Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-12-2024 19:37
Static task
static1
1 signature
Behavioral task
behavioral1 (note: the signature hits and process tree below are all prefixed `behavioral2`, i.e. they come from the win10v2004-20241007-en x64 run listed under Analysis; this behavioral1 task on the win7-20240903-en image is a separate run whose detail is not reproduced on this page)
Sample
e72a51c9f629ad22df9d871b1f2b2475f7e9dfb2edb88fa80a6239f3bfd8840f.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e72a51c9f629ad22df9d871b1f2b2475f7e9dfb2edb88fa80a6239f3bfd8840f.exe
-
Size
453KB
-
MD5
1f2a727f70d9dd22ed42f519a1b13b45
-
SHA1
22994df526fb5d83064e1489608ffba7746050e8
-
SHA256
e72a51c9f629ad22df9d871b1f2b2475f7e9dfb2edb88fa80a6239f3bfd8840f
-
SHA512
111c36b813438fcf1189559bab1bd880821bd2ea73637adc96bcd513f1a1ae8dcd191639a0340fa139ec4d5b1ee262cdbdb9907f2e64bd03218d7f7271a43430
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1500-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3512-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4916-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-877-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-1025-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-1066-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-1070-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-1293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1440-1588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (PIDs are reused within the 120 s run — e.g. 960 appears below as both tthbbt.exe and xrfrxxx.exe, and the process tree shows 4916, 3500, 4268, 3560, 1632, 2936, 1188 and 3204 each twice — so correlate on PID together with image name and event order, never on PID alone; the list is also capped at 64 entries while the tree runs to 122 processes)
pid Process 2528 vpddj.exe 4576 5tbtth.exe 3312 tnnthh.exe 2960 jvpjd.exe 960 tthbbt.exe 3220 rffxrrl.exe 1564 dpvpp.exe 1228 rxlfxxr.exe 3804 htbtbb.exe 3148 1pvpp.exe 4808 vvjjd.exe 2496 jjdvv.exe 208 xflfxrl.exe 4916 nhnnhh.exe 4724 3xxrlxr.exe 4156 tbbttt.exe 3500 jvddd.exe 2120 5rfflrx.exe 4896 htnnhh.exe 1432 1jjdv.exe 4496 httnnh.exe 4720 lflfrlf.exe 3692 hbbtbb.exe 4468 9tbtnn.exe 3676 rlrllfr.exe 3512 jpdvd.exe 4120 7rxlfxr.exe 4772 rfrfxxx.exe 4728 tntntn.exe 3508 dvdvv.exe 2008 rllfflf.exe 3764 hhnhbh.exe 2124 xllfrrf.exe 3484 vpjdd.exe 4020 lxrlfrx.exe 1072 nhhhbh.exe 4648 jppjj.exe 4908 vjpdv.exe 3640 9xxrrrl.exe 4988 htbbtt.exe 4268 vpdpd.exe 1948 rllxrlx.exe 5004 fxflxlf.exe 3560 bhtnbb.exe 1632 vdpdv.exe 1760 fxlfxfx.exe 4324 llfxxfx.exe 2936 ntnhbn.exe 1188 dpvpj.exe 448 lxxrllf.exe 2028 rffxrlf.exe 3204 htthbb.exe 1892 vvjvv.exe 3800 lfffxxr.exe 3620 bnnhbt.exe 2768 httnbb.exe 3460 jpvjd.exe 960 xrfrxxx.exe 532 tbhtnh.exe 1008 1vdpd.exe 1352 jpvpd.exe 3200 xflxflf.exe 4064 nbhtnt.exe 2940 thhbtt.exe -
resource yara_rule behavioral2/memory/1500-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3512-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-351-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1624-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-1025-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-1062-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-1066-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Practitioner note: reading `HKLM\SYSTEM\ControlSet001\Control\NLS\Language` is also routinely done by benign software, so this IoC is weak on its own; it is notable here because the attributed readers are the dropped, randomly-named executables (bttnhh.exe, xxlxrrl.exe, nbhhbb.exe, …). Entries marked "Process not Found" are reads the sandbox could not attribute to a live process — likely because the chain's processes are short-lived and PIDs are reused within the run — so treat the per-process attribution as approximate.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (every write below targets the child the writer has just spawned — the next dropped EXE in the chain, PID 1500→2528→4576→3312→… — which is consistent with ordinary process creation of a new image rather than injection into an unrelated, already-running process; the listing is capped at 64 entries and stops at the 4496→4720 hand-off)
description pid Process procid_target PID 1500 wrote to memory of 2528 1500 e72a51c9f629ad22df9d871b1f2b2475f7e9dfb2edb88fa80a6239f3bfd8840f.exe 82 PID 1500 wrote to memory of 2528 1500 e72a51c9f629ad22df9d871b1f2b2475f7e9dfb2edb88fa80a6239f3bfd8840f.exe 82 PID 1500 wrote to memory of 2528 1500 e72a51c9f629ad22df9d871b1f2b2475f7e9dfb2edb88fa80a6239f3bfd8840f.exe 82 PID 2528 wrote to memory of 4576 2528 vpddj.exe 83 PID 2528 wrote to memory of 4576 2528 vpddj.exe 83 PID 2528 wrote to memory of 4576 2528 vpddj.exe 83 PID 4576 wrote to memory of 3312 4576 5tbtth.exe 84 PID 4576 wrote to memory of 3312 4576 5tbtth.exe 84 PID 4576 wrote to memory of 3312 4576 5tbtth.exe 84 PID 3312 wrote to memory of 2960 3312 tnnthh.exe 85 PID 3312 wrote to memory of 2960 3312 tnnthh.exe 85 PID 3312 wrote to memory of 2960 3312 tnnthh.exe 85 PID 2960 wrote to memory of 960 2960 jvpjd.exe 86 PID 2960 wrote to memory of 960 2960 jvpjd.exe 86 PID 2960 wrote to memory of 960 2960 jvpjd.exe 86 PID 960 wrote to memory of 3220 960 tthbbt.exe 87 PID 960 wrote to memory of 3220 960 tthbbt.exe 87 PID 960 wrote to memory of 3220 960 tthbbt.exe 87 PID 3220 wrote to memory of 1564 3220 rffxrrl.exe 88 PID 3220 wrote to memory of 1564 3220 rffxrrl.exe 88 PID 3220 wrote to memory of 1564 3220 rffxrrl.exe 88 PID 1564 wrote to memory of 1228 1564 dpvpp.exe 89 PID 1564 wrote to memory of 1228 1564 dpvpp.exe 89 PID 1564 wrote to memory of 1228 1564 dpvpp.exe 89 PID 1228 wrote to memory of 3804 1228 rxlfxxr.exe 90 PID 1228 wrote to memory of 3804 1228 rxlfxxr.exe 90 PID 1228 wrote to memory of 3804 1228 rxlfxxr.exe 90 PID 3804 wrote to memory of 3148 3804 htbtbb.exe 91 PID 3804 wrote to memory of 3148 3804 htbtbb.exe 91 PID 3804 wrote to memory of 3148 3804 htbtbb.exe 91 PID 3148 wrote to memory of 4808 3148 1pvpp.exe 92 PID 3148 wrote to memory of 4808 3148 1pvpp.exe 92 PID 3148 wrote to memory of 4808 3148 1pvpp.exe 92 PID 4808 wrote to memory of 2496 4808 vvjjd.exe 93 PID 4808 wrote to memory of 2496 
4808 vvjjd.exe 93 PID 4808 wrote to memory of 2496 4808 vvjjd.exe 93 PID 2496 wrote to memory of 208 2496 jjdvv.exe 94 PID 2496 wrote to memory of 208 2496 jjdvv.exe 94 PID 2496 wrote to memory of 208 2496 jjdvv.exe 94 PID 208 wrote to memory of 4916 208 xflfxrl.exe 95 PID 208 wrote to memory of 4916 208 xflfxrl.exe 95 PID 208 wrote to memory of 4916 208 xflfxrl.exe 95 PID 4916 wrote to memory of 4724 4916 nhnnhh.exe 96 PID 4916 wrote to memory of 4724 4916 nhnnhh.exe 96 PID 4916 wrote to memory of 4724 4916 nhnnhh.exe 96 PID 4724 wrote to memory of 4156 4724 3xxrlxr.exe 97 PID 4724 wrote to memory of 4156 4724 3xxrlxr.exe 97 PID 4724 wrote to memory of 4156 4724 3xxrlxr.exe 97 PID 4156 wrote to memory of 3500 4156 tbbttt.exe 98 PID 4156 wrote to memory of 3500 4156 tbbttt.exe 98 PID 4156 wrote to memory of 3500 4156 tbbttt.exe 98 PID 3500 wrote to memory of 2120 3500 jvddd.exe 99 PID 3500 wrote to memory of 2120 3500 jvddd.exe 99 PID 3500 wrote to memory of 2120 3500 jvddd.exe 99 PID 2120 wrote to memory of 4896 2120 5rfflrx.exe 100 PID 2120 wrote to memory of 4896 2120 5rfflrx.exe 100 PID 2120 wrote to memory of 4896 2120 5rfflrx.exe 100 PID 4896 wrote to memory of 1432 4896 htnnhh.exe 101 PID 4896 wrote to memory of 1432 4896 htnnhh.exe 101 PID 4896 wrote to memory of 1432 4896 htnnhh.exe 101 PID 1432 wrote to memory of 4496 1432 1jjdv.exe 102 PID 1432 wrote to memory of 4496 1432 1jjdv.exe 102 PID 1432 wrote to memory of 4496 1432 1jjdv.exe 102 PID 4496 wrote to memory of 4720 4496 httnnh.exe 103
Processes (each entry gives the image path, the command line and the tree depth; the ⤵ arrow marks a child of the preceding process, so the tree is a single linear chain 122 levels deep. Note that every dropped EXE is written to the root of `C:\` under a short, letter-only random name, which is itself a useful detection point: file creation plus execution directly in the drive root by a non-installer process)
-
C:\Users\Admin\AppData\Local\Temp\e72a51c9f629ad22df9d871b1f2b2475f7e9dfb2edb88fa80a6239f3bfd8840f.exe — command line: "C:\Users\Admin\AppData\Local\Temp\e72a51c9f629ad22df9d871b1f2b2475f7e9dfb2edb88fa80a6239f3bfd8840f.exe" — depth 1⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\vpddj.exec:\vpddj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\5tbtth.exec:\5tbtth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\tnnthh.exec:\tnnthh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\jvpjd.exec:\jvpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\tthbbt.exec:\tthbbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\rffxrrl.exec:\rffxrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\dpvpp.exec:\dpvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\rxlfxxr.exec:\rxlfxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\htbtbb.exec:\htbtbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\1pvpp.exec:\1pvpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\vvjjd.exec:\vvjjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\jjdvv.exec:\jjdvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\xflfxrl.exec:\xflfxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\nhnnhh.exec:\nhnnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\3xxrlxr.exec:\3xxrlxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\tbbttt.exec:\tbbttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\jvddd.exec:\jvddd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\5rfflrx.exec:\5rfflrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\htnnhh.exec:\htnnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\1jjdv.exec:\1jjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\httnnh.exec:\httnnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\lflfrlf.exec:\lflfrlf.exe23⤵
- Executes dropped EXE
PID:4720 -
\??\c:\hbbtbb.exec:\hbbtbb.exe24⤵
- Executes dropped EXE
PID:3692 -
\??\c:\9tbtnn.exec:\9tbtnn.exe25⤵
- Executes dropped EXE
PID:4468 -
\??\c:\rlrllfr.exec:\rlrllfr.exe26⤵
- Executes dropped EXE
PID:3676 -
\??\c:\jpdvd.exec:\jpdvd.exe27⤵
- Executes dropped EXE
PID:3512 -
\??\c:\7rxlfxr.exec:\7rxlfxr.exe28⤵
- Executes dropped EXE
PID:4120 -
\??\c:\rfrfxxx.exec:\rfrfxxx.exe29⤵
- Executes dropped EXE
PID:4772 -
\??\c:\tntntn.exec:\tntntn.exe30⤵
- Executes dropped EXE
PID:4728 -
\??\c:\dvdvv.exec:\dvdvv.exe31⤵
- Executes dropped EXE
PID:3508 -
\??\c:\rllfflf.exec:\rllfflf.exe32⤵
- Executes dropped EXE
PID:2008 -
\??\c:\hhnhbh.exec:\hhnhbh.exe33⤵
- Executes dropped EXE
PID:3764 -
\??\c:\xllfrrf.exec:\xllfrrf.exe34⤵
- Executes dropped EXE
PID:2124 -
\??\c:\vpjdd.exec:\vpjdd.exe35⤵
- Executes dropped EXE
PID:3484 -
\??\c:\lxrlfrx.exec:\lxrlfrx.exe36⤵
- Executes dropped EXE
PID:4020 -
\??\c:\nhhhbh.exec:\nhhhbh.exe37⤵
- Executes dropped EXE
PID:1072 -
\??\c:\jppjj.exec:\jppjj.exe38⤵
- Executes dropped EXE
PID:4648 -
\??\c:\vjpdv.exec:\vjpdv.exe39⤵
- Executes dropped EXE
PID:4908 -
\??\c:\9xxrrrl.exec:\9xxrrrl.exe40⤵
- Executes dropped EXE
PID:3640 -
\??\c:\htbbtt.exec:\htbbtt.exe41⤵
- Executes dropped EXE
PID:4988 -
\??\c:\vpdpd.exec:\vpdpd.exe42⤵
- Executes dropped EXE
PID:4268 -
\??\c:\rllxrlx.exec:\rllxrlx.exe43⤵
- Executes dropped EXE
PID:1948 -
\??\c:\fxflxlf.exec:\fxflxlf.exe44⤵
- Executes dropped EXE
PID:5004 -
\??\c:\bhtnbb.exec:\bhtnbb.exe45⤵
- Executes dropped EXE
PID:3560 -
\??\c:\vdpdv.exec:\vdpdv.exe46⤵
- Executes dropped EXE
PID:1632 -
\??\c:\fxlfxfx.exec:\fxlfxfx.exe47⤵
- Executes dropped EXE
PID:1760 -
\??\c:\llfxxfx.exec:\llfxxfx.exe48⤵
- Executes dropped EXE
PID:4324 -
\??\c:\ntnhbn.exec:\ntnhbn.exe49⤵
- Executes dropped EXE
PID:2936 -
\??\c:\dpvpj.exec:\dpvpj.exe50⤵
- Executes dropped EXE
PID:1188 -
\??\c:\lxxrllf.exec:\lxxrllf.exe51⤵
- Executes dropped EXE
PID:448 -
\??\c:\rffxrlf.exec:\rffxrlf.exe52⤵
- Executes dropped EXE
PID:2028 -
\??\c:\htthbb.exec:\htthbb.exe53⤵
- Executes dropped EXE
PID:3204 -
\??\c:\vvjvv.exec:\vvjvv.exe54⤵
- Executes dropped EXE
PID:1892 -
\??\c:\lfffxxr.exec:\lfffxxr.exe55⤵
- Executes dropped EXE
PID:3800 -
\??\c:\bnnhbt.exec:\bnnhbt.exe56⤵
- Executes dropped EXE
PID:3620 -
\??\c:\httnbb.exec:\httnbb.exe57⤵
- Executes dropped EXE
PID:2768 -
\??\c:\jpvjd.exec:\jpvjd.exe58⤵
- Executes dropped EXE
PID:3460 -
\??\c:\xrfrxxx.exec:\xrfrxxx.exe59⤵
- Executes dropped EXE
PID:960 -
\??\c:\tbhtnh.exec:\tbhtnh.exe60⤵
- Executes dropped EXE
PID:532 -
\??\c:\1vdpd.exec:\1vdpd.exe61⤵
- Executes dropped EXE
PID:1008 -
\??\c:\jpvpd.exec:\jpvpd.exe62⤵
- Executes dropped EXE
PID:1352 -
\??\c:\xflxflf.exec:\xflxflf.exe63⤵
- Executes dropped EXE
PID:3200 -
\??\c:\nbhtnt.exec:\nbhtnt.exe64⤵
- Executes dropped EXE
PID:4064 -
\??\c:\thhbtt.exec:\thhbtt.exe65⤵
- Executes dropped EXE
PID:2940 -
\??\c:\dvdvv.exec:\dvdvv.exe66⤵PID:868
-
\??\c:\rrlfxrr.exec:\rrlfxrr.exe67⤵PID:1552
-
\??\c:\nhhbnh.exec:\nhhbnh.exe68⤵PID:4072
-
\??\c:\jddpj.exec:\jddpj.exe69⤵PID:3064
-
\??\c:\pvjvj.exec:\pvjvj.exe70⤵PID:1620
-
\??\c:\fxfxfxf.exec:\fxfxfxf.exe71⤵PID:232
-
\??\c:\bnnhbt.exec:\bnnhbt.exe72⤵PID:1820
-
\??\c:\ddjdv.exec:\ddjdv.exe73⤵PID:5112
-
\??\c:\lflffxf.exec:\lflffxf.exe74⤵PID:2836
-
\??\c:\tnbtnh.exec:\tnbtnh.exe75⤵PID:4916
-
\??\c:\9jdpj.exec:\9jdpj.exe76⤵PID:2032
-
\??\c:\rxlxrlf.exec:\rxlxrlf.exe77⤵PID:5104
-
\??\c:\rffxffr.exec:\rffxffr.exe78⤵PID:3500
-
\??\c:\nthbtt.exec:\nthbtt.exe79⤵PID:3988
-
\??\c:\vpjdv.exec:\vpjdv.exe80⤵PID:768
-
\??\c:\fflflll.exec:\fflflll.exe81⤵PID:4456
-
\??\c:\1tbbnn.exec:\1tbbnn.exe82⤵PID:2620
-
\??\c:\pjvvp.exec:\pjvvp.exe83⤵PID:1624
-
\??\c:\rfxrlrf.exec:\rfxrlrf.exe84⤵PID:1096
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe85⤵PID:952
-
\??\c:\nbhbtn.exec:\nbhbtn.exe86⤵PID:4888
-
\??\c:\dvjjd.exec:\dvjjd.exe87⤵PID:1520
-
\??\c:\dvjdd.exec:\dvjdd.exe88⤵PID:2536
-
\??\c:\rxlfxxf.exec:\rxlfxxf.exe89⤵PID:3704
-
\??\c:\flrfllf.exec:\flrfllf.exe90⤵PID:4016
-
\??\c:\9nnnth.exec:\9nnnth.exe91⤵PID:4440
-
\??\c:\1pjvj.exec:\1pjvj.exe92⤵PID:396
-
\??\c:\fxfrlfr.exec:\fxfrlfr.exe93⤵PID:432
-
\??\c:\bttnhh.exec:\bttnhh.exe94⤵
- System Location Discovery: System Language Discovery
PID:4364 -
\??\c:\5nthnb.exec:\5nthnb.exe95⤵PID:2228
-
\??\c:\9vdvp.exec:\9vdvp.exe96⤵PID:2044
-
\??\c:\ffxrrlf.exec:\ffxrrlf.exe97⤵PID:2268
-
\??\c:\xrrlfll.exec:\xrrlfll.exe98⤵PID:3348
-
\??\c:\tbnbth.exec:\tbnbth.exe99⤵PID:1824
-
\??\c:\jvddd.exec:\jvddd.exe100⤵PID:1496
-
\??\c:\xxlffff.exec:\xxlffff.exe101⤵PID:1772
-
\??\c:\htbtbn.exec:\htbtbn.exe102⤵PID:1696
-
\??\c:\vjpdv.exec:\vjpdv.exe103⤵PID:1324
-
\??\c:\vdvpv.exec:\vdvpv.exe104⤵PID:1968
-
\??\c:\3ffxffx.exec:\3ffxffx.exe105⤵PID:1856
-
\??\c:\hbtbtb.exec:\hbtbtb.exe106⤵PID:860
-
\??\c:\dpvpj.exec:\dpvpj.exe107⤵PID:1748
-
\??\c:\jdjpp.exec:\jdjpp.exe108⤵PID:4452
-
\??\c:\3tnhbt.exec:\3tnhbt.exe109⤵PID:4268
-
\??\c:\tnnnhh.exec:\tnnnhh.exe110⤵PID:1048
-
\??\c:\1vpjd.exec:\1vpjd.exe111⤵PID:2460
-
\??\c:\lfllfxr.exec:\lfllfxr.exe112⤵PID:4504
-
\??\c:\nhhtnh.exec:\nhhtnh.exe113⤵PID:3560
-
\??\c:\7bnbtt.exec:\7bnbtt.exe114⤵PID:1632
-
\??\c:\7pjdp.exec:\7pjdp.exe115⤵PID:4320
-
\??\c:\rflfxrr.exec:\rflfxrr.exe116⤵PID:1396
-
\??\c:\9xfxfxl.exec:\9xfxfxl.exe117⤵PID:2936
-
\??\c:\7ntnbb.exec:\7ntnbb.exe118⤵PID:1188
-
\??\c:\5dvpd.exec:\5dvpd.exe119⤵PID:3324
-
\??\c:\lfflfxx.exec:\lfflfxx.exe120⤵PID:2276
-
\??\c:\xlxxlfr.exec:\xlxxlfr.exe121⤵PID:3204
-
\??\c:\nhhhbb.exec:\nhhhbb.exe122⤵PID:4232
-