Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 22:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3e73a344287bd4e222c28ffe24403dc01aef2ceb994bb048710df4b936b838df.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
3e73a344287bd4e222c28ffe24403dc01aef2ceb994bb048710df4b936b838df.exe
-
Size
454KB
-
MD5
4f9604edcba62cd104f1018cb1a57fa3
-
SHA1
76b66710f7db57f7a14cf605af1a9de1f1f70bed
-
SHA256
3e73a344287bd4e222c28ffe24403dc01aef2ceb994bb048710df4b936b838df
-
SHA512
133c83df26636e6a6fe38897ff1d3b0c3d5ffc31bcb27598e9447df252cf7dc1a50398fcec7afe73a2aa5faac148a81bfb98ec5ed8244a1b8f973f0cb5b8db9a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3164-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4148-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3396-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-845-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-883-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-1122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-1279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-1508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4808-1539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4504 jppdp.exe 3252 nhthhb.exe 524 pjpdj.exe 2732 80226.exe 2272 600448.exe 2448 7vpdp.exe 1060 vjpdp.exe 4544 84280.exe 1372 a8088.exe 4580 ntbnhb.exe 2032 vdjdp.exe 2908 4882480.exe 4896 60600.exe 3880 862604.exe 3576 dvdvd.exe 3000 rrfrxlf.exe 552 602800.exe 3572 5hthbb.exe 3052 rffrlfx.exe 1908 0660408.exe 1076 dvpdv.exe 1972 82864.exe 1408 028882.exe 1412 866082.exe 3476 u626044.exe 2420 xxrlffx.exe 5100 04666.exe 5092 4888226.exe 4100 9pppp.exe 720 2068882.exe 184 0088822.exe 1864 9lfxllf.exe 3636 dvvdv.exe 4828 088266.exe 3160 5vdpp.exe 3744 vjpjd.exe 2620 nttnbh.exe 1044 82488.exe 692 xllfxxr.exe 5116 86062.exe 2400 422828.exe 1056 04442.exe 364 9ntnnn.exe 4288 bnnhbb.exe 3144 i248006.exe 2384 dppjv.exe 1900 60082.exe 392 bhnbtt.exe 1904 xlrllfx.exe 4444 9bbhbn.exe 316 80260.exe 3016 pdvpj.exe 1520 6248260.exe 1232 m6828.exe 4148 htttnh.exe 3340 bhthbb.exe 4152 646600.exe 396 04644.exe 3300 rxfxrrl.exe 2448 808448.exe 1000 rfffxxx.exe 3396 vvppp.exe 1300 4804888.exe 2440 vdjdp.exe -
resource yara_rule behavioral2/memory/3164-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-271-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4444-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3076-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-845-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-864-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-883-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-1122-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u688884.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2246042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
68448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8026608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8460444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3164 wrote to memory of 4504 3164 3e73a344287bd4e222c28ffe24403dc01aef2ceb994bb048710df4b936b838df.exe 82 PID 3164 wrote to memory of 4504 3164 3e73a344287bd4e222c28ffe24403dc01aef2ceb994bb048710df4b936b838df.exe 82 PID 3164 wrote to memory of 4504 3164 3e73a344287bd4e222c28ffe24403dc01aef2ceb994bb048710df4b936b838df.exe 82 PID 4504 wrote to memory of 3252 4504 jppdp.exe 83 PID 4504 wrote to memory of 3252 4504 jppdp.exe 83 PID 4504 wrote to memory of 3252 4504 jppdp.exe 83 PID 3252 wrote to memory of 524 3252 nhthhb.exe 84 PID 3252 wrote to memory of 524 3252 nhthhb.exe 84 PID 3252 wrote to memory of 524 3252 nhthhb.exe 84 PID 524 wrote to memory of 2732 524 pjpdj.exe 85 PID 524 wrote to memory of 2732 524 pjpdj.exe 85 PID 524 wrote to memory of 2732 524 pjpdj.exe 85 PID 2732 wrote to memory of 2272 2732 80226.exe 86 PID 2732 wrote to memory of 2272 2732 80226.exe 86 PID 2732 wrote to memory of 2272 2732 80226.exe 86 PID 2272 wrote to memory of 2448 2272 600448.exe 87 PID 2272 wrote to memory of 2448 2272 600448.exe 87 PID 2272 wrote to memory of 2448 2272 600448.exe 87 PID 2448 wrote to memory of 1060 2448 7vpdp.exe 88 PID 2448 wrote to memory of 1060 2448 7vpdp.exe 88 PID 2448 wrote to memory of 1060 2448 7vpdp.exe 88 PID 1060 wrote to memory of 4544 1060 vjpdp.exe 89 PID 1060 wrote to memory of 4544 1060 vjpdp.exe 89 PID 1060 wrote to memory of 4544 1060 vjpdp.exe 89 PID 4544 wrote to memory of 1372 4544 84280.exe 90 PID 4544 wrote to memory of 1372 4544 84280.exe 90 PID 4544 wrote to memory of 1372 4544 84280.exe 90 PID 1372 wrote to memory of 4580 1372 a8088.exe 91 PID 1372 wrote to memory of 4580 1372 a8088.exe 91 PID 1372 wrote to memory of 4580 1372 a8088.exe 91 PID 4580 wrote to memory of 2032 4580 ntbnhb.exe 92 PID 4580 wrote to memory of 2032 4580 ntbnhb.exe 92 PID 4580 wrote to memory of 2032 4580 ntbnhb.exe 92 PID 2032 wrote to memory of 2908 2032 vdjdp.exe 93 PID 2032 wrote to memory of 2908 2032 vdjdp.exe 93 
PID 2032 wrote to memory of 2908 2032 vdjdp.exe 93 PID 2908 wrote to memory of 4896 2908 4882480.exe 94 PID 2908 wrote to memory of 4896 2908 4882480.exe 94 PID 2908 wrote to memory of 4896 2908 4882480.exe 94 PID 4896 wrote to memory of 3880 4896 60600.exe 95 PID 4896 wrote to memory of 3880 4896 60600.exe 95 PID 4896 wrote to memory of 3880 4896 60600.exe 95 PID 3880 wrote to memory of 3576 3880 862604.exe 96 PID 3880 wrote to memory of 3576 3880 862604.exe 96 PID 3880 wrote to memory of 3576 3880 862604.exe 96 PID 3576 wrote to memory of 3000 3576 dvdvd.exe 97 PID 3576 wrote to memory of 3000 3576 dvdvd.exe 97 PID 3576 wrote to memory of 3000 3576 dvdvd.exe 97 PID 3000 wrote to memory of 552 3000 rrfrxlf.exe 98 PID 3000 wrote to memory of 552 3000 rrfrxlf.exe 98 PID 3000 wrote to memory of 552 3000 rrfrxlf.exe 98 PID 552 wrote to memory of 3572 552 602800.exe 99 PID 552 wrote to memory of 3572 552 602800.exe 99 PID 552 wrote to memory of 3572 552 602800.exe 99 PID 3572 wrote to memory of 3052 3572 5hthbb.exe 100 PID 3572 wrote to memory of 3052 3572 5hthbb.exe 100 PID 3572 wrote to memory of 3052 3572 5hthbb.exe 100 PID 3052 wrote to memory of 1908 3052 rffrlfx.exe 101 PID 3052 wrote to memory of 1908 3052 rffrlfx.exe 101 PID 3052 wrote to memory of 1908 3052 rffrlfx.exe 101 PID 1908 wrote to memory of 1076 1908 0660408.exe 102 PID 1908 wrote to memory of 1076 1908 0660408.exe 102 PID 1908 wrote to memory of 1076 1908 0660408.exe 102 PID 1076 wrote to memory of 1972 1076 dvpdv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e73a344287bd4e222c28ffe24403dc01aef2ceb994bb048710df4b936b838df.exe"C:\Users\Admin\AppData\Local\Temp\3e73a344287bd4e222c28ffe24403dc01aef2ceb994bb048710df4b936b838df.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\jppdp.exec:\jppdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\nhthhb.exec:\nhthhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\pjpdj.exec:\pjpdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
\??\c:\80226.exec:\80226.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\600448.exec:\600448.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\7vpdp.exec:\7vpdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\vjpdp.exec:\vjpdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\84280.exec:\84280.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\a8088.exec:\a8088.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\ntbnhb.exec:\ntbnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\vdjdp.exec:\vdjdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\4882480.exec:\4882480.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\60600.exec:\60600.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\862604.exec:\862604.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\dvdvd.exec:\dvdvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\rrfrxlf.exec:\rrfrxlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\602800.exec:\602800.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\5hthbb.exec:\5hthbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\rffrlfx.exec:\rffrlfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\0660408.exec:\0660408.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\dvpdv.exec:\dvpdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\82864.exec:\82864.exe23⤵
- Executes dropped EXE
PID:1972 -
\??\c:\028882.exec:\028882.exe24⤵
- Executes dropped EXE
PID:1408 -
\??\c:\866082.exec:\866082.exe25⤵
- Executes dropped EXE
PID:1412 -
\??\c:\u626044.exec:\u626044.exe26⤵
- Executes dropped EXE
PID:3476 -
\??\c:\xxrlffx.exec:\xxrlffx.exe27⤵
- Executes dropped EXE
PID:2420 -
\??\c:\04666.exec:\04666.exe28⤵
- Executes dropped EXE
PID:5100 -
\??\c:\4888226.exec:\4888226.exe29⤵
- Executes dropped EXE
PID:5092 -
\??\c:\9pppp.exec:\9pppp.exe30⤵
- Executes dropped EXE
PID:4100 -
\??\c:\2068882.exec:\2068882.exe31⤵
- Executes dropped EXE
PID:720 -
\??\c:\0088822.exec:\0088822.exe32⤵
- Executes dropped EXE
PID:184 -
\??\c:\9lfxllf.exec:\9lfxllf.exe33⤵
- Executes dropped EXE
PID:1864 -
\??\c:\dvvdv.exec:\dvvdv.exe34⤵
- Executes dropped EXE
PID:3636 -
\??\c:\088266.exec:\088266.exe35⤵
- Executes dropped EXE
PID:4828 -
\??\c:\5vdpp.exec:\5vdpp.exe36⤵
- Executes dropped EXE
PID:3160 -
\??\c:\vjpjd.exec:\vjpjd.exe37⤵
- Executes dropped EXE
PID:3744 -
\??\c:\nttnbh.exec:\nttnbh.exe38⤵
- Executes dropped EXE
PID:2620 -
\??\c:\82488.exec:\82488.exe39⤵
- Executes dropped EXE
PID:1044 -
\??\c:\xllfxxr.exec:\xllfxxr.exe40⤵
- Executes dropped EXE
PID:692 -
\??\c:\86062.exec:\86062.exe41⤵
- Executes dropped EXE
PID:5116 -
\??\c:\422828.exec:\422828.exe42⤵
- Executes dropped EXE
PID:2400 -
\??\c:\04442.exec:\04442.exe43⤵
- Executes dropped EXE
PID:1056 -
\??\c:\9ntnnn.exec:\9ntnnn.exe44⤵
- Executes dropped EXE
PID:364 -
\??\c:\bnnhbb.exec:\bnnhbb.exe45⤵
- Executes dropped EXE
PID:4288 -
\??\c:\i248006.exec:\i248006.exe46⤵
- Executes dropped EXE
PID:3144 -
\??\c:\dppjv.exec:\dppjv.exe47⤵
- Executes dropped EXE
PID:2384 -
\??\c:\60082.exec:\60082.exe48⤵
- Executes dropped EXE
PID:1900 -
\??\c:\bhnbtt.exec:\bhnbtt.exe49⤵
- Executes dropped EXE
PID:392 -
\??\c:\xlrllfx.exec:\xlrllfx.exe50⤵
- Executes dropped EXE
PID:1904 -
\??\c:\9bbhbn.exec:\9bbhbn.exe51⤵
- Executes dropped EXE
PID:4444 -
\??\c:\80260.exec:\80260.exe52⤵
- Executes dropped EXE
PID:316 -
\??\c:\pdvpj.exec:\pdvpj.exe53⤵
- Executes dropped EXE
PID:3016 -
\??\c:\6248260.exec:\6248260.exe54⤵
- Executes dropped EXE
PID:1520 -
\??\c:\m6828.exec:\m6828.exe55⤵
- Executes dropped EXE
PID:1232 -
\??\c:\htttnh.exec:\htttnh.exe56⤵
- Executes dropped EXE
PID:4148 -
\??\c:\bhthbb.exec:\bhthbb.exe57⤵
- Executes dropped EXE
PID:3340 -
\??\c:\646600.exec:\646600.exe58⤵
- Executes dropped EXE
PID:4152 -
\??\c:\04644.exec:\04644.exe59⤵
- Executes dropped EXE
PID:396 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe60⤵
- Executes dropped EXE
PID:3300 -
\??\c:\808448.exec:\808448.exe61⤵
- Executes dropped EXE
PID:2448 -
\??\c:\rfffxxx.exec:\rfffxxx.exe62⤵
- Executes dropped EXE
PID:1000 -
\??\c:\vvppp.exec:\vvppp.exe63⤵
- Executes dropped EXE
PID:3396 -
\??\c:\4804888.exec:\4804888.exe64⤵
- Executes dropped EXE
PID:1300 -
\??\c:\vdjdp.exec:\vdjdp.exe65⤵
- Executes dropped EXE
PID:2440 -
\??\c:\060626.exec:\060626.exe66⤵PID:2888
-
\??\c:\m6208.exec:\m6208.exe67⤵
- System Location Discovery: System Language Discovery
PID:3232 -
\??\c:\jpvvd.exec:\jpvvd.exe68⤵PID:3824
-
\??\c:\nnbtbh.exec:\nnbtbh.exe69⤵PID:1780
-
\??\c:\440404.exec:\440404.exe70⤵PID:2160
-
\??\c:\e22266.exec:\e22266.exe71⤵PID:4672
-
\??\c:\k44822.exec:\k44822.exe72⤵PID:2476
-
\??\c:\bttthn.exec:\bttthn.exe73⤵PID:4072
-
\??\c:\42868.exec:\42868.exe74⤵PID:3724
-
\??\c:\btbbbh.exec:\btbbbh.exe75⤵PID:660
-
\??\c:\vvjdv.exec:\vvjdv.exe76⤵PID:3784
-
\??\c:\5bbtbh.exec:\5bbtbh.exe77⤵PID:216
-
\??\c:\fxfllfr.exec:\fxfllfr.exe78⤵PID:528
-
\??\c:\e22488.exec:\e22488.exe79⤵PID:3076
-
\??\c:\rrlfrrr.exec:\rrlfrrr.exe80⤵PID:4652
-
\??\c:\6022008.exec:\6022008.exe81⤵PID:1596
-
\??\c:\fffxxfl.exec:\fffxxfl.exe82⤵PID:4340
-
\??\c:\7hhbtt.exec:\7hhbtt.exe83⤵PID:1988
-
\??\c:\1jpjp.exec:\1jpjp.exe84⤵PID:4648
-
\??\c:\dpvvv.exec:\dpvvv.exe85⤵PID:2848
-
\??\c:\7dvvp.exec:\7dvvp.exe86⤵PID:4404
-
\??\c:\606448.exec:\606448.exe87⤵PID:1364
-
\??\c:\bhthbb.exec:\bhthbb.exe88⤵PID:2324
-
\??\c:\6008282.exec:\6008282.exe89⤵PID:4108
-
\??\c:\w22262.exec:\w22262.exe90⤵PID:1864
-
\??\c:\i208480.exec:\i208480.exe91⤵PID:4604
-
\??\c:\frrlllf.exec:\frrlllf.exe92⤵PID:2288
-
\??\c:\066600.exec:\066600.exe93⤵PID:4992
-
\??\c:\a4488.exec:\a4488.exe94⤵PID:2120
-
\??\c:\1bnbbb.exec:\1bnbbb.exe95⤵PID:3192
-
\??\c:\64466.exec:\64466.exe96⤵PID:2556
-
\??\c:\7vppj.exec:\7vppj.exe97⤵PID:2444
-
\??\c:\088648.exec:\088648.exe98⤵PID:3024
-
\??\c:\a4824.exec:\a4824.exe99⤵PID:2016
-
\??\c:\nbnbbb.exec:\nbnbbb.exe100⤵PID:4560
-
\??\c:\pvdjv.exec:\pvdjv.exe101⤵PID:4920
-
\??\c:\k68462.exec:\k68462.exe102⤵PID:4440
-
\??\c:\846460.exec:\846460.exe103⤵PID:1144
-
\??\c:\82888.exec:\82888.exe104⤵PID:4756
-
\??\c:\8844826.exec:\8844826.exe105⤵PID:2940
-
\??\c:\u688884.exec:\u688884.exe106⤵
- System Location Discovery: System Language Discovery
PID:1292 -
\??\c:\400422.exec:\400422.exe107⤵PID:1904
-
\??\c:\046004.exec:\046004.exe108⤵PID:4740
-
\??\c:\pvjjj.exec:\pvjjj.exe109⤵PID:4004
-
\??\c:\lfxflfr.exec:\lfxflfr.exe110⤵PID:3016
-
\??\c:\42264.exec:\42264.exe111⤵PID:3760
-
\??\c:\8020048.exec:\8020048.exe112⤵PID:4504
-
\??\c:\84640.exec:\84640.exe113⤵PID:460
-
\??\c:\a0662.exec:\a0662.exe114⤵PID:3520
-
\??\c:\220644.exec:\220644.exe115⤵PID:4956
-
\??\c:\3ddvp.exec:\3ddvp.exe116⤵PID:2968
-
\??\c:\46608.exec:\46608.exe117⤵PID:3532
-
\??\c:\240826.exec:\240826.exe118⤵PID:3672
-
\??\c:\rflffxr.exec:\rflffxr.exe119⤵PID:1280
-
\??\c:\tnhtht.exec:\tnhtht.exe120⤵PID:4084
-
\??\c:\1ddjp.exec:\1ddjp.exe121⤵PID:3580
-
\??\c:\nntnbb.exec:\nntnbb.exe122⤵PID:4460