Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
20/01/2025, 09:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
32638d56ee0dd78a6e480813d334e84f7ea5a45e855abf0567646c0227b9ba9dN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
32638d56ee0dd78a6e480813d334e84f7ea5a45e855abf0567646c0227b9ba9dN.exe
-
Size
455KB
-
MD5
eddf5278334f62a134bd4ab6d6c2c7f0
-
SHA1
be691a82e0e5909e2f2cc6a57189138d16d1f4d8
-
SHA256
32638d56ee0dd78a6e480813d334e84f7ea5a45e855abf0567646c0227b9ba9d
-
SHA512
d29aa8d6b78bf91b18eef52aaeaa8d4995518ae3b856f51eddc8276da07b0f7f53eb12fcf6a5869715e375bfe30cd244acf828da76eb1f2914e7b8049569321f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeZ:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4160-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1516-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3220-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/472-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-1535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4144-1850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4160 vjdvp.exe 3088 rffxxxx.exe 2012 jddvv.exe 3160 7rrllll.exe 1844 nnbhtt.exe 1100 vppvj.exe 2564 rlxrffr.exe 1880 3ffxxxx.exe 3000 9ddpj.exe 3972 lffxrrl.exe 2288 ppvpj.exe 4116 hhhbtn.exe 3980 9ntnnn.exe 3408 pdppv.exe 4816 bnhbtb.exe 1456 1vvjv.exe 4976 rlrfxrr.exe 1648 hbnnnn.exe 3284 xrxrllr.exe 2196 lflfllx.exe 3872 bbbbtt.exe 4708 rrrrrxx.exe 2236 nnnhht.exe 2524 ttbttt.exe 4556 hnnhtn.exe 1516 lfllffx.exe 4276 bhnhhh.exe 4396 rrlxffr.exe 5100 1ffxrrr.exe 4244 3xlffff.exe 2360 pjdvp.exe 4856 xllfxxf.exe 3868 xxlllxr.exe 4604 tbhbtt.exe 3580 hnnnhn.exe 4236 lfxxxff.exe 1092 hbbttt.exe 1952 htthhb.exe 3176 xrxlxxx.exe 2216 ffrxrrr.exe 2700 hntnnn.exe 1312 5jjpj.exe 4736 hbbhtn.exe 3428 pddpj.exe 3864 xrrllff.exe 2536 3hbtnt.exe 1772 bnbhbh.exe 3128 3rrllfx.exe 4444 nhhhhb.exe 4228 dpvdv.exe 3600 djvpp.exe 1144 rxrlrlf.exe 1840 nhnntn.exe 4812 ppjjd.exe 4404 lfllffl.exe 1160 9hhhhh.exe 2140 jjjdv.exe 1344 rflfrlf.exe 2896 hbnntn.exe 1968 9vddd.exe 1780 rllffxx.exe 1100 nthhnb.exe 4564 jddvp.exe 3884 ddjdv.exe -
resource yara_rule behavioral2/memory/4160-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4276-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-354-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3928-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/472-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-700-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1004 wrote to memory of 4160 1004 32638d56ee0dd78a6e480813d334e84f7ea5a45e855abf0567646c0227b9ba9dN.exe 82 PID 1004 wrote to memory of 4160 1004 32638d56ee0dd78a6e480813d334e84f7ea5a45e855abf0567646c0227b9ba9dN.exe 82 PID 1004 wrote to memory of 4160 1004 32638d56ee0dd78a6e480813d334e84f7ea5a45e855abf0567646c0227b9ba9dN.exe 82 PID 4160 wrote to memory of 3088 4160 vjdvp.exe 83 PID 4160 wrote to memory of 3088 4160 vjdvp.exe 83 PID 4160 wrote to memory of 3088 4160 vjdvp.exe 83 PID 3088 wrote to memory of 2012 3088 rffxxxx.exe 84 PID 3088 wrote to memory of 2012 3088 rffxxxx.exe 84 PID 3088 wrote to memory of 2012 3088 rffxxxx.exe 84 PID 2012 wrote to memory of 3160 2012 jddvv.exe 85 PID 2012 wrote to memory of 3160 2012 jddvv.exe 85 PID 2012 wrote to memory of 3160 2012 jddvv.exe 85 PID 3160 wrote to memory of 1844 3160 7rrllll.exe 86 PID 3160 wrote to memory of 1844 3160 7rrllll.exe 86 PID 3160 wrote to memory of 1844 3160 7rrllll.exe 86 PID 1844 wrote to memory of 1100 1844 nnbhtt.exe 87 PID 1844 wrote to memory of 1100 1844 nnbhtt.exe 87 PID 1844 wrote to memory of 1100 1844 nnbhtt.exe 87 PID 1100 wrote to memory of 2564 1100 vppvj.exe 88 PID 1100 wrote to memory of 2564 1100 vppvj.exe 88 PID 1100 wrote to memory of 2564 1100 vppvj.exe 88 PID 2564 wrote to memory of 1880 2564 rlxrffr.exe 89 PID 2564 wrote to memory of 1880 2564 rlxrffr.exe 89 PID 2564 wrote to memory of 1880 2564 rlxrffr.exe 89 PID 1880 wrote to memory of 3000 1880 3ffxxxx.exe 90 PID 1880 wrote to memory of 3000 1880 3ffxxxx.exe 90 PID 1880 wrote to memory of 3000 1880 3ffxxxx.exe 90 PID 3000 wrote to memory of 3972 3000 9ddpj.exe 91 PID 3000 wrote to memory of 3972 3000 9ddpj.exe 91 PID 3000 wrote to memory of 3972 3000 9ddpj.exe 91 PID 3972 wrote to memory of 2288 3972 lffxrrl.exe 92 PID 3972 wrote to memory of 2288 3972 lffxrrl.exe 92 PID 3972 wrote to memory of 2288 3972 lffxrrl.exe 92 PID 2288 wrote to memory of 4116 2288 ppvpj.exe 93 PID 2288 wrote 
to memory of 4116 2288 ppvpj.exe 93 PID 2288 wrote to memory of 4116 2288 ppvpj.exe 93 PID 4116 wrote to memory of 3980 4116 hhhbtn.exe 94 PID 4116 wrote to memory of 3980 4116 hhhbtn.exe 94 PID 4116 wrote to memory of 3980 4116 hhhbtn.exe 94 PID 3980 wrote to memory of 3408 3980 9ntnnn.exe 95 PID 3980 wrote to memory of 3408 3980 9ntnnn.exe 95 PID 3980 wrote to memory of 3408 3980 9ntnnn.exe 95 PID 3408 wrote to memory of 4816 3408 pdppv.exe 96 PID 3408 wrote to memory of 4816 3408 pdppv.exe 96 PID 3408 wrote to memory of 4816 3408 pdppv.exe 96 PID 4816 wrote to memory of 1456 4816 bnhbtb.exe 97 PID 4816 wrote to memory of 1456 4816 bnhbtb.exe 97 PID 4816 wrote to memory of 1456 4816 bnhbtb.exe 97 PID 1456 wrote to memory of 4976 1456 1vvjv.exe 98 PID 1456 wrote to memory of 4976 1456 1vvjv.exe 98 PID 1456 wrote to memory of 4976 1456 1vvjv.exe 98 PID 4976 wrote to memory of 1648 4976 rlrfxrr.exe 99 PID 4976 wrote to memory of 1648 4976 rlrfxrr.exe 99 PID 4976 wrote to memory of 1648 4976 rlrfxrr.exe 99 PID 1648 wrote to memory of 3284 1648 hbnnnn.exe 100 PID 1648 wrote to memory of 3284 1648 hbnnnn.exe 100 PID 1648 wrote to memory of 3284 1648 hbnnnn.exe 100 PID 3284 wrote to memory of 2196 3284 xrxrllr.exe 101 PID 3284 wrote to memory of 2196 3284 xrxrllr.exe 101 PID 3284 wrote to memory of 2196 3284 xrxrllr.exe 101 PID 2196 wrote to memory of 3872 2196 lflfllx.exe 102 PID 2196 wrote to memory of 3872 2196 lflfllx.exe 102 PID 2196 wrote to memory of 3872 2196 lflfllx.exe 102 PID 3872 wrote to memory of 4708 3872 bbbbtt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\32638d56ee0dd78a6e480813d334e84f7ea5a45e855abf0567646c0227b9ba9dN.exe"C:\Users\Admin\AppData\Local\Temp\32638d56ee0dd78a6e480813d334e84f7ea5a45e855abf0567646c0227b9ba9dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\vjdvp.exec:\vjdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\rffxxxx.exec:\rffxxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\jddvv.exec:\jddvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\7rrllll.exec:\7rrllll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
\??\c:\nnbhtt.exec:\nnbhtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\vppvj.exec:\vppvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\rlxrffr.exec:\rlxrffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\3ffxxxx.exec:\3ffxxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\9ddpj.exec:\9ddpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\lffxrrl.exec:\lffxrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\ppvpj.exec:\ppvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\hhhbtn.exec:\hhhbtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\9ntnnn.exec:\9ntnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\pdppv.exec:\pdppv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\bnhbtb.exec:\bnhbtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\1vvjv.exec:\1vvjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\rlrfxrr.exec:\rlrfxrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\hbnnnn.exec:\hbnnnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\xrxrllr.exec:\xrxrllr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\lflfllx.exec:\lflfllx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\bbbbtt.exec:\bbbbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\rrrrrxx.exec:\rrrrrxx.exe23⤵
- Executes dropped EXE
PID:4708 -
\??\c:\nnnhht.exec:\nnnhht.exe24⤵
- Executes dropped EXE
PID:2236 -
\??\c:\ttbttt.exec:\ttbttt.exe25⤵
- Executes dropped EXE
PID:2524 -
\??\c:\hnnhtn.exec:\hnnhtn.exe26⤵
- Executes dropped EXE
PID:4556 -
\??\c:\lfllffx.exec:\lfllffx.exe27⤵
- Executes dropped EXE
PID:1516 -
\??\c:\bhnhhh.exec:\bhnhhh.exe28⤵
- Executes dropped EXE
PID:4276 -
\??\c:\rrlxffr.exec:\rrlxffr.exe29⤵
- Executes dropped EXE
PID:4396 -
\??\c:\1ffxrrr.exec:\1ffxrrr.exe30⤵
- Executes dropped EXE
PID:5100 -
\??\c:\3xlffff.exec:\3xlffff.exe31⤵
- Executes dropped EXE
PID:4244 -
\??\c:\pjdvp.exec:\pjdvp.exe32⤵
- Executes dropped EXE
PID:2360 -
\??\c:\xllfxxf.exec:\xllfxxf.exe33⤵
- Executes dropped EXE
PID:4856 -
\??\c:\xxlllxr.exec:\xxlllxr.exe34⤵
- Executes dropped EXE
PID:3868 -
\??\c:\tbhbtt.exec:\tbhbtt.exe35⤵
- Executes dropped EXE
PID:4604 -
\??\c:\hnnnhn.exec:\hnnnhn.exe36⤵
- Executes dropped EXE
PID:3580 -
\??\c:\lfxxxff.exec:\lfxxxff.exe37⤵
- Executes dropped EXE
PID:4236 -
\??\c:\hbbttt.exec:\hbbttt.exe38⤵
- Executes dropped EXE
PID:1092 -
\??\c:\htthhb.exec:\htthhb.exe39⤵
- Executes dropped EXE
PID:1952 -
\??\c:\xrxlxxx.exec:\xrxlxxx.exe40⤵
- Executes dropped EXE
PID:3176 -
\??\c:\ffrxrrr.exec:\ffrxrrr.exe41⤵
- Executes dropped EXE
PID:2216 -
\??\c:\hntnnn.exec:\hntnnn.exe42⤵
- Executes dropped EXE
PID:2700 -
\??\c:\5jjpj.exec:\5jjpj.exe43⤵
- Executes dropped EXE
PID:1312 -
\??\c:\hbbhtn.exec:\hbbhtn.exe44⤵
- Executes dropped EXE
PID:4736 -
\??\c:\pddpj.exec:\pddpj.exe45⤵
- Executes dropped EXE
PID:3428 -
\??\c:\xrrllff.exec:\xrrllff.exe46⤵
- Executes dropped EXE
PID:3864 -
\??\c:\3hbtnt.exec:\3hbtnt.exe47⤵
- Executes dropped EXE
PID:2536 -
\??\c:\bnbhbh.exec:\bnbhbh.exe48⤵
- Executes dropped EXE
PID:1772 -
\??\c:\3rrllfx.exec:\3rrllfx.exe49⤵
- Executes dropped EXE
PID:3128 -
\??\c:\nhhhhb.exec:\nhhhhb.exe50⤵
- Executes dropped EXE
PID:4444 -
\??\c:\dpvdv.exec:\dpvdv.exe51⤵
- Executes dropped EXE
PID:4228 -
\??\c:\djvpp.exec:\djvpp.exe52⤵
- Executes dropped EXE
PID:3600 -
\??\c:\rxrlrlf.exec:\rxrlrlf.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1144 -
\??\c:\nhnntn.exec:\nhnntn.exe54⤵
- Executes dropped EXE
PID:1840 -
\??\c:\ppjjd.exec:\ppjjd.exe55⤵
- Executes dropped EXE
PID:4812 -
\??\c:\lfllffl.exec:\lfllffl.exe56⤵
- Executes dropped EXE
PID:4404 -
\??\c:\9hhhhh.exec:\9hhhhh.exe57⤵
- Executes dropped EXE
PID:1160 -
\??\c:\jjjdv.exec:\jjjdv.exe58⤵
- Executes dropped EXE
PID:2140 -
\??\c:\rflfrlf.exec:\rflfrlf.exe59⤵
- Executes dropped EXE
PID:1344 -
\??\c:\hbnntn.exec:\hbnntn.exe60⤵
- Executes dropped EXE
PID:2896 -
\??\c:\9vddd.exec:\9vddd.exe61⤵
- Executes dropped EXE
PID:1968 -
\??\c:\rllffxx.exec:\rllffxx.exe62⤵
- Executes dropped EXE
PID:1780 -
\??\c:\nthhnb.exec:\nthhnb.exe63⤵
- Executes dropped EXE
PID:1100 -
\??\c:\jddvp.exec:\jddvp.exe64⤵
- Executes dropped EXE
PID:4564 -
\??\c:\ddjdv.exec:\ddjdv.exe65⤵
- Executes dropped EXE
PID:3884 -
\??\c:\bhhbbh.exec:\bhhbbh.exe66⤵PID:348
-
\??\c:\nhnbht.exec:\nhnbht.exe67⤵PID:2988
-
\??\c:\1djdp.exec:\1djdp.exe68⤵PID:3000
-
\??\c:\lfrllfx.exec:\lfrllfx.exe69⤵PID:2976
-
\??\c:\tnbbtn.exec:\tnbbtn.exe70⤵PID:4612
-
\??\c:\vpdpj.exec:\vpdpj.exe71⤵PID:3780
-
\??\c:\3ffxxff.exec:\3ffxxff.exe72⤵PID:4116
-
\??\c:\xxxrllf.exec:\xxxrllf.exe73⤵PID:3980
-
\??\c:\jvvpd.exec:\jvvpd.exe74⤵PID:4924
-
\??\c:\pvdvd.exec:\pvdvd.exe75⤵PID:5020
-
\??\c:\1xrrxxr.exec:\1xrrxxr.exe76⤵PID:1720
-
\??\c:\3vdpp.exec:\3vdpp.exe77⤵PID:3220
-
\??\c:\pjjdj.exec:\pjjdj.exe78⤵PID:3676
-
\??\c:\fxrrxff.exec:\fxrrxff.exe79⤵PID:1876
-
\??\c:\3bbbbb.exec:\3bbbbb.exe80⤵PID:1568
-
\??\c:\9djjd.exec:\9djjd.exe81⤵PID:2664
-
\??\c:\3rxfxxr.exec:\3rxfxxr.exe82⤵PID:3728
-
\??\c:\nhnhnt.exec:\nhnhnt.exe83⤵PID:3928
-
\??\c:\jdjjp.exec:\jdjjp.exe84⤵PID:748
-
\??\c:\lfxlxrx.exec:\lfxlxrx.exe85⤵PID:5088
-
\??\c:\nhhbtn.exec:\nhhbtn.exe86⤵PID:4968
-
\??\c:\pdjdv.exec:\pdjdv.exe87⤵PID:768
-
\??\c:\pjvvv.exec:\pjvvv.exe88⤵PID:5104
-
\??\c:\flrrxrl.exec:\flrrxrl.exe89⤵PID:3604
-
\??\c:\nhhnhh.exec:\nhhnhh.exe90⤵PID:3200
-
\??\c:\jdvpj.exec:\jdvpj.exe91⤵PID:4556
-
\??\c:\dpjpj.exec:\dpjpj.exe92⤵PID:4224
-
\??\c:\xrrlffx.exec:\xrrlffx.exe93⤵PID:4800
-
\??\c:\vdpdv.exec:\vdpdv.exe94⤵PID:452
-
\??\c:\fxrxrrr.exec:\fxrxrrr.exe95⤵PID:3212
-
\??\c:\xxlrllr.exec:\xxlrllr.exe96⤵PID:1576
-
\??\c:\nhhbtn.exec:\nhhbtn.exe97⤵PID:876
-
\??\c:\ddddd.exec:\ddddd.exe98⤵PID:2264
-
\??\c:\flrrrrl.exec:\flrrrrl.exe99⤵PID:2476
-
\??\c:\7bbbtb.exec:\7bbbtb.exe100⤵PID:1316
-
\??\c:\dpddd.exec:\dpddd.exe101⤵PID:2388
-
\??\c:\7xfxxff.exec:\7xfxxff.exe102⤵PID:4200
-
\??\c:\rflfxxx.exec:\rflfxxx.exe103⤵PID:4936
-
\??\c:\hhbbth.exec:\hhbbth.exe104⤵PID:400
-
\??\c:\dvjdv.exec:\dvjdv.exe105⤵PID:4356
-
\??\c:\3llfflf.exec:\3llfflf.exe106⤵PID:1872
-
\??\c:\hbbbhh.exec:\hbbbhh.exe107⤵PID:2068
-
\??\c:\vjppd.exec:\vjppd.exe108⤵PID:2348
-
\??\c:\xxxrrrx.exec:\xxxrrrx.exe109⤵PID:4140
-
\??\c:\nnnnhh.exec:\nnnnhh.exe110⤵PID:4792
-
\??\c:\ntnhhb.exec:\ntnhhb.exe111⤵PID:1312
-
\??\c:\fxxrlff.exec:\fxxrlff.exe112⤵PID:4736
-
\??\c:\flfrrxx.exec:\flfrrxx.exe113⤵PID:3428
-
\??\c:\9hhbbt.exec:\9hhbbt.exe114⤵PID:1672
-
\??\c:\jpvvj.exec:\jpvvj.exe115⤵PID:3244
-
\??\c:\xrrrrrr.exec:\xrrrrrr.exe116⤵PID:4440
-
\??\c:\nhnnht.exec:\nhnnht.exe117⤵
- System Location Discovery: System Language Discovery
PID:2176 -
\??\c:\pdvdv.exec:\pdvdv.exe118⤵PID:3844
-
\??\c:\rfxxfrr.exec:\rfxxfrr.exe119⤵PID:4060
-
\??\c:\rlxxxrl.exec:\rlxxxrl.exe120⤵PID:3240
-
\??\c:\bbttbh.exec:\bbttbh.exe121⤵PID:2376
-
\??\c:\frrxfrx.exec:\frrxfrx.exe122⤵PID:3680