Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 21:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29349e7078b7124233b2d73ad272ec3c82e5e8238125d19769924475c7418fdd.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
29349e7078b7124233b2d73ad272ec3c82e5e8238125d19769924475c7418fdd.exe
-
Size
456KB
-
MD5
c2989940ec88530d98b3d7ccac0c4753
-
SHA1
95cae86808b3a58e4d6d0e7e1d7363c5b1d5e56b
-
SHA256
29349e7078b7124233b2d73ad272ec3c82e5e8238125d19769924475c7418fdd
-
SHA512
35b96bfa9f004c5b4c432c10ab0a3d8e3f007359327dd726314f974964cd968ea7ec26db755e48c334f96fa6a554ad1304fe75bd9da9e23b5d5b8d318db8a539
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR0:q7Tc2NYHUrAwfMp3CDR0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1964-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3724-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4820-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-1521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1516 5jdpv.exe 3732 xxlfxrl.exe 3452 ttttth.exe 4492 9flfffl.exe 4104 djdjv.exe 4544 9tnhbb.exe 2412 lllfflf.exe 1220 1ddvp.exe 4176 dpvpp.exe 232 tbbtnh.exe 3176 1pjdv.exe 2568 jdvpj.exe 2224 3lfxrxr.exe 4640 tttnhb.exe 4736 5djdd.exe 652 vpvjj.exe 3244 5fxrlll.exe 4916 hbhbtt.exe 4504 ddvjv.exe 3428 jpvpj.exe 2588 lrxrrrl.exe 1036 5hnhhh.exe 3020 vpjdv.exe 764 vpdvp.exe 4740 lfrflfl.exe 5084 nbnbtt.exe 2296 bbnhtb.exe 3788 9vdpj.exe 2220 lxfxrlf.exe 3652 xfffxxr.exe 60 1nnhbh.exe 3912 tnbttn.exe 2276 vdjdp.exe 1408 rllfffx.exe 3156 xlxffxr.exe 3256 nhnntn.exe 5004 ddpjp.exe 4920 ddjdp.exe 4340 3ffxrrr.exe 3524 9ttnbb.exe 3216 tttnnn.exe 3724 jddvp.exe 1400 3rrlffx.exe 3704 rllfffx.exe 3436 tnnnhh.exe 804 1nntnt.exe 4624 jvddv.exe 452 3fllfxr.exe 2420 1lrlffx.exe 4376 3ntnnn.exe 4452 5jjdv.exe 1668 xffxxrr.exe 1020 3rrrrll.exe 3980 ntbtbb.exe 1892 1pdpv.exe 1884 7flxfxf.exe 3040 hbhhhb.exe 4036 jdvdp.exe 3068 3xrrllf.exe 4820 3xlrllx.exe 4368 7bbthh.exe 968 3vpdv.exe 1220 llrfxrl.exe 4176 rxxlfxl.exe -
resource yara_rule behavioral2/memory/1964-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-232-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4624-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-316-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1108-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-877-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1964 wrote to memory of 1516 1964 29349e7078b7124233b2d73ad272ec3c82e5e8238125d19769924475c7418fdd.exe 82 PID 1964 wrote to memory of 1516 1964 29349e7078b7124233b2d73ad272ec3c82e5e8238125d19769924475c7418fdd.exe 82 PID 1964 wrote to memory of 1516 1964 29349e7078b7124233b2d73ad272ec3c82e5e8238125d19769924475c7418fdd.exe 82 PID 1516 wrote to memory of 3732 1516 5jdpv.exe 83 PID 1516 wrote to memory of 3732 1516 5jdpv.exe 83 PID 1516 wrote to memory of 3732 1516 5jdpv.exe 83 PID 3732 wrote to memory of 3452 3732 xxlfxrl.exe 84 PID 3732 wrote to memory of 3452 3732 xxlfxrl.exe 84 PID 3732 wrote to memory of 3452 3732 xxlfxrl.exe 84 PID 3452 wrote to memory of 4492 3452 ttttth.exe 85 PID 3452 wrote to memory of 4492 3452 ttttth.exe 85 PID 3452 wrote to memory of 4492 3452 ttttth.exe 85 PID 4492 wrote to memory of 4104 4492 9flfffl.exe 86 PID 4492 wrote to memory of 4104 4492 9flfffl.exe 86 PID 4492 wrote to memory of 4104 4492 9flfffl.exe 86 PID 4104 wrote to memory of 4544 4104 djdjv.exe 87 PID 4104 wrote to memory of 4544 4104 djdjv.exe 87 PID 4104 wrote to memory of 4544 4104 djdjv.exe 87 PID 4544 wrote to memory of 2412 4544 9tnhbb.exe 88 PID 4544 wrote to memory of 2412 4544 9tnhbb.exe 88 PID 4544 wrote to memory of 2412 4544 9tnhbb.exe 88 PID 2412 wrote to memory of 1220 2412 lllfflf.exe 89 PID 2412 wrote to memory of 1220 2412 lllfflf.exe 89 PID 2412 wrote to memory of 1220 2412 lllfflf.exe 89 PID 1220 wrote to memory of 4176 1220 1ddvp.exe 90 PID 1220 wrote to memory of 4176 1220 1ddvp.exe 90 PID 1220 wrote to memory of 4176 1220 1ddvp.exe 90 PID 4176 wrote to memory of 232 4176 dpvpp.exe 91 PID 4176 wrote to memory of 232 4176 dpvpp.exe 91 PID 4176 wrote to memory of 232 4176 dpvpp.exe 91 PID 232 wrote to memory of 3176 232 tbbtnh.exe 92 PID 232 wrote to memory of 3176 232 tbbtnh.exe 92 PID 232 wrote to memory of 3176 232 tbbtnh.exe 92 PID 3176 wrote to memory of 2568 3176 1pjdv.exe 93 PID 3176 wrote to memory of 2568 
3176 1pjdv.exe 93 PID 3176 wrote to memory of 2568 3176 1pjdv.exe 93 PID 2568 wrote to memory of 2224 2568 jdvpj.exe 94 PID 2568 wrote to memory of 2224 2568 jdvpj.exe 94 PID 2568 wrote to memory of 2224 2568 jdvpj.exe 94 PID 2224 wrote to memory of 4640 2224 3lfxrxr.exe 95 PID 2224 wrote to memory of 4640 2224 3lfxrxr.exe 95 PID 2224 wrote to memory of 4640 2224 3lfxrxr.exe 95 PID 4640 wrote to memory of 4736 4640 tttnhb.exe 96 PID 4640 wrote to memory of 4736 4640 tttnhb.exe 96 PID 4640 wrote to memory of 4736 4640 tttnhb.exe 96 PID 4736 wrote to memory of 652 4736 5djdd.exe 97 PID 4736 wrote to memory of 652 4736 5djdd.exe 97 PID 4736 wrote to memory of 652 4736 5djdd.exe 97 PID 652 wrote to memory of 3244 652 vpvjj.exe 98 PID 652 wrote to memory of 3244 652 vpvjj.exe 98 PID 652 wrote to memory of 3244 652 vpvjj.exe 98 PID 3244 wrote to memory of 4916 3244 5fxrlll.exe 99 PID 3244 wrote to memory of 4916 3244 5fxrlll.exe 99 PID 3244 wrote to memory of 4916 3244 5fxrlll.exe 99 PID 4916 wrote to memory of 4504 4916 hbhbtt.exe 100 PID 4916 wrote to memory of 4504 4916 hbhbtt.exe 100 PID 4916 wrote to memory of 4504 4916 hbhbtt.exe 100 PID 4504 wrote to memory of 3428 4504 ddvjv.exe 101 PID 4504 wrote to memory of 3428 4504 ddvjv.exe 101 PID 4504 wrote to memory of 3428 4504 ddvjv.exe 101 PID 3428 wrote to memory of 2588 3428 jpvpj.exe 102 PID 3428 wrote to memory of 2588 3428 jpvpj.exe 102 PID 3428 wrote to memory of 2588 3428 jpvpj.exe 102 PID 2588 wrote to memory of 1036 2588 lrxrrrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\29349e7078b7124233b2d73ad272ec3c82e5e8238125d19769924475c7418fdd.exe"C:\Users\Admin\AppData\Local\Temp\29349e7078b7124233b2d73ad272ec3c82e5e8238125d19769924475c7418fdd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\5jdpv.exec:\5jdpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\xxlfxrl.exec:\xxlfxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\ttttth.exec:\ttttth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\9flfffl.exec:\9flfffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\djdjv.exec:\djdjv.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\9tnhbb.exec:\9tnhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\lllfflf.exec:\lllfflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\1ddvp.exec:\1ddvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\dpvpp.exec:\dpvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\tbbtnh.exec:\tbbtnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\1pjdv.exec:\1pjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\jdvpj.exec:\jdvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\3lfxrxr.exec:\3lfxrxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\tttnhb.exec:\tttnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\5djdd.exec:\5djdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\vpvjj.exec:\vpvjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\5fxrlll.exec:\5fxrlll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\hbhbtt.exec:\hbhbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\ddvjv.exec:\ddvjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\jpvpj.exec:\jpvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\lrxrrrl.exec:\lrxrrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\5hnhhh.exec:\5hnhhh.exe23⤵
- Executes dropped EXE
PID:1036 -
\??\c:\vpjdv.exec:\vpjdv.exe24⤵
- Executes dropped EXE
PID:3020 -
\??\c:\vpdvp.exec:\vpdvp.exe25⤵
- Executes dropped EXE
PID:764 -
\??\c:\lfrflfl.exec:\lfrflfl.exe26⤵
- Executes dropped EXE
PID:4740 -
\??\c:\nbnbtt.exec:\nbnbtt.exe27⤵
- Executes dropped EXE
PID:5084 -
\??\c:\bbnhtb.exec:\bbnhtb.exe28⤵
- Executes dropped EXE
PID:2296 -
\??\c:\9vdpj.exec:\9vdpj.exe29⤵
- Executes dropped EXE
PID:3788 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe30⤵
- Executes dropped EXE
PID:2220 -
\??\c:\xfffxxr.exec:\xfffxxr.exe31⤵
- Executes dropped EXE
PID:3652 -
\??\c:\1nnhbh.exec:\1nnhbh.exe32⤵
- Executes dropped EXE
PID:60 -
\??\c:\tnbttn.exec:\tnbttn.exe33⤵
- Executes dropped EXE
PID:3912 -
\??\c:\vdjdp.exec:\vdjdp.exe34⤵
- Executes dropped EXE
PID:2276 -
\??\c:\rllfffx.exec:\rllfffx.exe35⤵
- Executes dropped EXE
PID:1408 -
\??\c:\xlxffxr.exec:\xlxffxr.exe36⤵
- Executes dropped EXE
PID:3156 -
\??\c:\nhnntn.exec:\nhnntn.exe37⤵
- Executes dropped EXE
PID:3256 -
\??\c:\ddpjp.exec:\ddpjp.exe38⤵
- Executes dropped EXE
PID:5004 -
\??\c:\ddjdp.exec:\ddjdp.exe39⤵
- Executes dropped EXE
PID:4920 -
\??\c:\3ffxrrr.exec:\3ffxrrr.exe40⤵
- Executes dropped EXE
PID:4340 -
\??\c:\9ttnbb.exec:\9ttnbb.exe41⤵
- Executes dropped EXE
PID:3524 -
\??\c:\tttnnn.exec:\tttnnn.exe42⤵
- Executes dropped EXE
PID:3216 -
\??\c:\jddvp.exec:\jddvp.exe43⤵
- Executes dropped EXE
PID:3724 -
\??\c:\3rrlffx.exec:\3rrlffx.exe44⤵
- Executes dropped EXE
PID:1400 -
\??\c:\rllfffx.exec:\rllfffx.exe45⤵
- Executes dropped EXE
PID:3704 -
\??\c:\tnnnhh.exec:\tnnnhh.exe46⤵
- Executes dropped EXE
PID:3436 -
\??\c:\1nntnt.exec:\1nntnt.exe47⤵
- Executes dropped EXE
PID:804 -
\??\c:\jvddv.exec:\jvddv.exe48⤵
- Executes dropped EXE
PID:4624 -
\??\c:\3fllfxr.exec:\3fllfxr.exe49⤵
- Executes dropped EXE
PID:452 -
\??\c:\1lrlffx.exec:\1lrlffx.exe50⤵
- Executes dropped EXE
PID:2420 -
\??\c:\3ntnnn.exec:\3ntnnn.exe51⤵
- Executes dropped EXE
PID:4376 -
\??\c:\5jjdv.exec:\5jjdv.exe52⤵
- Executes dropped EXE
PID:4452 -
\??\c:\xffxxrr.exec:\xffxxrr.exe53⤵
- Executes dropped EXE
PID:1668 -
\??\c:\dvvpj.exec:\dvvpj.exe54⤵PID:3080
-
\??\c:\3rrrrll.exec:\3rrrrll.exe55⤵
- Executes dropped EXE
PID:1020 -
\??\c:\ntbtbb.exec:\ntbtbb.exe56⤵
- Executes dropped EXE
PID:3980 -
\??\c:\1pdpv.exec:\1pdpv.exe57⤵
- Executes dropped EXE
PID:1892 -
\??\c:\7flxfxf.exec:\7flxfxf.exe58⤵
- Executes dropped EXE
PID:1884 -
\??\c:\hbhhhb.exec:\hbhhhb.exe59⤵
- Executes dropped EXE
PID:3040 -
\??\c:\jdvdp.exec:\jdvdp.exe60⤵
- Executes dropped EXE
PID:4036 -
\??\c:\3xrrllf.exec:\3xrrllf.exe61⤵
- Executes dropped EXE
PID:3068 -
\??\c:\3xlrllx.exec:\3xlrllx.exe62⤵
- Executes dropped EXE
PID:4820 -
\??\c:\7bbthh.exec:\7bbthh.exe63⤵
- Executes dropped EXE
PID:4368 -
\??\c:\3vpdv.exec:\3vpdv.exe64⤵
- Executes dropped EXE
PID:968 -
\??\c:\llrfxrl.exec:\llrfxrl.exe65⤵
- Executes dropped EXE
PID:1220 -
\??\c:\rxxlfxl.exec:\rxxlfxl.exe66⤵
- Executes dropped EXE
PID:4176 -
\??\c:\9hnhbn.exec:\9hnhbn.exe67⤵PID:744
-
\??\c:\vdvvp.exec:\vdvvp.exe68⤵PID:3220
-
\??\c:\rrfxxxx.exec:\rrfxxxx.exe69⤵PID:3160
-
\??\c:\nhnhhb.exec:\nhnhhb.exe70⤵PID:4000
-
\??\c:\jdjdv.exec:\jdjdv.exe71⤵PID:2500
-
\??\c:\rfxrxxx.exec:\rfxrxxx.exe72⤵PID:2224
-
\??\c:\httnbt.exec:\httnbt.exe73⤵PID:2200
-
\??\c:\pjvvd.exec:\pjvvd.exe74⤵PID:800
-
\??\c:\lflfxrr.exec:\lflfxrr.exe75⤵PID:3496
-
\??\c:\7fxllfl.exec:\7fxllfl.exe76⤵PID:1108
-
\??\c:\dpvpp.exec:\dpvpp.exe77⤵PID:2644
-
\??\c:\frxrlfx.exec:\frxrlfx.exe78⤵PID:2956
-
\??\c:\9vppd.exec:\9vppd.exe79⤵PID:4504
-
\??\c:\3pdvj.exec:\3pdvj.exe80⤵PID:1552
-
\??\c:\rflfxrl.exec:\rflfxrl.exe81⤵PID:3280
-
\??\c:\7hnnhh.exec:\7hnnhh.exe82⤵PID:5044
-
\??\c:\vppjp.exec:\vppjp.exe83⤵PID:4572
-
\??\c:\lfrxrrx.exec:\lfrxrrx.exe84⤵PID:2828
-
\??\c:\nbhtnh.exec:\nbhtnh.exe85⤵PID:4740
-
\??\c:\lrxlrlx.exec:\lrxlrlx.exe86⤵PID:1016
-
\??\c:\thnhbb.exec:\thnhbb.exe87⤵PID:2856
-
\??\c:\3hhbtn.exec:\3hhbtn.exe88⤵PID:3540
-
\??\c:\1vpvp.exec:\1vpvp.exe89⤵PID:2220
-
\??\c:\rffrfrx.exec:\rffrfrx.exe90⤵PID:4904
-
\??\c:\fxrrlff.exec:\fxrrlff.exe91⤵PID:4860
-
\??\c:\5thhtt.exec:\5thhtt.exe92⤵PID:396
-
\??\c:\jvppp.exec:\jvppp.exe93⤵PID:1940
-
\??\c:\7vvjd.exec:\7vvjd.exe94⤵PID:936
-
\??\c:\rlfrfrl.exec:\rlfrfrl.exe95⤵PID:1664
-
\??\c:\nttnbt.exec:\nttnbt.exe96⤵PID:4744
-
\??\c:\3vdvj.exec:\3vdvj.exe97⤵PID:5004
-
\??\c:\lxfxrfx.exec:\lxfxrfx.exe98⤵PID:1208
-
\??\c:\9nhnbn.exec:\9nhnbn.exe99⤵PID:3616
-
\??\c:\pddpj.exec:\pddpj.exe100⤵PID:1684
-
\??\c:\vdvjv.exec:\vdvjv.exe101⤵PID:2004
-
\??\c:\flfrxlx.exec:\flfrxlx.exe102⤵PID:2396
-
\??\c:\hthbbb.exec:\hthbbb.exe103⤵PID:1308
-
\??\c:\vjpjd.exec:\vjpjd.exe104⤵
- System Location Discovery: System Language Discovery
PID:3772 -
\??\c:\frxlfxr.exec:\frxlfxr.exe105⤵PID:2440
-
\??\c:\bbbtnh.exec:\bbbtnh.exe106⤵PID:3296
-
\??\c:\1bnthh.exec:\1bnthh.exe107⤵PID:3664
-
\??\c:\vppdp.exec:\vppdp.exe108⤵PID:3992
-
\??\c:\frxrllx.exec:\frxrllx.exe109⤵PID:828
-
\??\c:\bntnhb.exec:\bntnhb.exe110⤵PID:3188
-
\??\c:\tthhnh.exec:\tthhnh.exe111⤵PID:4772
-
\??\c:\pjjjd.exec:\pjjjd.exe112⤵PID:1792
-
\??\c:\rllfrrl.exec:\rllfrrl.exe113⤵PID:4128
-
\??\c:\tbbtnh.exec:\tbbtnh.exe114⤵PID:3956
-
\??\c:\nhhttn.exec:\nhhttn.exe115⤵PID:432
-
\??\c:\ppjpp.exec:\ppjpp.exe116⤵PID:1956
-
\??\c:\3lfrxlf.exec:\3lfrxlf.exe117⤵PID:2640
-
\??\c:\hhnbnh.exec:\hhnbnh.exe118⤵PID:2844
-
\??\c:\vjjdj.exec:\vjjdj.exe119⤵PID:2032
-
\??\c:\pddpj.exec:\pddpj.exe120⤵PID:4232
-
\??\c:\xllflfr.exec:\xllflfr.exe121⤵PID:4652
-
\??\c:\9bnhtn.exec:\9bnhtn.exe122⤵PID:1404