Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 15:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a329da412d79fda5b7f1a67b901f471e399111de884263e0a508ca53e9d1978f.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a329da412d79fda5b7f1a67b901f471e399111de884263e0a508ca53e9d1978f.exe
-
Size
454KB
-
MD5
c0392c0ff101d60b76bfb77cc11a67e5
-
SHA1
e01deb98191bc1816ffc673dd02f4a3f6214e4c6
-
SHA256
a329da412d79fda5b7f1a67b901f471e399111de884263e0a508ca53e9d1978f
-
SHA512
3051f5e8afe40ec5e8ce33ceba06f491dde3df1e27428419545c09086f0667642adbecbd827c6eeb6ee9047ced2b3c048542940de06ffd5700ed3ceb1db950ec
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTl:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1572-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1768-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3168-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-1181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-1595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2008-1903-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4584 xxfxrrf.exe 4364 ddddd.exe 1812 1rrrrff.exe 2248 lxxfrll.exe 932 7dddv.exe 2100 nnbbbh.exe 1108 dvddd.exe 1116 hnhhhh.exe 2276 llrrxxr.exe 1908 vvddd.exe 4376 hhhbtt.exe 4388 vpppp.exe 1764 3dppv.exe 2076 pvjjd.exe 860 xlllfxr.exe 4552 hbttnn.exe 4564 xxrrlff.exe 1664 xrllrxl.exe 4800 tbtthn.exe 2404 vvdjd.exe 5072 jpddj.exe 4672 nhhnhn.exe 4656 jpjjj.exe 4976 9bbbtb.exe 1536 lflrlrr.exe 2168 xfllxff.exe 4888 ddddj.exe 1768 7xffxxf.exe 3504 lrfrfxl.exe 8 7ppjv.exe 4728 lllllll.exe 4720 nntttb.exe 2136 nntnhh.exe 3740 tthhht.exe 4512 lrrrlll.exe 2184 hbtbbt.exe 1308 ppvvv.exe 4796 rrxxlrf.exe 532 bbttnt.exe 3672 ppdvp.exe 3184 frfxlxl.exe 4156 1hhhbh.exe 1088 ddjdd.exe 4308 pjjdd.exe 2844 fffxxxx.exe 4748 5nnntb.exe 2112 dpvpp.exe 1480 ddppv.exe 4584 5rxrxff.exe 2344 bnbnbb.exe 2580 vvvvv.exe 2108 fllllll.exe 1812 nntttn.exe 1620 jjpdj.exe 4804 vvdjj.exe 932 rxfxxxl.exe 2088 nbbhbh.exe 3516 jjvvj.exe 5024 dddjj.exe 3744 tbhhbb.exe 1832 5bnhht.exe 2192 jjdjd.exe 3984 fxfxxll.exe 2484 httnnh.exe -
resource yara_rule behavioral2/memory/1572-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/8-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4588-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-1181-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlflxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrllr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1572 wrote to memory of 4584 1572 a329da412d79fda5b7f1a67b901f471e399111de884263e0a508ca53e9d1978f.exe 83 PID 1572 wrote to memory of 4584 1572 a329da412d79fda5b7f1a67b901f471e399111de884263e0a508ca53e9d1978f.exe 83 PID 1572 wrote to memory of 4584 1572 a329da412d79fda5b7f1a67b901f471e399111de884263e0a508ca53e9d1978f.exe 83 PID 4584 wrote to memory of 4364 4584 xxfxrrf.exe 84 PID 4584 wrote to memory of 4364 4584 xxfxrrf.exe 84 PID 4584 wrote to memory of 4364 4584 xxfxrrf.exe 84 PID 4364 wrote to memory of 1812 4364 ddddd.exe 85 PID 4364 wrote to memory of 1812 4364 ddddd.exe 85 PID 4364 wrote to memory of 1812 4364 ddddd.exe 85 PID 1812 wrote to memory of 2248 1812 1rrrrff.exe 86 PID 1812 wrote to memory of 2248 1812 1rrrrff.exe 86 PID 1812 wrote to memory of 2248 1812 1rrrrff.exe 86 PID 2248 wrote to memory of 932 2248 lxxfrll.exe 87 PID 2248 wrote to memory of 932 2248 lxxfrll.exe 87 PID 2248 wrote to memory of 932 2248 lxxfrll.exe 87 PID 932 wrote to memory of 2100 932 7dddv.exe 88 PID 932 wrote to memory of 2100 932 7dddv.exe 88 PID 932 wrote to memory of 2100 932 7dddv.exe 88 PID 2100 wrote to memory of 1108 2100 nnbbbh.exe 89 PID 2100 wrote to memory of 1108 2100 nnbbbh.exe 89 PID 2100 wrote to memory of 1108 2100 nnbbbh.exe 89 PID 1108 wrote to memory of 1116 1108 dvddd.exe 90 PID 1108 wrote to memory of 1116 1108 dvddd.exe 90 PID 1108 wrote to memory of 1116 1108 dvddd.exe 90 PID 1116 wrote to memory of 2276 1116 hnhhhh.exe 91 PID 1116 wrote to memory of 2276 1116 hnhhhh.exe 91 PID 1116 wrote to memory of 2276 1116 hnhhhh.exe 91 PID 2276 wrote to memory of 1908 2276 llrrxxr.exe 92 PID 2276 wrote to memory of 1908 2276 llrrxxr.exe 92 PID 2276 wrote to memory of 1908 2276 llrrxxr.exe 92 PID 1908 wrote to memory of 4376 1908 vvddd.exe 93 PID 1908 wrote to memory of 4376 1908 vvddd.exe 93 PID 1908 wrote to memory of 4376 1908 vvddd.exe 93 PID 4376 wrote to memory of 4388 4376 hhhbtt.exe 94 PID 4376 wrote to memory of 
4388 4376 hhhbtt.exe 94 PID 4376 wrote to memory of 4388 4376 hhhbtt.exe 94 PID 4388 wrote to memory of 1764 4388 vpppp.exe 95 PID 4388 wrote to memory of 1764 4388 vpppp.exe 95 PID 4388 wrote to memory of 1764 4388 vpppp.exe 95 PID 1764 wrote to memory of 2076 1764 3dppv.exe 96 PID 1764 wrote to memory of 2076 1764 3dppv.exe 96 PID 1764 wrote to memory of 2076 1764 3dppv.exe 96 PID 2076 wrote to memory of 860 2076 pvjjd.exe 97 PID 2076 wrote to memory of 860 2076 pvjjd.exe 97 PID 2076 wrote to memory of 860 2076 pvjjd.exe 97 PID 860 wrote to memory of 4552 860 xlllfxr.exe 98 PID 860 wrote to memory of 4552 860 xlllfxr.exe 98 PID 860 wrote to memory of 4552 860 xlllfxr.exe 98 PID 4552 wrote to memory of 4564 4552 hbttnn.exe 99 PID 4552 wrote to memory of 4564 4552 hbttnn.exe 99 PID 4552 wrote to memory of 4564 4552 hbttnn.exe 99 PID 4564 wrote to memory of 1664 4564 xxrrlff.exe 100 PID 4564 wrote to memory of 1664 4564 xxrrlff.exe 100 PID 4564 wrote to memory of 1664 4564 xxrrlff.exe 100 PID 1664 wrote to memory of 4800 1664 xrllrxl.exe 101 PID 1664 wrote to memory of 4800 1664 xrllrxl.exe 101 PID 1664 wrote to memory of 4800 1664 xrllrxl.exe 101 PID 4800 wrote to memory of 2404 4800 tbtthn.exe 102 PID 4800 wrote to memory of 2404 4800 tbtthn.exe 102 PID 4800 wrote to memory of 2404 4800 tbtthn.exe 102 PID 2404 wrote to memory of 5072 2404 vvdjd.exe 103 PID 2404 wrote to memory of 5072 2404 vvdjd.exe 103 PID 2404 wrote to memory of 5072 2404 vvdjd.exe 103 PID 5072 wrote to memory of 4672 5072 jpddj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a329da412d79fda5b7f1a67b901f471e399111de884263e0a508ca53e9d1978f.exe"C:\Users\Admin\AppData\Local\Temp\a329da412d79fda5b7f1a67b901f471e399111de884263e0a508ca53e9d1978f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\xxfxrrf.exec:\xxfxrrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\ddddd.exec:\ddddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\1rrrrff.exec:\1rrrrff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\lxxfrll.exec:\lxxfrll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\7dddv.exec:\7dddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\nnbbbh.exec:\nnbbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\dvddd.exec:\dvddd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\hnhhhh.exec:\hnhhhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\llrrxxr.exec:\llrrxxr.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\vvddd.exec:\vvddd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\hhhbtt.exec:\hhhbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\vpppp.exec:\vpppp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\3dppv.exec:\3dppv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\pvjjd.exec:\pvjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\xlllfxr.exec:\xlllfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\hbttnn.exec:\hbttnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\xxrrlff.exec:\xxrrlff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\xrllrxl.exec:\xrllrxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\tbtthn.exec:\tbtthn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\vvdjd.exec:\vvdjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\jpddj.exec:\jpddj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\nhhnhn.exec:\nhhnhn.exe23⤵
- Executes dropped EXE
PID:4672 -
\??\c:\jpjjj.exec:\jpjjj.exe24⤵
- Executes dropped EXE
PID:4656 -
\??\c:\9bbbtb.exec:\9bbbtb.exe25⤵
- Executes dropped EXE
PID:4976 -
\??\c:\lflrlrr.exec:\lflrlrr.exe26⤵
- Executes dropped EXE
PID:1536 -
\??\c:\xfllxff.exec:\xfllxff.exe27⤵
- Executes dropped EXE
PID:2168 -
\??\c:\ddddj.exec:\ddddj.exe28⤵
- Executes dropped EXE
PID:4888 -
\??\c:\7xffxxf.exec:\7xffxxf.exe29⤵
- Executes dropped EXE
PID:1768 -
\??\c:\lrfrfxl.exec:\lrfrfxl.exe30⤵
- Executes dropped EXE
PID:3504 -
\??\c:\7ppjv.exec:\7ppjv.exe31⤵
- Executes dropped EXE
PID:8 -
\??\c:\lllllll.exec:\lllllll.exe32⤵
- Executes dropped EXE
PID:4728 -
\??\c:\nntttb.exec:\nntttb.exe33⤵
- Executes dropped EXE
PID:4720 -
\??\c:\nntnhh.exec:\nntnhh.exe34⤵
- Executes dropped EXE
PID:2136 -
\??\c:\tthhht.exec:\tthhht.exe35⤵
- Executes dropped EXE
PID:3740 -
\??\c:\lrrrlll.exec:\lrrrlll.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4512 -
\??\c:\hbtbbt.exec:\hbtbbt.exe37⤵
- Executes dropped EXE
PID:2184 -
\??\c:\ppvvv.exec:\ppvvv.exe38⤵
- Executes dropped EXE
PID:1308 -
\??\c:\rrxxlrf.exec:\rrxxlrf.exe39⤵
- Executes dropped EXE
PID:4796 -
\??\c:\bbttnt.exec:\bbttnt.exe40⤵
- Executes dropped EXE
PID:532 -
\??\c:\ppdvp.exec:\ppdvp.exe41⤵
- Executes dropped EXE
PID:3672 -
\??\c:\frfxlxl.exec:\frfxlxl.exe42⤵
- Executes dropped EXE
PID:3184 -
\??\c:\1hhhbh.exec:\1hhhbh.exe43⤵
- Executes dropped EXE
PID:4156 -
\??\c:\ddjdd.exec:\ddjdd.exe44⤵
- Executes dropped EXE
PID:1088 -
\??\c:\pjjdd.exec:\pjjdd.exe45⤵
- Executes dropped EXE
PID:4308 -
\??\c:\fffxxxx.exec:\fffxxxx.exe46⤵
- Executes dropped EXE
PID:2844 -
\??\c:\5nnntb.exec:\5nnntb.exe47⤵
- Executes dropped EXE
PID:4748 -
\??\c:\dpvpp.exec:\dpvpp.exe48⤵
- Executes dropped EXE
PID:2112 -
\??\c:\ddppv.exec:\ddppv.exe49⤵
- Executes dropped EXE
PID:1480 -
\??\c:\5rxrxff.exec:\5rxrxff.exe50⤵
- Executes dropped EXE
PID:4584 -
\??\c:\bnbnbb.exec:\bnbnbb.exe51⤵
- Executes dropped EXE
PID:2344 -
\??\c:\vvvvv.exec:\vvvvv.exe52⤵
- Executes dropped EXE
PID:2580 -
\??\c:\fllllll.exec:\fllllll.exe53⤵
- Executes dropped EXE
PID:2108 -
\??\c:\nntttn.exec:\nntttn.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1812 -
\??\c:\jjpdj.exec:\jjpdj.exe55⤵
- Executes dropped EXE
PID:1620 -
\??\c:\vvdjj.exec:\vvdjj.exe56⤵
- Executes dropped EXE
PID:4804 -
\??\c:\rxfxxxl.exec:\rxfxxxl.exe57⤵
- Executes dropped EXE
PID:932 -
\??\c:\nbbhbh.exec:\nbbhbh.exe58⤵
- Executes dropped EXE
PID:2088 -
\??\c:\jjvvj.exec:\jjvvj.exe59⤵
- Executes dropped EXE
PID:3516 -
\??\c:\dddjj.exec:\dddjj.exe60⤵
- Executes dropped EXE
PID:5024 -
\??\c:\tbhhbb.exec:\tbhhbb.exe61⤵
- Executes dropped EXE
PID:3744 -
\??\c:\5bnhht.exec:\5bnhht.exe62⤵
- Executes dropped EXE
PID:1832 -
\??\c:\jjdjd.exec:\jjdjd.exe63⤵
- Executes dropped EXE
PID:2192 -
\??\c:\fxfxxll.exec:\fxfxxll.exe64⤵
- Executes dropped EXE
PID:3984 -
\??\c:\httnnh.exec:\httnnh.exe65⤵
- Executes dropped EXE
PID:2484 -
\??\c:\1jjjp.exec:\1jjjp.exe66⤵PID:1784
-
\??\c:\ffxxxxx.exec:\ffxxxxx.exe67⤵PID:728
-
\??\c:\tnbbbb.exec:\tnbbbb.exe68⤵PID:5116
-
\??\c:\ddjjd.exec:\ddjjd.exe69⤵
- System Location Discovery: System Language Discovery
PID:4772 -
\??\c:\1vddv.exec:\1vddv.exe70⤵PID:3108
-
\??\c:\3rfxrxx.exec:\3rfxrxx.exe71⤵PID:4008
-
\??\c:\bhnhhb.exec:\bhnhhb.exe72⤵PID:3216
-
\??\c:\pvdjp.exec:\pvdjp.exe73⤵PID:4564
-
\??\c:\xxllffr.exec:\xxllffr.exe74⤵PID:3148
-
\??\c:\lxfxrrx.exec:\lxfxrrx.exe75⤵PID:2424
-
\??\c:\hntttt.exec:\hntttt.exe76⤵PID:2288
-
\??\c:\pjjjd.exec:\pjjjd.exe77⤵PID:4732
-
\??\c:\1rrllrf.exec:\1rrllrf.exe78⤵PID:624
-
\??\c:\bnnnnt.exec:\bnnnnt.exe79⤵PID:3712
-
\??\c:\nhhtnn.exec:\nhhtnn.exe80⤵PID:4220
-
\??\c:\pdppv.exec:\pdppv.exe81⤵PID:4672
-
\??\c:\9xxfxxx.exec:\9xxfxxx.exe82⤵PID:2924
-
\??\c:\1btnbb.exec:\1btnbb.exe83⤵PID:4724
-
\??\c:\vvjdp.exec:\vvjdp.exe84⤵PID:3168
-
\??\c:\lrxxlrx.exec:\lrxxlrx.exe85⤵PID:1916
-
\??\c:\bhbbnn.exec:\bhbbnn.exe86⤵PID:4384
-
\??\c:\ddjdd.exec:\ddjdd.exe87⤵PID:2252
-
\??\c:\rxllrxx.exec:\rxllrxx.exe88⤵PID:4960
-
\??\c:\ttnhbn.exec:\ttnhbn.exe89⤵PID:396
-
\??\c:\nbtnhh.exec:\nbtnhh.exe90⤵PID:1280
-
\??\c:\jjvvp.exec:\jjvvp.exe91⤵PID:4428
-
\??\c:\rfxrrrl.exec:\rfxrrrl.exe92⤵PID:3944
-
\??\c:\bbbnhb.exec:\bbbnhb.exe93⤵PID:4588
-
\??\c:\pjjdd.exec:\pjjdd.exe94⤵PID:3004
-
\??\c:\rxlfffx.exec:\rxlfffx.exe95⤵PID:5036
-
\??\c:\hhttbb.exec:\hhttbb.exe96⤵PID:4720
-
\??\c:\pjvvv.exec:\pjvvv.exe97⤵PID:2136
-
\??\c:\5vvvp.exec:\5vvvp.exe98⤵PID:4964
-
\??\c:\ffrlrrf.exec:\ffrlrrf.exe99⤵PID:4816
-
\??\c:\7hhbbb.exec:\7hhbbb.exe100⤵PID:632
-
\??\c:\jpdvp.exec:\jpdvp.exe101⤵PID:1948
-
\??\c:\rxfxxxx.exec:\rxfxxxx.exe102⤵PID:2316
-
\??\c:\xlflxxf.exec:\xlflxxf.exe103⤵
- System Location Discovery: System Language Discovery
PID:3128 -
\??\c:\nhbthh.exec:\nhbthh.exe104⤵PID:3564
-
\??\c:\jjjjd.exec:\jjjjd.exe105⤵PID:4296
-
\??\c:\fxxrffr.exec:\fxxrffr.exe106⤵PID:2352
-
\??\c:\hhbbtt.exec:\hhbbtt.exe107⤵PID:2044
-
\??\c:\vpvvv.exec:\vpvvv.exe108⤵PID:4288
-
\??\c:\jdjdj.exec:\jdjdj.exe109⤵PID:3780
-
\??\c:\fffrlll.exec:\fffrlll.exe110⤵PID:1312
-
\??\c:\hnttth.exec:\hnttth.exe111⤵PID:4544
-
\??\c:\5vpjj.exec:\5vpjj.exe112⤵PID:4488
-
\??\c:\djddj.exec:\djddj.exe113⤵PID:2920
-
\??\c:\ffrlrfx.exec:\ffrlrfx.exe114⤵PID:1804
-
\??\c:\nnnnnn.exec:\nnnnnn.exe115⤵PID:2580
-
\??\c:\ntnnhh.exec:\ntnnhh.exe116⤵PID:4432
-
\??\c:\jppjd.exec:\jppjd.exe117⤵PID:2248
-
\??\c:\rlrrllr.exec:\rlrrllr.exe118⤵
- System Location Discovery: System Language Discovery
PID:2560 -
\??\c:\btbbbb.exec:\btbbbb.exe119⤵PID:4804
-
\??\c:\ppppp.exec:\ppppp.exe120⤵PID:3420
-
\??\c:\pjdvp.exec:\pjdvp.exe121⤵PID:3064
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe122⤵PID:4760
-