Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 05:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe
-
Size
454KB
-
MD5
274a1fcae472dba4b609fb93f6bff0f2
-
SHA1
e9d7de4676f38184195d19ae4d26c034b79c956d
-
SHA256
ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae
-
SHA512
f0ad51de354726370bf6e8696c38e9b9316d056af559809c2de2346c8a99d14f8ceee3fce2f15cfea48abf0b98cda99889037ac792d347fa55cafb26b0a6e2c2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2756-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4604-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4408-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-741-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2712-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2296 pppvv.exe 2492 ntbnhh.exe 2100 ddjdv.exe 2360 3lfxrrl.exe 2684 ppvvp.exe 4396 9btnhh.exe 1204 jdpjj.exe 232 ddjdd.exe 4488 3dddd.exe 4128 xfxlxxl.exe 4640 nbhbhh.exe 2080 vjddv.exe 4148 frlxrlf.exe 224 dpppp.exe 3584 3xrrlll.exe 5040 vvjpp.exe 4324 3fxrrrl.exe 1108 ttnbtn.exe 2828 thnnhh.exe 4872 jpdvp.exe 1972 5nnnbb.exe 760 rxxxrrr.exe 3768 vpjjd.exe 2816 hbbbnn.exe 4604 jpjjd.exe 4976 hbhbtt.exe 2108 ddpjd.exe 4404 5lrrllf.exe 2472 ntntnn.exe 3580 7frfllf.exe 1912 btbtnt.exe 1440 1lrlfff.exe 548 nbttbb.exe 2872 llffxxx.exe 2824 bhhbbb.exe 3900 9jjdd.exe 4596 xxrrlrx.exe 1392 hnhhhh.exe 2884 djjjd.exe 3600 xxrxrrr.exe 1572 ppddp.exe 3448 rffrlrr.exe 1420 3nnhbt.exe 1864 dppjj.exe 3876 jjppp.exe 3928 ffxxffx.exe 216 hhtnhn.exe 452 djppp.exe 896 lrrllfx.exe 4120 5bbtnh.exe 2588 vvvjj.exe 2412 frlrflx.exe 1568 nntttt.exe 1160 vpjjp.exe 4304 3vjjv.exe 1336 xllffff.exe 4968 djjjj.exe 2708 xflllrf.exe 116 7llfrfr.exe 1576 hnnttb.exe 4140 jppjd.exe 4520 flxxrxr.exe 4204 ntnnhh.exe 5060 jpddd.exe -
resource yara_rule behavioral2/memory/2296-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4604-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-332-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3368-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-588-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frfllf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2756 wrote to memory of 2296 2756 ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe 83 PID 2756 wrote to memory of 2296 2756 ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe 83 PID 2756 wrote to memory of 2296 2756 ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe 83 PID 2296 wrote to memory of 2492 2296 pppvv.exe 84 PID 2296 wrote to memory of 2492 2296 pppvv.exe 84 PID 2296 wrote to memory of 2492 2296 pppvv.exe 84 PID 2492 wrote to memory of 2100 2492 ntbnhh.exe 85 PID 2492 wrote to memory of 2100 2492 ntbnhh.exe 85 PID 2492 wrote to memory of 2100 2492 ntbnhh.exe 85 PID 2100 wrote to memory of 2360 2100 ddjdv.exe 86 PID 2100 wrote to memory of 2360 2100 ddjdv.exe 86 PID 2100 wrote to memory of 2360 2100 ddjdv.exe 86 PID 2360 wrote to memory of 2684 2360 3lfxrrl.exe 87 PID 2360 wrote to memory of 2684 2360 3lfxrrl.exe 87 PID 2360 wrote to memory of 2684 2360 3lfxrrl.exe 87 PID 2684 wrote to memory of 4396 2684 ppvvp.exe 88 PID 2684 wrote to memory of 4396 2684 ppvvp.exe 88 PID 2684 wrote to memory of 4396 2684 ppvvp.exe 88 PID 4396 wrote to memory of 1204 4396 9btnhh.exe 89 PID 4396 wrote to memory of 1204 4396 9btnhh.exe 89 PID 4396 wrote to memory of 1204 4396 9btnhh.exe 89 PID 1204 wrote to memory of 232 1204 jdpjj.exe 90 PID 1204 wrote to memory of 232 1204 jdpjj.exe 90 PID 1204 wrote to memory of 232 1204 jdpjj.exe 90 PID 232 wrote to memory of 4488 232 ddjdd.exe 91 PID 232 wrote to memory of 4488 232 ddjdd.exe 91 PID 232 wrote to memory of 4488 232 ddjdd.exe 91 PID 4488 wrote to memory of 4128 4488 3dddd.exe 92 PID 4488 wrote to memory of 4128 4488 3dddd.exe 92 PID 4488 wrote to memory of 4128 4488 3dddd.exe 92 PID 4128 wrote to memory of 4640 4128 xfxlxxl.exe 93 PID 4128 wrote to memory of 4640 4128 xfxlxxl.exe 93 PID 4128 wrote to memory of 4640 4128 xfxlxxl.exe 93 PID 4640 wrote to memory of 2080 4640 nbhbhh.exe 94 PID 4640 wrote to memory of 2080 4640 
nbhbhh.exe 94 PID 4640 wrote to memory of 2080 4640 nbhbhh.exe 94 PID 2080 wrote to memory of 4148 2080 vjddv.exe 95 PID 2080 wrote to memory of 4148 2080 vjddv.exe 95 PID 2080 wrote to memory of 4148 2080 vjddv.exe 95 PID 4148 wrote to memory of 224 4148 frlxrlf.exe 96 PID 4148 wrote to memory of 224 4148 frlxrlf.exe 96 PID 4148 wrote to memory of 224 4148 frlxrlf.exe 96 PID 224 wrote to memory of 3584 224 dpppp.exe 97 PID 224 wrote to memory of 3584 224 dpppp.exe 97 PID 224 wrote to memory of 3584 224 dpppp.exe 97 PID 3584 wrote to memory of 5040 3584 3xrrlll.exe 98 PID 3584 wrote to memory of 5040 3584 3xrrlll.exe 98 PID 3584 wrote to memory of 5040 3584 3xrrlll.exe 98 PID 5040 wrote to memory of 4324 5040 vvjpp.exe 99 PID 5040 wrote to memory of 4324 5040 vvjpp.exe 99 PID 5040 wrote to memory of 4324 5040 vvjpp.exe 99 PID 4324 wrote to memory of 1108 4324 3fxrrrl.exe 100 PID 4324 wrote to memory of 1108 4324 3fxrrrl.exe 100 PID 4324 wrote to memory of 1108 4324 3fxrrrl.exe 100 PID 1108 wrote to memory of 2828 1108 ttnbtn.exe 101 PID 1108 wrote to memory of 2828 1108 ttnbtn.exe 101 PID 1108 wrote to memory of 2828 1108 ttnbtn.exe 101 PID 2828 wrote to memory of 4872 2828 thnnhh.exe 102 PID 2828 wrote to memory of 4872 2828 thnnhh.exe 102 PID 2828 wrote to memory of 4872 2828 thnnhh.exe 102 PID 4872 wrote to memory of 1972 4872 jpdvp.exe 103 PID 4872 wrote to memory of 1972 4872 jpdvp.exe 103 PID 4872 wrote to memory of 1972 4872 jpdvp.exe 103 PID 1972 wrote to memory of 760 1972 5nnnbb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe"C:\Users\Admin\AppData\Local\Temp\ff1329ef875231339790a5801c27e70e6ad6fcfeb8bb93b8df483ee3dca83bae.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\pppvv.exec:\pppvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\ntbnhh.exec:\ntbnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\ddjdv.exec:\ddjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\3lfxrrl.exec:\3lfxrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\ppvvp.exec:\ppvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\9btnhh.exec:\9btnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\jdpjj.exec:\jdpjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\ddjdd.exec:\ddjdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\3dddd.exec:\3dddd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\xfxlxxl.exec:\xfxlxxl.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\nbhbhh.exec:\nbhbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\vjddv.exec:\vjddv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\frlxrlf.exec:\frlxrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\dpppp.exec:\dpppp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\3xrrlll.exec:\3xrrlll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\vvjpp.exec:\vvjpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\3fxrrrl.exec:\3fxrrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\ttnbtn.exec:\ttnbtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\thnnhh.exec:\thnnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\jpdvp.exec:\jpdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\5nnnbb.exec:\5nnnbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\rxxxrrr.exec:\rxxxrrr.exe23⤵
- Executes dropped EXE
PID:760 -
\??\c:\vpjjd.exec:\vpjjd.exe24⤵
- Executes dropped EXE
PID:3768 -
\??\c:\hbbbnn.exec:\hbbbnn.exe25⤵
- Executes dropped EXE
PID:2816 -
\??\c:\jpjjd.exec:\jpjjd.exe26⤵
- Executes dropped EXE
PID:4604 -
\??\c:\hbhbtt.exec:\hbhbtt.exe27⤵
- Executes dropped EXE
PID:4976 -
\??\c:\ddpjd.exec:\ddpjd.exe28⤵
- Executes dropped EXE
PID:2108 -
\??\c:\5lrrllf.exec:\5lrrllf.exe29⤵
- Executes dropped EXE
PID:4404 -
\??\c:\ntntnn.exec:\ntntnn.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2472 -
\??\c:\7frfllf.exec:\7frfllf.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3580 -
\??\c:\btbtnt.exec:\btbtnt.exe32⤵
- Executes dropped EXE
PID:1912 -
\??\c:\1lrlfff.exec:\1lrlfff.exe33⤵
- Executes dropped EXE
PID:1440 -
\??\c:\nbttbb.exec:\nbttbb.exe34⤵
- Executes dropped EXE
PID:548 -
\??\c:\llffxxx.exec:\llffxxx.exe35⤵
- Executes dropped EXE
PID:2872 -
\??\c:\bhhbbb.exec:\bhhbbb.exe36⤵
- Executes dropped EXE
PID:2824 -
\??\c:\9jjdd.exec:\9jjdd.exe37⤵
- Executes dropped EXE
PID:3900 -
\??\c:\xxrrlrx.exec:\xxrrlrx.exe38⤵
- Executes dropped EXE
PID:4596 -
\??\c:\hnhhhh.exec:\hnhhhh.exe39⤵
- Executes dropped EXE
PID:1392 -
\??\c:\djjjd.exec:\djjjd.exe40⤵
- Executes dropped EXE
PID:2884 -
\??\c:\xxrxrrr.exec:\xxrxrrr.exe41⤵
- Executes dropped EXE
PID:3600 -
\??\c:\ppddp.exec:\ppddp.exe42⤵
- Executes dropped EXE
PID:1572 -
\??\c:\rffrlrr.exec:\rffrlrr.exe43⤵
- Executes dropped EXE
PID:3448 -
\??\c:\3nnhbt.exec:\3nnhbt.exe44⤵
- Executes dropped EXE
PID:1420 -
\??\c:\dppjj.exec:\dppjj.exe45⤵
- Executes dropped EXE
PID:1864 -
\??\c:\jjppp.exec:\jjppp.exe46⤵
- Executes dropped EXE
PID:3876 -
\??\c:\ffxxffx.exec:\ffxxffx.exe47⤵
- Executes dropped EXE
PID:3928 -
\??\c:\hhtnhn.exec:\hhtnhn.exe48⤵
- Executes dropped EXE
PID:216 -
\??\c:\djppp.exec:\djppp.exe49⤵
- Executes dropped EXE
PID:452 -
\??\c:\lrrllfx.exec:\lrrllfx.exe50⤵
- Executes dropped EXE
PID:896 -
\??\c:\5bbtnh.exec:\5bbtnh.exe51⤵
- Executes dropped EXE
PID:4120 -
\??\c:\vvvjj.exec:\vvvjj.exe52⤵
- Executes dropped EXE
PID:2588 -
\??\c:\frlrflx.exec:\frlrflx.exe53⤵
- Executes dropped EXE
PID:2412 -
\??\c:\nntttt.exec:\nntttt.exe54⤵
- Executes dropped EXE
PID:1568 -
\??\c:\vpjjp.exec:\vpjjp.exe55⤵
- Executes dropped EXE
PID:1160 -
\??\c:\3vjjv.exec:\3vjjv.exe56⤵
- Executes dropped EXE
PID:4304 -
\??\c:\xllffff.exec:\xllffff.exe57⤵
- Executes dropped EXE
PID:1336 -
\??\c:\djjjj.exec:\djjjj.exe58⤵
- Executes dropped EXE
PID:4968 -
\??\c:\xflllrf.exec:\xflllrf.exe59⤵
- Executes dropped EXE
PID:2708 -
\??\c:\7llfrfr.exec:\7llfrfr.exe60⤵
- Executes dropped EXE
PID:116 -
\??\c:\hnnttb.exec:\hnnttb.exe61⤵
- Executes dropped EXE
PID:1576 -
\??\c:\jppjd.exec:\jppjd.exe62⤵
- Executes dropped EXE
PID:4140 -
\??\c:\flxxrxr.exec:\flxxrxr.exe63⤵
- Executes dropped EXE
PID:4520 -
\??\c:\ntnnhh.exec:\ntnnhh.exe64⤵
- Executes dropped EXE
PID:4204 -
\??\c:\jpddd.exec:\jpddd.exe65⤵
- Executes dropped EXE
PID:5060 -
\??\c:\lrxxxxf.exec:\lrxxxxf.exe66⤵PID:3668
-
\??\c:\3xllfff.exec:\3xllfff.exe67⤵PID:4764
-
\??\c:\hnbbnn.exec:\hnbbnn.exe68⤵PID:4408
-
\??\c:\5ppjd.exec:\5ppjd.exe69⤵PID:3576
-
\??\c:\9xfllrr.exec:\9xfllrr.exe70⤵PID:880
-
\??\c:\xllllrx.exec:\xllllrx.exe71⤵PID:2268
-
\??\c:\pdjvv.exec:\pdjvv.exe72⤵PID:2820
-
\??\c:\pddvv.exec:\pddvv.exe73⤵PID:400
-
\??\c:\1ffffll.exec:\1ffffll.exe74⤵PID:1748
-
\??\c:\nbhnnn.exec:\nbhnnn.exe75⤵PID:964
-
\??\c:\jjjpj.exec:\jjjpj.exe76⤵PID:5040
-
\??\c:\fxxxxff.exec:\fxxxxff.exe77⤵PID:3368
-
\??\c:\hnnnnn.exec:\hnnnnn.exe78⤵PID:3812
-
\??\c:\jvjdj.exec:\jvjdj.exe79⤵PID:2392
-
\??\c:\rxrrlll.exec:\rxrrlll.exe80⤵PID:4952
-
\??\c:\3bbbtn.exec:\3bbbtn.exe81⤵PID:4004
-
\??\c:\bthhhh.exec:\bthhhh.exe82⤵PID:3556
-
\??\c:\vpppp.exec:\vpppp.exe83⤵PID:3172
-
\??\c:\1fxxxff.exec:\1fxxxff.exe84⤵PID:4900
-
\??\c:\hhnhhh.exec:\hhnhhh.exe85⤵PID:1152
-
\??\c:\9dddd.exec:\9dddd.exe86⤵PID:4528
-
\??\c:\djdvv.exec:\djdvv.exe87⤵PID:1408
-
\??\c:\rlrxxrf.exec:\rlrxxrf.exe88⤵PID:4008
-
\??\c:\bbbbbb.exec:\bbbbbb.exe89⤵PID:3572
-
\??\c:\pvddd.exec:\pvddd.exe90⤵PID:4644
-
\??\c:\llxxxxx.exec:\llxxxxx.exe91⤵PID:432
-
\??\c:\7rxxxrr.exec:\7rxxxrr.exe92⤵PID:2668
-
\??\c:\thbhhn.exec:\thbhhn.exe93⤵PID:3956
-
\??\c:\vjpjj.exec:\vjpjj.exe94⤵PID:2688
-
\??\c:\lllllll.exec:\lllllll.exe95⤵PID:3580
-
\??\c:\bnntnn.exec:\bnntnn.exe96⤵PID:2868
-
\??\c:\dpdpd.exec:\dpdpd.exe97⤵PID:996
-
\??\c:\llxxxff.exec:\llxxxff.exe98⤵PID:1684
-
\??\c:\bnttth.exec:\bnttth.exe99⤵PID:3108
-
\??\c:\vjjdv.exec:\vjjdv.exe100⤵PID:3664
-
\??\c:\ffllxxr.exec:\ffllxxr.exe101⤵PID:1992
-
\??\c:\bhhnnb.exec:\bhhnnb.exe102⤵PID:1600
-
\??\c:\hntbbh.exec:\hntbbh.exe103⤵PID:4972
-
\??\c:\dpdvp.exec:\dpdvp.exe104⤵PID:1352
-
\??\c:\llxxxrx.exec:\llxxxrx.exe105⤵PID:4492
-
\??\c:\nhbbtb.exec:\nhbbtb.exe106⤵PID:2776
-
\??\c:\ddddv.exec:\ddddv.exe107⤵PID:1572
-
\??\c:\ppppp.exec:\ppppp.exe108⤵PID:4288
-
\??\c:\rlxxrxx.exec:\rlxxrxx.exe109⤵PID:1420
-
\??\c:\btbtnn.exec:\btbtnn.exe110⤵PID:2544
-
\??\c:\vpdjd.exec:\vpdjd.exe111⤵PID:448
-
\??\c:\jvddj.exec:\jvddj.exe112⤵PID:4072
-
\??\c:\3fxrrrr.exec:\3fxrrrr.exe113⤵PID:2336
-
\??\c:\hhhhbb.exec:\hhhhbb.exe114⤵PID:4452
-
\??\c:\ddjdv.exec:\ddjdv.exe115⤵PID:4500
-
\??\c:\ppjpp.exec:\ppjpp.exe116⤵PID:2528
-
\??\c:\lfrrrll.exec:\lfrrrll.exe117⤵PID:2712
-
\??\c:\tnnnnn.exec:\tnnnnn.exe118⤵PID:4672
-
\??\c:\pvvpv.exec:\pvvpv.exe119⤵PID:3432
-
\??\c:\7xxxxxx.exec:\7xxxxxx.exe120⤵PID:3084
-
\??\c:\hbhhnt.exec:\hbhhnt.exe121⤵PID:756
-
\??\c:\vddpp.exec:\vddpp.exe122⤵PID:4032