Analysis
-
max time kernel
120s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
30-10-2024 15:08
Behavioral task
behavioral1
Sample
e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
General
-
Target
e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe
-
Size
3.7MB
-
MD5
e43ed5e8cbf3fc1c2be1cfd902a42610
-
SHA1
3c8127f9e677b7a290948b1710d185969959b493
-
SHA256
e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6f
-
SHA512
85196882da91d9904abd981761fe10ab13ad3cb0c15e452dad0fcee6e5b59b693139714dcc4dc8b7caf4583a5959742176c91b1447f5e15258f7f30702baff59
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98g:U6XLq/qPPslzKx/dJg1ErmNj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4936-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/556-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/516-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2400-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3672-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1624-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3220-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2860-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3016-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3440-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2608-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4244-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2424-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3276-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3412-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3960-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4460-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2400-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3924-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2460-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1640-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3716-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3128-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1928-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1112-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2440-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2436-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2268-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4236-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4408-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3844-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2428-417-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-427-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3916-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-451-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3836-458-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1288-507-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-511-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3808-566-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3156-588-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-643-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-656-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-702-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1572-718-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2352-767-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-1677-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2944-1979-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 556 vdpdp.exe 516 5jvvp.exe 4316 hbnhbh.exe 2384 bthhbn.exe 4600 7ppdv.exe 2400 tthnnt.exe 1624 dvvpj.exe 3672 pdddp.exe 1996 rrxrxxx.exe 3220 rfllfll.exe 2860 bbtnhb.exe 1584 xflfxrl.exe 3016 vjvpd.exe 2024 frrlxxx.exe 3440 tbhhbn.exe 4856 5vpjd.exe 2608 flrlffx.exe 4244 dvdvv.exe 1200 xxxxrfx.exe 3980 rrrxrrl.exe 2484 tthbnn.exe 4516 xlrllfx.exe 2424 xllfxxf.exe 3276 lfrfxfr.exe 516 tbbthh.exe 3412 vdddd.exe 4280 rlfxxxr.exe 3960 nnhhbb.exe 4460 jpdjd.exe 2004 bhtbth.exe 4084 jdjdv.exe 2400 vjvpv.exe 720 pjdpj.exe 3672 pdpjd.exe 3924 7dppp.exe 4364 djjjd.exe 2460 5fxxxxr.exe 3580 xxxrxxx.exe 4428 5xxxrrl.exe 4664 fxxrlfx.exe 1640 flxrrrr.exe 3204 lxxrfxr.exe 3716 3rxrxrr.exe 4860 lrffxrr.exe 1724 lxrlfxr.exe 4552 tbhhbb.exe 3128 5thhhh.exe 1928 jjjjj.exe 3096 pddjv.exe 1112 7jdvd.exe 2684 vpjdj.exe 4936 hbhbbh.exe 1280 9bbhnb.exe 3276 thnnbn.exe 4644 nbnnht.exe 3136 nbnhbb.exe 2696 bbnntn.exe 3464 3btbbb.exe 2440 5hbhnn.exe 2436 ttbtnh.exe 2268 hhhbtt.exe 2632 thhnbt.exe 4280 rrxrxrf.exe 2300 fxlxrlf.exe -
resource yara_rule behavioral2/memory/4936-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b54-3.dat upx behavioral2/memory/4936-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/556-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b68-11.dat upx behavioral2/memory/516-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6a-14.dat upx behavioral2/memory/4316-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4316-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b65-25.dat upx behavioral2/files/0x000a000000023b6b-28.dat upx behavioral2/memory/4600-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2384-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6c-35.dat upx behavioral2/files/0x000a000000023b6d-40.dat upx behavioral2/memory/2400-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6e-47.dat upx behavioral2/memory/3672-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1624-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6f-53.dat upx behavioral2/files/0x0013000000023a16-58.dat upx behavioral2/memory/1996-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b70-64.dat upx behavioral2/memory/3220-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2860-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b71-72.dat upx behavioral2/files/0x00140000000239dc-76.dat upx behavioral2/memory/3016-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0015000000023a13-84.dat upx behavioral2/files/0x00290000000239ff-88.dat upx behavioral2/files/0x0010000000023a14-92.dat upx 
behavioral2/memory/3440-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b74-98.dat upx behavioral2/memory/4856-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b75-104.dat upx behavioral2/memory/2608-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4244-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b77-112.dat upx behavioral2/files/0x000b000000023b78-116.dat upx behavioral2/files/0x000b000000023b7a-121.dat upx behavioral2/memory/3980-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-127.dat upx behavioral2/files/0x000a000000023b7d-132.dat upx behavioral2/files/0x000a000000023b7e-137.dat upx behavioral2/memory/2424-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b7f-142.dat upx behavioral2/memory/3276-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b80-148.dat upx behavioral2/memory/3412-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b81-153.dat upx behavioral2/files/0x000a000000023b82-159.dat upx behavioral2/memory/3960-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4280-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-166.dat upx behavioral2/files/0x000a000000023b84-171.dat upx behavioral2/memory/4460-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-177.dat upx behavioral2/files/0x000a000000023b86-183.dat upx behavioral2/memory/2400-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4364-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3924-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2460-206-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3580-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1640-220-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhbb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3btbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vddd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4936 wrote to memory of 556 4936 e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe 86 PID 4936 wrote to memory of 556 4936 e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe 86 PID 4936 wrote to memory of 556 4936 e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe 86 PID 556 wrote to memory of 516 556 vdpdp.exe 87 PID 556 wrote to memory of 516 556 vdpdp.exe 87 PID 556 wrote to memory of 516 556 vdpdp.exe 87 PID 516 wrote to memory of 4316 516 5jvvp.exe 88 PID 516 wrote to memory of 4316 516 5jvvp.exe 88 PID 516 wrote to memory of 4316 516 5jvvp.exe 88 PID 4316 wrote to memory of 2384 4316 hbnhbh.exe 90 PID 4316 wrote to memory of 2384 4316 hbnhbh.exe 90 PID 4316 wrote to memory of 2384 4316 hbnhbh.exe 90 PID 2384 wrote to memory of 4600 2384 bthhbn.exe 91 PID 2384 wrote to memory of 4600 2384 bthhbn.exe 91 PID 2384 wrote to memory of 4600 2384 bthhbn.exe 91 PID 4600 wrote to memory of 2400 4600 7ppdv.exe 92 PID 4600 wrote to memory of 2400 4600 7ppdv.exe 92 PID 4600 wrote to memory of 2400 4600 7ppdv.exe 92 PID 2400 wrote to memory of 1624 2400 tthnnt.exe 93 PID 2400 wrote to memory of 1624 2400 tthnnt.exe 93 PID 2400 wrote to memory of 1624 2400 tthnnt.exe 93 PID 1624 wrote to memory of 3672 1624 dvvpj.exe 94 PID 1624 wrote to memory of 3672 1624 dvvpj.exe 94 PID 1624 wrote to memory of 3672 1624 dvvpj.exe 94 PID 3672 wrote to memory of 1996 3672 pdddp.exe 97 PID 3672 wrote to memory of 1996 3672 pdddp.exe 97 PID 3672 wrote to memory of 1996 3672 pdddp.exe 97 PID 1996 wrote to memory of 3220 1996 rrxrxxx.exe 98 PID 1996 wrote to memory of 3220 1996 rrxrxxx.exe 98 PID 1996 wrote to memory of 3220 1996 rrxrxxx.exe 98 PID 3220 wrote to memory of 2860 3220 rfllfll.exe 99 PID 3220 wrote to memory of 2860 3220 rfllfll.exe 99 PID 3220 wrote to memory of 2860 3220 rfllfll.exe 99 PID 2860 wrote to memory of 1584 2860 bbtnhb.exe 100 PID 2860 wrote to memory of 1584 2860 
bbtnhb.exe 100 PID 2860 wrote to memory of 1584 2860 bbtnhb.exe 100 PID 1584 wrote to memory of 3016 1584 xflfxrl.exe 102 PID 1584 wrote to memory of 3016 1584 xflfxrl.exe 102 PID 1584 wrote to memory of 3016 1584 xflfxrl.exe 102 PID 3016 wrote to memory of 2024 3016 vjvpd.exe 103 PID 3016 wrote to memory of 2024 3016 vjvpd.exe 103 PID 3016 wrote to memory of 2024 3016 vjvpd.exe 103 PID 2024 wrote to memory of 3440 2024 frrlxxx.exe 105 PID 2024 wrote to memory of 3440 2024 frrlxxx.exe 105 PID 2024 wrote to memory of 3440 2024 frrlxxx.exe 105 PID 3440 wrote to memory of 4856 3440 tbhhbn.exe 106 PID 3440 wrote to memory of 4856 3440 tbhhbn.exe 106 PID 3440 wrote to memory of 4856 3440 tbhhbn.exe 106 PID 4856 wrote to memory of 2608 4856 5vpjd.exe 107 PID 4856 wrote to memory of 2608 4856 5vpjd.exe 107 PID 4856 wrote to memory of 2608 4856 5vpjd.exe 107 PID 2608 wrote to memory of 4244 2608 flrlffx.exe 108 PID 2608 wrote to memory of 4244 2608 flrlffx.exe 108 PID 2608 wrote to memory of 4244 2608 flrlffx.exe 108 PID 4244 wrote to memory of 1200 4244 dvdvv.exe 109 PID 4244 wrote to memory of 1200 4244 dvdvv.exe 109 PID 4244 wrote to memory of 1200 4244 dvdvv.exe 109 PID 1200 wrote to memory of 3980 1200 xxxxrfx.exe 110 PID 1200 wrote to memory of 3980 1200 xxxxrfx.exe 110 PID 1200 wrote to memory of 3980 1200 xxxxrfx.exe 110 PID 3980 wrote to memory of 2484 3980 rrrxrrl.exe 111 PID 3980 wrote to memory of 2484 3980 rrrxrrl.exe 111 PID 3980 wrote to memory of 2484 3980 rrrxrrl.exe 111 PID 2484 wrote to memory of 4516 2484 tthbnn.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe"C:\Users\Admin\AppData\Local\Temp\e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\vdpdp.exec:\vdpdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\5jvvp.exec:\5jvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\hbnhbh.exec:\hbnhbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\bthhbn.exec:\bthhbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\7ppdv.exec:\7ppdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\tthnnt.exec:\tthnnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\dvvpj.exec:\dvvpj.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\pdddp.exec:\pdddp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\rrxrxxx.exec:\rrxrxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\rfllfll.exec:\rfllfll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\bbtnhb.exec:\bbtnhb.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\xflfxrl.exec:\xflfxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\vjvpd.exec:\vjvpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\frrlxxx.exec:\frrlxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\tbhhbn.exec:\tbhhbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\5vpjd.exec:\5vpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\flrlffx.exec:\flrlffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\dvdvv.exec:\dvdvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\xxxxrfx.exec:\xxxxrfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\rrrxrrl.exec:\rrrxrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\tthbnn.exec:\tthbnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\xlrllfx.exec:\xlrllfx.exe23⤵
- Executes dropped EXE
PID:4516 -
\??\c:\xllfxxf.exec:\xllfxxf.exe24⤵
- Executes dropped EXE
PID:2424 -
\??\c:\lfrfxfr.exec:\lfrfxfr.exe25⤵
- Executes dropped EXE
PID:3276 -
\??\c:\tbbthh.exec:\tbbthh.exe26⤵
- Executes dropped EXE
PID:516 -
\??\c:\vdddd.exec:\vdddd.exe27⤵
- Executes dropped EXE
PID:3412 -
\??\c:\rlfxxxr.exec:\rlfxxxr.exe28⤵
- Executes dropped EXE
PID:4280 -
\??\c:\nnhhbb.exec:\nnhhbb.exe29⤵
- Executes dropped EXE
PID:3960 -
\??\c:\jpdjd.exec:\jpdjd.exe30⤵
- Executes dropped EXE
PID:4460 -
\??\c:\bhtbth.exec:\bhtbth.exe31⤵
- Executes dropped EXE
PID:2004 -
\??\c:\jdjdv.exec:\jdjdv.exe32⤵
- Executes dropped EXE
PID:4084 -
\??\c:\vjvpv.exec:\vjvpv.exe33⤵
- Executes dropped EXE
PID:2400 -
\??\c:\pjdpj.exec:\pjdpj.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:720 -
\??\c:\pdpjd.exec:\pdpjd.exe35⤵
- Executes dropped EXE
PID:3672 -
\??\c:\7dppp.exec:\7dppp.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3924 -
\??\c:\djjjd.exec:\djjjd.exe37⤵
- Executes dropped EXE
PID:4364 -
\??\c:\5fxxxxr.exec:\5fxxxxr.exe38⤵
- Executes dropped EXE
PID:2460 -
\??\c:\xxxrxxx.exec:\xxxrxxx.exe39⤵
- Executes dropped EXE
PID:3580 -
\??\c:\5xxxrrl.exec:\5xxxrrl.exe40⤵
- Executes dropped EXE
PID:4428 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4664 -
\??\c:\flxrrrr.exec:\flxrrrr.exe42⤵
- Executes dropped EXE
PID:1640 -
\??\c:\lxxrfxr.exec:\lxxrfxr.exe43⤵
- Executes dropped EXE
PID:3204 -
\??\c:\3rxrxrr.exec:\3rxrxrr.exe44⤵
- Executes dropped EXE
PID:3716 -
\??\c:\lrffxrr.exec:\lrffxrr.exe45⤵
- Executes dropped EXE
PID:4860 -
\??\c:\lxrlfxr.exec:\lxrlfxr.exe46⤵
- Executes dropped EXE
PID:1724 -
\??\c:\tbhhbb.exec:\tbhhbb.exe47⤵
- Executes dropped EXE
PID:4552 -
\??\c:\5thhhh.exec:\5thhhh.exe48⤵
- Executes dropped EXE
PID:3128 -
\??\c:\jjjjj.exec:\jjjjj.exe49⤵
- Executes dropped EXE
PID:1928 -
\??\c:\pddjv.exec:\pddjv.exe50⤵
- Executes dropped EXE
PID:3096 -
\??\c:\7jdvd.exec:\7jdvd.exe51⤵
- Executes dropped EXE
PID:1112 -
\??\c:\vpjdj.exec:\vpjdj.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684 -
\??\c:\hbhbbh.exec:\hbhbbh.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4936 -
\??\c:\9bbhnb.exec:\9bbhnb.exe54⤵
- Executes dropped EXE
PID:1280 -
\??\c:\thnnbn.exec:\thnnbn.exe55⤵
- Executes dropped EXE
PID:3276 -
\??\c:\nbnnht.exec:\nbnnht.exe56⤵
- Executes dropped EXE
PID:4644 -
\??\c:\nbnhbb.exec:\nbnhbb.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3136 -
\??\c:\bbnntn.exec:\bbnntn.exe58⤵
- Executes dropped EXE
PID:2696 -
\??\c:\3btbbb.exec:\3btbbb.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3464 -
\??\c:\5hbhnn.exec:\5hbhnn.exe60⤵
- Executes dropped EXE
PID:2440 -
\??\c:\ttbtnh.exec:\ttbtnh.exe61⤵
- Executes dropped EXE
PID:2436 -
\??\c:\hhhbtt.exec:\hhhbtt.exe62⤵
- Executes dropped EXE
PID:2268 -
\??\c:\thhnbt.exec:\thhnbt.exe63⤵
- Executes dropped EXE
PID:2632 -
\??\c:\rrxrxrf.exec:\rrxrxrf.exe64⤵
- Executes dropped EXE
PID:4280 -
\??\c:\fxlxrlf.exec:\fxlxrlf.exe65⤵
- Executes dropped EXE
PID:2300 -
\??\c:\lxfxxxr.exec:\lxfxxxr.exe66⤵PID:4236
-
\??\c:\5xxfxxx.exec:\5xxfxxx.exe67⤵PID:4408
-
\??\c:\xrlfrlx.exec:\xrlfrlx.exe68⤵PID:4204
-
\??\c:\pjpjv.exec:\pjpjv.exe69⤵PID:532
-
\??\c:\vjdpj.exec:\vjdpj.exe70⤵
- System Location Discovery: System Language Discovery
PID:3444 -
\??\c:\jjdvv.exec:\jjdvv.exe71⤵PID:1632
-
\??\c:\jvpjd.exec:\jvpjd.exe72⤵PID:2296
-
\??\c:\pvjdd.exec:\pvjdd.exe73⤵PID:1360
-
\??\c:\jdppj.exec:\jdppj.exe74⤵PID:3556
-
\??\c:\tnbbnn.exec:\tnbbnn.exe75⤵PID:4776
-
\??\c:\9pdvp.exec:\9pdvp.exe76⤵PID:4796
-
\??\c:\nntnhb.exec:\nntnhb.exe77⤵PID:2192
-
\??\c:\3tbttn.exec:\3tbttn.exe78⤵PID:4856
-
\??\c:\btnnhb.exec:\btnnhb.exe79⤵PID:2608
-
\??\c:\1nhnhb.exec:\1nhnhb.exe80⤵PID:3492
-
\??\c:\7nhbnh.exec:\7nhbnh.exe81⤵PID:2272
-
\??\c:\tbbtnh.exec:\tbbtnh.exe82⤵PID:1932
-
\??\c:\xxflfff.exec:\xxflfff.exe83⤵PID:2200
-
\??\c:\frrlxrx.exec:\frrlxrx.exe84⤵PID:1260
-
\??\c:\xflfxrx.exec:\xflfxrx.exe85⤵PID:2712
-
\??\c:\rxlflfl.exec:\rxlflfl.exe86⤵PID:3128
-
\??\c:\pddvp.exec:\pddvp.exe87⤵PID:4044
-
\??\c:\jdvdj.exec:\jdvdj.exe88⤵PID:3096
-
\??\c:\9djdv.exec:\9djdv.exe89⤵PID:1112
-
\??\c:\hthtnn.exec:\hthtnn.exe90⤵PID:2684
-
\??\c:\nbnhtb.exec:\nbnhtb.exe91⤵PID:4936
-
\??\c:\nhbtnb.exec:\nhbtnb.exe92⤵
- System Location Discovery: System Language Discovery
PID:3844 -
\??\c:\bbhhhb.exec:\bbhhhb.exe93⤵
- System Location Discovery: System Language Discovery
PID:1628 -
\??\c:\nbtntn.exec:\nbtntn.exe94⤵PID:3196
-
\??\c:\tttnbb.exec:\tttnbb.exe95⤵PID:3136
-
\??\c:\3btbbt.exec:\3btbbt.exe96⤵PID:1992
-
\??\c:\1ffxxxx.exec:\1ffxxxx.exe97⤵PID:2948
-
\??\c:\xfrllff.exec:\xfrllff.exe98⤵PID:2696
-
\??\c:\xrfrxxf.exec:\xrfrxxf.exe99⤵PID:2868
-
\??\c:\9rlfxff.exec:\9rlfxff.exe100⤵PID:2784
-
\??\c:\lrxxllf.exec:\lrxxllf.exe101⤵PID:516
-
\??\c:\xxlxrfr.exec:\xxlxrfr.exe102⤵PID:2428
-
\??\c:\lfrrlfx.exec:\lfrrlfx.exe103⤵PID:2312
-
\??\c:\9lflffx.exec:\9lflffx.exe104⤵PID:976
-
\??\c:\rrxxrll.exec:\rrxxrll.exe105⤵PID:3648
-
\??\c:\ffxrrrl.exec:\ffxrrrl.exe106⤵PID:3916
-
\??\c:\9dvdv.exec:\9dvdv.exe107⤵PID:2004
-
\??\c:\dvpjj.exec:\dvpjj.exe108⤵
- System Location Discovery: System Language Discovery
PID:4204 -
\??\c:\9jvvv.exec:\9jvvv.exe109⤵
- System Location Discovery: System Language Discovery
PID:2748 -
\??\c:\3vdjd.exec:\3vdjd.exe110⤵PID:4724
-
\??\c:\jvdvp.exec:\jvdvp.exe111⤵PID:3924
-
\??\c:\vdjjd.exec:\vdjjd.exe112⤵PID:2680
-
\??\c:\1jddv.exec:\1jddv.exe113⤵PID:2024
-
\??\c:\ppvpp.exec:\ppvpp.exe114⤵PID:3836
-
\??\c:\dvvpj.exec:\dvvpj.exe115⤵PID:4840
-
\??\c:\btbthh.exec:\btbthh.exe116⤵
- System Location Discovery: System Language Discovery
PID:4428 -
\??\c:\nttnhn.exec:\nttnhn.exe117⤵PID:4664
-
\??\c:\tbnhbb.exec:\tbnhbb.exe118⤵PID:1160
-
\??\c:\tbtnhh.exec:\tbtnhh.exe119⤵PID:4976
-
\??\c:\1ntnhh.exec:\1ntnhh.exe120⤵PID:4244
-
\??\c:\ttttnh.exec:\ttttnh.exe121⤵PID:1576
-
\??\c:\btbtnh.exec:\btbtnh.exe122⤵PID:3108