 3552 vdddj.exe 86 PID 3552 wrote to memory of 4256 3552 vdddj.exe 86 PID 3552 wrote to memory of 4256 3552 vdddj.exe 86 PID 4256 wrote to memory of 4548 4256 nbhbth.exe 87 PID 4256 wrote to memory of 4548 4256 nbhbth.exe 87 PID 4256 wrote to memory of 4548 4256 nbhbth.exe 87 PID 4548 wrote to memory of 4928 4548 rrfxllr.exe 88 PID 4548 wrote to memory of 4928 4548 rrfxllr.exe 88 PID 4548 wrote to memory of 4928 4548 rrfxllr.exe 88 PID 4928 wrote to memory of 3884 4928 hbnnnn.exe 89 PID 4928 wrote to memory of 3884 4928 hbnnnn.exe 89 PID 4928 wrote to memory of 3884 4928 hbnnnn.exe 89 PID 3884 wrote to memory of 4312 3884 jpvvp.exe 90 PID 3884 wrote to memory of 4312 3884 jpvvp.exe 90 PID 3884 wrote to memory of 4312 3884 jpvvp.exe 90 PID 4312 wrote to memory of 756 4312 lrlfrlf.exe 91 PID 4312 wrote to memory of 756 4312 lrlfrlf.exe 91 PID 4312 wrote to memory of 756 4312 lrlfrlf.exe 91 PID 756 wrote to memory of 4524 756 tnhbnn.exe 92 PID 756 wrote to memory of 4524 756 tnhbnn.exe 92 PID 756 wrote to memory of 4524 756 tnhbnn.exe 92 PID 4524 wrote to memory of 4948 4524 lrxrrrr.exe 93 PID 4524 wrote to memory of 4948 
4524 lrxrrrr.exe 93 PID 4524 wrote to memory of 4948 4524 lrxrrrr.exe 93 PID 4948 wrote to memory of 3064 4948 1nbbbb.exe 94 PID 4948 wrote to memory of 3064 4948 1nbbbb.exe 94 PID 4948 wrote to memory of 3064 4948 1nbbbb.exe 94 PID 3064 wrote to memory of 5040 3064 nnnhhh.exe 95 PID 3064 wrote to memory of 5040 3064 nnnhhh.exe 95 PID 3064 wrote to memory of 5040 3064 nnnhhh.exe 95 PID 5040 wrote to memory of 2372 5040 ddpjj.exe 96 PID 5040 wrote to memory of 2372 5040 ddpjj.exe 96 PID 5040 wrote to memory of 2372 5040 ddpjj.exe 96 PID 2372 wrote to memory of 4216 2372 vdjjd.exe 97 PID 2372 wrote to memory of 4216 2372 vdjjd.exe 97 PID 2372 wrote to memory of 4216 2372 vdjjd.exe 97 PID 4216 wrote to memory of 4868 4216 xlxrrrl.exe 98 PID 4216 wrote to memory of 4868 4216 xlxrrrl.exe 98 PID 4216 wrote to memory of 4868 4216 xlxrrrl.exe 98 PID 4868 wrote to memory of 540 4868 jjjdd.exe 99 PID 4868 wrote to memory of 540 4868 jjjdd.exe 99 PID 4868 wrote to memory of 540 4868 jjjdd.exe 99 PID 540 wrote to memory of 920 540 rflfxxr.exe 100 PID 540 wrote to memory of 920 540 rflfxxr.exe 100 PID 540 wrote to memory of 920 540 rflfxxr.exe 100 PID 920 wrote to memory of 1348 920 xlrlffx.exe 101 PID 920 wrote to memory of 1348 920 xlrlffx.exe 101 PID 920 wrote to memory of 1348 920 xlrlffx.exe 101 PID 1348 wrote to memory of 2480 1348 7ntnhn.exe 102 PID 1348 wrote to memory of 2480 1348 7ntnhn.exe 102 PID 1348 wrote to memory of 2480 1348 7ntnhn.exe 102 PID 2480 wrote to memory of 244 2480 jjpjd.exe 103
Processes — one linear chain 122 levels deep: the sample (PID 1212) spawns hnhnht.exe, which spawns 5pddd.exe, and so on. Every dropped executable is written to the root of C:\ with a short name built only from the letters b/d/f/h/j/l/n/p/r/t/v/x, sometimes with a leading digit — a usable detection pattern (process creation of C:\<short consonant-only name>.exe with a parent of the same form). Several PIDs recur in the tree (e.g. 4496, 4928, 540, 2192, 4512, 2720, 1824, 4208, 4716) because Windows reuses the PIDs of exited processes, so correlate events by parent/child relationship and time rather than by PID alone.
-
C:\Users\Admin\AppData\Local\Temp\ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe — command line: "C:\Users\Admin\AppData\Local\Temp\ae49e822114eb8cb0e0990d6e893564cca3e002cd944df4294468ae223416509.exe" (tree depth 1)
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\hnhnht.exe — command line: c:\hnhnht.exe (tree depth 2; dropped to the root of C:\ and launched by the sample, PID 1212)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\5pddd.exec:\5pddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\ddpvp.exec:\ddpvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\vdddj.exec:\vdddj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\nbhbth.exec:\nbhbth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\rrfxllr.exec:\rrfxllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\hbnnnn.exec:\hbnnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\jpvvp.exec:\jpvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\lrlfrlf.exec:\lrlfrlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\tnhbnn.exec:\tnhbnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\1nbbbb.exec:\1nbbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\nnnhhh.exec:\nnnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\ddpjj.exec:\ddpjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\vdjjd.exec:\vdjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\xlxrrrl.exec:\xlxrrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\jjjdd.exec:\jjjdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\rflfxxr.exec:\rflfxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\xlrlffx.exec:\xlrlffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\7ntnhn.exec:\7ntnhn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\jjpjd.exec:\jjpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\fffrrff.exec:\fffrrff.exe23⤵
- Executes dropped EXE
PID:244 -
\??\c:\xrlfllr.exec:\xrlfllr.exe24⤵
- Executes dropped EXE
PID:2340 -
\??\c:\bnbtnn.exec:\bnbtnn.exe25⤵
- Executes dropped EXE
PID:4456 -
\??\c:\vdppj.exec:\vdppj.exe26⤵
- Executes dropped EXE
PID:3676 -
\??\c:\jjdvp.exec:\jjdvp.exe27⤵
- Executes dropped EXE
PID:1600 -
\??\c:\fxffxxx.exec:\fxffxxx.exe28⤵
- Executes dropped EXE
PID:516 -
\??\c:\hhnhbt.exec:\hhnhbt.exe29⤵
- Executes dropped EXE
PID:4432 -
\??\c:\btnnnt.exec:\btnnnt.exe30⤵
- Executes dropped EXE
PID:4512 -
\??\c:\3dvpp.exec:\3dvpp.exe31⤵
- Executes dropped EXE
PID:2720 -
\??\c:\rlfrxxf.exec:\rlfrxxf.exe32⤵
- Executes dropped EXE
PID:2256 -
\??\c:\3xxrrxx.exec:\3xxrrxx.exe33⤵
- Executes dropped EXE
PID:224 -
\??\c:\5hhtnn.exec:\5hhtnn.exe34⤵
- Executes dropped EXE
PID:4364 -
\??\c:\pppjj.exec:\pppjj.exe35⤵
- Executes dropped EXE
PID:748 -
\??\c:\djjvv.exec:\djjvv.exe36⤵
- Executes dropped EXE
PID:1104 -
\??\c:\rrxxrrf.exec:\rrxxrrf.exe37⤵
- Executes dropped EXE
PID:4956 -
\??\c:\7hhbbb.exec:\7hhbbb.exe38⤵
- Executes dropped EXE
PID:4940 -
\??\c:\htbthn.exec:\htbthn.exe39⤵
- Executes dropped EXE
PID:4336 -
\??\c:\djpjj.exec:\djpjj.exe40⤵
- Executes dropped EXE
PID:1824 -
\??\c:\lxlrfrx.exec:\lxlrfrx.exe41⤵
- Executes dropped EXE
PID:2160 -
\??\c:\nhnbtb.exec:\nhnbtb.exe42⤵
- Executes dropped EXE
PID:2736 -
\??\c:\jdpdp.exec:\jdpdp.exe43⤵
- Executes dropped EXE
PID:4208 -
\??\c:\dvjjj.exec:\dvjjj.exe44⤵
- Executes dropped EXE
PID:4716 -
\??\c:\xrlxrlf.exec:\xrlxrlf.exe45⤵
- Executes dropped EXE
PID:4788 -
\??\c:\nntnbt.exec:\nntnbt.exe46⤵
- Executes dropped EXE
PID:4580 -
\??\c:\5jdvv.exec:\5jdvv.exe47⤵
- Executes dropped EXE
PID:2192 -
\??\c:\jvdjd.exec:\jvdjd.exe48⤵
- Executes dropped EXE
PID:5104 -
\??\c:\ffrlfrr.exec:\ffrlfrr.exe49⤵
- Executes dropped EXE
PID:864 -
\??\c:\fllfrrr.exec:\fllfrrr.exe50⤵
- Executes dropped EXE
PID:1008 -
\??\c:\bhhbtt.exec:\bhhbtt.exe51⤵
- Executes dropped EXE
PID:4504 -
\??\c:\pvdvp.exec:\pvdvp.exe52⤵
- Executes dropped EXE
PID:1944 -
\??\c:\vvvpp.exec:\vvvpp.exe53⤵
- Executes dropped EXE
PID:396 -
\??\c:\rffllff.exec:\rffllff.exe54⤵
- Executes dropped EXE
PID:3172 -
\??\c:\nbtbnn.exec:\nbtbnn.exe55⤵
- Executes dropped EXE
PID:1440 -
\??\c:\jpvpv.exec:\jpvpv.exe56⤵
- Executes dropped EXE
PID:4496 -
\??\c:\1nnnnt.exec:\1nnnnt.exe57⤵
- Executes dropped EXE
PID:5008 -
\??\c:\xlrrlfx.exec:\xlrrlfx.exe58⤵
- Executes dropped EXE
PID:3896 -
\??\c:\nttttt.exec:\nttttt.exe59⤵
- Executes dropped EXE
PID:1876 -
\??\c:\ppjvp.exec:\ppjvp.exe60⤵
- Executes dropped EXE
PID:3868 -
\??\c:\flxrxlf.exec:\flxrxlf.exe61⤵
- Executes dropped EXE
PID:4588 -
\??\c:\vpvvp.exec:\vpvvp.exe62⤵
- Executes dropped EXE
PID:2448 -
\??\c:\lffrrlf.exec:\lffrrlf.exe63⤵
- Executes dropped EXE
PID:3956 -
\??\c:\pjvpv.exec:\pjvpv.exe64⤵
- Executes dropped EXE
PID:4928 -
\??\c:\9vpvp.exec:\9vpvp.exe65⤵
- Executes dropped EXE
PID:2224 -
\??\c:\lllfffx.exec:\lllfffx.exe66⤵PID:2308
-
\??\c:\pjvvj.exec:\pjvvj.exe67⤵PID:3720
-
\??\c:\jdjjv.exec:\jdjjv.exe68⤵PID:2744
-
\??\c:\3xxrxxx.exec:\3xxrxxx.exe69⤵PID:4212
-
\??\c:\rllfxrr.exec:\rllfxrr.exe70⤵PID:3268
-
\??\c:\nbtnhh.exec:\nbtnhh.exe71⤵PID:2052
-
\??\c:\dppjd.exec:\dppjd.exe72⤵PID:3132
-
\??\c:\dpppv.exec:\dpppv.exe73⤵PID:3148
-
\??\c:\fxxfxxf.exec:\fxxfxxf.exe74⤵PID:3220
-
\??\c:\hnbbtt.exec:\hnbbtt.exe75⤵PID:2432
-
\??\c:\jdddv.exec:\jdddv.exe76⤵PID:676
-
\??\c:\lflflfl.exec:\lflflfl.exe77⤵PID:540
-
\??\c:\7nbttn.exec:\7nbttn.exe78⤵PID:4032
-
\??\c:\5vvpd.exec:\5vvpd.exe79⤵PID:5100
-
\??\c:\5rrlxxx.exec:\5rrlxxx.exe80⤵PID:1140
-
\??\c:\7bhhbh.exec:\7bhhbh.exe81⤵PID:5108
-
\??\c:\9tbttt.exec:\9tbttt.exe82⤵PID:3756
-
\??\c:\pppdp.exec:\pppdp.exe83⤵PID:1592
-
\??\c:\rllxxrf.exec:\rllxxrf.exe84⤵PID:3200
-
\??\c:\tnnhhh.exec:\tnnhhh.exe85⤵PID:4980
-
\??\c:\tntnhb.exec:\tntnhb.exe86⤵PID:1644
-
\??\c:\5ddvv.exec:\5ddvv.exe87⤵PID:2104
-
\??\c:\lrlxxlf.exec:\lrlxxlf.exe88⤵PID:5056
-
\??\c:\thtnhn.exec:\thtnhn.exe89⤵PID:3388
-
\??\c:\thhhbt.exec:\thhhbt.exe90⤵PID:4512
-
\??\c:\5vpjj.exec:\5vpjj.exe91⤵PID:2720
-
\??\c:\rlxrrrl.exec:\rlxrrrl.exe92⤵PID:4008
-
\??\c:\9hhbtt.exec:\9hhbtt.exe93⤵PID:1232
-
\??\c:\ttbtnn.exec:\ttbtnn.exe94⤵PID:2420
-
\??\c:\dvdvp.exec:\dvdvp.exe95⤵PID:2032
-
\??\c:\lxlfrrf.exec:\lxlfrrf.exe96⤵PID:4736
-
\??\c:\htbbtn.exec:\htbbtn.exe97⤵PID:3716
-
\??\c:\1nbnnt.exec:\1nbnnt.exe98⤵PID:1048
-
\??\c:\jdjjd.exec:\jdjjd.exe99⤵PID:4220
-
\??\c:\3xlfllr.exec:\3xlfllr.exe100⤵PID:4684
-
\??\c:\nttnhh.exec:\nttnhh.exe101⤵PID:1824
-
\??\c:\1ppdp.exec:\1ppdp.exe102⤵PID:3420
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe103⤵PID:3224
-
\??\c:\1lrlfxx.exec:\1lrlfxx.exe104⤵PID:4208
-
\??\c:\btttnt.exec:\btttnt.exe105⤵PID:4716
-
\??\c:\dpdvp.exec:\dpdvp.exe106⤵PID:1416
-
\??\c:\xrfxxfx.exec:\xrfxxfx.exe107⤵PID:3516
-
\??\c:\flrlxxr.exec:\flrlxxr.exe108⤵PID:968
-
\??\c:\btbbnn.exec:\btbbnn.exe109⤵PID:2192
-
\??\c:\ppjdp.exec:\ppjdp.exe110⤵
- System Location Discovery: System Language Discovery
PID:2956 -
\??\c:\rrfxxrl.exec:\rrfxxrl.exe111⤵PID:4792
-
\??\c:\lxxrlxx.exec:\lxxrlxx.exe112⤵PID:1684
-
\??\c:\hthbtt.exec:\hthbtt.exe113⤵PID:1864
-
\??\c:\1ddpj.exec:\1ddpj.exe114⤵PID:856
-
\??\c:\3rllxxf.exec:\3rllxxf.exe115⤵PID:3672
-
\??\c:\hhntnb.exec:\hhntnb.exe116⤵PID:2600
-
\??\c:\3nbntt.exec:\3nbntt.exe117⤵PID:1016
-
\??\c:\5jjdv.exec:\5jjdv.exe118⤵PID:5036
-
\??\c:\7xfxxxx.exec:\7xfxxxx.exe119⤵PID:4272
-
\??\c:\1hhbtn.exec:\1hhbtn.exe120⤵PID:3680
-
\??\c:\ddpjd.exec:\ddpjd.exe121⤵PID:2672
-
\??\c:\9rrlfff.exec:\9rrlfff.exe122⤵PID:4584