Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9b2dca201b20107f2263ef202815d8f0d1a9091b1fcf28d8507965b08a131673.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9b2dca201b20107f2263ef202815d8f0d1a9091b1fcf28d8507965b08a131673.exe
-
Size
454KB
-
MD5
56e75b960fa28cf112e4ec4af67256ac
-
SHA1
8d83c919a3339465ccc53732b176bfc44b3983c9
-
SHA256
9b2dca201b20107f2263ef202815d8f0d1a9091b1fcf28d8507965b08a131673
-
SHA512
190c83660c7de82c2123ce1242a06f70687e721ae09c550d744ac8f87df7d7fbe24615d14f1c8c93d721c40a17b65cd029172faec7545ecedb078ab8e3c4a6e3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeg:q7Tc2NYHUrAwfMp3CDg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4480-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2848-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/788-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/432-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-1130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-1218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-1228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-1253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1092-1608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4480 ppjvp.exe 1092 lfrrflf.exe 1548 1vddp.exe 1308 tntnhb.exe 2412 djdpp.exe 1424 1rlfxxr.exe 3528 xxflrxx.exe 2728 3tthth.exe 1004 nbbtnn.exe 2152 lflffxr.exe 4360 nhhtnn.exe 1856 jdjjj.exe 3996 xrlfxxr.exe 2400 tbnhtt.exe 4840 lffrlrr.exe 804 lffxrlf.exe 860 1tthhb.exe 3476 vjvdp.exe 4348 pjpjv.exe 1212 vdjvj.exe 3944 xxxlxlr.exe 5100 dpdvj.exe 5004 rflrlxx.exe 1596 vpvvp.exe 2680 9rlfxxr.exe 1800 1rfxfxf.exe 2548 thhthh.exe 2848 jvvpj.exe 788 rlrflfl.exe 4076 tbhhbb.exe 3632 9ntthh.exe 1176 ddvdv.exe 1920 xrxrxrr.exe 4188 9ntttn.exe 3252 5jppp.exe 2292 thnhbb.exe 3644 htthtt.exe 392 ddvpv.exe 1700 fxxlxrl.exe 1200 9nhbtn.exe 1900 tthhbh.exe 2992 jjjdp.exe 2952 bbhbtn.exe 812 pvjvd.exe 3880 xllxlfx.exe 2912 hthbtn.exe 1160 dpvpj.exe 4568 xlxrrlx.exe 2240 hbbtnn.exe 4260 pjvpd.exe 2900 ppvpj.exe 1944 rrlfxrl.exe 2632 tttthh.exe 4460 hhhbbh.exe 1192 vdjvp.exe 5032 7flxxrx.exe 2480 tnhnth.exe 1224 tnnhbt.exe 3888 dvpjd.exe 2888 lfrrffx.exe 4548 hbbnnb.exe 1544 ddvpj.exe 3116 rfxrrrr.exe 4540 hbttbt.exe -
resource yara_rule behavioral2/memory/4480-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/788-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3632-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-379-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3172-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-991-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-1130-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thbtt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2852 wrote to memory of 4480 2852 9b2dca201b20107f2263ef202815d8f0d1a9091b1fcf28d8507965b08a131673.exe 82 PID 2852 wrote to memory of 4480 2852 9b2dca201b20107f2263ef202815d8f0d1a9091b1fcf28d8507965b08a131673.exe 82 PID 2852 wrote to memory of 4480 2852 9b2dca201b20107f2263ef202815d8f0d1a9091b1fcf28d8507965b08a131673.exe 82 PID 4480 wrote to memory of 1092 4480 ppjvp.exe 83 PID 4480 wrote to memory of 1092 4480 ppjvp.exe 83 PID 4480 wrote to memory of 1092 4480 ppjvp.exe 83 PID 1092 wrote to memory of 1548 1092 lfrrflf.exe 84 PID 1092 wrote to memory of 1548 1092 lfrrflf.exe 84 PID 1092 wrote to memory of 1548 1092 lfrrflf.exe 84 PID 1548 wrote to memory of 1308 1548 1vddp.exe 85 PID 1548 wrote to memory of 1308 1548 1vddp.exe 85 PID 1548 wrote to memory of 1308 1548 1vddp.exe 85 PID 1308 wrote to memory of 2412 1308 tntnhb.exe 86 PID 1308 wrote to memory of 2412 1308 tntnhb.exe 86 PID 1308 wrote to memory of 2412 1308 tntnhb.exe 86 PID 2412 wrote to memory of 1424 2412 djdpp.exe 87 PID 2412 wrote to memory of 1424 2412 djdpp.exe 87 PID 2412 wrote to memory of 1424 2412 djdpp.exe 87 PID 1424 wrote to memory of 3528 1424 1rlfxxr.exe 88 PID 1424 wrote to memory of 3528 1424 1rlfxxr.exe 88 PID 1424 wrote to memory of 3528 1424 1rlfxxr.exe 88 PID 3528 wrote to memory of 2728 3528 xxflrxx.exe 89 PID 3528 wrote to memory of 2728 3528 xxflrxx.exe 89 PID 3528 wrote to memory of 2728 3528 xxflrxx.exe 89 PID 2728 wrote to memory of 1004 2728 3tthth.exe 90 PID 2728 wrote to memory of 1004 2728 3tthth.exe 90 PID 2728 wrote to memory of 1004 2728 3tthth.exe 90 PID 1004 wrote to memory of 2152 1004 nbbtnn.exe 91 PID 1004 wrote to memory of 2152 1004 nbbtnn.exe 91 PID 1004 wrote to memory of 2152 1004 nbbtnn.exe 91 PID 2152 wrote to memory of 4360 2152 lflffxr.exe 92 PID 2152 wrote to memory of 4360 2152 lflffxr.exe 92 PID 2152 wrote to memory of 4360 2152 lflffxr.exe 92 PID 4360 wrote to memory of 1856 4360 nhhtnn.exe 93 PID 4360 wrote 
to memory of 1856 4360 nhhtnn.exe 93 PID 4360 wrote to memory of 1856 4360 nhhtnn.exe 93 PID 1856 wrote to memory of 3996 1856 jdjjj.exe 94 PID 1856 wrote to memory of 3996 1856 jdjjj.exe 94 PID 1856 wrote to memory of 3996 1856 jdjjj.exe 94 PID 3996 wrote to memory of 2400 3996 xrlfxxr.exe 95 PID 3996 wrote to memory of 2400 3996 xrlfxxr.exe 95 PID 3996 wrote to memory of 2400 3996 xrlfxxr.exe 95 PID 2400 wrote to memory of 4840 2400 tbnhtt.exe 96 PID 2400 wrote to memory of 4840 2400 tbnhtt.exe 96 PID 2400 wrote to memory of 4840 2400 tbnhtt.exe 96 PID 4840 wrote to memory of 804 4840 lffrlrr.exe 97 PID 4840 wrote to memory of 804 4840 lffrlrr.exe 97 PID 4840 wrote to memory of 804 4840 lffrlrr.exe 97 PID 804 wrote to memory of 860 804 lffxrlf.exe 98 PID 804 wrote to memory of 860 804 lffxrlf.exe 98 PID 804 wrote to memory of 860 804 lffxrlf.exe 98 PID 860 wrote to memory of 3476 860 1tthhb.exe 99 PID 860 wrote to memory of 3476 860 1tthhb.exe 99 PID 860 wrote to memory of 3476 860 1tthhb.exe 99 PID 3476 wrote to memory of 4348 3476 vjvdp.exe 100 PID 3476 wrote to memory of 4348 3476 vjvdp.exe 100 PID 3476 wrote to memory of 4348 3476 vjvdp.exe 100 PID 4348 wrote to memory of 1212 4348 pjpjv.exe 101 PID 4348 wrote to memory of 1212 4348 pjpjv.exe 101 PID 4348 wrote to memory of 1212 4348 pjpjv.exe 101 PID 1212 wrote to memory of 3944 1212 vdjvj.exe 102 PID 1212 wrote to memory of 3944 1212 vdjvj.exe 102 PID 1212 wrote to memory of 3944 1212 vdjvj.exe 102 PID 3944 wrote to memory of 5100 3944 xxxlxlr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b2dca201b20107f2263ef202815d8f0d1a9091b1fcf28d8507965b08a131673.exe"C:\Users\Admin\AppData\Local\Temp\9b2dca201b20107f2263ef202815d8f0d1a9091b1fcf28d8507965b08a131673.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\ppjvp.exec:\ppjvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\lfrrflf.exec:\lfrrflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\1vddp.exec:\1vddp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\tntnhb.exec:\tntnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\djdpp.exec:\djdpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\1rlfxxr.exec:\1rlfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\xxflrxx.exec:\xxflrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\3tthth.exec:\3tthth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\nbbtnn.exec:\nbbtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\lflffxr.exec:\lflffxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\nhhtnn.exec:\nhhtnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\jdjjj.exec:\jdjjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\tbnhtt.exec:\tbnhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\lffrlrr.exec:\lffrlrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\lffxrlf.exec:\lffxrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\1tthhb.exec:\1tthhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\vjvdp.exec:\vjvdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\pjpjv.exec:\pjpjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\vdjvj.exec:\vdjvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\xxxlxlr.exec:\xxxlxlr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\dpdvj.exec:\dpdvj.exe23⤵
- Executes dropped EXE
PID:5100 -
\??\c:\rflrlxx.exec:\rflrlxx.exe24⤵
- Executes dropped EXE
PID:5004 -
\??\c:\vpvvp.exec:\vpvvp.exe25⤵
- Executes dropped EXE
PID:1596 -
\??\c:\9rlfxxr.exec:\9rlfxxr.exe26⤵
- Executes dropped EXE
PID:2680 -
\??\c:\1rfxfxf.exec:\1rfxfxf.exe27⤵
- Executes dropped EXE
PID:1800 -
\??\c:\thhthh.exec:\thhthh.exe28⤵
- Executes dropped EXE
PID:2548 -
\??\c:\jvvpj.exec:\jvvpj.exe29⤵
- Executes dropped EXE
PID:2848 -
\??\c:\rlrflfl.exec:\rlrflfl.exe30⤵
- Executes dropped EXE
PID:788 -
\??\c:\tbhhbb.exec:\tbhhbb.exe31⤵
- Executes dropped EXE
PID:4076 -
\??\c:\9ntthh.exec:\9ntthh.exe32⤵
- Executes dropped EXE
PID:3632 -
\??\c:\ddvdv.exec:\ddvdv.exe33⤵
- Executes dropped EXE
PID:1176 -
\??\c:\xrxrxrr.exec:\xrxrxrr.exe34⤵
- Executes dropped EXE
PID:1920 -
\??\c:\9ntttn.exec:\9ntttn.exe35⤵
- Executes dropped EXE
PID:4188 -
\??\c:\5jppp.exec:\5jppp.exe36⤵
- Executes dropped EXE
PID:3252 -
\??\c:\thnhbb.exec:\thnhbb.exe37⤵
- Executes dropped EXE
PID:2292 -
\??\c:\htthtt.exec:\htthtt.exe38⤵
- Executes dropped EXE
PID:3644 -
\??\c:\ddvpv.exec:\ddvpv.exe39⤵
- Executes dropped EXE
PID:392 -
\??\c:\fxxlxrl.exec:\fxxlxrl.exe40⤵
- Executes dropped EXE
PID:1700 -
\??\c:\9nhbtn.exec:\9nhbtn.exe41⤵
- Executes dropped EXE
PID:1200 -
\??\c:\tthhbh.exec:\tthhbh.exe42⤵
- Executes dropped EXE
PID:1900 -
\??\c:\jjjdp.exec:\jjjdp.exe43⤵
- Executes dropped EXE
PID:2992 -
\??\c:\bbhbtn.exec:\bbhbtn.exe44⤵
- Executes dropped EXE
PID:2952 -
\??\c:\pvjvd.exec:\pvjvd.exe45⤵
- Executes dropped EXE
PID:812 -
\??\c:\xllxlfx.exec:\xllxlfx.exe46⤵
- Executes dropped EXE
PID:3880 -
\??\c:\hthbtn.exec:\hthbtn.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912 -
\??\c:\dpvpj.exec:\dpvpj.exe48⤵
- Executes dropped EXE
PID:1160 -
\??\c:\lxfxlll.exec:\lxfxlll.exe49⤵PID:4448
-
\??\c:\xlxrrlx.exec:\xlxrrlx.exe50⤵
- Executes dropped EXE
PID:4568 -
\??\c:\hbbtnn.exec:\hbbtnn.exe51⤵
- Executes dropped EXE
PID:2240 -
\??\c:\pjvpd.exec:\pjvpd.exe52⤵
- Executes dropped EXE
PID:4260 -
\??\c:\ppvpj.exec:\ppvpj.exe53⤵
- Executes dropped EXE
PID:2900 -
\??\c:\rrlfxrl.exec:\rrlfxrl.exe54⤵
- Executes dropped EXE
PID:1944 -
\??\c:\tttthh.exec:\tttthh.exe55⤵
- Executes dropped EXE
PID:2632 -
\??\c:\hhhbbh.exec:\hhhbbh.exe56⤵
- Executes dropped EXE
PID:4460 -
\??\c:\vdjvp.exec:\vdjvp.exe57⤵
- Executes dropped EXE
PID:1192 -
\??\c:\7flxxrx.exec:\7flxxrx.exe58⤵
- Executes dropped EXE
PID:5032 -
\??\c:\tnhnth.exec:\tnhnth.exe59⤵
- Executes dropped EXE
PID:2480 -
\??\c:\tnnhbt.exec:\tnnhbt.exe60⤵
- Executes dropped EXE
PID:1224 -
\??\c:\dvpjd.exec:\dvpjd.exe61⤵
- Executes dropped EXE
PID:3888 -
\??\c:\lfrrffx.exec:\lfrrffx.exe62⤵
- Executes dropped EXE
PID:2888 -
\??\c:\hbbnnb.exec:\hbbnnb.exe63⤵
- Executes dropped EXE
PID:4548 -
\??\c:\ddvpj.exec:\ddvpj.exe64⤵
- Executes dropped EXE
PID:1544 -
\??\c:\rfxrrrr.exec:\rfxrrrr.exe65⤵
- Executes dropped EXE
PID:3116 -
\??\c:\hbttbt.exec:\hbttbt.exe66⤵
- Executes dropped EXE
PID:4540 -
\??\c:\vjdvp.exec:\vjdvp.exe67⤵PID:1264
-
\??\c:\ffrfxxx.exec:\ffrfxxx.exe68⤵PID:3608
-
\??\c:\flrrlll.exec:\flrrlll.exe69⤵PID:852
-
\??\c:\nnnttb.exec:\nnnttb.exe70⤵PID:3988
-
\??\c:\dppjd.exec:\dppjd.exe71⤵PID:4944
-
\??\c:\dvpjv.exec:\dvpjv.exe72⤵PID:3996
-
\??\c:\lfllrlr.exec:\lfllrlr.exe73⤵PID:2068
-
\??\c:\nbbbhh.exec:\nbbbhh.exe74⤵PID:4280
-
\??\c:\pjpjd.exec:\pjpjd.exe75⤵PID:4472
-
\??\c:\xxfrlxr.exec:\xxfrlxr.exe76⤵PID:4976
-
\??\c:\xxxxrrr.exec:\xxxxrrr.exe77⤵PID:804
-
\??\c:\hbbtnn.exec:\hbbtnn.exe78⤵PID:2360
-
\??\c:\dddvp.exec:\dddvp.exe79⤵PID:3640
-
\??\c:\9lrrllx.exec:\9lrrllx.exe80⤵PID:4440
-
\??\c:\lffxrrl.exec:\lffxrrl.exe81⤵PID:4324
-
\??\c:\httnbh.exec:\httnbh.exe82⤵PID:4204
-
\??\c:\jvvpj.exec:\jvvpj.exe83⤵PID:432
-
\??\c:\fffxrlf.exec:\fffxrlf.exe84⤵
- System Location Discovery: System Language Discovery
PID:5024 -
\??\c:\hbbtnn.exec:\hbbtnn.exe85⤵PID:2204
-
\??\c:\nnttnb.exec:\nnttnb.exe86⤵PID:2876
-
\??\c:\jjpjd.exec:\jjpjd.exe87⤵PID:4244
-
\??\c:\rxfxrff.exec:\rxfxrff.exe88⤵PID:3960
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe89⤵PID:3452
-
\??\c:\hbtttt.exec:\hbtttt.exe90⤵PID:1392
-
\??\c:\dvvpd.exec:\dvvpd.exe91⤵PID:2548
-
\??\c:\xlrllfx.exec:\xlrllfx.exe92⤵PID:2000
-
\??\c:\bnhttt.exec:\bnhttt.exe93⤵PID:3600
-
\??\c:\ppjjd.exec:\ppjjd.exe94⤵PID:2848
-
\??\c:\3xlxrlx.exec:\3xlxrlx.exe95⤵PID:788
-
\??\c:\rfxlfxl.exec:\rfxlfxl.exe96⤵PID:3172
-
\??\c:\thtnhh.exec:\thtnhh.exe97⤵PID:4240
-
\??\c:\pjjvp.exec:\pjjvp.exe98⤵PID:4972
-
\??\c:\9lxlxrf.exec:\9lxlxrf.exe99⤵PID:4356
-
\??\c:\httnbt.exec:\httnbt.exe100⤵PID:4384
-
\??\c:\nbtnth.exec:\nbtnth.exe101⤵PID:1796
-
\??\c:\djpjv.exec:\djpjv.exe102⤵PID:2328
-
\??\c:\1rlfxxr.exec:\1rlfxxr.exe103⤵PID:3252
-
\??\c:\lffxlll.exec:\lffxlll.exe104⤵PID:3240
-
\??\c:\dvjdv.exec:\dvjdv.exe105⤵PID:3644
-
\??\c:\3fxxfxl.exec:\3fxxfxl.exe106⤵PID:3372
-
\??\c:\3xrfrlx.exec:\3xrfrlx.exe107⤵PID:2308
-
\??\c:\httnhh.exec:\httnhh.exe108⤵PID:1824
-
\??\c:\jvvpv.exec:\jvvpv.exe109⤵PID:2056
-
\??\c:\fxfxxxf.exec:\fxfxxxf.exe110⤵PID:544
-
\??\c:\frfffff.exec:\frfffff.exe111⤵PID:4544
-
\??\c:\1ntntt.exec:\1ntntt.exe112⤵PID:4224
-
\??\c:\jvvpp.exec:\jvvpp.exe113⤵PID:4344
-
\??\c:\dvvpj.exec:\dvvpj.exe114⤵PID:620
-
\??\c:\xrrrlll.exec:\xrrrlll.exe115⤵PID:1044
-
\??\c:\bhhthb.exec:\bhhthb.exe116⤵PID:1172
-
\??\c:\5jppd.exec:\5jppd.exe117⤵PID:4380
-
\??\c:\lfflffx.exec:\lfflffx.exe118⤵PID:2852
-
\??\c:\xxrflff.exec:\xxrflff.exe119⤵PID:1560
-
\??\c:\bnbtnb.exec:\bnbtnb.exe120⤵PID:4260
-
\??\c:\vvvdp.exec:\vvvdp.exe121⤵PID:2900
-
\??\c:\9frxllf.exec:\9frxllf.exe122⤵PID:2864