Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
08/01/2025, 07:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe
Resource
win7-20240903-en (note: the IoC tables below are tagged behavioral2 and reference the win10v2004-20241007-en image listed in the header; results for this win7 task are not reproduced on this page)
7 signatures
120 seconds
General
-
Target
e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe
-
Size
455KB
-
MD5
fe90074b77b4f211c2a73b2ffa0a0dd0
-
SHA1
50905d03c3d9199fb3881c84cb266987c05dd5eb
-
SHA256
e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637
-
SHA512
cb33d4c4226b93eb1abb048885393b3968a74ae3b01035ec669228b910a4819e716acb04ab4fac7a14c873b88c7c4ca379b84800e0ecad0fe3ccd4325f838f4f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTI:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3944-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/716-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2208-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-913-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-959-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-1080-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-1664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — every dropped binary is written to the root of c:\ under a short random-looking name and is launched by the previously dropped one (see the process tree and the WriteProcessMemory chain below); all of them map the same 0x400000–0x42A000 image range, which suggests each is a copy of the same payload.
pid Process 4828 vpdvv.exe 3820 vpvpd.exe 4336 hbttnn.exe 3592 tttttt.exe 2300 1ddvv.exe 1656 fxlrxxl.exe 2128 3bbhbb.exe 1460 fxfxfll.exe 5064 nhtntt.exe 4856 pddvv.exe 3404 jvvvp.exe 220 lxlfrrl.exe 1524 hbbnnt.exe 2584 vvjvp.exe 536 bnnhhh.exe 4780 5nbbnt.exe 3984 lrffxrr.exe 2216 tbbbtt.exe 2808 ppjvp.exe 652 1llfrrr.exe 404 bbbtnt.exe 1944 3xllxfl.exe 4552 thhbtn.exe 2104 ddjdd.exe 2960 xlxxrrr.exe 4572 htnhbt.exe 4292 vppjj.exe 4116 rrrllff.exe 4324 vpdvp.exe 3244 fxrlffr.exe 1788 vvjjd.exe 716 fffxrlf.exe 1200 vdppp.exe 3300 vpjjd.exe 1156 rlrlllr.exe 2632 9tnhbt.exe 4664 jvdvd.exe 4836 lflfxxx.exe 2708 lrxrlff.exe 4672 nbnhbt.exe 4508 pvpjd.exe 5076 ppvdv.exe 4156 9xfxrrl.exe 3112 bnhhth.exe 4984 djpjj.exe 3396 fffrxfl.exe 4648 5hhbnn.exe 2488 jjjjj.exe 4380 rxfxrrl.exe 232 3bhbbb.exe 4484 nntnhb.exe 640 jjjpj.exe 1036 xffxrrf.exe 756 hbbhbb.exe 2672 pjjdd.exe 3820 xrlflll.exe 2372 nnbbbb.exe 2888 pjjvp.exe 5024 lfxrrlr.exe 3344 hhtnbb.exe 372 vpppj.exe 2556 9jpdv.exe 3720 9rlfxrl.exe 3980 hbhbnn.exe -
resource yara_rule behavioral2/memory/3944-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-180-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/716-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-419-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2212-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-855-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-869-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-913-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbttn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3944 wrote to memory of 4828 3944 e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe 82 PID 3944 wrote to memory of 4828 3944 e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe 82 PID 3944 wrote to memory of 4828 3944 e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe 82 PID 4828 wrote to memory of 3820 4828 vpdvv.exe 83 PID 4828 wrote to memory of 3820 4828 vpdvv.exe 83 PID 4828 wrote to memory of 3820 4828 vpdvv.exe 83 PID 3820 wrote to memory of 4336 3820 vpvpd.exe 84 PID 3820 wrote to memory of 4336 3820 vpvpd.exe 84 PID 3820 wrote to memory of 4336 3820 vpvpd.exe 84 PID 4336 wrote to memory of 3592 4336 hbttnn.exe 85 PID 4336 wrote to memory of 3592 4336 hbttnn.exe 85 PID 4336 wrote to memory of 3592 4336 hbttnn.exe 85 PID 3592 wrote to memory of 2300 3592 tttttt.exe 86 PID 3592 wrote to memory of 2300 3592 tttttt.exe 86 PID 3592 wrote to memory of 2300 3592 tttttt.exe 86 PID 2300 wrote to memory of 1656 2300 1ddvv.exe 87 PID 2300 wrote to memory of 1656 2300 1ddvv.exe 87 PID 2300 wrote to memory of 1656 2300 1ddvv.exe 87 PID 1656 wrote to memory of 2128 1656 fxlrxxl.exe 88 PID 1656 wrote to memory of 2128 1656 fxlrxxl.exe 88 PID 1656 wrote to memory of 2128 1656 fxlrxxl.exe 88 PID 2128 wrote to memory of 1460 2128 3bbhbb.exe 89 PID 2128 wrote to memory of 1460 2128 3bbhbb.exe 89 PID 2128 wrote to memory of 1460 2128 3bbhbb.exe 89 PID 1460 wrote to memory of 5064 1460 fxfxfll.exe 90 PID 1460 wrote to memory of 5064 1460 fxfxfll.exe 90 PID 1460 wrote to memory of 5064 1460 fxfxfll.exe 90 PID 5064 wrote to memory of 4856 5064 nhtntt.exe 91 PID 5064 wrote to memory of 4856 5064 nhtntt.exe 91 PID 5064 wrote to memory of 4856 5064 nhtntt.exe 91 PID 4856 wrote to memory of 3404 4856 pddvv.exe 92 PID 4856 wrote to memory of 3404 4856 pddvv.exe 92 PID 4856 wrote to memory of 3404 4856 pddvv.exe 92 PID 3404 wrote to memory of 220 3404 jvvvp.exe 93 PID 3404 wrote to memory 
of 220 3404 jvvvp.exe 93 PID 3404 wrote to memory of 220 3404 jvvvp.exe 93 PID 220 wrote to memory of 1524 220 lxlfrrl.exe 94 PID 220 wrote to memory of 1524 220 lxlfrrl.exe 94 PID 220 wrote to memory of 1524 220 lxlfrrl.exe 94 PID 1524 wrote to memory of 2584 1524 hbbnnt.exe 95 PID 1524 wrote to memory of 2584 1524 hbbnnt.exe 95 PID 1524 wrote to memory of 2584 1524 hbbnnt.exe 95 PID 2584 wrote to memory of 536 2584 vvjvp.exe 96 PID 2584 wrote to memory of 536 2584 vvjvp.exe 96 PID 2584 wrote to memory of 536 2584 vvjvp.exe 96 PID 536 wrote to memory of 4780 536 bnnhhh.exe 97 PID 536 wrote to memory of 4780 536 bnnhhh.exe 97 PID 536 wrote to memory of 4780 536 bnnhhh.exe 97 PID 4780 wrote to memory of 3984 4780 5nbbnt.exe 98 PID 4780 wrote to memory of 3984 4780 5nbbnt.exe 98 PID 4780 wrote to memory of 3984 4780 5nbbnt.exe 98 PID 3984 wrote to memory of 2216 3984 lrffxrr.exe 99 PID 3984 wrote to memory of 2216 3984 lrffxrr.exe 99 PID 3984 wrote to memory of 2216 3984 lrffxrr.exe 99 PID 2216 wrote to memory of 2808 2216 tbbbtt.exe 100 PID 2216 wrote to memory of 2808 2216 tbbbtt.exe 100 PID 2216 wrote to memory of 2808 2216 tbbbtt.exe 100 PID 2808 wrote to memory of 652 2808 ppjvp.exe 101 PID 2808 wrote to memory of 652 2808 ppjvp.exe 101 PID 2808 wrote to memory of 652 2808 ppjvp.exe 101 PID 652 wrote to memory of 404 652 1llfrrr.exe 102 PID 652 wrote to memory of 404 652 1llfrrr.exe 102 PID 652 wrote to memory of 404 652 1llfrrr.exe 102 PID 404 wrote to memory of 1944 404 bbbtnt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe  "C:\Users\Admin\AppData\Local\Temp\e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe"  1⤵
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\vpdvv.exec:\vpdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\vpvpd.exec:\vpvpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\hbttnn.exec:\hbttnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\tttttt.exec:\tttttt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\1ddvv.exec:\1ddvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\fxlrxxl.exec:\fxlrxxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\3bbhbb.exec:\3bbhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\fxfxfll.exec:\fxfxfll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\nhtntt.exec:\nhtntt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\pddvv.exec:\pddvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\jvvvp.exec:\jvvvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\lxlfrrl.exec:\lxlfrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\hbbnnt.exec:\hbbnnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\vvjvp.exec:\vvjvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\bnnhhh.exec:\bnnhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\5nbbnt.exec:\5nbbnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\lrffxrr.exec:\lrffxrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\tbbbtt.exec:\tbbbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\ppjvp.exec:\ppjvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\1llfrrr.exec:\1llfrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\bbbtnt.exec:\bbbtnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\3xllxfl.exec:\3xllxfl.exe23⤵
- Executes dropped EXE
PID:1944 -
\??\c:\thhbtn.exec:\thhbtn.exe24⤵
- Executes dropped EXE
PID:4552 -
\??\c:\ddjdd.exec:\ddjdd.exe25⤵
- Executes dropped EXE
PID:2104 -
\??\c:\xlxxrrr.exec:\xlxxrrr.exe26⤵
- Executes dropped EXE
PID:2960 -
\??\c:\htnhbt.exec:\htnhbt.exe27⤵
- Executes dropped EXE
PID:4572 -
\??\c:\vppjj.exec:\vppjj.exe28⤵
- Executes dropped EXE
PID:4292 -
\??\c:\rrrllff.exec:\rrrllff.exe29⤵
- Executes dropped EXE
PID:4116 -
\??\c:\vpdvp.exec:\vpdvp.exe30⤵
- Executes dropped EXE
PID:4324 -
\??\c:\fxrlffr.exec:\fxrlffr.exe31⤵
- Executes dropped EXE
PID:3244 -
\??\c:\vvjjd.exec:\vvjjd.exe32⤵
- Executes dropped EXE
PID:1788 -
\??\c:\fffxrlf.exec:\fffxrlf.exe33⤵
- Executes dropped EXE
PID:716 -
\??\c:\vdppp.exec:\vdppp.exe34⤵
- Executes dropped EXE
PID:1200 -
\??\c:\vpjjd.exec:\vpjjd.exe35⤵
- Executes dropped EXE
PID:3300 -
\??\c:\rlrlllr.exec:\rlrlllr.exe36⤵
- Executes dropped EXE
PID:1156 -
\??\c:\9tnhbt.exec:\9tnhbt.exe37⤵
- Executes dropped EXE
PID:2632 -
\??\c:\jvdvd.exec:\jvdvd.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4664 -
\??\c:\lflfxxx.exec:\lflfxxx.exe39⤵
- Executes dropped EXE
PID:4836 -
\??\c:\lrxrlff.exec:\lrxrlff.exe40⤵
- Executes dropped EXE
PID:2708 -
\??\c:\nbnhbt.exec:\nbnhbt.exe41⤵
- Executes dropped EXE
PID:4672 -
\??\c:\pvpjd.exec:\pvpjd.exe42⤵
- Executes dropped EXE
PID:4508 -
\??\c:\ppvdv.exec:\ppvdv.exe43⤵
- Executes dropped EXE
PID:5076 -
\??\c:\9xfxrrl.exec:\9xfxrrl.exe44⤵
- Executes dropped EXE
PID:4156 -
\??\c:\bnhhth.exec:\bnhhth.exe45⤵
- Executes dropped EXE
PID:3112 -
\??\c:\djpjj.exec:\djpjj.exe46⤵
- Executes dropped EXE
PID:4984 -
\??\c:\fffrxfl.exec:\fffrxfl.exe47⤵
- Executes dropped EXE
PID:3396 -
\??\c:\5hhbnn.exec:\5hhbnn.exe48⤵
- Executes dropped EXE
PID:4648 -
\??\c:\jjjjj.exec:\jjjjj.exe49⤵
- Executes dropped EXE
PID:2488 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe50⤵
- Executes dropped EXE
PID:4380 -
\??\c:\3bhbbb.exec:\3bhbbb.exe51⤵
- Executes dropped EXE
PID:232 -
\??\c:\nntnhb.exec:\nntnhb.exe52⤵
- Executes dropped EXE
PID:4484 -
\??\c:\jjjpj.exec:\jjjpj.exe53⤵
- Executes dropped EXE
PID:640 -
\??\c:\xffxrrf.exec:\xffxrrf.exe54⤵
- Executes dropped EXE
PID:1036 -
\??\c:\hbbhbb.exec:\hbbhbb.exe55⤵
- Executes dropped EXE
PID:756 -
\??\c:\pjjdd.exec:\pjjdd.exe56⤵
- Executes dropped EXE
PID:2672 -
\??\c:\xrlflll.exec:\xrlflll.exe57⤵
- Executes dropped EXE
PID:3820 -
\??\c:\nnbbbb.exec:\nnbbbb.exe58⤵
- Executes dropped EXE
PID:2372 -
\??\c:\pjjvp.exec:\pjjvp.exe59⤵
- Executes dropped EXE
PID:2888 -
\??\c:\lfxrrlr.exec:\lfxrrlr.exe60⤵
- Executes dropped EXE
PID:5024 -
\??\c:\hhtnbb.exec:\hhtnbb.exe61⤵
- Executes dropped EXE
PID:3344 -
\??\c:\vpppj.exec:\vpppj.exe62⤵
- Executes dropped EXE
PID:372 -
\??\c:\9jpdv.exec:\9jpdv.exe63⤵
- Executes dropped EXE
PID:2556 -
\??\c:\9rlfxrl.exec:\9rlfxrl.exe64⤵
- Executes dropped EXE
PID:3720 -
\??\c:\hbhbnn.exec:\hbhbnn.exe65⤵
- Executes dropped EXE
PID:3980 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe66⤵PID:2288
-
\??\c:\hntnhb.exec:\hntnhb.exe67⤵PID:4712
-
\??\c:\jddvv.exec:\jddvv.exe68⤵PID:5004
-
\??\c:\7jpjd.exec:\7jpjd.exe69⤵PID:3108
-
\??\c:\fllfxxl.exec:\fllfxxl.exe70⤵PID:3488
-
\??\c:\ttnbtn.exec:\ttnbtn.exe71⤵PID:3264
-
\??\c:\nhbtbb.exec:\nhbtbb.exe72⤵PID:3640
-
\??\c:\jddvj.exec:\jddvj.exe73⤵PID:4568
-
\??\c:\rllfrlf.exec:\rllfrlf.exe74⤵PID:3100
-
\??\c:\1hbbtt.exec:\1hbbtt.exe75⤵PID:4864
-
\??\c:\htbbth.exec:\htbbth.exe76⤵PID:2124
-
\??\c:\dvpjj.exec:\dvpjj.exe77⤵PID:4452
-
\??\c:\xfrlfxx.exec:\xfrlfxx.exe78⤵PID:412
-
\??\c:\fxfrrrl.exec:\fxfrrrl.exe79⤵PID:4140
-
\??\c:\hhnhbh.exec:\hhnhbh.exe80⤵PID:4656
-
\??\c:\jjjdv.exec:\jjjdv.exe81⤵PID:4852
-
\??\c:\xrxfxrr.exec:\xrxfxrr.exe82⤵
- System Location Discovery: System Language Discovery
PID:2620 -
\??\c:\hhnhhh.exec:\hhnhhh.exe83⤵PID:1696
-
\??\c:\djpjd.exec:\djpjd.exe84⤵PID:404
-
\??\c:\dvpvj.exec:\dvpvj.exe85⤵PID:3680
-
\??\c:\fllfrrf.exec:\fllfrrf.exe86⤵PID:4076
-
\??\c:\nhbbbb.exec:\nhbbbb.exe87⤵PID:1584
-
\??\c:\pjdvp.exec:\pjdvp.exe88⤵PID:3032
-
\??\c:\3rrlxxr.exec:\3rrlxxr.exe89⤵PID:4540
-
\??\c:\nnnhbb.exec:\nnnhbb.exe90⤵PID:4012
-
\??\c:\hbhbtn.exec:\hbhbtn.exe91⤵PID:2208
-
\??\c:\jdjdv.exec:\jdjdv.exe92⤵PID:4876
-
\??\c:\1rlfrrl.exec:\1rlfrrl.exe93⤵PID:4112
-
\??\c:\nbhbtn.exec:\nbhbtn.exe94⤵PID:4056
-
\??\c:\dpvpj.exec:\dpvpj.exe95⤵PID:4960
-
\??\c:\3dddd.exec:\3dddd.exe96⤵PID:2580
-
\??\c:\rflfxfx.exec:\rflfxfx.exe97⤵PID:380
-
\??\c:\5tbtbt.exec:\5tbtbt.exe98⤵PID:1788
-
\??\c:\vjppj.exec:\vjppj.exe99⤵PID:2740
-
\??\c:\lllfxrl.exec:\lllfxrl.exe100⤵PID:3580
-
\??\c:\1lrxllf.exec:\1lrxllf.exe101⤵PID:2304
-
\??\c:\nthhtn.exec:\nthhtn.exe102⤵PID:2160
-
\??\c:\jpvpj.exec:\jpvpj.exe103⤵PID:1916
-
\??\c:\lrlxrxx.exec:\lrlxrxx.exe104⤵PID:2412
-
\??\c:\nbnnbt.exec:\nbnnbt.exe105⤵PID:2316
-
\??\c:\vvvpj.exec:\vvvpj.exe106⤵PID:3952
-
\??\c:\rxffxxx.exec:\rxffxxx.exe107⤵PID:3324
-
\??\c:\btbtnh.exec:\btbtnh.exe108⤵PID:3684
-
\??\c:\bhnntn.exec:\bhnntn.exe109⤵PID:4508
-
\??\c:\dpvpj.exec:\dpvpj.exe110⤵PID:5076
-
\??\c:\1xxxrxx.exec:\1xxxrxx.exe111⤵PID:2212
-
\??\c:\rrxrlfx.exec:\rrxrlfx.exe112⤵PID:3964
-
\??\c:\hbnhnh.exec:\hbnhnh.exe113⤵PID:4028
-
\??\c:\ppdpj.exec:\ppdpj.exe114⤵PID:4976
-
\??\c:\1frfllr.exec:\1frfllr.exe115⤵PID:2872
-
\??\c:\rffxrlf.exec:\rffxrlf.exe116⤵PID:4264
-
\??\c:\hhnnhh.exec:\hhnnhh.exe117⤵PID:4460
-
\??\c:\jvjdv.exec:\jvjdv.exe118⤵PID:232
-
\??\c:\vdpjd.exec:\vdpjd.exe119⤵PID:3944
-
\??\c:\5rrlxfx.exec:\5rrlxfx.exe120⤵PID:4416
-
\??\c:\hthbbb.exec:\hthbbb.exe121⤵PID:4828
-
\??\c:\dvjdj.exec:\dvjdj.exe122⤵PID:4768