Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1b8f36ff1350ff793463e0fa37e4a3db092d4bb52be47a8390cb67cc55433c40.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1b8f36ff1350ff793463e0fa37e4a3db092d4bb52be47a8390cb67cc55433c40.exe
-
Size
454KB
-
MD5
316f3f69f06f9a81a12bd79317a438c8
-
SHA1
4aa92d00c10aa7492b64c80cebcdcac22a3b80d6
-
SHA256
1b8f36ff1350ff793463e0fa37e4a3db092d4bb52be47a8390cb67cc55433c40
-
SHA512
a4a0172dfdb4fd86a37b8ea50bf94971c539667ba323d2250eeddb17513372be7bcca6aaaee2238da8492c8c8e086d7fd4820812f97711b9b8364e5abc02c192
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/1036-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/848-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4540-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-858-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-973-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 736 ppdvp.exe 3644 btbhtb.exe 1696 jvpjv.exe 1048 9ffrllf.exe 632 jvvpd.exe 2780 bhhhbt.exe 3820 rfllxrf.exe 4856 lxfxrrl.exe 2656 lxxlfrl.exe 2932 pjdpj.exe 1148 3hbnhh.exe 4772 jpvpj.exe 112 xlrflrx.exe 3004 thnhbb.exe 3428 9btnhh.exe 4216 xlrlffx.exe 3484 jdpjd.exe 1268 rffxrrl.exe 1936 nbhhhn.exe 2836 dvpjv.exe 1992 tttnhh.exe 848 lrfrxrx.exe 3612 jvpjd.exe 392 9pvpp.exe 2212 5vppj.exe 3868 hhbhhb.exe 2600 lxxrfxr.exe 1668 jppvp.exe 3804 frrrlll.exe 4524 hthbbb.exe 3064 bbnnnt.exe 2272 pdddv.exe 3384 bttnbb.exe 208 htthtn.exe 1912 ddvdd.exe 2488 rffxrlf.exe 1556 3bbtnt.exe 1216 pdppj.exe 1744 fxfxxxl.exe 2692 rxxrfxr.exe 2284 vpvvj.exe 5068 fflrllf.exe 1540 1nbtnh.exe 1412 jddvp.exe 3276 fxlflll.exe 2980 nntnnn.exe 1164 pdjjd.exe 4352 lrxrllx.exe 4728 tnthnh.exe 3632 djpdv.exe 4588 jvjdv.exe 2252 xrrrllf.exe 2808 bntnhh.exe 2892 vpjdd.exe 3208 vvvpp.exe 3556 rflfxrl.exe 1572 ttbbnt.exe 3828 vdpjd.exe 4540 dvjjd.exe 3668 fxxrrll.exe 1804 bbtnnh.exe 4136 vpvpp.exe 1056 fxfrlfx.exe 4576 thbnhb.exe -
resource yara_rule behavioral2/memory/1036-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-140-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/392-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-307-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2024-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-701-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1036 wrote to memory of 736 1036 1b8f36ff1350ff793463e0fa37e4a3db092d4bb52be47a8390cb67cc55433c40.exe 82 PID 1036 wrote to memory of 736 1036 1b8f36ff1350ff793463e0fa37e4a3db092d4bb52be47a8390cb67cc55433c40.exe 82 PID 1036 wrote to memory of 736 1036 1b8f36ff1350ff793463e0fa37e4a3db092d4bb52be47a8390cb67cc55433c40.exe 82 PID 736 wrote to memory of 3644 736 ppdvp.exe 83 PID 736 wrote to memory of 3644 736 ppdvp.exe 83 PID 736 wrote to memory of 3644 736 ppdvp.exe 83 PID 3644 wrote to memory of 1696 3644 btbhtb.exe 84 PID 3644 wrote to memory of 1696 3644 btbhtb.exe 84 PID 3644 wrote to memory of 1696 3644 btbhtb.exe 84 PID 1696 wrote to memory of 1048 1696 jvpjv.exe 85 PID 1696 wrote to memory of 1048 1696 jvpjv.exe 85 PID 1696 wrote to memory of 1048 1696 jvpjv.exe 85 PID 1048 wrote to memory of 632 1048 9ffrllf.exe 86 PID 1048 wrote to memory of 632 1048 9ffrllf.exe 86 PID 1048 wrote to memory of 632 1048 9ffrllf.exe 86 PID 632 wrote to memory of 2780 632 jvvpd.exe 87 PID 632 wrote to memory of 2780 632 jvvpd.exe 87 PID 632 wrote to memory of 2780 632 jvvpd.exe 87 PID 2780 wrote to memory of 3820 2780 bhhhbt.exe 88 PID 2780 wrote to memory of 3820 2780 bhhhbt.exe 88 PID 2780 wrote to memory of 3820 2780 bhhhbt.exe 88 PID 3820 wrote to memory of 4856 3820 rfllxrf.exe 89 PID 3820 wrote to memory of 4856 3820 rfllxrf.exe 89 PID 3820 wrote to memory of 4856 3820 rfllxrf.exe 89 PID 4856 wrote to memory of 2656 4856 lxfxrrl.exe 90 PID 4856 wrote to memory of 2656 4856 lxfxrrl.exe 90 PID 4856 wrote to memory of 2656 4856 lxfxrrl.exe 90 PID 2656 wrote to memory of 2932 2656 lxxlfrl.exe 91 PID 2656 wrote to memory of 2932 2656 lxxlfrl.exe 91 PID 2656 wrote to memory of 2932 2656 lxxlfrl.exe 91 PID 2932 wrote to memory of 1148 2932 pjdpj.exe 92 PID 2932 wrote to memory of 1148 2932 pjdpj.exe 92 PID 2932 wrote to memory of 1148 2932 pjdpj.exe 92 PID 1148 wrote to memory of 4772 1148 3hbnhh.exe 93 PID 1148 wrote to memory of 4772 1148 
3hbnhh.exe 93 PID 1148 wrote to memory of 4772 1148 3hbnhh.exe 93 PID 4772 wrote to memory of 112 4772 jpvpj.exe 94 PID 4772 wrote to memory of 112 4772 jpvpj.exe 94 PID 4772 wrote to memory of 112 4772 jpvpj.exe 94 PID 112 wrote to memory of 3004 112 xlrflrx.exe 95 PID 112 wrote to memory of 3004 112 xlrflrx.exe 95 PID 112 wrote to memory of 3004 112 xlrflrx.exe 95 PID 3004 wrote to memory of 3428 3004 thnhbb.exe 96 PID 3004 wrote to memory of 3428 3004 thnhbb.exe 96 PID 3004 wrote to memory of 3428 3004 thnhbb.exe 96 PID 3428 wrote to memory of 4216 3428 9btnhh.exe 97 PID 3428 wrote to memory of 4216 3428 9btnhh.exe 97 PID 3428 wrote to memory of 4216 3428 9btnhh.exe 97 PID 4216 wrote to memory of 3484 4216 xlrlffx.exe 98 PID 4216 wrote to memory of 3484 4216 xlrlffx.exe 98 PID 4216 wrote to memory of 3484 4216 xlrlffx.exe 98 PID 3484 wrote to memory of 1268 3484 jdpjd.exe 99 PID 3484 wrote to memory of 1268 3484 jdpjd.exe 99 PID 3484 wrote to memory of 1268 3484 jdpjd.exe 99 PID 1268 wrote to memory of 1936 1268 rffxrrl.exe 100 PID 1268 wrote to memory of 1936 1268 rffxrrl.exe 100 PID 1268 wrote to memory of 1936 1268 rffxrrl.exe 100 PID 1936 wrote to memory of 2836 1936 nbhhhn.exe 101 PID 1936 wrote to memory of 2836 1936 nbhhhn.exe 101 PID 1936 wrote to memory of 2836 1936 nbhhhn.exe 101 PID 2836 wrote to memory of 1992 2836 dvpjv.exe 102 PID 2836 wrote to memory of 1992 2836 dvpjv.exe 102 PID 2836 wrote to memory of 1992 2836 dvpjv.exe 102 PID 1992 wrote to memory of 848 1992 tttnhh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b8f36ff1350ff793463e0fa37e4a3db092d4bb52be47a8390cb67cc55433c40.exe"C:\Users\Admin\AppData\Local\Temp\1b8f36ff1350ff793463e0fa37e4a3db092d4bb52be47a8390cb67cc55433c40.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\ppdvp.exec:\ppdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\btbhtb.exec:\btbhtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\jvpjv.exec:\jvpjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\9ffrllf.exec:\9ffrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\jvvpd.exec:\jvvpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\bhhhbt.exec:\bhhhbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\rfllxrf.exec:\rfllxrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\lxxlfrl.exec:\lxxlfrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\pjdpj.exec:\pjdpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\3hbnhh.exec:\3hbnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\jpvpj.exec:\jpvpj.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\xlrflrx.exec:\xlrflrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\thnhbb.exec:\thnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\9btnhh.exec:\9btnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\xlrlffx.exec:\xlrlffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\jdpjd.exec:\jdpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\rffxrrl.exec:\rffxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\nbhhhn.exec:\nbhhhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\dvpjv.exec:\dvpjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\tttnhh.exec:\tttnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\lrfrxrx.exec:\lrfrxrx.exe23⤵
- Executes dropped EXE
PID:848 -
\??\c:\jvpjd.exec:\jvpjd.exe24⤵
- Executes dropped EXE
PID:3612 -
\??\c:\9pvpp.exec:\9pvpp.exe25⤵
- Executes dropped EXE
PID:392 -
\??\c:\5vppj.exec:\5vppj.exe26⤵
- Executes dropped EXE
PID:2212 -
\??\c:\hhbhhb.exec:\hhbhhb.exe27⤵
- Executes dropped EXE
PID:3868 -
\??\c:\lxxrfxr.exec:\lxxrfxr.exe28⤵
- Executes dropped EXE
PID:2600 -
\??\c:\jppvp.exec:\jppvp.exe29⤵
- Executes dropped EXE
PID:1668 -
\??\c:\frrrlll.exec:\frrrlll.exe30⤵
- Executes dropped EXE
PID:3804 -
\??\c:\hthbbb.exec:\hthbbb.exe31⤵
- Executes dropped EXE
PID:4524 -
\??\c:\bbnnnt.exec:\bbnnnt.exe32⤵
- Executes dropped EXE
PID:3064 -
\??\c:\pdddv.exec:\pdddv.exe33⤵
- Executes dropped EXE
PID:2272 -
\??\c:\bttnbb.exec:\bttnbb.exe34⤵
- Executes dropped EXE
PID:3384 -
\??\c:\htthtn.exec:\htthtn.exe35⤵
- Executes dropped EXE
PID:208 -
\??\c:\ddvdd.exec:\ddvdd.exe36⤵
- Executes dropped EXE
PID:1912 -
\??\c:\rffxrlf.exec:\rffxrlf.exe37⤵
- Executes dropped EXE
PID:2488 -
\??\c:\3bbtnt.exec:\3bbtnt.exe38⤵
- Executes dropped EXE
PID:1556 -
\??\c:\pdppj.exec:\pdppj.exe39⤵
- Executes dropped EXE
PID:1216 -
\??\c:\fxfxxxl.exec:\fxfxxxl.exe40⤵
- Executes dropped EXE
PID:1744 -
\??\c:\rxxrfxr.exec:\rxxrfxr.exe41⤵
- Executes dropped EXE
PID:2692 -
\??\c:\vpvvj.exec:\vpvvj.exe42⤵
- Executes dropped EXE
PID:2284 -
\??\c:\fflrllf.exec:\fflrllf.exe43⤵
- Executes dropped EXE
PID:5068 -
\??\c:\1nbtnh.exec:\1nbtnh.exe44⤵
- Executes dropped EXE
PID:1540 -
\??\c:\jddvp.exec:\jddvp.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1412 -
\??\c:\fxlflll.exec:\fxlflll.exe46⤵
- Executes dropped EXE
PID:3276 -
\??\c:\nntnnn.exec:\nntnnn.exe47⤵
- Executes dropped EXE
PID:2980 -
\??\c:\pdjjd.exec:\pdjjd.exe48⤵
- Executes dropped EXE
PID:1164 -
\??\c:\lrxrllx.exec:\lrxrllx.exe49⤵
- Executes dropped EXE
PID:4352 -
\??\c:\tnthnh.exec:\tnthnh.exe50⤵
- Executes dropped EXE
PID:4728 -
\??\c:\djpdv.exec:\djpdv.exe51⤵
- Executes dropped EXE
PID:3632 -
\??\c:\jvjdv.exec:\jvjdv.exe52⤵
- Executes dropped EXE
PID:4588 -
\??\c:\xrrrllf.exec:\xrrrllf.exe53⤵
- Executes dropped EXE
PID:2252 -
\??\c:\bntnhh.exec:\bntnhh.exe54⤵
- Executes dropped EXE
PID:2808 -
\??\c:\vpjdd.exec:\vpjdd.exe55⤵
- Executes dropped EXE
PID:2892 -
\??\c:\vvvpp.exec:\vvvpp.exe56⤵
- Executes dropped EXE
PID:3208 -
\??\c:\rflfxrl.exec:\rflfxrl.exe57⤵
- Executes dropped EXE
PID:3556 -
\??\c:\ttbbnt.exec:\ttbbnt.exe58⤵
- Executes dropped EXE
PID:1572 -
\??\c:\vdpjd.exec:\vdpjd.exe59⤵
- Executes dropped EXE
PID:3828 -
\??\c:\dvjjd.exec:\dvjjd.exe60⤵
- Executes dropped EXE
PID:4540 -
\??\c:\fxxrrll.exec:\fxxrrll.exe61⤵
- Executes dropped EXE
PID:3668 -
\??\c:\bbtnnh.exec:\bbtnnh.exe62⤵
- Executes dropped EXE
PID:1804 -
\??\c:\vpvpp.exec:\vpvpp.exe63⤵
- Executes dropped EXE
PID:4136 -
\??\c:\fxfrlfx.exec:\fxfrlfx.exe64⤵
- Executes dropped EXE
PID:1056 -
\??\c:\thbnhb.exec:\thbnhb.exe65⤵
- Executes dropped EXE
PID:4576 -
\??\c:\dppjv.exec:\dppjv.exe66⤵PID:2716
-
\??\c:\xflfrrl.exec:\xflfrrl.exe67⤵PID:3024
-
\??\c:\flxrrff.exec:\flxrrff.exe68⤵PID:3500
-
\??\c:\9hhbbt.exec:\9hhbbt.exe69⤵PID:1332
-
\??\c:\dddjd.exec:\dddjd.exe70⤵PID:4772
-
\??\c:\xrrlrrx.exec:\xrrlrrx.exe71⤵PID:2024
-
\??\c:\nhnnhh.exec:\nhnnhh.exe72⤵PID:3012
-
\??\c:\tnhbtn.exec:\tnhbtn.exe73⤵PID:4424
-
\??\c:\7jpjv.exec:\7jpjv.exe74⤵PID:2020
-
\??\c:\3lxlfxr.exec:\3lxlfxr.exe75⤵PID:3428
-
\??\c:\bttnhb.exec:\bttnhb.exe76⤵PID:4996
-
\??\c:\jdvjd.exec:\jdvjd.exe77⤵PID:3484
-
\??\c:\xxxlxrl.exec:\xxxlxrl.exe78⤵PID:5000
-
\??\c:\1lrlrrl.exec:\1lrlrrl.exe79⤵PID:3240
-
\??\c:\hhnhtt.exec:\hhnhtt.exe80⤵PID:1428
-
\??\c:\vpjvp.exec:\vpjvp.exe81⤵PID:2224
-
\??\c:\rflfxrl.exec:\rflfxrl.exe82⤵PID:4612
-
\??\c:\ffxfxxr.exec:\ffxfxxr.exe83⤵
- System Location Discovery: System Language Discovery
PID:1528 -
\??\c:\3nnnhb.exec:\3nnnhb.exe84⤵PID:1896
-
\??\c:\ppdvd.exec:\ppdvd.exe85⤵PID:4408
-
\??\c:\xrrlxxl.exec:\xrrlxxl.exe86⤵PID:3528
-
\??\c:\llrfxlf.exec:\llrfxlf.exe87⤵PID:3612
-
\??\c:\thnhbb.exec:\thnhbb.exe88⤵PID:3968
-
\??\c:\vvjjd.exec:\vvjjd.exe89⤵PID:2812
-
\??\c:\xxxxxrx.exec:\xxxxxrx.exe90⤵PID:4060
-
\??\c:\hthbtt.exec:\hthbtt.exe91⤵PID:4020
-
\??\c:\hbbnbt.exec:\hbbnbt.exe92⤵PID:1724
-
\??\c:\pvddd.exec:\pvddd.exe93⤵PID:1120
-
\??\c:\9xxrllf.exec:\9xxrllf.exe94⤵PID:5024
-
\??\c:\thhtnb.exec:\thhtnb.exe95⤵PID:2036
-
\??\c:\jjpjp.exec:\jjpjp.exe96⤵PID:3768
-
\??\c:\rxlfffx.exec:\rxlfffx.exe97⤵PID:1524
-
\??\c:\nhhnht.exec:\nhhnht.exe98⤵PID:3492
-
\??\c:\pvjdd.exec:\pvjdd.exe99⤵PID:380
-
\??\c:\lrrrxfr.exec:\lrrrxfr.exe100⤵PID:4644
-
\??\c:\fffxfxl.exec:\fffxfxl.exe101⤵PID:1616
-
\??\c:\nhnhbt.exec:\nhnhbt.exe102⤵PID:1232
-
\??\c:\pjjdv.exec:\pjjdv.exe103⤵PID:3052
-
\??\c:\xrxrrfr.exec:\xrxrrfr.exe104⤵PID:2488
-
\??\c:\7fflfxl.exec:\7fflfxl.exe105⤵PID:4628
-
\??\c:\htbttn.exec:\htbttn.exe106⤵PID:4788
-
\??\c:\vjdvp.exec:\vjdvp.exe107⤵PID:4640
-
\??\c:\rrrxrrl.exec:\rrrxrrl.exe108⤵PID:2708
-
\??\c:\hbnntn.exec:\hbnntn.exe109⤵PID:2116
-
\??\c:\vvvpd.exec:\vvvpd.exe110⤵PID:4808
-
\??\c:\pvpjd.exec:\pvpjd.exe111⤵PID:912
-
\??\c:\xffrllf.exec:\xffrllf.exe112⤵PID:3016
-
\??\c:\tbnhnh.exec:\tbnhnh.exe113⤵PID:1444
-
\??\c:\jjdvp.exec:\jjdvp.exe114⤵PID:4308
-
\??\c:\vjpjv.exec:\vjpjv.exe115⤵PID:1760
-
\??\c:\rlrxllx.exec:\rlrxllx.exe116⤵PID:4852
-
\??\c:\9tthbb.exec:\9tthbb.exe117⤵PID:4940
-
\??\c:\dddvv.exec:\dddvv.exe118⤵PID:1036
-
\??\c:\dvjjp.exec:\dvjjp.exe119⤵PID:3644
-
\??\c:\fllfrrx.exec:\fllfrrx.exe120⤵PID:4720
-
\??\c:\hbbtnn.exec:\hbbtnn.exe121⤵PID:2252
-
\??\c:\dvppj.exec:\dvppj.exe122⤵PID:4228