Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 15:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe
-
Size
454KB
-
MD5
71d15315b7e75d78da8bbc4bfc2daef2
-
SHA1
b69b8df734ed6321c5be9d9d6b570727e94a9df7
-
SHA256
5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b
-
SHA512
51584613d82ba8d0fe83b61ab0933a31cf40370978f96c997eae1cae2cc2fb36146194ddcded50a9aa5c1433f7b488a6f4c84e4e8e9fd77c5b2d9986345c3a65
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAber:q7Tc2NYHUrAwfMp3CDr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2348-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/448-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4704-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-758-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-790-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-830-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-1002-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-1241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-1377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2156-1823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2792 vddpd.exe 4608 bnhtbt.exe 5036 xxrfxrf.exe 2208 jpjvj.exe 1264 lrlxlfx.exe 4872 1pdpj.exe 4016 5hhthb.exe 2564 jvdpd.exe 1060 tttntt.exe 8 vjpdv.exe 2284 nnhttb.exe 2360 jpvdj.exe 1228 vjjpj.exe 2388 htttnh.exe 5080 pjdpd.exe 4836 tbthbt.exe 4304 pdpjv.exe 720 5rlxlxr.exe 2524 tnnbth.exe 1352 xrxrrrl.exe 5016 3nhthb.exe 4920 jppdp.exe 448 nbbhth.exe 2184 5nhthb.exe 1776 pvvjv.exe 2384 hnnbnh.exe 516 fllfrlx.exe 4956 xxrlxrl.exe 540 nhhthb.exe 2880 9vjvj.exe 4908 9nnbtt.exe 4516 9dvjv.exe 3008 5rlxfxr.exe 3312 hnnhtn.exe 2696 vdvpp.exe 4704 flxrlfx.exe 4588 bbbnbn.exe 620 pdjdd.exe 3124 vvvjd.exe 3752 9frlrrl.exe 2896 nnhtnh.exe 4364 tbhbtt.exe 3380 dvddv.exe 2724 7lflfrl.exe 2964 nhhbtn.exe 4384 rxlfrrl.exe 4780 nbhbnn.exe 3688 3jjdv.exe 3024 1pjvj.exe 4644 xxxxrrr.exe 4604 5tnhbb.exe 4312 bthnbb.exe 2836 vppjp.exe 716 lrlrfrf.exe 4816 nhhhhh.exe 2128 tthbbh.exe 3288 vjvpp.exe 3056 pdjvv.exe 4216 lfrlxxl.exe 3532 dpjvp.exe 4340 fflxrrl.exe 2932 3rrlflr.exe 2744 nhnhhh.exe 4432 jdvvp.exe -
resource yara_rule behavioral2/memory/2348-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/540-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-401-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3064-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-774-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llxlfx.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2348 wrote to memory of 2792 2348 5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe 82 PID 2348 wrote to memory of 2792 2348 5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe 82 PID 2348 wrote to memory of 2792 2348 5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe 82 PID 2792 wrote to memory of 4608 2792 vddpd.exe 83 PID 2792 wrote to memory of 4608 2792 vddpd.exe 83 PID 2792 wrote to memory of 4608 2792 vddpd.exe 83 PID 4608 wrote to memory of 5036 4608 bnhtbt.exe 84 PID 4608 wrote to memory of 5036 4608 bnhtbt.exe 84 PID 4608 wrote to memory of 5036 4608 bnhtbt.exe 84 PID 5036 wrote to memory of 2208 5036 xxrfxrf.exe 85 PID 5036 wrote to memory of 2208 5036 xxrfxrf.exe 85 PID 5036 wrote to memory of 2208 5036 xxrfxrf.exe 85 PID 2208 wrote to memory of 1264 2208 jpjvj.exe 86 PID 2208 wrote to memory of 1264 2208 jpjvj.exe 86 PID 2208 wrote to memory of 1264 2208 jpjvj.exe 86 PID 1264 wrote to memory of 4872 1264 lrlxlfx.exe 87 PID 1264 wrote to memory of 4872 1264 lrlxlfx.exe 87 PID 1264 wrote to memory of 4872 1264 lrlxlfx.exe 87 PID 4872 wrote to memory of 4016 4872 1pdpj.exe 88 PID 4872 wrote to memory of 4016 4872 1pdpj.exe 88 PID 4872 wrote to memory of 4016 4872 1pdpj.exe 88 PID 4016 wrote to memory of 2564 4016 5hhthb.exe 89 PID 4016 wrote to memory of 2564 4016 5hhthb.exe 89 PID 4016 wrote to memory of 2564 4016 5hhthb.exe 89 PID 2564 wrote to memory of 1060 2564 jvdpd.exe 90 PID 2564 wrote to memory of 1060 2564 jvdpd.exe 90 PID 2564 wrote to memory of 1060 2564 jvdpd.exe 90 PID 1060 wrote to memory of 8 1060 tttntt.exe 91 PID 1060 wrote to memory of 8 1060 tttntt.exe 91 PID 1060 wrote to memory of 8 1060 tttntt.exe 91 PID 8 wrote to memory of 2284 8 vjpdv.exe 92 PID 8 wrote to memory of 2284 8 vjpdv.exe 92 PID 8 wrote to memory of 2284 8 vjpdv.exe 92 PID 2284 wrote to memory of 2360 2284 nnhttb.exe 93 PID 2284 wrote to memory of 2360 2284 nnhttb.exe 93 PID 
2284 wrote to memory of 2360 2284 nnhttb.exe 93 PID 2360 wrote to memory of 1228 2360 jpvdj.exe 94 PID 2360 wrote to memory of 1228 2360 jpvdj.exe 94 PID 2360 wrote to memory of 1228 2360 jpvdj.exe 94 PID 1228 wrote to memory of 2388 1228 vjjpj.exe 95 PID 1228 wrote to memory of 2388 1228 vjjpj.exe 95 PID 1228 wrote to memory of 2388 1228 vjjpj.exe 95 PID 2388 wrote to memory of 5080 2388 htttnh.exe 96 PID 2388 wrote to memory of 5080 2388 htttnh.exe 96 PID 2388 wrote to memory of 5080 2388 htttnh.exe 96 PID 5080 wrote to memory of 4836 5080 pjdpd.exe 97 PID 5080 wrote to memory of 4836 5080 pjdpd.exe 97 PID 5080 wrote to memory of 4836 5080 pjdpd.exe 97 PID 4836 wrote to memory of 4304 4836 tbthbt.exe 98 PID 4836 wrote to memory of 4304 4836 tbthbt.exe 98 PID 4836 wrote to memory of 4304 4836 tbthbt.exe 98 PID 4304 wrote to memory of 720 4304 pdpjv.exe 99 PID 4304 wrote to memory of 720 4304 pdpjv.exe 99 PID 4304 wrote to memory of 720 4304 pdpjv.exe 99 PID 720 wrote to memory of 2524 720 5rlxlxr.exe 100 PID 720 wrote to memory of 2524 720 5rlxlxr.exe 100 PID 720 wrote to memory of 2524 720 5rlxlxr.exe 100 PID 2524 wrote to memory of 1352 2524 tnnbth.exe 101 PID 2524 wrote to memory of 1352 2524 tnnbth.exe 101 PID 2524 wrote to memory of 1352 2524 tnnbth.exe 101 PID 1352 wrote to memory of 5016 1352 xrxrrrl.exe 102 PID 1352 wrote to memory of 5016 1352 xrxrrrl.exe 102 PID 1352 wrote to memory of 5016 1352 xrxrrrl.exe 102 PID 5016 wrote to memory of 4920 5016 3nhthb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe"C:\Users\Admin\AppData\Local\Temp\5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\vddpd.exec:\vddpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\bnhtbt.exec:\bnhtbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\xxrfxrf.exec:\xxrfxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\jpjvj.exec:\jpjvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\lrlxlfx.exec:\lrlxlfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\1pdpj.exec:\1pdpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\5hhthb.exec:\5hhthb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\jvdpd.exec:\jvdpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\tttntt.exec:\tttntt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\vjpdv.exec:\vjpdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\nnhttb.exec:\nnhttb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\jpvdj.exec:\jpvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\vjjpj.exec:\vjjpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\htttnh.exec:\htttnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\pjdpd.exec:\pjdpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\tbthbt.exec:\tbthbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\pdpjv.exec:\pdpjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\5rlxlxr.exec:\5rlxlxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\tnnbth.exec:\tnnbth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\xrxrrrl.exec:\xrxrrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\3nhthb.exec:\3nhthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\jppdp.exec:\jppdp.exe23⤵
- Executes dropped EXE
PID:4920 -
\??\c:\nbbhth.exec:\nbbhth.exe24⤵
- Executes dropped EXE
PID:448 -
\??\c:\5nhthb.exec:\5nhthb.exe25⤵
- Executes dropped EXE
PID:2184 -
\??\c:\pvvjv.exec:\pvvjv.exe26⤵
- Executes dropped EXE
PID:1776 -
\??\c:\hnnbnh.exec:\hnnbnh.exe27⤵
- Executes dropped EXE
PID:2384 -
\??\c:\fllfrlx.exec:\fllfrlx.exe28⤵
- Executes dropped EXE
PID:516 -
\??\c:\xxrlxrl.exec:\xxrlxrl.exe29⤵
- Executes dropped EXE
PID:4956 -
\??\c:\nhhthb.exec:\nhhthb.exe30⤵
- Executes dropped EXE
PID:540 -
\??\c:\9vjvj.exec:\9vjvj.exe31⤵
- Executes dropped EXE
PID:2880 -
\??\c:\9nnbtt.exec:\9nnbtt.exe32⤵
- Executes dropped EXE
PID:4908 -
\??\c:\9dvjv.exec:\9dvjv.exe33⤵
- Executes dropped EXE
PID:4516 -
\??\c:\5rlxfxr.exec:\5rlxfxr.exe34⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hnnhtn.exec:\hnnhtn.exe35⤵
- Executes dropped EXE
PID:3312 -
\??\c:\vdvpp.exec:\vdvpp.exe36⤵
- Executes dropped EXE
PID:2696 -
\??\c:\flxrlfx.exec:\flxrlfx.exe37⤵
- Executes dropped EXE
PID:4704 -
\??\c:\bbbnbn.exec:\bbbnbn.exe38⤵
- Executes dropped EXE
PID:4588 -
\??\c:\pdjdd.exec:\pdjdd.exe39⤵
- Executes dropped EXE
PID:620 -
\??\c:\vvvjd.exec:\vvvjd.exe40⤵
- Executes dropped EXE
PID:3124 -
\??\c:\9frlrrl.exec:\9frlrrl.exe41⤵
- Executes dropped EXE
PID:3752 -
\??\c:\nnhtnh.exec:\nnhtnh.exe42⤵
- Executes dropped EXE
PID:2896 -
\??\c:\tbhbtt.exec:\tbhbtt.exe43⤵
- Executes dropped EXE
PID:4364 -
\??\c:\dvddv.exec:\dvddv.exe44⤵
- Executes dropped EXE
PID:3380 -
\??\c:\7lflfrl.exec:\7lflfrl.exe45⤵
- Executes dropped EXE
PID:2724 -
\??\c:\nhhbtn.exec:\nhhbtn.exe46⤵
- Executes dropped EXE
PID:2964 -
\??\c:\rxlfrrl.exec:\rxlfrrl.exe47⤵
- Executes dropped EXE
PID:4384 -
\??\c:\nbhbnn.exec:\nbhbnn.exe48⤵
- Executes dropped EXE
PID:4780 -
\??\c:\3jjdv.exec:\3jjdv.exe49⤵
- Executes dropped EXE
PID:3688 -
\??\c:\1pjvj.exec:\1pjvj.exe50⤵
- Executes dropped EXE
PID:3024 -
\??\c:\xxxxrrr.exec:\xxxxrrr.exe51⤵
- Executes dropped EXE
PID:4644 -
\??\c:\5tnhbb.exec:\5tnhbb.exe52⤵
- Executes dropped EXE
PID:4604 -
\??\c:\bthnbb.exec:\bthnbb.exe53⤵
- Executes dropped EXE
PID:4312 -
\??\c:\vppjp.exec:\vppjp.exe54⤵
- Executes dropped EXE
PID:2836 -
\??\c:\lrlrfrf.exec:\lrlrfrf.exe55⤵
- Executes dropped EXE
PID:716 -
\??\c:\nhhhhh.exec:\nhhhhh.exe56⤵
- Executes dropped EXE
PID:4816 -
\??\c:\tthbbh.exec:\tthbbh.exe57⤵
- Executes dropped EXE
PID:2128 -
\??\c:\vjvpp.exec:\vjvpp.exe58⤵
- Executes dropped EXE
PID:3288 -
\??\c:\pdjvv.exec:\pdjvv.exe59⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lfrlxxl.exec:\lfrlxxl.exe60⤵
- Executes dropped EXE
PID:4216 -
\??\c:\dpjvp.exec:\dpjvp.exe61⤵
- Executes dropped EXE
PID:3532 -
\??\c:\fflxrrl.exec:\fflxrrl.exe62⤵
- Executes dropped EXE
PID:4340 -
\??\c:\3rrlflr.exec:\3rrlflr.exe63⤵
- Executes dropped EXE
PID:2932 -
\??\c:\nhnhhh.exec:\nhnhhh.exe64⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jdvvp.exec:\jdvvp.exe65⤵
- Executes dropped EXE
PID:4432 -
\??\c:\5llfffr.exec:\5llfffr.exe66⤵PID:2780
-
\??\c:\lxfxrll.exec:\lxfxrll.exe67⤵PID:664
-
\??\c:\dppdd.exec:\dppdd.exe68⤵PID:2432
-
\??\c:\vjjdp.exec:\vjjdp.exe69⤵PID:1780
-
\??\c:\9llrfxl.exec:\9llrfxl.exe70⤵PID:5108
-
\??\c:\hbbtnn.exec:\hbbtnn.exe71⤵PID:4204
-
\??\c:\jjppj.exec:\jjppj.exe72⤵PID:3364
-
\??\c:\fxxrllf.exec:\fxxrllf.exe73⤵PID:4772
-
\??\c:\lffxxxx.exec:\lffxxxx.exe74⤵PID:2760
-
\??\c:\nhhthb.exec:\nhhthb.exe75⤵PID:628
-
\??\c:\ddvvp.exec:\ddvvp.exe76⤵PID:4208
-
\??\c:\jjpjd.exec:\jjpjd.exe77⤵PID:1668
-
\??\c:\rflxfxr.exec:\rflxfxr.exe78⤵PID:2976
-
\??\c:\thbbnh.exec:\thbbnh.exe79⤵PID:3892
-
\??\c:\5pjvj.exec:\5pjvj.exe80⤵PID:448
-
\??\c:\rxfxllf.exec:\rxfxllf.exe81⤵PID:1584
-
\??\c:\xxxxllf.exec:\xxxxllf.exe82⤵PID:1772
-
\??\c:\tthhbt.exec:\tthhbt.exe83⤵PID:1776
-
\??\c:\1dvpd.exec:\1dvpd.exe84⤵
- System Location Discovery: System Language Discovery
PID:3000 -
\??\c:\lrrlrfx.exec:\lrrlrfx.exe85⤵PID:516
-
\??\c:\hnhtnh.exec:\hnhtnh.exe86⤵PID:4932
-
\??\c:\thnhbb.exec:\thnhbb.exe87⤵PID:1972
-
\??\c:\dpdvv.exec:\dpdvv.exe88⤵PID:1532
-
\??\c:\ddddv.exec:\ddddv.exe89⤵PID:3580
-
\??\c:\9fllflf.exec:\9fllflf.exe90⤵PID:412
-
\??\c:\tbnhbb.exec:\tbnhbb.exe91⤵PID:2628
-
\??\c:\vvjvp.exec:\vvjvp.exe92⤵PID:4004
-
\??\c:\jdpjj.exec:\jdpjj.exe93⤵PID:5044
-
\??\c:\frfrlll.exec:\frfrlll.exe94⤵PID:2824
-
\??\c:\fflfxxr.exec:\fflfxxr.exe95⤵PID:1800
-
\??\c:\ntnttt.exec:\ntnttt.exe96⤵PID:4704
-
\??\c:\pjdvj.exec:\pjdvj.exe97⤵PID:2372
-
\??\c:\1rlfrxr.exec:\1rlfrxr.exe98⤵PID:1420
-
\??\c:\9tnnhn.exec:\9tnnhn.exe99⤵PID:4860
-
\??\c:\ppvjj.exec:\ppvjj.exe100⤵PID:3852
-
\??\c:\ppvjv.exec:\ppvjv.exe101⤵PID:908
-
\??\c:\xlxlfxf.exec:\xlxlfxf.exe102⤵PID:3064
-
\??\c:\5htnnn.exec:\5htnnn.exe103⤵PID:216
-
\??\c:\vdvpv.exec:\vdvpv.exe104⤵PID:4484
-
\??\c:\rllxlfr.exec:\rllxlfr.exe105⤵PID:3800
-
\??\c:\7nthhb.exec:\7nthhb.exe106⤵PID:2832
-
\??\c:\nhbtnh.exec:\nhbtnh.exe107⤵PID:3092
-
\??\c:\pppjj.exec:\pppjj.exe108⤵PID:4456
-
\??\c:\7xrfrlx.exec:\7xrfrlx.exe109⤵PID:3656
-
\??\c:\5nhbnh.exec:\5nhbnh.exe110⤵PID:4968
-
\??\c:\djdvj.exec:\djdvj.exe111⤵PID:2208
-
\??\c:\1vvjd.exec:\1vvjd.exe112⤵PID:4272
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe113⤵PID:3036
-
\??\c:\ttbtnh.exec:\ttbtnh.exe114⤵PID:4264
-
\??\c:\5nbntn.exec:\5nbntn.exe115⤵PID:3004
-
\??\c:\vjvdd.exec:\vjvdd.exe116⤵PID:5088
-
\??\c:\xxfxxxr.exec:\xxfxxxr.exe117⤵PID:932
-
\??\c:\xllfxxf.exec:\xllfxxf.exe118⤵PID:3440
-
\??\c:\7bbtnh.exec:\7bbtnh.exe119⤵PID:1644
-
\??\c:\htbtbb.exec:\htbtbb.exe120⤵PID:4296
-
\??\c:\frrxrlx.exec:\frrxrlx.exe121⤵PID:4928
-
\??\c:\xlllffx.exec:\xlllffx.exe122⤵PID:2088