Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe
-
Size
452KB
-
MD5
9fb45cb4881e004f47e19f5dc623b948
-
SHA1
a1b0a3d67c0556f92f61a541fe879030ab06a590
-
SHA256
0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c
-
SHA512
6a672cc56f109a25bb1772aece23ca370bd83fb8c9590f5d427b77235337b166d97cf97dd5b6760de709b3d5166cf76dd254c5486ffcd92714901c27bc3738d8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2808-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4744-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1160-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-1314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1636-1528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2616 vpjdd.exe 5092 rfxxxxx.exe 1400 tnhhhb.exe 1160 bbntbb.exe 220 jvpjp.exe 616 lllxlxr.exe 3952 hnbtnh.exe 2232 tnnbth.exe 1608 vvvvv.exe 1448 xlrfxrl.exe 4008 lxllfff.exe 3760 nbthbt.exe 1832 pvdvj.exe 3980 jjvpp.exe 4656 llrlfxr.exe 4812 nbthtn.exe 3108 hbbtbb.exe 3888 ddvvp.exe 4284 xrlffxx.exe 4648 rllffll.exe 2344 thnnnn.exe 1904 vpvpj.exe 1916 vvdvp.exe 4996 lflfxrl.exe 2800 bnnbtn.exe 704 vppdd.exe 1348 jdvpd.exe 1912 5xfxrlf.exe 4744 bbhntt.exe 1828 tthhbb.exe 3596 jpvpj.exe 4132 1xlflfx.exe 1044 3lrlffx.exe 4616 5nnnnn.exe 2908 ppvvp.exe 1256 jdpjd.exe 4252 lflfffl.exe 1552 btnhbt.exe 3404 bhthbt.exe 1712 djvjd.exe 1924 frxrlfx.exe 4260 llxlfxf.exe 1596 9hbthh.exe 4856 thnhtt.exe 4600 pvjdv.exe 4920 rxffxxr.exe 4580 tnttnb.exe 5064 nnntnn.exe 3040 vpdvv.exe 1064 vppdv.exe 468 xrllllf.exe 3400 hbbttn.exe 804 dvjdv.exe 3192 vvpjv.exe 2848 rrxlrlf.exe 4644 7nttnt.exe 2532 tntnhn.exe 4588 vjjdv.exe 1964 xlfrrlr.exe 4964 hhhbnn.exe 3336 pjdvp.exe 1728 7vvjd.exe 4484 lfffxxr.exe 2468 tthbnn.exe -
resource yara_rule behavioral2/memory/2808-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4996-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1916-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-791-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddv.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rffrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2808 wrote to memory of 2616 2808 0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe 83 PID 2808 wrote to memory of 2616 2808 0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe 83 PID 2808 wrote to memory of 2616 2808 0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe 83 PID 2616 wrote to memory of 5092 2616 vpjdd.exe 84 PID 2616 wrote to memory of 5092 2616 vpjdd.exe 84 PID 2616 wrote to memory of 5092 2616 vpjdd.exe 84 PID 5092 wrote to memory of 1400 5092 rfxxxxx.exe 85 PID 5092 wrote to memory of 1400 5092 rfxxxxx.exe 85 PID 5092 wrote to memory of 1400 5092 rfxxxxx.exe 85 PID 1400 wrote to memory of 1160 1400 tnhhhb.exe 86 PID 1400 wrote to memory of 1160 1400 tnhhhb.exe 86 PID 1400 wrote to memory of 1160 1400 tnhhhb.exe 86 PID 1160 wrote to memory of 220 1160 bbntbb.exe 87 PID 1160 wrote to memory of 220 1160 bbntbb.exe 87 PID 1160 wrote to memory of 220 1160 bbntbb.exe 87 PID 220 wrote to memory of 616 220 jvpjp.exe 88 PID 220 wrote to memory of 616 220 jvpjp.exe 88 PID 220 wrote to memory of 616 220 jvpjp.exe 88 PID 616 wrote to memory of 3952 616 lllxlxr.exe 89 PID 616 wrote to memory of 3952 616 lllxlxr.exe 89 PID 616 wrote to memory of 3952 616 lllxlxr.exe 89 PID 3952 wrote to memory of 2232 3952 hnbtnh.exe 90 PID 3952 wrote to memory of 2232 3952 hnbtnh.exe 90 PID 3952 wrote to memory of 2232 3952 hnbtnh.exe 90 PID 2232 wrote to memory of 1608 2232 tnnbth.exe 91 PID 2232 wrote to memory of 1608 2232 tnnbth.exe 91 PID 2232 wrote to memory of 1608 2232 tnnbth.exe 91 PID 1608 wrote to memory of 1448 1608 vvvvv.exe 92 PID 1608 wrote to memory of 1448 1608 vvvvv.exe 92 PID 1608 wrote to memory of 1448 1608 vvvvv.exe 92 PID 1448 wrote to memory of 4008 1448 xlrfxrl.exe 93 PID 1448 wrote to memory of 4008 1448 xlrfxrl.exe 93 PID 1448 wrote to memory of 4008 1448 xlrfxrl.exe 93 PID 4008 wrote to memory of 3760 4008 lxllfff.exe 94 PID 4008 wrote to memory of 3760 
4008 lxllfff.exe 94 PID 4008 wrote to memory of 3760 4008 lxllfff.exe 94 PID 3760 wrote to memory of 1832 3760 nbthbt.exe 95 PID 3760 wrote to memory of 1832 3760 nbthbt.exe 95 PID 3760 wrote to memory of 1832 3760 nbthbt.exe 95 PID 1832 wrote to memory of 3980 1832 pvdvj.exe 96 PID 1832 wrote to memory of 3980 1832 pvdvj.exe 96 PID 1832 wrote to memory of 3980 1832 pvdvj.exe 96 PID 3980 wrote to memory of 4656 3980 jjvpp.exe 97 PID 3980 wrote to memory of 4656 3980 jjvpp.exe 97 PID 3980 wrote to memory of 4656 3980 jjvpp.exe 97 PID 4656 wrote to memory of 4812 4656 llrlfxr.exe 157 PID 4656 wrote to memory of 4812 4656 llrlfxr.exe 157 PID 4656 wrote to memory of 4812 4656 llrlfxr.exe 157 PID 4812 wrote to memory of 3108 4812 nbthtn.exe 99 PID 4812 wrote to memory of 3108 4812 nbthtn.exe 99 PID 4812 wrote to memory of 3108 4812 nbthtn.exe 99 PID 3108 wrote to memory of 3888 3108 hbbtbb.exe 100 PID 3108 wrote to memory of 3888 3108 hbbtbb.exe 100 PID 3108 wrote to memory of 3888 3108 hbbtbb.exe 100 PID 3888 wrote to memory of 4284 3888 ddvvp.exe 160 PID 3888 wrote to memory of 4284 3888 ddvvp.exe 160 PID 3888 wrote to memory of 4284 3888 ddvvp.exe 160 PID 4284 wrote to memory of 4648 4284 xrlffxx.exe 102 PID 4284 wrote to memory of 4648 4284 xrlffxx.exe 102 PID 4284 wrote to memory of 4648 4284 xrlffxx.exe 102 PID 4648 wrote to memory of 2344 4648 rllffll.exe 161 PID 4648 wrote to memory of 2344 4648 rllffll.exe 161 PID 4648 wrote to memory of 2344 4648 rllffll.exe 161 PID 2344 wrote to memory of 1904 2344 thnnnn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe"C:\Users\Admin\AppData\Local\Temp\0d28a30a78bbddfa24f3702c66b7f0dd2ad4807922159df24b24be7a4fd8102c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\vpjdd.exec:\vpjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\rfxxxxx.exec:\rfxxxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\tnhhhb.exec:\tnhhhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\bbntbb.exec:\bbntbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\jvpjp.exec:\jvpjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\lllxlxr.exec:\lllxlxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616 -
\??\c:\hnbtnh.exec:\hnbtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\tnnbth.exec:\tnnbth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\vvvvv.exec:\vvvvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\xlrfxrl.exec:\xlrfxrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\lxllfff.exec:\lxllfff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\nbthbt.exec:\nbthbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\pvdvj.exec:\pvdvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\jjvpp.exec:\jjvpp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\llrlfxr.exec:\llrlfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\nbthtn.exec:\nbthtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\hbbtbb.exec:\hbbtbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\ddvvp.exec:\ddvvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\xrlffxx.exec:\xrlffxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\rllffll.exec:\rllffll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\thnnnn.exec:\thnnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\vpvpj.exec:\vpvpj.exe23⤵
- Executes dropped EXE
PID:1904 -
\??\c:\vvdvp.exec:\vvdvp.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1916 -
\??\c:\lflfxrl.exec:\lflfxrl.exe25⤵
- Executes dropped EXE
PID:4996 -
\??\c:\bnnbtn.exec:\bnnbtn.exe26⤵
- Executes dropped EXE
PID:2800 -
\??\c:\vppdd.exec:\vppdd.exe27⤵
- Executes dropped EXE
PID:704 -
\??\c:\jdvpd.exec:\jdvpd.exe28⤵
- Executes dropped EXE
PID:1348 -
\??\c:\5xfxrlf.exec:\5xfxrlf.exe29⤵
- Executes dropped EXE
PID:1912 -
\??\c:\bbhntt.exec:\bbhntt.exe30⤵
- Executes dropped EXE
PID:4744 -
\??\c:\tthhbb.exec:\tthhbb.exe31⤵
- Executes dropped EXE
PID:1828 -
\??\c:\jpvpj.exec:\jpvpj.exe32⤵
- Executes dropped EXE
PID:3596 -
\??\c:\1xlflfx.exec:\1xlflfx.exe33⤵
- Executes dropped EXE
PID:4132 -
\??\c:\3lrlffx.exec:\3lrlffx.exe34⤵
- Executes dropped EXE
PID:1044 -
\??\c:\5nnnnn.exec:\5nnnnn.exe35⤵
- Executes dropped EXE
PID:4616 -
\??\c:\ppvvp.exec:\ppvvp.exe36⤵
- Executes dropped EXE
PID:2908 -
\??\c:\jdpjd.exec:\jdpjd.exe37⤵
- Executes dropped EXE
PID:1256 -
\??\c:\lflfffl.exec:\lflfffl.exe38⤵
- Executes dropped EXE
PID:4252 -
\??\c:\btnhbt.exec:\btnhbt.exe39⤵
- Executes dropped EXE
PID:1552 -
\??\c:\bhthbt.exec:\bhthbt.exe40⤵
- Executes dropped EXE
PID:3404 -
\??\c:\djvjd.exec:\djvjd.exe41⤵
- Executes dropped EXE
PID:1712 -
\??\c:\frxrlfx.exec:\frxrlfx.exe42⤵
- Executes dropped EXE
PID:1924 -
\??\c:\llxlfxf.exec:\llxlfxf.exe43⤵
- Executes dropped EXE
PID:4260 -
\??\c:\9hbthh.exec:\9hbthh.exe44⤵
- Executes dropped EXE
PID:1596 -
\??\c:\thnhtt.exec:\thnhtt.exe45⤵
- Executes dropped EXE
PID:4856 -
\??\c:\pvjdv.exec:\pvjdv.exe46⤵
- Executes dropped EXE
PID:4600 -
\??\c:\rxffxxr.exec:\rxffxxr.exe47⤵
- Executes dropped EXE
PID:4920 -
\??\c:\tnttnb.exec:\tnttnb.exe48⤵
- Executes dropped EXE
PID:4580 -
\??\c:\nnntnn.exec:\nnntnn.exe49⤵
- Executes dropped EXE
PID:5064 -
\??\c:\vpdvv.exec:\vpdvv.exe50⤵
- Executes dropped EXE
PID:3040 -
\??\c:\vppdv.exec:\vppdv.exe51⤵
- Executes dropped EXE
PID:1064 -
\??\c:\xrllllf.exec:\xrllllf.exe52⤵
- Executes dropped EXE
PID:468 -
\??\c:\hbbttn.exec:\hbbttn.exe53⤵
- Executes dropped EXE
PID:3400 -
\??\c:\dvjdv.exec:\dvjdv.exe54⤵
- Executes dropped EXE
PID:804 -
\??\c:\vvpjv.exec:\vvpjv.exe55⤵
- Executes dropped EXE
PID:3192 -
\??\c:\rrxlrlf.exec:\rrxlrlf.exe56⤵
- Executes dropped EXE
PID:2848 -
\??\c:\7nttnt.exec:\7nttnt.exe57⤵
- Executes dropped EXE
PID:4644 -
\??\c:\tntnhn.exec:\tntnhn.exe58⤵
- Executes dropped EXE
PID:2532 -
\??\c:\vjjdv.exec:\vjjdv.exe59⤵
- Executes dropped EXE
PID:4588 -
\??\c:\xrxlfxr.exec:\xrxlfxr.exe60⤵PID:4476
-
\??\c:\xlfrrlr.exec:\xlfrrlr.exe61⤵
- Executes dropped EXE
PID:1964 -
\??\c:\hhhbnn.exec:\hhhbnn.exe62⤵
- Executes dropped EXE
PID:4964 -
\??\c:\pjdvp.exec:\pjdvp.exe63⤵
- Executes dropped EXE
PID:3336 -
\??\c:\7vvjd.exec:\7vvjd.exe64⤵
- Executes dropped EXE
PID:1728 -
\??\c:\lfffxxr.exec:\lfffxxr.exe65⤵
- Executes dropped EXE
PID:4484 -
\??\c:\tthbnn.exec:\tthbnn.exe66⤵
- Executes dropped EXE
PID:2468 -
\??\c:\vvvpj.exec:\vvvpj.exe67⤵PID:620
-
\??\c:\lxxrfrl.exec:\lxxrfrl.exe68⤵PID:3984
-
\??\c:\frlfffx.exec:\frlfffx.exe69⤵PID:3916
-
\??\c:\hbhbbh.exec:\hbhbbh.exe70⤵PID:1432
-
\??\c:\djvpp.exec:\djvpp.exe71⤵PID:3204
-
\??\c:\xlxrrrr.exec:\xlxrrrr.exe72⤵PID:4104
-
\??\c:\fxxlffx.exec:\fxxlffx.exe73⤵PID:4428
-
\??\c:\thnhbb.exec:\thnhbb.exe74⤵PID:2512
-
\??\c:\xrlrfxr.exec:\xrlrfxr.exe75⤵PID:856
-
\??\c:\ntbbtb.exec:\ntbbtb.exe76⤵PID:4812
-
\??\c:\pvdvp.exec:\pvdvp.exe77⤵PID:5008
-
\??\c:\fxxrlff.exec:\fxxrlff.exe78⤵PID:5116
-
\??\c:\tnnhnh.exec:\tnnhnh.exe79⤵PID:4284
-
\??\c:\vjjdv.exec:\vjjdv.exe80⤵PID:2344
-
\??\c:\vvvdv.exec:\vvvdv.exe81⤵PID:3004
-
\??\c:\lfrrxxr.exec:\lfrrxxr.exe82⤵PID:1916
-
\??\c:\nhnnhh.exec:\nhnnhh.exe83⤵PID:1276
-
\??\c:\7pjdv.exec:\7pjdv.exe84⤵PID:2800
-
\??\c:\lxfrrrl.exec:\lxfrrrl.exe85⤵PID:1760
-
\??\c:\hhhnht.exec:\hhhnht.exe86⤵PID:1912
-
\??\c:\dvjdj.exec:\dvjdj.exe87⤵PID:3484
-
\??\c:\xlrlllf.exec:\xlrlllf.exe88⤵PID:4228
-
\??\c:\3ttnhh.exec:\3ttnhh.exe89⤵PID:2676
-
\??\c:\httnnh.exec:\httnnh.exe90⤵PID:4024
-
\??\c:\dppjd.exec:\dppjd.exe91⤵PID:3064
-
\??\c:\flxrfll.exec:\flxrfll.exe92⤵PID:3720
-
\??\c:\xrrrffx.exec:\xrrrffx.exe93⤵PID:2908
-
\??\c:\thhhhh.exec:\thhhhh.exe94⤵PID:1256
-
\??\c:\jvpjd.exec:\jvpjd.exe95⤵PID:4432
-
\??\c:\rfxrlfx.exec:\rfxrlfx.exe96⤵PID:4028
-
\??\c:\9bbtnn.exec:\9bbtnn.exe97⤵PID:2300
-
\??\c:\dvvjv.exec:\dvvjv.exe98⤵PID:3100
-
\??\c:\fxlfxrl.exec:\fxlfxrl.exe99⤵PID:4856
-
\??\c:\bhhnnh.exec:\bhhnnh.exe100⤵PID:1080
-
\??\c:\thhbnh.exec:\thhbnh.exe101⤵PID:2136
-
\??\c:\flrlxrl.exec:\flrlxrl.exe102⤵PID:1508
-
\??\c:\tntnnh.exec:\tntnnh.exe103⤵PID:1748
-
\??\c:\pjdvj.exec:\pjdvj.exe104⤵PID:448
-
\??\c:\ddvpj.exec:\ddvpj.exe105⤵PID:1460
-
\??\c:\xlxrrrr.exec:\xlxrrrr.exe106⤵PID:1064
-
\??\c:\nhhbtn.exec:\nhhbtn.exe107⤵PID:2396
-
\??\c:\jjddp.exec:\jjddp.exe108⤵PID:3192
-
\??\c:\xfrllfl.exec:\xfrllfl.exe109⤵PID:808
-
\??\c:\rxfxlff.exec:\rxfxlff.exe110⤵PID:5024
-
\??\c:\btthbb.exec:\btthbb.exe111⤵PID:4012
-
\??\c:\vpjdv.exec:\vpjdv.exe112⤵PID:2932
-
\??\c:\xflfxrl.exec:\xflfxrl.exe113⤵PID:1648
-
\??\c:\nhnnhh.exec:\nhnnhh.exe114⤵PID:872
-
\??\c:\tbbbtt.exec:\tbbbtt.exe115⤵PID:4752
-
\??\c:\xllffxr.exec:\xllffxr.exe116⤵PID:5056
-
\??\c:\tbhbnb.exec:\tbhbnb.exe117⤵PID:3992
-
\??\c:\jpppj.exec:\jpppj.exe118⤵PID:4328
-
\??\c:\xfllrxr.exec:\xfllrxr.exe119⤵PID:3584
-
\??\c:\bttnhn.exec:\bttnhn.exe120⤵PID:4560
-
\??\c:\dpvjd.exec:\dpvjd.exe121⤵PID:1224
-
\??\c:\bttbtt.exec:\bttbtt.exe122⤵PID:2476