Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a81c5564ee07436f831e8f6bda74784b807372c28bc3998be7b6368acaaa1255.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
a81c5564ee07436f831e8f6bda74784b807372c28bc3998be7b6368acaaa1255.exe
-
Size
454KB
-
MD5
8ce3a6cf2aa5afc0cd0997eab56af00e
-
SHA1
b10cb77e1f7a9dd80320d2a25e4222b39e01421d
-
SHA256
a81c5564ee07436f831e8f6bda74784b807372c28bc3998be7b6368acaaa1255
-
SHA512
f3890e805d647a3005ee27cbd67eb9e622d6dc85dd4ab183fa3ab3198a6503c1cdae8ee70239daf387a584af712aef582614601f42099f61fd33acda0caba982
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4468-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/512-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/788-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1692-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-882-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2016 vpdvv.exe 4828 hhhhhh.exe 3872 pdpjj.exe 4972 xxrlrrx.exe 4316 hhhhbb.exe 2792 hthnnt.exe 3836 3dvvd.exe 2640 ffxrlfx.exe 1108 xfffxfl.exe 4724 1djdd.exe 2776 xxllxxx.exe 5008 lxrrlff.exe 1968 5frlfff.exe 4032 5tbtnn.exe 3968 ttnnnh.exe 3132 3djdv.exe 3392 hbttnn.exe 3676 jjjdd.exe 1948 thhbbt.exe 1080 llffxfx.exe 208 rrlfrlf.exe 2568 jdjdv.exe 2768 nhtbtn.exe 2452 dddpv.exe 992 lfrfxxl.exe 512 nhbhhn.exe 2720 xrxrffr.exe 5080 ddpjv.exe 1832 bhttnh.exe 4540 7lllfff.exe 3020 dvppj.exe 3956 bnbbtb.exe 4084 5lrlfff.exe 3396 tnbntt.exe 1464 tttttt.exe 2024 jdppj.exe 5040 lxxrrrf.exe 5096 btbbhb.exe 788 rlfxrrl.exe 4964 rxfxxrl.exe 3984 vvjjp.exe 1444 rlrlllf.exe 4796 9bttbb.exe 4472 pvdjp.exe 2796 flllrrl.exe 3576 5ttnnt.exe 3920 dvdvj.exe 3220 xffllll.exe 3952 5lffxxx.exe 3500 bbbbtn.exe 2580 7vvvp.exe 3948 fxxxrrr.exe 4524 hhttnn.exe 232 pppjv.exe 1824 xfxrxxf.exe 1132 frxrrxx.exe 4592 bntnhb.exe 1060 5jvpp.exe 1416 xxfffxx.exe 904 nbhbtn.exe 3108 7hnnbb.exe 4456 dvvvv.exe 2164 fflllff.exe 4032 hthbhh.exe -
resource yara_rule behavioral2/memory/4468-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5080-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/788-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4956-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-779-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flxlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4468 wrote to memory of 2016 4468 a81c5564ee07436f831e8f6bda74784b807372c28bc3998be7b6368acaaa1255.exe 83 PID 4468 wrote to memory of 2016 4468 a81c5564ee07436f831e8f6bda74784b807372c28bc3998be7b6368acaaa1255.exe 83 PID 4468 wrote to memory of 2016 4468 a81c5564ee07436f831e8f6bda74784b807372c28bc3998be7b6368acaaa1255.exe 83 PID 2016 wrote to memory of 4828 2016 vpdvv.exe 84 PID 2016 wrote to memory of 4828 2016 vpdvv.exe 84 PID 2016 wrote to memory of 4828 2016 vpdvv.exe 84 PID 4828 wrote to memory of 3872 4828 hhhhhh.exe 85 PID 4828 wrote to memory of 3872 4828 hhhhhh.exe 85 PID 4828 wrote to memory of 3872 4828 hhhhhh.exe 85 PID 3872 wrote to memory of 4972 3872 pdpjj.exe 86 PID 3872 wrote to memory of 4972 3872 pdpjj.exe 86 PID 3872 wrote to memory of 4972 3872 pdpjj.exe 86 PID 4972 wrote to memory of 4316 4972 xxrlrrx.exe 87 PID 4972 wrote to memory of 4316 4972 xxrlrrx.exe 87 PID 4972 wrote to memory of 4316 4972 xxrlrrx.exe 87 PID 4316 wrote to memory of 2792 4316 hhhhbb.exe 88 PID 4316 wrote to memory of 2792 4316 hhhhbb.exe 88 PID 4316 wrote to memory of 2792 4316 hhhhbb.exe 88 PID 2792 wrote to memory of 3836 2792 hthnnt.exe 89 PID 2792 wrote to memory of 3836 2792 hthnnt.exe 89 PID 2792 wrote to memory of 3836 2792 hthnnt.exe 89 PID 3836 wrote to memory of 2640 3836 3dvvd.exe 90 PID 3836 wrote to memory of 2640 3836 3dvvd.exe 90 PID 3836 wrote to memory of 2640 3836 3dvvd.exe 90 PID 2640 wrote to memory of 1108 2640 ffxrlfx.exe 91 PID 2640 wrote to memory of 1108 2640 ffxrlfx.exe 91 PID 2640 wrote to memory of 1108 2640 ffxrlfx.exe 91 PID 1108 wrote to memory of 4724 1108 xfffxfl.exe 92 PID 1108 wrote to memory of 4724 1108 xfffxfl.exe 92 PID 1108 wrote to memory of 4724 1108 xfffxfl.exe 92 PID 4724 wrote to memory of 2776 4724 1djdd.exe 93 PID 4724 wrote to memory of 2776 4724 1djdd.exe 93 PID 4724 wrote to memory of 2776 4724 1djdd.exe 93 PID 2776 wrote to memory of 5008 2776 xxllxxx.exe 94 PID 2776 wrote to 
memory of 5008 2776 xxllxxx.exe 94 PID 2776 wrote to memory of 5008 2776 xxllxxx.exe 94 PID 5008 wrote to memory of 1968 5008 lxrrlff.exe 95 PID 5008 wrote to memory of 1968 5008 lxrrlff.exe 95 PID 5008 wrote to memory of 1968 5008 lxrrlff.exe 95 PID 1968 wrote to memory of 4032 1968 5frlfff.exe 96 PID 1968 wrote to memory of 4032 1968 5frlfff.exe 96 PID 1968 wrote to memory of 4032 1968 5frlfff.exe 96 PID 4032 wrote to memory of 3968 4032 5tbtnn.exe 97 PID 4032 wrote to memory of 3968 4032 5tbtnn.exe 97 PID 4032 wrote to memory of 3968 4032 5tbtnn.exe 97 PID 3968 wrote to memory of 3132 3968 ttnnnh.exe 98 PID 3968 wrote to memory of 3132 3968 ttnnnh.exe 98 PID 3968 wrote to memory of 3132 3968 ttnnnh.exe 98 PID 3132 wrote to memory of 3392 3132 3djdv.exe 99 PID 3132 wrote to memory of 3392 3132 3djdv.exe 99 PID 3132 wrote to memory of 3392 3132 3djdv.exe 99 PID 3392 wrote to memory of 3676 3392 hbttnn.exe 100 PID 3392 wrote to memory of 3676 3392 hbttnn.exe 100 PID 3392 wrote to memory of 3676 3392 hbttnn.exe 100 PID 3676 wrote to memory of 1948 3676 jjjdd.exe 101 PID 3676 wrote to memory of 1948 3676 jjjdd.exe 101 PID 3676 wrote to memory of 1948 3676 jjjdd.exe 101 PID 1948 wrote to memory of 1080 1948 thhbbt.exe 102 PID 1948 wrote to memory of 1080 1948 thhbbt.exe 102 PID 1948 wrote to memory of 1080 1948 thhbbt.exe 102 PID 1080 wrote to memory of 208 1080 llffxfx.exe 103 PID 1080 wrote to memory of 208 1080 llffxfx.exe 103 PID 1080 wrote to memory of 208 1080 llffxfx.exe 103 PID 208 wrote to memory of 2568 208 rrlfrlf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a81c5564ee07436f831e8f6bda74784b807372c28bc3998be7b6368acaaa1255.exe"C:\Users\Admin\AppData\Local\Temp\a81c5564ee07436f831e8f6bda74784b807372c28bc3998be7b6368acaaa1255.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\vpdvv.exec:\vpdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\hhhhhh.exec:\hhhhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\pdpjj.exec:\pdpjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\xxrlrrx.exec:\xxrlrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\hhhhbb.exec:\hhhhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\hthnnt.exec:\hthnnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\3dvvd.exec:\3dvvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\xfffxfl.exec:\xfffxfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\1djdd.exec:\1djdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\xxllxxx.exec:\xxllxxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\lxrrlff.exec:\lxrrlff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\5frlfff.exec:\5frlfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\5tbtnn.exec:\5tbtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\ttnnnh.exec:\ttnnnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\3djdv.exec:\3djdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\hbttnn.exec:\hbttnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\jjjdd.exec:\jjjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\thhbbt.exec:\thhbbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\llffxfx.exec:\llffxfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\rrlfrlf.exec:\rrlfrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\jdjdv.exec:\jdjdv.exe23⤵
- Executes dropped EXE
PID:2568 -
\??\c:\nhtbtn.exec:\nhtbtn.exe24⤵
- Executes dropped EXE
PID:2768 -
\??\c:\dddpv.exec:\dddpv.exe25⤵
- Executes dropped EXE
PID:2452 -
\??\c:\lfrfxxl.exec:\lfrfxxl.exe26⤵
- Executes dropped EXE
PID:992 -
\??\c:\nhbhhn.exec:\nhbhhn.exe27⤵
- Executes dropped EXE
PID:512 -
\??\c:\xrxrffr.exec:\xrxrffr.exe28⤵
- Executes dropped EXE
PID:2720 -
\??\c:\ddpjv.exec:\ddpjv.exe29⤵
- Executes dropped EXE
PID:5080 -
\??\c:\bhttnh.exec:\bhttnh.exe30⤵
- Executes dropped EXE
PID:1832 -
\??\c:\7lllfff.exec:\7lllfff.exe31⤵
- Executes dropped EXE
PID:4540 -
\??\c:\dvppj.exec:\dvppj.exe32⤵
- Executes dropped EXE
PID:3020 -
\??\c:\bnbbtb.exec:\bnbbtb.exe33⤵
- Executes dropped EXE
PID:3956 -
\??\c:\5lrlfff.exec:\5lrlfff.exe34⤵
- Executes dropped EXE
PID:4084 -
\??\c:\tnbntt.exec:\tnbntt.exe35⤵
- Executes dropped EXE
PID:3396 -
\??\c:\tttttt.exec:\tttttt.exe36⤵
- Executes dropped EXE
PID:1464 -
\??\c:\jdppj.exec:\jdppj.exe37⤵
- Executes dropped EXE
PID:2024 -
\??\c:\lxxrrrf.exec:\lxxrrrf.exe38⤵
- Executes dropped EXE
PID:5040 -
\??\c:\btbbhb.exec:\btbbhb.exe39⤵
- Executes dropped EXE
PID:5096 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe40⤵
- Executes dropped EXE
PID:788 -
\??\c:\rxfxxrl.exec:\rxfxxrl.exe41⤵
- Executes dropped EXE
PID:4964 -
\??\c:\vvjjp.exec:\vvjjp.exe42⤵
- Executes dropped EXE
PID:3984 -
\??\c:\rlrlllf.exec:\rlrlllf.exe43⤵
- Executes dropped EXE
PID:1444 -
\??\c:\9bttbb.exec:\9bttbb.exe44⤵
- Executes dropped EXE
PID:4796 -
\??\c:\hthbbt.exec:\hthbbt.exe45⤵PID:4532
-
\??\c:\pvdjp.exec:\pvdjp.exe46⤵
- Executes dropped EXE
PID:4472 -
\??\c:\flllrrl.exec:\flllrrl.exe47⤵
- Executes dropped EXE
PID:2796 -
\??\c:\5ttnnt.exec:\5ttnnt.exe48⤵
- Executes dropped EXE
PID:3576 -
\??\c:\dvdvj.exec:\dvdvj.exe49⤵
- Executes dropped EXE
PID:3920 -
\??\c:\xffllll.exec:\xffllll.exe50⤵
- Executes dropped EXE
PID:3220 -
\??\c:\5lffxxx.exec:\5lffxxx.exe51⤵
- Executes dropped EXE
PID:3952 -
\??\c:\bbbbtn.exec:\bbbbtn.exe52⤵
- Executes dropped EXE
PID:3500 -
\??\c:\7vvvp.exec:\7vvvp.exe53⤵
- Executes dropped EXE
PID:2580 -
\??\c:\fxxxrrr.exec:\fxxxrrr.exe54⤵
- Executes dropped EXE
PID:3948 -
\??\c:\hhttnn.exec:\hhttnn.exe55⤵
- Executes dropped EXE
PID:4524 -
\??\c:\pppjv.exec:\pppjv.exe56⤵
- Executes dropped EXE
PID:232 -
\??\c:\xfxrxxf.exec:\xfxrxxf.exe57⤵
- Executes dropped EXE
PID:1824 -
\??\c:\frxrrxx.exec:\frxrrxx.exe58⤵
- Executes dropped EXE
PID:1132 -
\??\c:\bntnhb.exec:\bntnhb.exe59⤵
- Executes dropped EXE
PID:4592 -
\??\c:\5jvpp.exec:\5jvpp.exe60⤵
- Executes dropped EXE
PID:1060 -
\??\c:\xxfffxx.exec:\xxfffxx.exe61⤵
- Executes dropped EXE
PID:1416 -
\??\c:\nbhbtn.exec:\nbhbtn.exe62⤵
- Executes dropped EXE
PID:904 -
\??\c:\7hnnbb.exec:\7hnnbb.exe63⤵
- Executes dropped EXE
PID:3108 -
\??\c:\dvvvv.exec:\dvvvv.exe64⤵
- Executes dropped EXE
PID:4456 -
\??\c:\fflllff.exec:\fflllff.exe65⤵
- Executes dropped EXE
PID:2164 -
\??\c:\hthbhh.exec:\hthbhh.exe66⤵
- Executes dropped EXE
PID:4032 -
\??\c:\5ppvd.exec:\5ppvd.exe67⤵PID:3032
-
\??\c:\lflfrrr.exec:\lflfrrr.exe68⤵PID:212
-
\??\c:\thbtnn.exec:\thbtnn.exe69⤵PID:3192
-
\??\c:\vpvpv.exec:\vpvpv.exe70⤵PID:3392
-
\??\c:\dvvvv.exec:\dvvvv.exe71⤵PID:1692
-
\??\c:\lfxxxrx.exec:\lfxxxrx.exe72⤵PID:5060
-
\??\c:\5htnbb.exec:\5htnbb.exe73⤵PID:1948
-
\??\c:\tttntt.exec:\tttntt.exe74⤵PID:1524
-
\??\c:\dvvvp.exec:\dvvvp.exe75⤵PID:740
-
\??\c:\5xrrlff.exec:\5xrrlff.exe76⤵PID:2524
-
\??\c:\btbtnn.exec:\btbtnn.exe77⤵PID:3492
-
\??\c:\pjjdv.exec:\pjjdv.exe78⤵PID:4244
-
\??\c:\5fxrlff.exec:\5fxrlff.exe79⤵PID:3120
-
\??\c:\rxlxfxf.exec:\rxlxfxf.exe80⤵PID:2488
-
\??\c:\jpddd.exec:\jpddd.exe81⤵PID:4400
-
\??\c:\vpvdd.exec:\vpvdd.exe82⤵PID:4908
-
\??\c:\rxrrrrr.exec:\rxrrrrr.exe83⤵PID:1748
-
\??\c:\nhnntt.exec:\nhnntt.exe84⤵PID:3680
-
\??\c:\ddppp.exec:\ddppp.exe85⤵PID:4460
-
\??\c:\llrfrxr.exec:\llrfrxr.exe86⤵PID:3080
-
\??\c:\bbnnbb.exec:\bbnnbb.exe87⤵PID:708
-
\??\c:\jpjdv.exec:\jpjdv.exe88⤵PID:3664
-
\??\c:\vpvvp.exec:\vpvvp.exe89⤵PID:4860
-
\??\c:\xrxrlll.exec:\xrxrlll.exe90⤵PID:2440
-
\??\c:\hhbbhn.exec:\hhbbhn.exe91⤵PID:812
-
\??\c:\9nbnnn.exec:\9nbnnn.exe92⤵PID:4656
-
\??\c:\1jppj.exec:\1jppj.exe93⤵PID:1776
-
\??\c:\7frllrx.exec:\7frllrx.exe94⤵PID:4956
-
\??\c:\hhtntn.exec:\hhtntn.exe95⤵PID:1216
-
\??\c:\djvvd.exec:\djvvd.exe96⤵PID:2020
-
\??\c:\xrxxxff.exec:\xrxxxff.exe97⤵PID:3104
-
\??\c:\7nnnhh.exec:\7nnnhh.exe98⤵PID:1924
-
\??\c:\hthtth.exec:\hthtth.exe99⤵PID:2696
-
\??\c:\dpvjj.exec:\dpvjj.exe100⤵PID:3428
-
\??\c:\llrrrxx.exec:\llrrrxx.exe101⤵PID:4380
-
\??\c:\bbhnhn.exec:\bbhnhn.exe102⤵PID:3960
-
\??\c:\pddpd.exec:\pddpd.exe103⤵PID:2248
-
\??\c:\rxfxrxx.exec:\rxfxrxx.exe104⤵PID:2796
-
\??\c:\nhhnnn.exec:\nhhnnn.exe105⤵PID:4044
-
\??\c:\jpdvd.exec:\jpdvd.exe106⤵PID:2624
-
\??\c:\ppvvd.exec:\ppvvd.exe107⤵PID:3124
-
\??\c:\lxlffxr.exec:\lxlffxr.exe108⤵PID:4932
-
\??\c:\tbtthn.exec:\tbtthn.exe109⤵
- System Location Discovery: System Language Discovery
PID:3424 -
\??\c:\ppddd.exec:\ppddd.exe110⤵PID:3596
-
\??\c:\xrflrll.exec:\xrflrll.exe111⤵PID:4404
-
\??\c:\hnnbbb.exec:\hnnbbb.exe112⤵PID:3316
-
\??\c:\vpvpj.exec:\vpvpj.exe113⤵PID:1888
-
\??\c:\lfrrflf.exec:\lfrrflf.exe114⤵PID:2176
-
\??\c:\ffffflf.exec:\ffffflf.exe115⤵PID:1680
-
\??\c:\7hhhhb.exec:\7hhhhb.exe116⤵PID:3620
-
\??\c:\ppvpp.exec:\ppvpp.exe117⤵PID:4328
-
\??\c:\rffrrlr.exec:\rffrrlr.exe118⤵PID:2384
-
\??\c:\hbhbbb.exec:\hbhbbb.exe119⤵PID:2080
-
\??\c:\btnhnn.exec:\btnhnn.exe120⤵PID:1168
-
\??\c:\dpppv.exec:\dpppv.exe121⤵PID:1416
-
\??\c:\xxrlrrx.exec:\xxrlrrx.exe122⤵PID:1572
-