Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 14:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ca1597ce4dc21fdc60a22cdee7165f78e2ae29132874edda94cc82805af8089aN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
ca1597ce4dc21fdc60a22cdee7165f78e2ae29132874edda94cc82805af8089aN.exe
-
Size
454KB
-
MD5
06fbfe19d79362d9215b79482301c2c0
-
SHA1
c557b2d969967ce2f886184b42e062304bd01463
-
SHA256
ca1597ce4dc21fdc60a22cdee7165f78e2ae29132874edda94cc82805af8089a
-
SHA512
1847b4c4cb5cb048b41417ebedc4f11f641f4862292e18946477578970420e36238e9c3b725cfbe83630d63a3b477dd341a16fa94cb7c1c89e5ff85f8e61bf09
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/4312-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/600-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4444-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3472-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-1467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-1942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 600 vpddj.exe 1852 tntnhh.exe 1252 jvddj.exe 2248 djvvd.exe 4944 ppvpd.exe 1920 hbhbbb.exe 2792 7jpjp.exe 1784 htbbhb.exe 208 vpvpd.exe 1056 btbnhh.exe 2260 jvdvp.exe 812 5pvpd.exe 636 rlfrlff.exe 3996 bhnhbt.exe 2648 pvddj.exe 3468 3bnhhn.exe 2856 ppjdv.exe 984 rrrlfxx.exe 2168 hbthbb.exe 1608 dpdvp.exe 4444 jdpjj.exe 4744 3hbtnn.exe 4200 bntnhh.exe 5108 7xfxrrr.exe 5092 bbhbbb.exe 4808 nnttnt.exe 3744 xrxrlll.exe 2192 1xfrllx.exe 872 tnttnn.exe 1148 jpvdv.exe 4976 pjjjd.exe 2188 rrrllll.exe 336 pppvv.exe 4352 fxrlllf.exe 4728 nthbtt.exe 2184 1jjpp.exe 3460 rfffxrl.exe 1264 hhtttt.exe 1188 vvjjp.exe 2880 7xxrlll.exe 1316 7ntnnb.exe 2572 1jjdv.exe 3612 jvdvp.exe 436 lrrxxff.exe 3368 thbttn.exe 3936 rllfrrl.exe 1832 7lxxlrx.exe 1684 tntnhh.exe 4324 1tbttt.exe 4840 jjpjp.exe 4536 lrfxxxf.exe 4948 9xfxxxr.exe 4152 tnbthb.exe 2464 vvppp.exe 3660 7xffrrr.exe 3544 llxxffx.exe 4944 hhbhnn.exe 2208 djpjj.exe 1008 fffxrrl.exe 3364 7ffxrrl.exe 1784 hbbtnn.exe 1384 dvddd.exe 1124 fxxllff.exe 3088 9llfffx.exe -
resource yara_rule behavioral2/memory/4312-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/600-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-135-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4444-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-323-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4472-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-675-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttnt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4312 wrote to memory of 600 4312 ca1597ce4dc21fdc60a22cdee7165f78e2ae29132874edda94cc82805af8089aN.exe 84 PID 4312 wrote to memory of 600 4312 ca1597ce4dc21fdc60a22cdee7165f78e2ae29132874edda94cc82805af8089aN.exe 84 PID 4312 wrote to memory of 600 4312 ca1597ce4dc21fdc60a22cdee7165f78e2ae29132874edda94cc82805af8089aN.exe 84 PID 600 wrote to memory of 1852 600 vpddj.exe 85 PID 600 wrote to memory of 1852 600 vpddj.exe 85 PID 600 wrote to memory of 1852 600 vpddj.exe 85 PID 1852 wrote to memory of 1252 1852 tntnhh.exe 86 PID 1852 wrote to memory of 1252 1852 tntnhh.exe 86 PID 1852 wrote to memory of 1252 1852 tntnhh.exe 86 PID 1252 wrote to memory of 2248 1252 jvddj.exe 87 PID 1252 wrote to memory of 2248 1252 jvddj.exe 87 PID 1252 wrote to memory of 2248 1252 jvddj.exe 87 PID 2248 wrote to memory of 4944 2248 djvvd.exe 88 PID 2248 wrote to memory of 4944 2248 djvvd.exe 88 PID 2248 wrote to memory of 4944 2248 djvvd.exe 88 PID 4944 wrote to memory of 1920 4944 ppvpd.exe 89 PID 4944 wrote to memory of 1920 4944 ppvpd.exe 89 PID 4944 wrote to memory of 1920 4944 ppvpd.exe 89 PID 1920 wrote to memory of 2792 1920 hbhbbb.exe 90 PID 1920 wrote to memory of 2792 1920 hbhbbb.exe 90 PID 1920 wrote to memory of 2792 1920 hbhbbb.exe 90 PID 2792 wrote to memory of 1784 2792 7jpjp.exe 91 PID 2792 wrote to memory of 1784 2792 7jpjp.exe 91 PID 2792 wrote to memory of 1784 2792 7jpjp.exe 91 PID 1784 wrote to memory of 208 1784 htbbhb.exe 92 PID 1784 wrote to memory of 208 1784 htbbhb.exe 92 PID 1784 wrote to memory of 208 1784 htbbhb.exe 92 PID 208 wrote to memory of 1056 208 vpvpd.exe 93 PID 208 wrote to memory of 1056 208 vpvpd.exe 93 PID 208 wrote to memory of 1056 208 vpvpd.exe 93 PID 1056 wrote to memory of 2260 1056 btbnhh.exe 94 PID 1056 wrote to memory of 2260 1056 btbnhh.exe 94 PID 1056 wrote to memory of 2260 1056 btbnhh.exe 94 PID 2260 wrote to memory of 812 2260 jvdvp.exe 95 PID 2260 wrote to memory of 812 2260 jvdvp.exe 95 PID 
2260 wrote to memory of 812 2260 jvdvp.exe 95 PID 812 wrote to memory of 636 812 5pvpd.exe 96 PID 812 wrote to memory of 636 812 5pvpd.exe 96 PID 812 wrote to memory of 636 812 5pvpd.exe 96 PID 636 wrote to memory of 3996 636 rlfrlff.exe 97 PID 636 wrote to memory of 3996 636 rlfrlff.exe 97 PID 636 wrote to memory of 3996 636 rlfrlff.exe 97 PID 3996 wrote to memory of 2648 3996 bhnhbt.exe 98 PID 3996 wrote to memory of 2648 3996 bhnhbt.exe 98 PID 3996 wrote to memory of 2648 3996 bhnhbt.exe 98 PID 2648 wrote to memory of 3468 2648 pvddj.exe 99 PID 2648 wrote to memory of 3468 2648 pvddj.exe 99 PID 2648 wrote to memory of 3468 2648 pvddj.exe 99 PID 3468 wrote to memory of 2856 3468 3bnhhn.exe 100 PID 3468 wrote to memory of 2856 3468 3bnhhn.exe 100 PID 3468 wrote to memory of 2856 3468 3bnhhn.exe 100 PID 2856 wrote to memory of 984 2856 ppjdv.exe 101 PID 2856 wrote to memory of 984 2856 ppjdv.exe 101 PID 2856 wrote to memory of 984 2856 ppjdv.exe 101 PID 984 wrote to memory of 2168 984 rrrlfxx.exe 102 PID 984 wrote to memory of 2168 984 rrrlfxx.exe 102 PID 984 wrote to memory of 2168 984 rrrlfxx.exe 102 PID 2168 wrote to memory of 1608 2168 hbthbb.exe 103 PID 2168 wrote to memory of 1608 2168 hbthbb.exe 103 PID 2168 wrote to memory of 1608 2168 hbthbb.exe 103 PID 1608 wrote to memory of 4444 1608 dpdvp.exe 104 PID 1608 wrote to memory of 4444 1608 dpdvp.exe 104 PID 1608 wrote to memory of 4444 1608 dpdvp.exe 104 PID 4444 wrote to memory of 4744 4444 jdpjj.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca1597ce4dc21fdc60a22cdee7165f78e2ae29132874edda94cc82805af8089aN.exe"C:\Users\Admin\AppData\Local\Temp\ca1597ce4dc21fdc60a22cdee7165f78e2ae29132874edda94cc82805af8089aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\vpddj.exec:\vpddj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:600 -
\??\c:\tntnhh.exec:\tntnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\jvddj.exec:\jvddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\djvvd.exec:\djvvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\ppvpd.exec:\ppvpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\hbhbbb.exec:\hbhbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\7jpjp.exec:\7jpjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\htbbhb.exec:\htbbhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\vpvpd.exec:\vpvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\btbnhh.exec:\btbnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\jvdvp.exec:\jvdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\5pvpd.exec:\5pvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\rlfrlff.exec:\rlfrlff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\bhnhbt.exec:\bhnhbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\pvddj.exec:\pvddj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\3bnhhn.exec:\3bnhhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\ppjdv.exec:\ppjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\rrrlfxx.exec:\rrrlfxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\hbthbb.exec:\hbthbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\dpdvp.exec:\dpdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\jdpjj.exec:\jdpjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\3hbtnn.exec:\3hbtnn.exe23⤵
- Executes dropped EXE
PID:4744 -
\??\c:\bntnhh.exec:\bntnhh.exe24⤵
- Executes dropped EXE
PID:4200 -
\??\c:\7xfxrrr.exec:\7xfxrrr.exe25⤵
- Executes dropped EXE
PID:5108 -
\??\c:\bbhbbb.exec:\bbhbbb.exe26⤵
- Executes dropped EXE
PID:5092 -
\??\c:\nnttnt.exec:\nnttnt.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4808 -
\??\c:\xrxrlll.exec:\xrxrlll.exe28⤵
- Executes dropped EXE
PID:3744 -
\??\c:\1xfrllx.exec:\1xfrllx.exe29⤵
- Executes dropped EXE
PID:2192 -
\??\c:\tnttnn.exec:\tnttnn.exe30⤵
- Executes dropped EXE
PID:872 -
\??\c:\jpvdv.exec:\jpvdv.exe31⤵
- Executes dropped EXE
PID:1148 -
\??\c:\pjjjd.exec:\pjjjd.exe32⤵
- Executes dropped EXE
PID:4976 -
\??\c:\rrrllll.exec:\rrrllll.exe33⤵
- Executes dropped EXE
PID:2188 -
\??\c:\pppvv.exec:\pppvv.exe34⤵
- Executes dropped EXE
PID:336 -
\??\c:\fxrlllf.exec:\fxrlllf.exe35⤵
- Executes dropped EXE
PID:4352 -
\??\c:\nthbtt.exec:\nthbtt.exe36⤵
- Executes dropped EXE
PID:4728 -
\??\c:\1jjpp.exec:\1jjpp.exe37⤵
- Executes dropped EXE
PID:2184 -
\??\c:\rfffxrl.exec:\rfffxrl.exe38⤵
- Executes dropped EXE
PID:3460 -
\??\c:\hhtttt.exec:\hhtttt.exe39⤵
- Executes dropped EXE
PID:1264 -
\??\c:\vvjjp.exec:\vvjjp.exe40⤵
- Executes dropped EXE
PID:1188 -
\??\c:\7xxrlll.exec:\7xxrlll.exe41⤵
- Executes dropped EXE
PID:2880 -
\??\c:\7ntnnb.exec:\7ntnnb.exe42⤵
- Executes dropped EXE
PID:1316 -
\??\c:\1jjdv.exec:\1jjdv.exe43⤵
- Executes dropped EXE
PID:2572 -
\??\c:\jvdvp.exec:\jvdvp.exe44⤵
- Executes dropped EXE
PID:3612 -
\??\c:\lrrxxff.exec:\lrrxxff.exe45⤵
- Executes dropped EXE
PID:436 -
\??\c:\thbttn.exec:\thbttn.exe46⤵
- Executes dropped EXE
PID:3368 -
\??\c:\rllfrrl.exec:\rllfrrl.exe47⤵
- Executes dropped EXE
PID:3936 -
\??\c:\7lxxlrx.exec:\7lxxlrx.exe48⤵
- Executes dropped EXE
PID:1832 -
\??\c:\tntnhh.exec:\tntnhh.exe49⤵
- Executes dropped EXE
PID:1684 -
\??\c:\1tbttt.exec:\1tbttt.exe50⤵
- Executes dropped EXE
PID:4324 -
\??\c:\jjpjp.exec:\jjpjp.exe51⤵
- Executes dropped EXE
PID:4840 -
\??\c:\lrfxxxf.exec:\lrfxxxf.exe52⤵
- Executes dropped EXE
PID:4536 -
\??\c:\9xfxxxr.exec:\9xfxxxr.exe53⤵
- Executes dropped EXE
PID:4948 -
\??\c:\tnbthb.exec:\tnbthb.exe54⤵
- Executes dropped EXE
PID:4152 -
\??\c:\vvppp.exec:\vvppp.exe55⤵
- Executes dropped EXE
PID:2464 -
\??\c:\7xffrrr.exec:\7xffrrr.exe56⤵
- Executes dropped EXE
PID:3660 -
\??\c:\llxxffx.exec:\llxxffx.exe57⤵
- Executes dropped EXE
PID:3544 -
\??\c:\hhbhnn.exec:\hhbhnn.exe58⤵
- Executes dropped EXE
PID:4944 -
\??\c:\djpjj.exec:\djpjj.exe59⤵
- Executes dropped EXE
PID:2208 -
\??\c:\fffxrrl.exec:\fffxrrl.exe60⤵
- Executes dropped EXE
PID:1008 -
\??\c:\7ffxrrl.exec:\7ffxrrl.exe61⤵
- Executes dropped EXE
PID:3364 -
\??\c:\hbbtnn.exec:\hbbtnn.exe62⤵
- Executes dropped EXE
PID:1784 -
\??\c:\dvddd.exec:\dvddd.exe63⤵
- Executes dropped EXE
PID:1384 -
\??\c:\fxxllff.exec:\fxxllff.exe64⤵
- Executes dropped EXE
PID:1124 -
\??\c:\9llfffx.exec:\9llfffx.exe65⤵
- Executes dropped EXE
PID:3088 -
\??\c:\thtnhb.exec:\thtnhb.exe66⤵PID:3448
-
\??\c:\9pvvv.exec:\9pvvv.exe67⤵PID:4328
-
\??\c:\9vpjd.exec:\9vpjd.exe68⤵PID:812
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe69⤵PID:3472
-
\??\c:\btbtnt.exec:\btbtnt.exe70⤵PID:636
-
\??\c:\jjpjj.exec:\jjpjj.exe71⤵PID:1408
-
\??\c:\5fxrrrr.exec:\5fxrrrr.exe72⤵PID:424
-
\??\c:\lllrrll.exec:\lllrrll.exe73⤵PID:4472
-
\??\c:\9bnntt.exec:\9bnntt.exe74⤵PID:2280
-
\??\c:\5jpjd.exec:\5jpjd.exe75⤵PID:2856
-
\??\c:\jdvpp.exec:\jdvpp.exe76⤵PID:460
-
\??\c:\rlfrrxf.exec:\rlfrrxf.exe77⤵PID:728
-
\??\c:\bbbtnh.exec:\bbbtnh.exe78⤵PID:1736
-
\??\c:\thtthh.exec:\thtthh.exe79⤵PID:928
-
\??\c:\vpdvp.exec:\vpdvp.exe80⤵PID:4444
-
\??\c:\lllfffx.exec:\lllfffx.exe81⤵PID:4440
-
\??\c:\hbhbbt.exec:\hbhbbt.exe82⤵PID:4348
-
\??\c:\pjvpj.exec:\pjvpj.exe83⤵PID:1692
-
\??\c:\pppdv.exec:\pppdv.exe84⤵PID:5012
-
\??\c:\3frlllf.exec:\3frlllf.exe85⤵PID:1980
-
\??\c:\tbnttn.exec:\tbnttn.exe86⤵PID:3616
-
\??\c:\jvjdd.exec:\jvjdd.exe87⤵PID:4492
-
\??\c:\ffrlxxr.exec:\ffrlxxr.exe88⤵PID:4056
-
\??\c:\1hhnhn.exec:\1hhnhn.exe89⤵PID:2088
-
\??\c:\1jpjv.exec:\1jpjv.exe90⤵PID:3640
-
\??\c:\jddvp.exec:\jddvp.exe91⤵PID:4572
-
\??\c:\fxrllll.exec:\fxrllll.exe92⤵PID:3524
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe93⤵PID:2008
-
\??\c:\ntbtnn.exec:\ntbtnn.exe94⤵PID:4032
-
\??\c:\5djjp.exec:\5djjp.exe95⤵PID:2768
-
\??\c:\ffrlfff.exec:\ffrlfff.exe96⤵PID:3584
-
\??\c:\ntbttt.exec:\ntbttt.exe97⤵PID:4352
-
\??\c:\1hhbbb.exec:\1hhbbb.exe98⤵PID:2400
-
\??\c:\9ppjd.exec:\9ppjd.exe99⤵PID:3432
-
\??\c:\xlrlxxx.exec:\xlrlxxx.exe100⤵PID:1836
-
\??\c:\tntnhh.exec:\tntnhh.exe101⤵PID:1828
-
\??\c:\tnbtnh.exec:\tnbtnh.exe102⤵PID:2072
-
\??\c:\3djjv.exec:\3djjv.exe103⤵PID:1272
-
\??\c:\5jpjj.exec:\5jpjj.exe104⤵PID:3992
-
\??\c:\xlrrfff.exec:\xlrrfff.exe105⤵PID:4880
-
\??\c:\tnttbb.exec:\tnttbb.exe106⤵PID:4048
-
\??\c:\vpjdv.exec:\vpjdv.exe107⤵PID:536
-
\??\c:\dddvp.exec:\dddvp.exe108⤵PID:3664
-
\??\c:\lxrlfxr.exec:\lxrlfxr.exe109⤵PID:532
-
\??\c:\tttnnt.exec:\tttnnt.exe110⤵PID:4672
-
\??\c:\tnthbh.exec:\tnthbh.exe111⤵PID:4332
-
\??\c:\3vpjj.exec:\3vpjj.exe112⤵PID:1604
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe113⤵PID:1768
-
\??\c:\btbtnt.exec:\btbtnt.exe114⤵PID:3912
-
\??\c:\hnhhbb.exec:\hnhhbb.exe115⤵
- System Location Discovery: System Language Discovery
PID:2308 -
\??\c:\dvpjd.exec:\dvpjd.exe116⤵PID:2128
-
\??\c:\lffxrll.exec:\lffxrll.exe117⤵PID:3028
-
\??\c:\thhhbb.exec:\thhhbb.exe118⤵PID:4760
-
\??\c:\ppvpp.exec:\ppvpp.exe119⤵PID:3660
-
\??\c:\xxrlrrl.exec:\xxrlrrl.exe120⤵PID:3544
-
\??\c:\btttnn.exec:\btttnn.exe121⤵PID:1892
-
\??\c:\hhhbtt.exec:\hhhbtt.exe122⤵PID:4516