Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
23-12-2024 23:30
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe
-
Size
453KB
-
MD5
1e3bb767d7287c1473fb2d9b9529736f
-
SHA1
86f3675f465380c75eebcbe98eeb10128bef3e40
-
SHA256
8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47
-
SHA512
4f91bf2aacb4174b6794ba2c186fb522ff31789e45ab6ebc407c60fa1418811b14a4243823b9679acb5f6c75ff40448b8c93e0d07e18798f7cdd8e3831ceec90
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2428-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4620-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/352-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2804-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-892-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-987-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-1196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-1389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-1595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-1915-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing is capped at 64 entries; the process tree below shows the same spawn chain continuing to depth 122)
pid Process 5004 vvjdd.exe 868 5tnbth.exe 4580 1fxrrrr.exe 4916 bhbttt.exe 1224 httnnn.exe 2964 llfxrlr.exe 3932 djvpj.exe 3896 tnnbtt.exe 5012 ffxxxrl.exe 4708 htttnn.exe 228 rfrfxrl.exe 2288 vdvpd.exe 2008 xlxlxlf.exe 2200 vjppj.exe 2228 3tbnhh.exe 3124 pvppp.exe 216 jdpjp.exe 3464 7xrlflx.exe 3540 nhhbtt.exe 4480 3btnhh.exe 3504 5ntnhb.exe 5084 ntbbtn.exe 5024 7lrfxxl.exe 2996 tnhnbb.exe 3284 fxxrllf.exe 2740 tbhbtn.exe 4576 jvdvp.exe 3032 nbhhtt.exe 4928 pjvvv.exe 4524 xlxlfxr.exe 536 5xlffxx.exe 676 vvppj.exe 2012 xfflxxr.exe 4620 nhhtnh.exe 1848 jjvvj.exe 2024 rxfxrrl.exe 3604 7flxfff.exe 2780 thnhtt.exe 772 pvjvj.exe 1276 dppvj.exe 3004 xrxxrrr.exe 1044 hhthnn.exe 1568 tbhbtn.exe 3412 pjvdv.exe 5080 xffxrlf.exe 3408 3bhtnn.exe 516 ddjjp.exe 3128 rfxxxxr.exe 1556 nnnnhn.exe 388 vjpdv.exe 3920 xfffrlf.exe 4740 bbtnhh.exe 1220 vvppj.exe 3612 pvdjd.exe 2232 xffxrrl.exe 4088 bnbnnn.exe 4540 dvddj.exe 1224 vpjdp.exe 400 7ffxxxr.exe 1948 bnnbnh.exe 3484 dddpd.exe 3656 xxrlfxf.exe 4820 nhbtnh.exe 3620 pddpj.exe -
resource yara_rule behavioral2/memory/2428-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-180-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4620-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/352-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-379-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3936-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-987-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-1196-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTP 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note for triage: the IoC here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, which plenty of legitimate software also performs at startup; on its own it is a low-fidelity indicator and should be weighed together with the Blackmoon and UPX memory matches above rather than used as a stand-alone detection.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxlxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvppp.exe -
Suspicious use of WriteProcessMemory 64 IoCs (listing capped at 64; each parent/child pair is recorded three times and the pairs follow the spawn chain in the process tree below, so these writes most likely reflect the sandbox hooking ordinary child-process creation rather than injection into an unrelated process — confirm against the memory dumps before treating it as injection)
description pid Process procid_target PID 2428 wrote to memory of 5004 2428 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 82 PID 2428 wrote to memory of 5004 2428 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 82 PID 2428 wrote to memory of 5004 2428 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 82 PID 5004 wrote to memory of 868 5004 vvjdd.exe 83 PID 5004 wrote to memory of 868 5004 vvjdd.exe 83 PID 5004 wrote to memory of 868 5004 vvjdd.exe 83 PID 868 wrote to memory of 4580 868 5tnbth.exe 84 PID 868 wrote to memory of 4580 868 5tnbth.exe 84 PID 868 wrote to memory of 4580 868 5tnbth.exe 84 PID 4580 wrote to memory of 4916 4580 1fxrrrr.exe 85 PID 4580 wrote to memory of 4916 4580 1fxrrrr.exe 85 PID 4580 wrote to memory of 4916 4580 1fxrrrr.exe 85 PID 4916 wrote to memory of 1224 4916 bhbttt.exe 86 PID 4916 wrote to memory of 1224 4916 bhbttt.exe 86 PID 4916 wrote to memory of 1224 4916 bhbttt.exe 86 PID 1224 wrote to memory of 2964 1224 httnnn.exe 87 PID 1224 wrote to memory of 2964 1224 httnnn.exe 87 PID 1224 wrote to memory of 2964 1224 httnnn.exe 87 PID 2964 wrote to memory of 3932 2964 llfxrlr.exe 88 PID 2964 wrote to memory of 3932 2964 llfxrlr.exe 88 PID 2964 wrote to memory of 3932 2964 llfxrlr.exe 88 PID 3932 wrote to memory of 3896 3932 djvpj.exe 89 PID 3932 wrote to memory of 3896 3932 djvpj.exe 89 PID 3932 wrote to memory of 3896 3932 djvpj.exe 89 PID 3896 wrote to memory of 5012 3896 tnnbtt.exe 90 PID 3896 wrote to memory of 5012 3896 tnnbtt.exe 90 PID 3896 wrote to memory of 5012 3896 tnnbtt.exe 90 PID 5012 wrote to memory of 4708 5012 ffxxxrl.exe 91 PID 5012 wrote to memory of 4708 5012 ffxxxrl.exe 91 PID 5012 wrote to memory of 4708 5012 ffxxxrl.exe 91 PID 4708 wrote to memory of 228 4708 htttnn.exe 92 PID 4708 wrote to memory of 228 4708 htttnn.exe 92 PID 4708 wrote to memory of 228 4708 htttnn.exe 92 PID 228 wrote to memory of 2288 228 rfrfxrl.exe 93 PID 228 wrote to memory of 
2288 228 rfrfxrl.exe 93 PID 228 wrote to memory of 2288 228 rfrfxrl.exe 93 PID 2288 wrote to memory of 2008 2288 vdvpd.exe 94 PID 2288 wrote to memory of 2008 2288 vdvpd.exe 94 PID 2288 wrote to memory of 2008 2288 vdvpd.exe 94 PID 2008 wrote to memory of 2200 2008 xlxlxlf.exe 95 PID 2008 wrote to memory of 2200 2008 xlxlxlf.exe 95 PID 2008 wrote to memory of 2200 2008 xlxlxlf.exe 95 PID 2200 wrote to memory of 2228 2200 vjppj.exe 96 PID 2200 wrote to memory of 2228 2200 vjppj.exe 96 PID 2200 wrote to memory of 2228 2200 vjppj.exe 96 PID 2228 wrote to memory of 3124 2228 3tbnhh.exe 97 PID 2228 wrote to memory of 3124 2228 3tbnhh.exe 97 PID 2228 wrote to memory of 3124 2228 3tbnhh.exe 97 PID 3124 wrote to memory of 216 3124 pvppp.exe 98 PID 3124 wrote to memory of 216 3124 pvppp.exe 98 PID 3124 wrote to memory of 216 3124 pvppp.exe 98 PID 216 wrote to memory of 3464 216 jdpjp.exe 99 PID 216 wrote to memory of 3464 216 jdpjp.exe 99 PID 216 wrote to memory of 3464 216 jdpjp.exe 99 PID 3464 wrote to memory of 3540 3464 7xrlflx.exe 100 PID 3464 wrote to memory of 3540 3464 7xrlflx.exe 100 PID 3464 wrote to memory of 3540 3464 7xrlflx.exe 100 PID 3540 wrote to memory of 4480 3540 nhhbtt.exe 101 PID 3540 wrote to memory of 4480 3540 nhhbtt.exe 101 PID 3540 wrote to memory of 4480 3540 nhhbtt.exe 101 PID 4480 wrote to memory of 3504 4480 3btnhh.exe 102 PID 4480 wrote to memory of 3504 4480 3btnhh.exe 102 PID 4480 wrote to memory of 3504 4480 3btnhh.exe 102 PID 3504 wrote to memory of 5084 3504 5ntnhb.exe 103
Processes (process tree: the sample drops a chain of executables into the root of C:\ with short pseudo-random names built from the letters b/d/f/h/j/l/n/p/r/t/v/x and an optional leading odd digit, each of which executes the next; the C:\ drop location and that naming pattern are the most useful host-based hunting artefacts from this run)
-
C:\Users\Admin\AppData\Local\Temp\8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe"C:\Users\Admin\AppData\Local\Temp\8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\vvjdd.exec:\vvjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\5tnbth.exec:\5tnbth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\1fxrrrr.exec:\1fxrrrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\bhbttt.exec:\bhbttt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\httnnn.exec:\httnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\llfxrlr.exec:\llfxrlr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\djvpj.exec:\djvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\tnnbtt.exec:\tnnbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\ffxxxrl.exec:\ffxxxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\htttnn.exec:\htttnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\rfrfxrl.exec:\rfrfxrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\vdvpd.exec:\vdvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\xlxlxlf.exec:\xlxlxlf.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\vjppj.exec:\vjppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\3tbnhh.exec:\3tbnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\pvppp.exec:\pvppp.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\jdpjp.exec:\jdpjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\7xrlflx.exec:\7xrlflx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\nhhbtt.exec:\nhhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\3btnhh.exec:\3btnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\5ntnhb.exec:\5ntnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\ntbbtn.exec:\ntbbtn.exe23⤵
- Executes dropped EXE
PID:5084 -
\??\c:\7lrfxxl.exec:\7lrfxxl.exe24⤵
- Executes dropped EXE
PID:5024 -
\??\c:\tnhnbb.exec:\tnhnbb.exe25⤵
- Executes dropped EXE
PID:2996 -
\??\c:\fxxrllf.exec:\fxxrllf.exe26⤵
- Executes dropped EXE
PID:3284 -
\??\c:\tbhbtn.exec:\tbhbtn.exe27⤵
- Executes dropped EXE
PID:2740 -
\??\c:\jvdvp.exec:\jvdvp.exe28⤵
- Executes dropped EXE
PID:4576 -
\??\c:\nbhhtt.exec:\nbhhtt.exe29⤵
- Executes dropped EXE
PID:3032 -
\??\c:\pjvvv.exec:\pjvvv.exe30⤵
- Executes dropped EXE
PID:4928 -
\??\c:\xlxlfxr.exec:\xlxlfxr.exe31⤵
- Executes dropped EXE
PID:4524 -
\??\c:\5xlffxx.exec:\5xlffxx.exe32⤵
- Executes dropped EXE
PID:536 -
\??\c:\vvppj.exec:\vvppj.exe33⤵
- Executes dropped EXE
PID:676 -
\??\c:\xfflxxr.exec:\xfflxxr.exe34⤵
- Executes dropped EXE
PID:2012 -
\??\c:\nhhtnh.exec:\nhhtnh.exe35⤵
- Executes dropped EXE
PID:4620 -
\??\c:\jjvvj.exec:\jjvvj.exe36⤵
- Executes dropped EXE
PID:1848 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe37⤵
- Executes dropped EXE
PID:2024 -
\??\c:\7flxfff.exec:\7flxfff.exe38⤵
- Executes dropped EXE
PID:3604 -
\??\c:\thnhtt.exec:\thnhtt.exe39⤵
- Executes dropped EXE
PID:2780 -
\??\c:\pvjvj.exec:\pvjvj.exe40⤵
- Executes dropped EXE
PID:772 -
\??\c:\dppvj.exec:\dppvj.exe41⤵
- Executes dropped EXE
PID:1276 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe42⤵
- Executes dropped EXE
PID:3004 -
\??\c:\hhthnn.exec:\hhthnn.exe43⤵
- Executes dropped EXE
PID:1044 -
\??\c:\tbhbtn.exec:\tbhbtn.exe44⤵
- Executes dropped EXE
PID:1568 -
\??\c:\pjvdv.exec:\pjvdv.exe45⤵
- Executes dropped EXE
PID:3412 -
\??\c:\xffxrlf.exec:\xffxrlf.exe46⤵
- Executes dropped EXE
PID:5080 -
\??\c:\3bhtnn.exec:\3bhtnn.exe47⤵
- Executes dropped EXE
PID:3408 -
\??\c:\ddjjp.exec:\ddjjp.exe48⤵
- Executes dropped EXE
PID:516 -
\??\c:\rfxxxxr.exec:\rfxxxxr.exe49⤵
- Executes dropped EXE
PID:3128 -
\??\c:\nnnnhn.exec:\nnnnhn.exe50⤵
- Executes dropped EXE
PID:1556 -
\??\c:\pppdv.exec:\pppdv.exe51⤵PID:2700
-
\??\c:\vjpdv.exec:\vjpdv.exe52⤵
- Executes dropped EXE
PID:388 -
\??\c:\xfffrlf.exec:\xfffrlf.exe53⤵
- Executes dropped EXE
PID:3920 -
\??\c:\bbtnhh.exec:\bbtnhh.exe54⤵
- Executes dropped EXE
PID:4740 -
\??\c:\vvppj.exec:\vvppj.exe55⤵
- Executes dropped EXE
PID:1220 -
\??\c:\pvdjd.exec:\pvdjd.exe56⤵
- Executes dropped EXE
PID:3612 -
\??\c:\xffxrrl.exec:\xffxrrl.exe57⤵
- Executes dropped EXE
PID:2232 -
\??\c:\bnbnnn.exec:\bnbnnn.exe58⤵
- Executes dropped EXE
PID:4088 -
\??\c:\dvddj.exec:\dvddj.exe59⤵
- Executes dropped EXE
PID:4540 -
\??\c:\vpjdp.exec:\vpjdp.exe60⤵
- Executes dropped EXE
PID:1224 -
\??\c:\7ffxxxr.exec:\7ffxxxr.exe61⤵
- Executes dropped EXE
PID:400 -
\??\c:\bnnbnh.exec:\bnnbnh.exe62⤵
- Executes dropped EXE
PID:1948 -
\??\c:\dddpd.exec:\dddpd.exe63⤵
- Executes dropped EXE
PID:3484 -
\??\c:\xxrlfxf.exec:\xxrlfxf.exe64⤵
- Executes dropped EXE
PID:3656 -
\??\c:\nhbtnh.exec:\nhbtnh.exe65⤵
- Executes dropped EXE
PID:4820 -
\??\c:\pddpj.exec:\pddpj.exe66⤵
- Executes dropped EXE
PID:3620 -
\??\c:\frxlfxr.exec:\frxlfxr.exe67⤵PID:3652
-
\??\c:\lxxflfl.exec:\lxxflfl.exe68⤵PID:352
-
\??\c:\nntnnn.exec:\nntnnn.exe69⤵PID:212
-
\??\c:\vjpdv.exec:\vjpdv.exe70⤵PID:2292
-
\??\c:\llrlfxr.exec:\llrlfxr.exe71⤵PID:5112
-
\??\c:\ttbtnh.exec:\ttbtnh.exe72⤵PID:5020
-
\??\c:\nbbnhb.exec:\nbbnhb.exe73⤵PID:4616
-
\??\c:\9vvpj.exec:\9vvpj.exe74⤵PID:2688
-
\??\c:\lxrrlrf.exec:\lxrrlrf.exe75⤵PID:624
-
\??\c:\tbbttn.exec:\tbbttn.exe76⤵PID:4120
-
\??\c:\pjvvd.exec:\pjvvd.exe77⤵PID:2432
-
\??\c:\jdjdj.exec:\jdjdj.exe78⤵PID:4636
-
\??\c:\lxlffxx.exec:\lxlffxx.exe79⤵PID:920
-
\??\c:\9tttbt.exec:\9tttbt.exe80⤵PID:2756
-
\??\c:\dvvpp.exec:\dvvpp.exe81⤵PID:3404
-
\??\c:\flxlrxx.exec:\flxlrxx.exe82⤵PID:4712
-
\??\c:\1tbbbb.exec:\1tbbbb.exe83⤵PID:2804
-
\??\c:\vdjpj.exec:\vdjpj.exe84⤵PID:3936
-
\??\c:\fxlfxxf.exec:\fxlfxxf.exe85⤵PID:1396
-
\??\c:\lfflfxr.exec:\lfflfxr.exe86⤵PID:3028
-
\??\c:\ttbnht.exec:\ttbnht.exe87⤵PID:4892
-
\??\c:\jdjdv.exec:\jdjdv.exe88⤵PID:4028
-
\??\c:\jdvpj.exec:\jdvpj.exe89⤵PID:1952
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe90⤵PID:4104
-
\??\c:\bhhbtt.exec:\bhhbtt.exe91⤵
- System Location Discovery: System Language Discovery
PID:4064 -
\??\c:\htttnn.exec:\htttnn.exe92⤵PID:4108
-
\??\c:\vvjpj.exec:\vvjpj.exe93⤵PID:4440
-
\??\c:\flfxrfx.exec:\flfxrfx.exe94⤵PID:1776
-
\??\c:\bhnnhb.exec:\bhnnhb.exe95⤵PID:412
-
\??\c:\pjjvp.exec:\pjjvp.exe96⤵PID:1084
-
\??\c:\jddvd.exec:\jddvd.exe97⤵PID:2388
-
\??\c:\1ffxrrl.exec:\1ffxrrl.exe98⤵PID:1480
-
\??\c:\nnbtnh.exec:\nnbtnh.exe99⤵PID:4620
-
\??\c:\pvdpj.exec:\pvdpj.exe100⤵PID:4428
-
\??\c:\9vpjv.exec:\9vpjv.exe101⤵PID:2024
-
\??\c:\7fxrfxl.exec:\7fxrfxl.exe102⤵PID:4448
-
\??\c:\frxrrlr.exec:\frxrrlr.exe103⤵PID:952
-
\??\c:\tbhbtn.exec:\tbhbtn.exe104⤵PID:3336
-
\??\c:\dvpjv.exec:\dvpjv.exe105⤵PID:4960
-
\??\c:\rfffxrf.exec:\rfffxrf.exe106⤵PID:2564
-
\??\c:\frrlfxr.exec:\frrlfxr.exe107⤵PID:3596
-
\??\c:\nbbtnh.exec:\nbbtnh.exe108⤵PID:2816
-
\??\c:\vpjdv.exec:\vpjdv.exe109⤵PID:1744
-
\??\c:\lrlfrxl.exec:\lrlfrxl.exe110⤵PID:716
-
\??\c:\frfxrxr.exec:\frfxrxr.exe111⤵PID:4588
-
\??\c:\vdjdp.exec:\vdjdp.exe112⤵PID:4640
-
\??\c:\vjppj.exec:\vjppj.exe113⤵PID:4396
-
\??\c:\xffxrrx.exec:\xffxrrx.exe114⤵PID:4536
-
\??\c:\7tnbnn.exec:\7tnbnn.exe115⤵PID:3252
-
\??\c:\pvdvv.exec:\pvdvv.exe116⤵PID:2864
-
\??\c:\vdpjd.exec:\vdpjd.exe117⤵PID:3920
-
\??\c:\xllfrlx.exec:\xllfrlx.exe118⤵PID:4504
-
\??\c:\bnhnhn.exec:\bnhnhn.exe119⤵PID:5092
-
\??\c:\vjvpp.exec:\vjvpp.exe120⤵PID:4544
-
\??\c:\rrxrrlx.exec:\rrxrrlx.exe121⤵PID:4184
-
\??\c:\rfrfrfr.exec:\rfrfrfr.exe122⤵PID:4580