Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 05:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe
-
Size
454KB
-
MD5
274a1fcae472dba4b609fb93f6bff0f2
-
SHA1
e9d7de4676f38184195d19ae4d26c034b79c956d
-
SHA256
ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae
-
SHA512
f0ad51de354726370bf6e8696c38e9b9316d056af559809c2de2346c8a99d14f8ceee3fce2f15cfea48abf0b98cda99889037ac792d347fa55cafb26b0a6e2c2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2868-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1232-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-204-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1628-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/444-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/280-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2160-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-384-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2532-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-399-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1816-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-433-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1612-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-503-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/800-510-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1688-524-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1328-593-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2840-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1328-595-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2596-636-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2904-691-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1704-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1880-789-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2976-892-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1196-1024-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2672-1083-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2596-1189-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2112 pdppd.exe 1232 fxllxxl.exe 2928 nbnntn.exe 2128 frfflfl.exe 1956 xlfflll.exe 2996 dpvvp.exe 2700 fxlrxfr.exe 2644 ffrxflr.exe 2772 bnbbhb.exe 2520 vjpjp.exe 2432 1nbtnh.exe 2524 pdvvp.exe 2000 5rlrffl.exe 632 1tnntt.exe 1804 vpvvp.exe 2300 3rrllrr.exe 752 5tbhhh.exe 1260 jvjjp.exe 2284 xxlflrf.exe 2396 9ttbhn.exe 1628 vvppv.exe 3068 tnhnbh.exe 2104 hbnntb.exe 1880 lrlrfxf.exe 444 3nbhhh.exe 1728 ppjjj.exe 280 hbbhnt.exe 2220 ddjpv.exe 580 xflrlrx.exe 2160 bbntbb.exe 1048 5djvv.exe 2868 thtbhh.exe 1228 dpjjd.exe 2876 fxllrrx.exe 2932 nbhhnh.exe 2896 jvpjj.exe 1964 pjvdj.exe 2376 lxffxxf.exe 2820 thtbhh.exe 2600 ttnnnn.exe 2712 vvjjp.exe 2740 jdjjd.exe 2624 xlxxxff.exe 2644 1nttbh.exe 2580 3nthnn.exe 2532 jvpdj.exe 2496 rllfxxf.exe 2432 fffxlfl.exe 2180 bnnnnn.exe 832 vpddj.exe 1816 lxllxxl.exe 1740 1ntttb.exe 296 hhtnnt.exe 2464 vvjdj.exe 1284 rlxxlfl.exe 808 5rxxfxl.exe 1296 httttt.exe 1528 htnbtt.exe 864 dvppp.exe 1764 7frlllr.exe 1612 5hnhnb.exe 3068 5nnnnn.exe 2336 pvpjv.exe 800 1rlflrr.exe -
resource yara_rule behavioral1/memory/2868-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-216-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/444-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/280-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/740-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-636-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2516-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-769-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2728-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-1037-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-1090-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-1164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-1190-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2868 wrote to memory of 2112 2868 ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe 28 PID 2868 wrote to memory of 2112 2868 ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe 28 PID 2868 wrote to memory of 2112 2868 ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe 28 PID 2868 wrote to memory of 2112 2868 ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe 28 PID 2112 wrote to memory of 1232 2112 pdppd.exe 29 PID 2112 wrote to memory of 1232 2112 pdppd.exe 29 PID 2112 wrote to memory of 1232 2112 pdppd.exe 29 PID 2112 wrote to memory of 1232 2112 pdppd.exe 29 PID 1232 wrote to memory of 2928 1232 fxllxxl.exe 30 PID 1232 wrote to memory of 2928 1232 fxllxxl.exe 30 PID 1232 wrote to memory of 2928 1232 fxllxxl.exe 30 PID 1232 wrote to memory of 2928 1232 fxllxxl.exe 30 PID 2928 wrote to memory of 2128 2928 nbnntn.exe 31 PID 2928 wrote to memory of 2128 2928 nbnntn.exe 31 PID 2928 wrote to memory of 2128 2928 nbnntn.exe 31 PID 2928 wrote to memory of 2128 2928 nbnntn.exe 31 PID 2128 wrote to memory of 1956 2128 frfflfl.exe 32 PID 2128 wrote to memory of 1956 2128 frfflfl.exe 32 PID 2128 wrote to memory of 1956 2128 frfflfl.exe 32 PID 2128 wrote to memory of 1956 2128 frfflfl.exe 32 PID 1956 wrote to memory of 2996 1956 xlfflll.exe 33 PID 1956 wrote to memory of 2996 1956 xlfflll.exe 33 PID 1956 wrote to memory of 2996 1956 xlfflll.exe 33 PID 1956 wrote to memory of 2996 1956 xlfflll.exe 33 PID 2996 wrote to memory of 2700 2996 dpvvp.exe 34 PID 2996 wrote to memory of 2700 2996 dpvvp.exe 34 PID 2996 wrote to memory of 2700 2996 dpvvp.exe 34 PID 2996 wrote to memory of 2700 2996 dpvvp.exe 34 PID 2700 wrote to memory of 2644 2700 fxlrxfr.exe 35 PID 2700 wrote to memory of 2644 2700 fxlrxfr.exe 35 PID 2700 wrote to memory of 2644 2700 fxlrxfr.exe 35 PID 2700 wrote to memory of 2644 2700 fxlrxfr.exe 35 PID 2644 wrote to memory of 2772 2644 ffrxflr.exe 36 PID 
2644 wrote to memory of 2772 2644 ffrxflr.exe 36 PID 2644 wrote to memory of 2772 2644 ffrxflr.exe 36 PID 2644 wrote to memory of 2772 2644 ffrxflr.exe 36 PID 2772 wrote to memory of 2520 2772 bnbbhb.exe 37 PID 2772 wrote to memory of 2520 2772 bnbbhb.exe 37 PID 2772 wrote to memory of 2520 2772 bnbbhb.exe 37 PID 2772 wrote to memory of 2520 2772 bnbbhb.exe 37 PID 2520 wrote to memory of 2432 2520 vjpjp.exe 38 PID 2520 wrote to memory of 2432 2520 vjpjp.exe 38 PID 2520 wrote to memory of 2432 2520 vjpjp.exe 38 PID 2520 wrote to memory of 2432 2520 vjpjp.exe 38 PID 2432 wrote to memory of 2524 2432 1nbtnh.exe 39 PID 2432 wrote to memory of 2524 2432 1nbtnh.exe 39 PID 2432 wrote to memory of 2524 2432 1nbtnh.exe 39 PID 2432 wrote to memory of 2524 2432 1nbtnh.exe 39 PID 2524 wrote to memory of 2000 2524 pdvvp.exe 40 PID 2524 wrote to memory of 2000 2524 pdvvp.exe 40 PID 2524 wrote to memory of 2000 2524 pdvvp.exe 40 PID 2524 wrote to memory of 2000 2524 pdvvp.exe 40 PID 2000 wrote to memory of 632 2000 5rlrffl.exe 41 PID 2000 wrote to memory of 632 2000 5rlrffl.exe 41 PID 2000 wrote to memory of 632 2000 5rlrffl.exe 41 PID 2000 wrote to memory of 632 2000 5rlrffl.exe 41 PID 632 wrote to memory of 1804 632 1tnntt.exe 42 PID 632 wrote to memory of 1804 632 1tnntt.exe 42 PID 632 wrote to memory of 1804 632 1tnntt.exe 42 PID 632 wrote to memory of 1804 632 1tnntt.exe 42 PID 1804 wrote to memory of 2300 1804 vpvvp.exe 43 PID 1804 wrote to memory of 2300 1804 vpvvp.exe 43 PID 1804 wrote to memory of 2300 1804 vpvvp.exe 43 PID 1804 wrote to memory of 2300 1804 vpvvp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe"C:\Users\Admin\AppData\Local\Temp\ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\pdppd.exec:\pdppd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\fxllxxl.exec:\fxllxxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\nbnntn.exec:\nbnntn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\frfflfl.exec:\frfflfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\xlfflll.exec:\xlfflll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\dpvvp.exec:\dpvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\fxlrxfr.exec:\fxlrxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\ffrxflr.exec:\ffrxflr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\bnbbhb.exec:\bnbbhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\vjpjp.exec:\vjpjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\1nbtnh.exec:\1nbtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\pdvvp.exec:\pdvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\5rlrffl.exec:\5rlrffl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\1tnntt.exec:\1tnntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\vpvvp.exec:\vpvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\3rrllrr.exec:\3rrllrr.exe17⤵
- Executes dropped EXE
PID:2300 -
\??\c:\5tbhhh.exec:\5tbhhh.exe18⤵
- Executes dropped EXE
PID:752 -
\??\c:\jvjjp.exec:\jvjjp.exe19⤵
- Executes dropped EXE
PID:1260 -
\??\c:\xxlflrf.exec:\xxlflrf.exe20⤵
- Executes dropped EXE
PID:2284 -
\??\c:\9ttbhn.exec:\9ttbhn.exe21⤵
- Executes dropped EXE
PID:2396 -
\??\c:\vvppv.exec:\vvppv.exe22⤵
- Executes dropped EXE
PID:1628 -
\??\c:\tnhnbh.exec:\tnhnbh.exe23⤵
- Executes dropped EXE
PID:3068 -
\??\c:\hbnntb.exec:\hbnntb.exe24⤵
- Executes dropped EXE
PID:2104 -
\??\c:\lrlrfxf.exec:\lrlrfxf.exe25⤵
- Executes dropped EXE
PID:1880 -
\??\c:\3nbhhh.exec:\3nbhhh.exe26⤵
- Executes dropped EXE
PID:444 -
\??\c:\ppjjj.exec:\ppjjj.exe27⤵
- Executes dropped EXE
PID:1728 -
\??\c:\hbbhnt.exec:\hbbhnt.exe28⤵
- Executes dropped EXE
PID:280 -
\??\c:\ddjpv.exec:\ddjpv.exe29⤵
- Executes dropped EXE
PID:2220 -
\??\c:\xflrlrx.exec:\xflrlrx.exe30⤵
- Executes dropped EXE
PID:580 -
\??\c:\bbntbb.exec:\bbntbb.exe31⤵
- Executes dropped EXE
PID:2160 -
\??\c:\5djvv.exec:\5djvv.exe32⤵
- Executes dropped EXE
PID:1048 -
\??\c:\thtbhh.exec:\thtbhh.exe33⤵
- Executes dropped EXE
PID:2868 -
\??\c:\dpjjd.exec:\dpjjd.exe34⤵
- Executes dropped EXE
PID:1228 -
\??\c:\fxllrrx.exec:\fxllrrx.exe35⤵
- Executes dropped EXE
PID:2876 -
\??\c:\nbhhnh.exec:\nbhhnh.exe36⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jvpjj.exec:\jvpjj.exe37⤵
- Executes dropped EXE
PID:2896 -
\??\c:\pjvdj.exec:\pjvdj.exe38⤵
- Executes dropped EXE
PID:1964 -
\??\c:\lxffxxf.exec:\lxffxxf.exe39⤵
- Executes dropped EXE
PID:2376 -
\??\c:\thtbhh.exec:\thtbhh.exe40⤵
- Executes dropped EXE
PID:2820 -
\??\c:\ttnnnn.exec:\ttnnnn.exe41⤵
- Executes dropped EXE
PID:2600 -
\??\c:\vvjjp.exec:\vvjjp.exe42⤵
- Executes dropped EXE
PID:2712 -
\??\c:\jdjjd.exec:\jdjjd.exe43⤵
- Executes dropped EXE
PID:2740 -
\??\c:\xlxxxff.exec:\xlxxxff.exe44⤵
- Executes dropped EXE
PID:2624 -
\??\c:\1nttbh.exec:\1nttbh.exe45⤵
- Executes dropped EXE
PID:2644 -
\??\c:\3nthnn.exec:\3nthnn.exe46⤵
- Executes dropped EXE
PID:2580 -
\??\c:\jvpdj.exec:\jvpdj.exe47⤵
- Executes dropped EXE
PID:2532 -
\??\c:\rllfxxf.exec:\rllfxxf.exe48⤵
- Executes dropped EXE
PID:2496 -
\??\c:\fffxlfl.exec:\fffxlfl.exe49⤵
- Executes dropped EXE
PID:2432 -
\??\c:\bnnnnn.exec:\bnnnnn.exe50⤵
- Executes dropped EXE
PID:2180 -
\??\c:\vpddj.exec:\vpddj.exe51⤵
- Executes dropped EXE
PID:832 -
\??\c:\lxllxxl.exec:\lxllxxl.exe52⤵
- Executes dropped EXE
PID:1816 -
\??\c:\1ntttb.exec:\1ntttb.exe53⤵
- Executes dropped EXE
PID:1740 -
\??\c:\hhtnnt.exec:\hhtnnt.exe54⤵
- Executes dropped EXE
PID:296 -
\??\c:\vvjdj.exec:\vvjdj.exe55⤵
- Executes dropped EXE
PID:2464 -
\??\c:\rlxxlfl.exec:\rlxxlfl.exe56⤵
- Executes dropped EXE
PID:1284 -
\??\c:\5rxxfxl.exec:\5rxxfxl.exe57⤵
- Executes dropped EXE
PID:808 -
\??\c:\httttt.exec:\httttt.exe58⤵
- Executes dropped EXE
PID:1296 -
\??\c:\htnbtt.exec:\htnbtt.exe59⤵
- Executes dropped EXE
PID:1528 -
\??\c:\dvppp.exec:\dvppp.exe60⤵
- Executes dropped EXE
PID:864 -
\??\c:\7frlllr.exec:\7frlllr.exe61⤵
- Executes dropped EXE
PID:1764 -
\??\c:\5hnhnb.exec:\5hnhnb.exe62⤵
- Executes dropped EXE
PID:1612 -
\??\c:\5nnnnn.exec:\5nnnnn.exe63⤵
- Executes dropped EXE
PID:3068 -
\??\c:\pvpjv.exec:\pvpjv.exe64⤵
- Executes dropped EXE
PID:2336 -
\??\c:\1rlflrr.exec:\1rlflrr.exe65⤵
- Executes dropped EXE
PID:800 -
\??\c:\rlrrffr.exec:\rlrrffr.exe66⤵PID:2372
-
\??\c:\bbnbbt.exec:\bbnbbt.exe67⤵PID:1688
-
\??\c:\vpjjp.exec:\vpjjp.exe68⤵PID:836
-
\??\c:\ffffxxx.exec:\ffffxxx.exe69⤵PID:740
-
\??\c:\nhbbbh.exec:\nhbbbh.exe70⤵PID:2060
-
\??\c:\jjjpd.exec:\jjjpd.exe71⤵PID:3048
-
\??\c:\jdjdj.exec:\jdjdj.exe72⤵PID:2344
-
\??\c:\lxxxxxl.exec:\lxxxxxl.exe73⤵PID:2188
-
\??\c:\1hbbhh.exec:\1hbbhh.exe74⤵PID:2324
-
\??\c:\nhntbh.exec:\nhntbh.exe75⤵PID:3028
-
\??\c:\vvjdp.exec:\vvjdp.exe76⤵PID:2004
-
\??\c:\pdjjp.exec:\pdjjp.exe77⤵PID:2112
-
\??\c:\5rxrrrx.exec:\5rxrrrx.exe78⤵PID:1328
-
\??\c:\ntbbhh.exec:\ntbbhh.exe79⤵PID:2840
-
\??\c:\1tnnnn.exec:\1tnnnn.exe80⤵PID:1268
-
\??\c:\dvjjp.exec:\dvjjp.exe81⤵PID:1248
-
\??\c:\xrfflrx.exec:\xrfflrx.exe82⤵PID:1756
-
\??\c:\5lffllr.exec:\5lffllr.exe83⤵PID:2232
-
\??\c:\7tbttb.exec:\7tbttb.exe84⤵PID:2704
-
\??\c:\5djjj.exec:\5djjj.exe85⤵PID:2596
-
\??\c:\vpdpd.exec:\vpdpd.exe86⤵PID:2700
-
\??\c:\xrllrxl.exec:\xrllrxl.exe87⤵PID:2760
-
\??\c:\htbbbt.exec:\htbbbt.exe88⤵PID:2776
-
\??\c:\pjvvv.exec:\pjvvv.exe89⤵PID:2516
-
\??\c:\7pdvv.exec:\7pdvv.exe90⤵
- System Location Discovery: System Language Discovery
PID:2532 -
\??\c:\3rrrrrx.exec:\3rrrrrx.exe91⤵PID:2656
-
\??\c:\tbbtnh.exec:\tbbtnh.exe92⤵PID:2924
-
\??\c:\hthhnn.exec:\hthhnn.exe93⤵PID:2904
-
\??\c:\vjjdj.exec:\vjjdj.exe94⤵PID:1872
-
\??\c:\fxxrrrf.exec:\fxxrrrf.exe95⤵PID:2308
-
\??\c:\3hnhtt.exec:\3hnhtt.exe96⤵PID:2272
-
\??\c:\ttnntt.exec:\ttnntt.exe97⤵PID:2300
-
\??\c:\7vjpv.exec:\7vjpv.exe98⤵PID:2296
-
\??\c:\pjjdj.exec:\pjjdj.exe99⤵PID:1704
-
\??\c:\rrlllrx.exec:\rrlllrx.exe100⤵PID:1960
-
\??\c:\tnbntb.exec:\tnbntb.exe101⤵PID:1992
-
\??\c:\jvvvj.exec:\jvvvj.exe102⤵PID:1624
-
\??\c:\dvjjp.exec:\dvjjp.exe103⤵PID:1708
-
\??\c:\rxrlfrl.exec:\rxrlfrl.exe104⤵PID:1308
-
\??\c:\1btbbh.exec:\1btbbh.exe105⤵PID:2940
-
\??\c:\thbbhh.exec:\thbbhh.exe106⤵PID:2728
-
\??\c:\jdvdv.exec:\jdvdv.exe107⤵PID:2788
-
\??\c:\xrlllll.exec:\xrlllll.exe108⤵PID:1880
-
\??\c:\rfrxffl.exec:\rfrxffl.exe109⤵PID:1900
-
\??\c:\3bhhnn.exec:\3bhhnn.exe110⤵PID:1896
-
\??\c:\5pjjj.exec:\5pjjj.exe111⤵PID:2148
-
\??\c:\9pjjj.exec:\9pjjj.exe112⤵PID:2404
-
\??\c:\fxxrxrf.exec:\fxxrxrf.exe113⤵PID:3008
-
\??\c:\nhnnbb.exec:\nhnnbb.exe114⤵PID:3012
-
\??\c:\hthhbh.exec:\hthhbh.exe115⤵PID:1592
-
\??\c:\9pjjd.exec:\9pjjd.exe116⤵PID:2344
-
\??\c:\jdvvd.exec:\jdvvd.exe117⤵PID:2208
-
\??\c:\rrfrrlr.exec:\rrfrrlr.exe118⤵PID:2324
-
\??\c:\bnttbt.exec:\bnttbt.exe119⤵PID:2368
-
\??\c:\nhtnbt.exec:\nhtnbt.exe120⤵PID:2868
-
\??\c:\jvjpp.exec:\jvjpp.exe121⤵PID:2112
-
\??\c:\fxxrxxx.exec:\fxxrxxx.exe122⤵PID:1328