Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 04:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e0829a2c00d58c231653c30380fa62623e86c0f1464932a100594b1f0beaa886N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e0829a2c00d58c231653c30380fa62623e86c0f1464932a100594b1f0beaa886N.exe
-
Size
454KB
-
MD5
421d2a75a6ac51faa655fd916c253000
-
SHA1
6eb113e876829cb66fe8ef582ccebdaa7b7b3417
-
SHA256
e0829a2c00d58c231653c30380fa62623e86c0f1464932a100594b1f0beaa886
-
SHA512
df16774ff525b54c59650510dbb7fb2c0dfd2739d6047535625a0b8b2b8e2bbd7d76376aa05d767ca15c95b932f16796d6552e05615f42858988ff263b50cb7a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2520-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3532-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/944-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-1475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1784-1896-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4992 vvddp.exe 2732 3jjdd.exe 3660 7tbnhh.exe 2348 vppdp.exe 3188 3ddvp.exe 5000 xrllllr.exe 3664 xlrrlrr.exe 2868 btnnnn.exe 2620 lxrlflf.exe 1336 thhnhb.exe 3132 hhbnhh.exe 4036 frffxxr.exe 2528 lxxxrrl.exe 4012 nnbbbb.exe 232 5vvpv.exe 1632 nhbbbn.exe 3184 1vppj.exe 2948 jpppd.exe 4020 1xfxxxx.exe 2124 9nhhbb.exe 2860 5djdv.exe 1424 dpvpv.exe 1992 5jpjd.exe 1888 xrlrlll.exe 1296 bbntbn.exe 5116 1rxxxfr.exe 3532 bhhbtt.exe 2216 pjvjj.exe 4200 pvdvv.exe 2964 llllffx.exe 4840 nbhhbb.exe 5052 7vddd.exe 3484 xrlflll.exe 1640 5tnnhh.exe 4976 pjjdv.exe 2940 llffxxr.exe 3008 nhbttt.exe 960 jvvdd.exe 2100 pdjdj.exe 4520 xrrlrrx.exe 2784 bbhhbh.exe 2520 xrfxxxx.exe 4992 flfffff.exe 2352 bhttnn.exe 1088 5fxllll.exe 3660 nhhttt.exe 3708 9pppj.exe 3112 fffrlxx.exe 2140 ntnthn.exe 1100 vjvdd.exe 516 rfrffxr.exe 3720 nnbtbb.exe 3412 1ppjd.exe 2428 9lffllr.exe 1312 nbbtnn.exe 2560 7jddv.exe 4280 dvjdd.exe 3132 lxxxrrl.exe 976 nnnnbb.exe 2400 1dvdv.exe 624 lxffrrf.exe 4084 bhbtnh.exe 232 jpppj.exe 512 lffxrfx.exe -
resource yara_rule behavioral2/memory/2520-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-100-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/232-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-317-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2980-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-532-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2520 wrote to memory of 4992 2520 e0829a2c00d58c231653c30380fa62623e86c0f1464932a100594b1f0beaa886N.exe 86 PID 2520 wrote to memory of 4992 2520 e0829a2c00d58c231653c30380fa62623e86c0f1464932a100594b1f0beaa886N.exe 86 PID 2520 wrote to memory of 4992 2520 e0829a2c00d58c231653c30380fa62623e86c0f1464932a100594b1f0beaa886N.exe 86 PID 4992 wrote to memory of 2732 4992 vvddp.exe 87 PID 4992 wrote to memory of 2732 4992 vvddp.exe 87 PID 4992 wrote to memory of 2732 4992 vvddp.exe 87 PID 2732 wrote to memory of 3660 2732 3jjdd.exe 88 PID 2732 wrote to memory of 3660 2732 3jjdd.exe 88 PID 2732 wrote to memory of 3660 2732 3jjdd.exe 88 PID 3660 wrote to memory of 2348 3660 7tbnhh.exe 89 PID 3660 wrote to memory of 2348 3660 7tbnhh.exe 89 PID 3660 wrote to memory of 2348 3660 7tbnhh.exe 89 PID 2348 wrote to memory of 3188 2348 vppdp.exe 90 PID 2348 wrote to memory of 3188 2348 vppdp.exe 90 PID 2348 wrote to memory of 3188 2348 vppdp.exe 90 PID 3188 wrote to memory of 5000 3188 3ddvp.exe 91 PID 3188 wrote to memory of 5000 3188 3ddvp.exe 91 PID 3188 wrote to memory of 5000 3188 3ddvp.exe 91 PID 5000 wrote to memory of 3664 5000 xrllllr.exe 92 PID 5000 wrote to memory of 3664 5000 xrllllr.exe 92 PID 5000 wrote to memory of 3664 5000 xrllllr.exe 92 PID 3664 wrote to memory of 2868 3664 xlrrlrr.exe 93 PID 3664 wrote to memory of 2868 3664 xlrrlrr.exe 93 PID 3664 wrote to memory of 2868 3664 xlrrlrr.exe 93 PID 2868 wrote to memory of 2620 2868 btnnnn.exe 94 PID 2868 wrote to memory of 2620 2868 btnnnn.exe 94 PID 2868 wrote to memory of 2620 2868 btnnnn.exe 94 PID 2620 wrote to memory of 1336 2620 lxrlflf.exe 95 PID 2620 wrote to memory of 1336 2620 lxrlflf.exe 95 PID 2620 wrote to memory of 1336 2620 lxrlflf.exe 95 PID 1336 wrote to memory of 3132 1336 thhnhb.exe 96 PID 1336 wrote to memory of 3132 1336 thhnhb.exe 96 PID 1336 wrote to memory of 3132 1336 thhnhb.exe 96 PID 3132 wrote to memory of 4036 3132 hhbnhh.exe 97 PID 3132 wrote to 
memory of 4036 3132 hhbnhh.exe 97 PID 3132 wrote to memory of 4036 3132 hhbnhh.exe 97 PID 4036 wrote to memory of 2528 4036 frffxxr.exe 98 PID 4036 wrote to memory of 2528 4036 frffxxr.exe 98 PID 4036 wrote to memory of 2528 4036 frffxxr.exe 98 PID 2528 wrote to memory of 4012 2528 lxxxrrl.exe 99 PID 2528 wrote to memory of 4012 2528 lxxxrrl.exe 99 PID 2528 wrote to memory of 4012 2528 lxxxrrl.exe 99 PID 4012 wrote to memory of 232 4012 nnbbbb.exe 100 PID 4012 wrote to memory of 232 4012 nnbbbb.exe 100 PID 4012 wrote to memory of 232 4012 nnbbbb.exe 100 PID 232 wrote to memory of 1632 232 5vvpv.exe 101 PID 232 wrote to memory of 1632 232 5vvpv.exe 101 PID 232 wrote to memory of 1632 232 5vvpv.exe 101 PID 1632 wrote to memory of 3184 1632 nhbbbn.exe 102 PID 1632 wrote to memory of 3184 1632 nhbbbn.exe 102 PID 1632 wrote to memory of 3184 1632 nhbbbn.exe 102 PID 3184 wrote to memory of 2948 3184 1vppj.exe 103 PID 3184 wrote to memory of 2948 3184 1vppj.exe 103 PID 3184 wrote to memory of 2948 3184 1vppj.exe 103 PID 2948 wrote to memory of 4020 2948 jpppd.exe 104 PID 2948 wrote to memory of 4020 2948 jpppd.exe 104 PID 2948 wrote to memory of 4020 2948 jpppd.exe 104 PID 4020 wrote to memory of 2124 4020 1xfxxxx.exe 105 PID 4020 wrote to memory of 2124 4020 1xfxxxx.exe 105 PID 4020 wrote to memory of 2124 4020 1xfxxxx.exe 105 PID 2124 wrote to memory of 2860 2124 9nhhbb.exe 106 PID 2124 wrote to memory of 2860 2124 9nhhbb.exe 106 PID 2124 wrote to memory of 2860 2124 9nhhbb.exe 106 PID 2860 wrote to memory of 1424 2860 5djdv.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0829a2c00d58c231653c30380fa62623e86c0f1464932a100594b1f0beaa886N.exe"C:\Users\Admin\AppData\Local\Temp\e0829a2c00d58c231653c30380fa62623e86c0f1464932a100594b1f0beaa886N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\vvddp.exec:\vvddp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\3jjdd.exec:\3jjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\7tbnhh.exec:\7tbnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\vppdp.exec:\vppdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\3ddvp.exec:\3ddvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\xrllllr.exec:\xrllllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\xlrrlrr.exec:\xlrrlrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\btnnnn.exec:\btnnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\lxrlflf.exec:\lxrlflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\thhnhb.exec:\thhnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\hhbnhh.exec:\hhbnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\frffxxr.exec:\frffxxr.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\lxxxrrl.exec:\lxxxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\nnbbbb.exec:\nnbbbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\5vvpv.exec:\5vvpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\nhbbbn.exec:\nhbbbn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\1vppj.exec:\1vppj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\jpppd.exec:\jpppd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\1xfxxxx.exec:\1xfxxxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\9nhhbb.exec:\9nhhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\5djdv.exec:\5djdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\dpvpv.exec:\dpvpv.exe23⤵
- Executes dropped EXE
PID:1424 -
\??\c:\5jpjd.exec:\5jpjd.exe24⤵
- Executes dropped EXE
PID:1992 -
\??\c:\xrlrlll.exec:\xrlrlll.exe25⤵
- Executes dropped EXE
PID:1888 -
\??\c:\bbntbn.exec:\bbntbn.exe26⤵
- Executes dropped EXE
PID:1296 -
\??\c:\1rxxxfr.exec:\1rxxxfr.exe27⤵
- Executes dropped EXE
PID:5116 -
\??\c:\bhhbtt.exec:\bhhbtt.exe28⤵
- Executes dropped EXE
PID:3532 -
\??\c:\pjvjj.exec:\pjvjj.exe29⤵
- Executes dropped EXE
PID:2216 -
\??\c:\pvdvv.exec:\pvdvv.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4200 -
\??\c:\llllffx.exec:\llllffx.exe31⤵
- Executes dropped EXE
PID:2964 -
\??\c:\nbhhbb.exec:\nbhhbb.exe32⤵
- Executes dropped EXE
PID:4840 -
\??\c:\7vddd.exec:\7vddd.exe33⤵
- Executes dropped EXE
PID:5052 -
\??\c:\xrlflll.exec:\xrlflll.exe34⤵
- Executes dropped EXE
PID:3484 -
\??\c:\5tnnhh.exec:\5tnnhh.exe35⤵
- Executes dropped EXE
PID:1640 -
\??\c:\pjjdv.exec:\pjjdv.exe36⤵
- Executes dropped EXE
PID:4976 -
\??\c:\llffxxr.exec:\llffxxr.exe37⤵
- Executes dropped EXE
PID:2940 -
\??\c:\nhbttt.exec:\nhbttt.exe38⤵
- Executes dropped EXE
PID:3008 -
\??\c:\jvvdd.exec:\jvvdd.exe39⤵
- Executes dropped EXE
PID:960 -
\??\c:\pdjdj.exec:\pdjdj.exe40⤵
- Executes dropped EXE
PID:2100 -
\??\c:\xrrlrrx.exec:\xrrlrrx.exe41⤵
- Executes dropped EXE
PID:4520 -
\??\c:\bbhhbh.exec:\bbhhbh.exe42⤵
- Executes dropped EXE
PID:2784 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe43⤵
- Executes dropped EXE
PID:2520 -
\??\c:\flfffff.exec:\flfffff.exe44⤵
- Executes dropped EXE
PID:4992 -
\??\c:\bhttnn.exec:\bhttnn.exe45⤵
- Executes dropped EXE
PID:2352 -
\??\c:\5fxllll.exec:\5fxllll.exe46⤵
- Executes dropped EXE
PID:1088 -
\??\c:\nhhttt.exec:\nhhttt.exe47⤵
- Executes dropped EXE
PID:3660 -
\??\c:\9pppj.exec:\9pppj.exe48⤵
- Executes dropped EXE
PID:3708 -
\??\c:\fffrlxx.exec:\fffrlxx.exe49⤵
- Executes dropped EXE
PID:3112 -
\??\c:\ntnthn.exec:\ntnthn.exe50⤵
- Executes dropped EXE
PID:2140 -
\??\c:\vjvdd.exec:\vjvdd.exe51⤵
- Executes dropped EXE
PID:1100 -
\??\c:\rfrffxr.exec:\rfrffxr.exe52⤵
- Executes dropped EXE
PID:516 -
\??\c:\nnbtbb.exec:\nnbtbb.exe53⤵
- Executes dropped EXE
PID:3720 -
\??\c:\1ppjd.exec:\1ppjd.exe54⤵
- Executes dropped EXE
PID:3412 -
\??\c:\9lffllr.exec:\9lffllr.exe55⤵
- Executes dropped EXE
PID:2428 -
\??\c:\nbbtnn.exec:\nbbtnn.exe56⤵
- Executes dropped EXE
PID:1312 -
\??\c:\7jddv.exec:\7jddv.exe57⤵
- Executes dropped EXE
PID:2560 -
\??\c:\dvjdd.exec:\dvjdd.exe58⤵
- Executes dropped EXE
PID:4280 -
\??\c:\lxxxrrl.exec:\lxxxrrl.exe59⤵
- Executes dropped EXE
PID:3132 -
\??\c:\nnnnbb.exec:\nnnnbb.exe60⤵
- Executes dropped EXE
PID:976 -
\??\c:\1dvdv.exec:\1dvdv.exe61⤵
- Executes dropped EXE
PID:2400 -
\??\c:\lxffrrf.exec:\lxffrrf.exe62⤵
- Executes dropped EXE
PID:624 -
\??\c:\bhbtnh.exec:\bhbtnh.exe63⤵
- Executes dropped EXE
PID:4084 -
\??\c:\jpppj.exec:\jpppj.exe64⤵
- Executes dropped EXE
PID:232 -
\??\c:\lffxrfx.exec:\lffxrfx.exe65⤵
- Executes dropped EXE
PID:512 -
\??\c:\btnbtn.exec:\btnbtn.exe66⤵PID:4380
-
\??\c:\pvdjd.exec:\pvdjd.exe67⤵PID:4780
-
\??\c:\pdjdv.exec:\pdjdv.exe68⤵PID:3220
-
\??\c:\rxffffx.exec:\rxffffx.exe69⤵PID:1308
-
\??\c:\hnbttt.exec:\hnbttt.exe70⤵PID:3692
-
\??\c:\3jpjj.exec:\3jpjj.exe71⤵PID:2980
-
\??\c:\rrrrrxx.exec:\rrrrrxx.exe72⤵PID:4688
-
\??\c:\tbhbtn.exec:\tbhbtn.exe73⤵PID:944
-
\??\c:\dvppv.exec:\dvppv.exe74⤵PID:4616
-
\??\c:\fxrlxxx.exec:\fxrlxxx.exe75⤵PID:2976
-
\??\c:\nnhbtn.exec:\nnhbtn.exe76⤵PID:2760
-
\??\c:\9vvpj.exec:\9vvpj.exe77⤵PID:3016
-
\??\c:\vdpvp.exec:\vdpvp.exe78⤵PID:2752
-
\??\c:\5lxrxxr.exec:\5lxrxxr.exe79⤵PID:1360
-
\??\c:\1tnhhn.exec:\1tnhhn.exe80⤵PID:2460
-
\??\c:\vjpjd.exec:\vjpjd.exe81⤵PID:4784
-
\??\c:\xllffrr.exec:\xllffrr.exe82⤵PID:2368
-
\??\c:\nhhbbb.exec:\nhhbbb.exe83⤵PID:4176
-
\??\c:\vpvpj.exec:\vpvpj.exe84⤵PID:4856
-
\??\c:\lrrfxrl.exec:\lrrfxrl.exe85⤵PID:2856
-
\??\c:\hnbnth.exec:\hnbnth.exe86⤵PID:3592
-
\??\c:\vpdpj.exec:\vpdpj.exe87⤵PID:4664
-
\??\c:\lfflffx.exec:\lfflffx.exe88⤵PID:3484
-
\??\c:\ttbtbb.exec:\ttbtbb.exe89⤵PID:3476
-
\??\c:\ttnhnn.exec:\ttnhnn.exe90⤵PID:3716
-
\??\c:\1pppv.exec:\1pppv.exe91⤵PID:2716
-
\??\c:\rlffrrl.exec:\rlffrrl.exe92⤵PID:3104
-
\??\c:\hbbttn.exec:\hbbttn.exe93⤵PID:3008
-
\??\c:\djvjj.exec:\djvjj.exe94⤵PID:4516
-
\??\c:\3rrlfrl.exec:\3rrlfrl.exe95⤵PID:4524
-
\??\c:\bnnhbt.exec:\bnnhbt.exe96⤵PID:1496
-
\??\c:\jpvvp.exec:\jpvvp.exe97⤵PID:2276
-
\??\c:\dddvp.exec:\dddvp.exe98⤵PID:4376
-
\??\c:\7lffffx.exec:\7lffffx.exe99⤵PID:4964
-
\??\c:\hhhbtt.exec:\hhhbtt.exe100⤵PID:2732
-
\??\c:\ppvvp.exec:\ppvvp.exe101⤵PID:64
-
\??\c:\rlxfrrr.exec:\rlxfrrr.exe102⤵PID:1084
-
\??\c:\rrlrrlf.exec:\rrlrrlf.exe103⤵PID:3188
-
\??\c:\bntnhn.exec:\bntnhn.exe104⤵PID:3816
-
\??\c:\djdpv.exec:\djdpv.exe105⤵PID:5000
-
\??\c:\frfxrll.exec:\frfxrll.exe106⤵PID:1100
-
\??\c:\hntnhh.exec:\hntnhh.exe107⤵PID:640
-
\??\c:\vvdvd.exec:\vvdvd.exe108⤵PID:1168
-
\??\c:\xfrrfll.exec:\xfrrfll.exe109⤵PID:3196
-
\??\c:\7tthhb.exec:\7tthhb.exe110⤵PID:948
-
\??\c:\jpjdv.exec:\jpjdv.exe111⤵PID:3864
-
\??\c:\lllffff.exec:\lllffff.exe112⤵PID:2144
-
\??\c:\xxxxrrf.exec:\xxxxrrf.exe113⤵PID:2116
-
\??\c:\bnnhbb.exec:\bnnhbb.exe114⤵PID:1900
-
\??\c:\pjdvv.exec:\pjdvv.exe115⤵PID:3436
-
\??\c:\1flfxxr.exec:\1flfxxr.exe116⤵PID:2528
-
\??\c:\btbbtn.exec:\btbbtn.exe117⤵PID:4408
-
\??\c:\dvjdv.exec:\dvjdv.exe118⤵PID:2864
-
\??\c:\lrxxllx.exec:\lrxxllx.exe119⤵PID:532
-
\??\c:\ttthnh.exec:\ttthnh.exe120⤵PID:512
-
\??\c:\thbhth.exec:\thbhth.exe121⤵PID:4768
-
\??\c:\lrrfxxf.exec:\lrrfxxf.exe122⤵PID:2540