Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 03:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe
-
Size
454KB
-
MD5
3fb5a98edeadf8ebe864ffb15eb38127
-
SHA1
90cd09ff227538ecf13bfb81584ee945f0a6072f
-
SHA256
c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678
-
SHA512
5bac707f6fe5a6deaaa2e0388bf24c4338536323878ff45d16ca96a4aaed64dc04eeba4ef4006c3555edcd87e184408906bbaed7d6c352cc6076731503e7139d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3508-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2664-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1516-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-778-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-933-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-1075-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1696-1398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 212 vpdvv.exe 208 5hhhbb.exe 4364 vpvpj.exe 4984 1ppdv.exe 4072 5hhbhb.exe 1148 fxllrfr.exe 2368 thhbtn.exe 3732 bntnhh.exe 1460 jdvpp.exe 4556 xfxrlfl.exe 4584 tnnhhb.exe 2356 jddvj.exe 4660 rrxrlfx.exe 2060 hhnbtt.exe 1912 bnbttb.exe 840 7htnnh.exe 2972 fxfrlff.exe 1676 jvvdv.exe 5016 thnhtt.exe 1564 vjvpj.exe 4488 dvvpj.exe 4992 lfrllff.exe 3356 thnhbb.exe 1920 hbbnhb.exe 3920 pjjjd.exe 2436 flrlflx.exe 3424 btthbt.exe 2740 xrlxrfr.exe 5072 hbhtth.exe 464 lfrfrll.exe 3276 bbnbhb.exe 2664 ffrlfrl.exe 388 ttbnbn.exe 3244 xxfrlfr.exe 3468 fxfrxrf.exe 2168 pddpd.exe 4552 rrxllfr.exe 2536 lrxrlfx.exe 3328 1ttnhh.exe 3156 jvvpv.exe 3636 lfxrfff.exe 2600 lffxlfx.exe 3200 nhnbtb.exe 2092 9pjdv.exe 980 rllrlrl.exe 3508 jvjjv.exe 4932 pdpdj.exe 4296 rrrlxxl.exe 4208 9nnhbt.exe 1012 jddpd.exe 4084 9lxllff.exe 1984 btthbb.exe 1420 jjvpp.exe 4072 rfrrffx.exe 4856 7hbbtt.exe 2520 bbthhb.exe 2904 7vvpj.exe 1544 lrrfrlf.exe 1460 bhbnbt.exe 4308 pvdvj.exe 4556 jvjdp.exe 2392 bttnhb.exe 2356 nbhtnb.exe 456 vppdv.exe -
resource yara_rule behavioral2/memory/212-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-185-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/388-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4428-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-933-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3508 wrote to memory of 212 3508 c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe 82 PID 3508 wrote to memory of 212 3508 c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe 82 PID 3508 wrote to memory of 212 3508 c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe 82 PID 212 wrote to memory of 208 212 vpdvv.exe 83 PID 212 wrote to memory of 208 212 vpdvv.exe 83 PID 212 wrote to memory of 208 212 vpdvv.exe 83 PID 208 wrote to memory of 4364 208 5hhhbb.exe 84 PID 208 wrote to memory of 4364 208 5hhhbb.exe 84 PID 208 wrote to memory of 4364 208 5hhhbb.exe 84 PID 4364 wrote to memory of 4984 4364 vpvpj.exe 85 PID 4364 wrote to memory of 4984 4364 vpvpj.exe 85 PID 4364 wrote to memory of 4984 4364 vpvpj.exe 85 PID 4984 wrote to memory of 4072 4984 1ppdv.exe 86 PID 4984 wrote to memory of 4072 4984 1ppdv.exe 86 PID 4984 wrote to memory of 4072 4984 1ppdv.exe 86 PID 4072 wrote to memory of 1148 4072 5hhbhb.exe 87 PID 4072 wrote to memory of 1148 4072 5hhbhb.exe 87 PID 4072 wrote to memory of 1148 4072 5hhbhb.exe 87 PID 1148 wrote to memory of 2368 1148 fxllrfr.exe 88 PID 1148 wrote to memory of 2368 1148 fxllrfr.exe 88 PID 1148 wrote to memory of 2368 1148 fxllrfr.exe 88 PID 2368 wrote to memory of 3732 2368 thhbtn.exe 89 PID 2368 wrote to memory of 3732 2368 thhbtn.exe 89 PID 2368 wrote to memory of 3732 2368 thhbtn.exe 89 PID 3732 wrote to memory of 1460 3732 bntnhh.exe 90 PID 3732 wrote to memory of 1460 3732 bntnhh.exe 90 PID 3732 wrote to memory of 1460 3732 bntnhh.exe 90 PID 1460 wrote to memory of 4556 1460 jdvpp.exe 91 PID 1460 wrote to memory of 4556 1460 jdvpp.exe 91 PID 1460 wrote to memory of 4556 1460 jdvpp.exe 91 PID 4556 wrote to memory of 4584 4556 xfxrlfl.exe 92 PID 4556 wrote to memory of 4584 4556 xfxrlfl.exe 92 PID 4556 wrote to memory of 4584 4556 xfxrlfl.exe 92 PID 4584 wrote to memory of 2356 4584 tnnhhb.exe 93 PID 4584 wrote to memory of 2356 4584 
tnnhhb.exe 93 PID 4584 wrote to memory of 2356 4584 tnnhhb.exe 93 PID 2356 wrote to memory of 4660 2356 jddvj.exe 94 PID 2356 wrote to memory of 4660 2356 jddvj.exe 94 PID 2356 wrote to memory of 4660 2356 jddvj.exe 94 PID 4660 wrote to memory of 2060 4660 rrxrlfx.exe 95 PID 4660 wrote to memory of 2060 4660 rrxrlfx.exe 95 PID 4660 wrote to memory of 2060 4660 rrxrlfx.exe 95 PID 2060 wrote to memory of 1912 2060 hhnbtt.exe 96 PID 2060 wrote to memory of 1912 2060 hhnbtt.exe 96 PID 2060 wrote to memory of 1912 2060 hhnbtt.exe 96 PID 1912 wrote to memory of 840 1912 bnbttb.exe 97 PID 1912 wrote to memory of 840 1912 bnbttb.exe 97 PID 1912 wrote to memory of 840 1912 bnbttb.exe 97 PID 840 wrote to memory of 2972 840 7htnnh.exe 98 PID 840 wrote to memory of 2972 840 7htnnh.exe 98 PID 840 wrote to memory of 2972 840 7htnnh.exe 98 PID 2972 wrote to memory of 1676 2972 fxfrlff.exe 99 PID 2972 wrote to memory of 1676 2972 fxfrlff.exe 99 PID 2972 wrote to memory of 1676 2972 fxfrlff.exe 99 PID 1676 wrote to memory of 5016 1676 jvvdv.exe 100 PID 1676 wrote to memory of 5016 1676 jvvdv.exe 100 PID 1676 wrote to memory of 5016 1676 jvvdv.exe 100 PID 5016 wrote to memory of 1564 5016 thnhtt.exe 101 PID 5016 wrote to memory of 1564 5016 thnhtt.exe 101 PID 5016 wrote to memory of 1564 5016 thnhtt.exe 101 PID 1564 wrote to memory of 4488 1564 vjvpj.exe 102 PID 1564 wrote to memory of 4488 1564 vjvpj.exe 102 PID 1564 wrote to memory of 4488 1564 vjvpj.exe 102 PID 4488 wrote to memory of 4992 4488 dvvpj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe"C:\Users\Admin\AppData\Local\Temp\c665faee6f58ecab516b0558c608a51c53de81c085dba3cb88145802118a9678.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\vpdvv.exec:\vpdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\5hhhbb.exec:\5hhhbb.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\vpvpj.exec:\vpvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\1ppdv.exec:\1ppdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\5hhbhb.exec:\5hhbhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\fxllrfr.exec:\fxllrfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\thhbtn.exec:\thhbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\bntnhh.exec:\bntnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\jdvpp.exec:\jdvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\xfxrlfl.exec:\xfxrlfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\tnnhhb.exec:\tnnhhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\jddvj.exec:\jddvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\rrxrlfx.exec:\rrxrlfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\hhnbtt.exec:\hhnbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\bnbttb.exec:\bnbttb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\7htnnh.exec:\7htnnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\fxfrlff.exec:\fxfrlff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\jvvdv.exec:\jvvdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\thnhtt.exec:\thnhtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\vjvpj.exec:\vjvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\dvvpj.exec:\dvvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\lfrllff.exec:\lfrllff.exe23⤵
- Executes dropped EXE
PID:4992 -
\??\c:\thnhbb.exec:\thnhbb.exe24⤵
- Executes dropped EXE
PID:3356 -
\??\c:\hbbnhb.exec:\hbbnhb.exe25⤵
- Executes dropped EXE
PID:1920 -
\??\c:\pjjjd.exec:\pjjjd.exe26⤵
- Executes dropped EXE
PID:3920 -
\??\c:\flrlflx.exec:\flrlflx.exe27⤵
- Executes dropped EXE
PID:2436 -
\??\c:\btthbt.exec:\btthbt.exe28⤵
- Executes dropped EXE
PID:3424 -
\??\c:\xrlxrfr.exec:\xrlxrfr.exe29⤵
- Executes dropped EXE
PID:2740 -
\??\c:\hbhtth.exec:\hbhtth.exe30⤵
- Executes dropped EXE
PID:5072 -
\??\c:\lfrfrll.exec:\lfrfrll.exe31⤵
- Executes dropped EXE
PID:464 -
\??\c:\bbnbhb.exec:\bbnbhb.exe32⤵
- Executes dropped EXE
PID:3276 -
\??\c:\ffrlfrl.exec:\ffrlfrl.exe33⤵
- Executes dropped EXE
PID:2664 -
\??\c:\ttbnbn.exec:\ttbnbn.exe34⤵
- Executes dropped EXE
PID:388 -
\??\c:\xxfrlfr.exec:\xxfrlfr.exe35⤵
- Executes dropped EXE
PID:3244 -
\??\c:\fxfrxrf.exec:\fxfrxrf.exe36⤵
- Executes dropped EXE
PID:3468 -
\??\c:\pddpd.exec:\pddpd.exe37⤵
- Executes dropped EXE
PID:2168 -
\??\c:\rrxllfr.exec:\rrxllfr.exe38⤵
- Executes dropped EXE
PID:4552 -
\??\c:\lrxrlfx.exec:\lrxrlfx.exe39⤵
- Executes dropped EXE
PID:2536 -
\??\c:\1ttnhh.exec:\1ttnhh.exe40⤵
- Executes dropped EXE
PID:3328 -
\??\c:\jvvpv.exec:\jvvpv.exe41⤵
- Executes dropped EXE
PID:3156 -
\??\c:\lfxrfff.exec:\lfxrfff.exe42⤵
- Executes dropped EXE
PID:3636 -
\??\c:\lffxlfx.exec:\lffxlfx.exe43⤵
- Executes dropped EXE
PID:2600 -
\??\c:\nhnbtb.exec:\nhnbtb.exe44⤵
- Executes dropped EXE
PID:3200 -
\??\c:\9pjdv.exec:\9pjdv.exe45⤵
- Executes dropped EXE
PID:2092 -
\??\c:\rllrlrl.exec:\rllrlrl.exe46⤵
- Executes dropped EXE
PID:980 -
\??\c:\tnnhbh.exec:\tnnhbh.exe47⤵PID:4480
-
\??\c:\jvjjv.exec:\jvjjv.exe48⤵
- Executes dropped EXE
PID:3508 -
\??\c:\pdpdj.exec:\pdpdj.exe49⤵
- Executes dropped EXE
PID:4932 -
\??\c:\rrrlxxl.exec:\rrrlxxl.exe50⤵
- Executes dropped EXE
PID:4296 -
\??\c:\9nnhbt.exec:\9nnhbt.exe51⤵
- Executes dropped EXE
PID:4208 -
\??\c:\jddpd.exec:\jddpd.exe52⤵
- Executes dropped EXE
PID:1012 -
\??\c:\9lxllff.exec:\9lxllff.exe53⤵
- Executes dropped EXE
PID:4084 -
\??\c:\btthbb.exec:\btthbb.exe54⤵
- Executes dropped EXE
PID:1984 -
\??\c:\jjvpp.exec:\jjvpp.exe55⤵
- Executes dropped EXE
PID:1420 -
\??\c:\rfrrffx.exec:\rfrrffx.exe56⤵
- Executes dropped EXE
PID:4072 -
\??\c:\7hbbtt.exec:\7hbbtt.exe57⤵
- Executes dropped EXE
PID:4856 -
\??\c:\bbthhb.exec:\bbthhb.exe58⤵
- Executes dropped EXE
PID:2520 -
\??\c:\7vvpj.exec:\7vvpj.exe59⤵
- Executes dropped EXE
PID:2904 -
\??\c:\lrrfrlf.exec:\lrrfrlf.exe60⤵
- Executes dropped EXE
PID:1544 -
\??\c:\bhbnbt.exec:\bhbnbt.exe61⤵
- Executes dropped EXE
PID:1460 -
\??\c:\pvdvj.exec:\pvdvj.exe62⤵
- Executes dropped EXE
PID:4308 -
\??\c:\jvjdp.exec:\jvjdp.exe63⤵
- Executes dropped EXE
PID:4556 -
\??\c:\bttnhb.exec:\bttnhb.exe64⤵
- Executes dropped EXE
PID:2392 -
\??\c:\nbhtnb.exec:\nbhtnb.exe65⤵
- Executes dropped EXE
PID:2356 -
\??\c:\vppdv.exec:\vppdv.exe66⤵
- Executes dropped EXE
PID:456 -
\??\c:\frfxrll.exec:\frfxrll.exe67⤵PID:1892
-
\??\c:\bhnnhb.exec:\bhnnhb.exe68⤵PID:1952
-
\??\c:\1hhbnn.exec:\1hhbnn.exe69⤵PID:3756
-
\??\c:\jppjp.exec:\jppjp.exe70⤵
- System Location Discovery: System Language Discovery
PID:1292 -
\??\c:\fxxlxrf.exec:\fxxlxrf.exe71⤵PID:4852
-
\??\c:\tttnhb.exec:\tttnhb.exe72⤵
- System Location Discovery: System Language Discovery
PID:4140 -
\??\c:\dpvpp.exec:\dpvpp.exe73⤵PID:3376
-
\??\c:\fflfrrl.exec:\fflfrrl.exe74⤵PID:2920
-
\??\c:\3ntnhn.exec:\3ntnhn.exe75⤵PID:1960
-
\??\c:\jvjdp.exec:\jvjdp.exe76⤵PID:4488
-
\??\c:\dvdvp.exec:\dvdvp.exe77⤵PID:1516
-
\??\c:\xllfrrf.exec:\xllfrrf.exe78⤵PID:2452
-
\??\c:\lxxrxrx.exec:\lxxrxrx.exe79⤵PID:3288
-
\??\c:\5bhthh.exec:\5bhthh.exe80⤵PID:4884
-
\??\c:\jjjvj.exec:\jjjvj.exe81⤵PID:2540
-
\??\c:\jpvjv.exec:\jpvjv.exe82⤵PID:5080
-
\??\c:\9ffxxxx.exec:\9ffxxxx.exe83⤵PID:1288
-
\??\c:\bntnnn.exec:\bntnnn.exe84⤵PID:4788
-
\??\c:\pvdvj.exec:\pvdvj.exe85⤵PID:2012
-
\??\c:\pjpjv.exec:\pjpjv.exe86⤵PID:1404
-
\??\c:\7rxrrlf.exec:\7rxrrlf.exe87⤵PID:4440
-
\??\c:\bbnhtt.exec:\bbnhtt.exe88⤵PID:4092
-
\??\c:\5pdpj.exec:\5pdpj.exe89⤵PID:2560
-
\??\c:\xfffrrl.exec:\xfffrrl.exe90⤵PID:4600
-
\??\c:\lfrlffx.exec:\lfrlffx.exe91⤵PID:1540
-
\??\c:\hbhbbt.exec:\hbhbbt.exe92⤵PID:1648
-
\??\c:\dvddv.exec:\dvddv.exe93⤵PID:536
-
\??\c:\rrrlxxr.exec:\rrrlxxr.exe94⤵PID:1724
-
\??\c:\rrrlfxr.exec:\rrrlfxr.exe95⤵PID:4428
-
\??\c:\bttnbb.exec:\bttnbb.exe96⤵PID:888
-
\??\c:\vjppd.exec:\vjppd.exe97⤵PID:4944
-
\??\c:\rrxrllf.exec:\rrxrllf.exe98⤵PID:2292
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe99⤵PID:3764
-
\??\c:\tttnhb.exec:\tttnhb.exe100⤵PID:1796
-
\??\c:\jddvv.exec:\jddvv.exe101⤵PID:2188
-
\??\c:\xxxrffl.exec:\xxxrffl.exe102⤵PID:4316
-
\??\c:\xrrlfff.exec:\xrrlfff.exe103⤵PID:1720
-
\??\c:\nthtnh.exec:\nthtnh.exe104⤵PID:2092
-
\??\c:\jjvpv.exec:\jjvpv.exe105⤵PID:552
-
\??\c:\jvjjd.exec:\jvjjd.exe106⤵PID:4284
-
\??\c:\1lrlfff.exec:\1lrlfff.exe107⤵PID:1052
-
\??\c:\5nnhbt.exec:\5nnhbt.exe108⤵PID:4000
-
\??\c:\5jdjp.exec:\5jdjp.exe109⤵PID:2200
-
\??\c:\lflffff.exec:\lflffff.exe110⤵PID:4364
-
\??\c:\nhhtnh.exec:\nhhtnh.exe111⤵PID:1880
-
\??\c:\7vvjj.exec:\7vvjj.exe112⤵PID:4568
-
\??\c:\vjpjv.exec:\vjpjv.exe113⤵PID:2032
-
\??\c:\flxlxrf.exec:\flxlxrf.exe114⤵PID:3780
-
\??\c:\9bbthh.exec:\9bbthh.exe115⤵PID:3004
-
\??\c:\jdvdv.exec:\jdvdv.exe116⤵PID:4924
-
\??\c:\djdpj.exec:\djdpj.exe117⤵PID:3096
-
\??\c:\rlrllll.exec:\rlrllll.exe118⤵PID:3732
-
\??\c:\5nhnhh.exec:\5nhnhh.exe119⤵PID:2288
-
\??\c:\jjjjd.exec:\jjjjd.exe120⤵PID:2380
-
\??\c:\pjjdp.exec:\pjjdp.exe121⤵PID:4240
-
\??\c:\fxxrlfr.exec:\fxxrlfr.exe122⤵PID:4584