Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
28/03/2025, 20:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe
-
Size
456KB
-
MD5
b8b06189ddbb0454b6b3fd2c8261bd22
-
SHA1
a011dc28a25e5eef6deb7470f087a9a6f63d158b
-
SHA256
52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb
-
SHA512
e25cd2652e59b314e54b4920690f697dcec1f66eee3cb7eddeb3934577f6b9afe94ac2f54d16dcce91727f56ef7753bb8106d0d91ba09ae8e62cf44372de4d4b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeSi:q7Tc2NYHUrAwfMp3CDSi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/4624-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1532-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/944-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-1285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-1830-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4624 frfrfrf.exe 3816 044204.exe 3492 0882284.exe 748 vpjdj.exe 4648 thhthh.exe 3796 2020480.exe 2124 e02604.exe 1280 nbtnnb.exe 4296 xrxrxxx.exe 3856 60420.exe 344 4286646.exe 3832 pvpdp.exe 2100 bhhthh.exe 1488 4208608.exe 4100 66864.exe 3404 428226.exe 1344 280682.exe 1648 3pjdv.exe 3052 402082.exe 4000 884264.exe 1716 vpjvj.exe 2012 468826.exe 4520 48264.exe 2588 86642.exe 3960 nhhthh.exe 4532 vpdjj.exe 1028 1ffxllx.exe 1532 e24820.exe 3636 jdpdp.exe 2320 jvdpv.exe 2300 hnbtnh.exe 2896 pddpp.exe 4352 3flrrrr.exe 5000 04600.exe 2060 6022260.exe 2900 9llfxrf.exe 3028 xlfrllx.exe 2172 2864826.exe 2384 rlfrfrf.exe 2940 thnbth.exe 3516 rxrfrlf.exe 4416 4226442.exe 392 ddjpj.exe 2072 868248.exe 4432 pjdpj.exe 1980 1jdpd.exe 2456 2022882.exe 1872 668826.exe 2920 88486.exe 4776 htnhtt.exe 2152 e84286.exe 2640 28226.exe 2100 nhbtnh.exe 452 vdjvj.exe 2836 nbhbbt.exe 4192 xlxlrlr.exe 2804 1rfxlfr.exe 5092 3rfxxll.exe 4256 ntthtn.exe 2324 0006060.exe 2012 hhhthb.exe 4584 844026.exe 944 flrfxrl.exe 1664 08402.exe -
resource yara_rule behavioral2/memory/4624-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1532-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-309-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1500-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-507-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0626004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2848608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06860.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e46482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c620482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2020480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q04826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5000 wrote to memory of 4624 5000 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 87 PID 5000 wrote to memory of 4624 5000 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 87 PID 5000 wrote to memory of 4624 5000 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 87 PID 4624 wrote to memory of 3816 4624 frfrfrf.exe 88 PID 4624 wrote to memory of 3816 4624 frfrfrf.exe 88 PID 4624 wrote to memory of 3816 4624 frfrfrf.exe 88 PID 3816 wrote to memory of 3492 3816 044204.exe 89 PID 3816 wrote to memory of 3492 3816 044204.exe 89 PID 3816 wrote to memory of 3492 3816 044204.exe 89 PID 3492 wrote to memory of 748 3492 0882284.exe 90 PID 3492 wrote to memory of 748 3492 0882284.exe 90 PID 3492 wrote to memory of 748 3492 0882284.exe 90 PID 748 wrote to memory of 4648 748 vpjdj.exe 92 PID 748 wrote to memory of 4648 748 vpjdj.exe 92 PID 748 wrote to memory of 4648 748 vpjdj.exe 92 PID 4648 wrote to memory of 3796 4648 thhthh.exe 93 PID 4648 wrote to memory of 3796 4648 thhthh.exe 93 PID 4648 wrote to memory of 3796 4648 thhthh.exe 93 PID 3796 wrote to memory of 2124 3796 2020480.exe 95 PID 3796 wrote to memory of 2124 3796 2020480.exe 95 PID 3796 wrote to memory of 2124 3796 2020480.exe 95 PID 2124 wrote to memory of 1280 2124 e02604.exe 96 PID 2124 wrote to memory of 1280 2124 e02604.exe 96 PID 2124 wrote to memory of 1280 2124 e02604.exe 96 PID 1280 wrote to memory of 4296 1280 nbtnnb.exe 98 PID 1280 wrote to memory of 4296 1280 nbtnnb.exe 98 PID 1280 wrote to memory of 4296 1280 nbtnnb.exe 98 PID 4296 wrote to memory of 3856 4296 xrxrxxx.exe 99 PID 4296 wrote to memory of 3856 4296 xrxrxxx.exe 99 PID 4296 wrote to memory of 3856 4296 xrxrxxx.exe 99 PID 3856 wrote to memory of 344 3856 60420.exe 100 PID 3856 wrote to memory of 344 3856 60420.exe 100 PID 3856 wrote to memory of 344 3856 60420.exe 100 PID 344 wrote to memory of 3832 344 4286646.exe 101 PID 344 wrote to 
memory of 3832 344 4286646.exe 101 PID 344 wrote to memory of 3832 344 4286646.exe 101 PID 3832 wrote to memory of 2100 3832 pvpdp.exe 102 PID 3832 wrote to memory of 2100 3832 pvpdp.exe 102 PID 3832 wrote to memory of 2100 3832 pvpdp.exe 102 PID 2100 wrote to memory of 1488 2100 bhhthh.exe 103 PID 2100 wrote to memory of 1488 2100 bhhthh.exe 103 PID 2100 wrote to memory of 1488 2100 bhhthh.exe 103 PID 1488 wrote to memory of 4100 1488 4208608.exe 104 PID 1488 wrote to memory of 4100 1488 4208608.exe 104 PID 1488 wrote to memory of 4100 1488 4208608.exe 104 PID 4100 wrote to memory of 3404 4100 66864.exe 105 PID 4100 wrote to memory of 3404 4100 66864.exe 105 PID 4100 wrote to memory of 3404 4100 66864.exe 105 PID 3404 wrote to memory of 1344 3404 428226.exe 106 PID 3404 wrote to memory of 1344 3404 428226.exe 106 PID 3404 wrote to memory of 1344 3404 428226.exe 106 PID 1344 wrote to memory of 1648 1344 280682.exe 107 PID 1344 wrote to memory of 1648 1344 280682.exe 107 PID 1344 wrote to memory of 1648 1344 280682.exe 107 PID 1648 wrote to memory of 3052 1648 3pjdv.exe 108 PID 1648 wrote to memory of 3052 1648 3pjdv.exe 108 PID 1648 wrote to memory of 3052 1648 3pjdv.exe 108 PID 3052 wrote to memory of 4000 3052 402082.exe 109 PID 3052 wrote to memory of 4000 3052 402082.exe 109 PID 3052 wrote to memory of 4000 3052 402082.exe 109 PID 4000 wrote to memory of 1716 4000 884264.exe 110 PID 4000 wrote to memory of 1716 4000 884264.exe 110 PID 4000 wrote to memory of 1716 4000 884264.exe 110 PID 1716 wrote to memory of 2012 1716 vpjvj.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe"C:\Users\Admin\AppData\Local\Temp\52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\frfrfrf.exec:\frfrfrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\044204.exec:\044204.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\0882284.exec:\0882284.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\vpjdj.exec:\vpjdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\thhthh.exec:\thhthh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\2020480.exec:\2020480.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3796 -
\??\c:\e02604.exec:\e02604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\nbtnnb.exec:\nbtnnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\xrxrxxx.exec:\xrxrxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\60420.exec:\60420.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\4286646.exec:\4286646.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:344 -
\??\c:\pvpdp.exec:\pvpdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\bhhthh.exec:\bhhthh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\4208608.exec:\4208608.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\66864.exec:\66864.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\428226.exec:\428226.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\280682.exec:\280682.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\3pjdv.exec:\3pjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\402082.exec:\402082.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\884264.exec:\884264.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\vpjvj.exec:\vpjvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\468826.exec:\468826.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2012 -
\??\c:\48264.exec:\48264.exe24⤵
- Executes dropped EXE
PID:4520 -
\??\c:\86642.exec:\86642.exe25⤵
- Executes dropped EXE
PID:2588 -
\??\c:\nhhthh.exec:\nhhthh.exe26⤵
- Executes dropped EXE
PID:3960 -
\??\c:\vpdjj.exec:\vpdjj.exe27⤵
- Executes dropped EXE
PID:4532 -
\??\c:\1ffxllx.exec:\1ffxllx.exe28⤵
- Executes dropped EXE
PID:1028 -
\??\c:\e24820.exec:\e24820.exe29⤵
- Executes dropped EXE
PID:1532 -
\??\c:\jdpdp.exec:\jdpdp.exe30⤵
- Executes dropped EXE
PID:3636 -
\??\c:\jvdpv.exec:\jvdpv.exe31⤵
- Executes dropped EXE
PID:2320 -
\??\c:\hnbtnh.exec:\hnbtnh.exe32⤵
- Executes dropped EXE
PID:2300 -
\??\c:\pddpp.exec:\pddpp.exe33⤵
- Executes dropped EXE
PID:2896 -
\??\c:\3flrrrr.exec:\3flrrrr.exe34⤵
- Executes dropped EXE
PID:4352 -
\??\c:\04600.exec:\04600.exe35⤵
- Executes dropped EXE
PID:5000 -
\??\c:\6022260.exec:\6022260.exe36⤵
- Executes dropped EXE
PID:2060 -
\??\c:\9llfxrf.exec:\9llfxrf.exe37⤵
- Executes dropped EXE
PID:2900 -
\??\c:\xlfrllx.exec:\xlfrllx.exe38⤵
- Executes dropped EXE
PID:3028 -
\??\c:\2864826.exec:\2864826.exe39⤵
- Executes dropped EXE
PID:2172 -
\??\c:\rlfrfrf.exec:\rlfrfrf.exe40⤵
- Executes dropped EXE
PID:2384 -
\??\c:\thnbth.exec:\thnbth.exe41⤵
- Executes dropped EXE
PID:2940 -
\??\c:\rxrfrlf.exec:\rxrfrlf.exe42⤵
- Executes dropped EXE
PID:3516 -
\??\c:\4226442.exec:\4226442.exe43⤵
- Executes dropped EXE
PID:4416 -
\??\c:\ddjpj.exec:\ddjpj.exe44⤵
- Executes dropped EXE
PID:392 -
\??\c:\868248.exec:\868248.exe45⤵
- Executes dropped EXE
PID:2072 -
\??\c:\pjdpj.exec:\pjdpj.exe46⤵
- Executes dropped EXE
PID:4432 -
\??\c:\1jdpd.exec:\1jdpd.exe47⤵
- Executes dropped EXE
PID:1980 -
\??\c:\2022882.exec:\2022882.exe48⤵
- Executes dropped EXE
PID:2456 -
\??\c:\668826.exec:\668826.exe49⤵
- Executes dropped EXE
PID:1872 -
\??\c:\88486.exec:\88486.exe50⤵
- Executes dropped EXE
PID:2920 -
\??\c:\htnhtt.exec:\htnhtt.exe51⤵
- Executes dropped EXE
PID:4776 -
\??\c:\e84286.exec:\e84286.exe52⤵
- Executes dropped EXE
PID:2152 -
\??\c:\28226.exec:\28226.exe53⤵
- Executes dropped EXE
PID:2640 -
\??\c:\nhbtnh.exec:\nhbtnh.exe54⤵
- Executes dropped EXE
PID:2100 -
\??\c:\vdjvj.exec:\vdjvj.exe55⤵
- Executes dropped EXE
PID:452 -
\??\c:\nbhbbt.exec:\nbhbbt.exe56⤵
- Executes dropped EXE
PID:2836 -
\??\c:\xlxlrlr.exec:\xlxlrlr.exe57⤵
- Executes dropped EXE
PID:4192 -
\??\c:\1rfxlfr.exec:\1rfxlfr.exe58⤵
- Executes dropped EXE
PID:2804 -
\??\c:\3rfxxll.exec:\3rfxxll.exe59⤵
- Executes dropped EXE
PID:5092 -
\??\c:\ntthtn.exec:\ntthtn.exe60⤵
- Executes dropped EXE
PID:4256 -
\??\c:\0006060.exec:\0006060.exe61⤵
- Executes dropped EXE
PID:2324 -
\??\c:\hhhthb.exec:\hhhthb.exe62⤵
- Executes dropped EXE
PID:2012 -
\??\c:\844026.exec:\844026.exe63⤵
- Executes dropped EXE
PID:4584 -
\??\c:\flrfxrl.exec:\flrfxrl.exe64⤵
- Executes dropped EXE
PID:944 -
\??\c:\08402.exec:\08402.exe65⤵
- Executes dropped EXE
PID:1664 -
\??\c:\tbhtnn.exec:\tbhtnn.exe66⤵PID:3500
-
\??\c:\626080.exec:\626080.exe67⤵PID:2824
-
\??\c:\04886.exec:\04886.exe68⤵PID:4532
-
\??\c:\206046.exec:\206046.exe69⤵PID:1500
-
\??\c:\hhnhbn.exec:\hhnhbn.exe70⤵PID:4476
-
\??\c:\c860826.exec:\c860826.exe71⤵PID:1532
-
\??\c:\3dvpd.exec:\3dvpd.exe72⤵PID:3968
-
\??\c:\8604082.exec:\8604082.exe73⤵PID:2968
-
\??\c:\bnnnbb.exec:\bnnnbb.exe74⤵PID:1120
-
\??\c:\frrfrlx.exec:\frrfrlx.exe75⤵PID:2948
-
\??\c:\1jpjj.exec:\1jpjj.exe76⤵PID:2896
-
\??\c:\5flxxrx.exec:\5flxxrx.exe77⤵PID:596
-
\??\c:\0260084.exec:\0260084.exe78⤵PID:4332
-
\??\c:\hnthth.exec:\hnthth.exe79⤵PID:4624
-
\??\c:\6004822.exec:\6004822.exe80⤵PID:2332
-
\??\c:\jjjvd.exec:\jjjvd.exe81⤵PID:4076
-
\??\c:\bbhtbb.exec:\bbhtbb.exe82⤵PID:4980
-
\??\c:\0004208.exec:\0004208.exe83⤵PID:2940
-
\??\c:\btbntn.exec:\btbntn.exe84⤵PID:3516
-
\??\c:\rlrlxfr.exec:\rlrlxfr.exe85⤵PID:3108
-
\??\c:\8604262.exec:\8604262.exe86⤵PID:2288
-
\??\c:\46444.exec:\46444.exe87⤵PID:5076
-
\??\c:\dvjdv.exec:\dvjdv.exe88⤵PID:3192
-
\??\c:\hththt.exec:\hththt.exe89⤵PID:1980
-
\??\c:\thhttn.exec:\thhttn.exe90⤵PID:3976
-
\??\c:\rrrfxxr.exec:\rrrfxxr.exe91⤵PID:1804
-
\??\c:\jpvpj.exec:\jpvpj.exe92⤵PID:4524
-
\??\c:\djjdp.exec:\djjdp.exe93⤵PID:2396
-
\??\c:\60620.exec:\60620.exe94⤵PID:3384
-
\??\c:\42608.exec:\42608.exe95⤵PID:980
-
\??\c:\pjjpd.exec:\pjjpd.exe96⤵PID:2192
-
\??\c:\822644.exec:\822644.exe97⤵PID:3048
-
\??\c:\pddpv.exec:\pddpv.exe98⤵PID:1732
-
\??\c:\7vpdj.exec:\7vpdj.exe99⤵PID:3784
-
\??\c:\jdjpv.exec:\jdjpv.exe100⤵PID:4192
-
\??\c:\djppd.exec:\djppd.exe101⤵PID:1584
-
\??\c:\lxfxrlr.exec:\lxfxrlr.exe102⤵PID:1096
-
\??\c:\606048.exec:\606048.exe103⤵PID:1812
-
\??\c:\k40426.exec:\k40426.exe104⤵PID:1608
-
\??\c:\dvvjp.exec:\dvvjp.exe105⤵PID:4520
-
\??\c:\88260.exec:\88260.exe106⤵PID:4928
-
\??\c:\2664208.exec:\2664208.exe107⤵PID:1524
-
\??\c:\pddpd.exec:\pddpd.exe108⤵PID:1912
-
\??\c:\ntbhth.exec:\ntbhth.exe109⤵PID:2692
-
\??\c:\08488.exec:\08488.exe110⤵PID:2884
-
\??\c:\6642644.exec:\6642644.exe111⤵PID:5048
-
\??\c:\4004222.exec:\4004222.exe112⤵PID:4856
-
\??\c:\1nhtnh.exec:\1nhtnh.exe113⤵PID:3652
-
\??\c:\ddjvj.exec:\ddjvj.exe114⤵PID:1780
-
\??\c:\thtbbn.exec:\thtbbn.exe115⤵PID:3968
-
\??\c:\jpjvv.exec:\jpjvv.exe116⤵PID:2968
-
\??\c:\xxrfrrx.exec:\xxrfrrx.exe117⤵PID:4348
-
\??\c:\vjjvp.exec:\vjjvp.exe118⤵PID:4324
-
\??\c:\c846086.exec:\c846086.exe119⤵PID:3352
-
\??\c:\864860.exec:\864860.exe120⤵PID:3244
-
\??\c:\vjdpv.exec:\vjdpv.exe121⤵PID:596
-
\??\c:\hnthbt.exec:\hnthbt.exe122⤵PID:4332