Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2ce68fc1a596f8ea2e381e810270fff1421696a5db6ec89700eacf8010d8ed40N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
2ce68fc1a596f8ea2e381e810270fff1421696a5db6ec89700eacf8010d8ed40N.exe
-
Size
453KB
-
MD5
fd126e0c26dafcfb66d137c4ebef3d60
-
SHA1
d6966232c847765c88bc1c3f765de026d90fc736
-
SHA256
2ce68fc1a596f8ea2e381e810270fff1421696a5db6ec89700eacf8010d8ed40
-
SHA512
6c60fabf2b66edb6835f656ef466442ea63891cd8a7a6913b440ae44c7bf0f0bbaf819f40d866a4bc180273c08cbf78bda7a9936098c22ee630ee3f671d4c6ce
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures (every IoC below is tagged behavioral2, i.e. the windows10-2004_x64 run listed under Analysis; the behavioral1 / windows7-x64 task listed above is a separate run whose results are not reproduced on this page)
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs — the family classification rests on the yara rule tagged family_blackmoon matching the same in-memory image range (0x00400000-0x0042A000) in each dropped process; the same ranges also match the upx rule further down, so the rule is firing on the unpacked image of each spawned copy. The memory-dump list is capped at 64 entries and does not cover the full process tree shown below.
resource yara_rule behavioral2/memory/2764-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4180-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3092-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-992-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-1029-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-1171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-1578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1664-1771-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — this listing is capped at 64 entries (vvvpj.exe through 1nnbth.exe, tree depth 2-65). The process tree below continues past depth 65 to depth 122 with the same drop-and-run pattern; the absence of the "Executes dropped EXE" tag on entries from 7ttbth.exe (depth 66) onward reflects the cap, not a change in behaviour.
pid Process 3412 vvvpj.exe 2740 1lxrlff.exe 4928 htbtnn.exe 4100 3xllffl.exe 4228 lfrlffx.exe 1196 hbnhbb.exe 1576 pjdvv.exe 1200 5xfxrrl.exe 4212 lrlffxx.exe 396 pjpjd.exe 2536 frrrrrr.exe 4976 tnhthb.exe 2572 pvvvp.exe 2168 rlxfrrl.exe 1928 lrlfllf.exe 5104 1tbbtb.exe 4744 vppvp.exe 3092 rllfxrf.exe 3024 thbnbn.exe 1232 jpdpj.exe 1952 lxlxrrl.exe 2152 tnbtbh.exe 388 lffrlrl.exe 932 htbttn.exe 4108 lxlfxxx.exe 3128 jpvvv.exe 2656 nntbtn.exe 4180 lllfrrl.exe 2112 ttbttn.exe 4540 xrlffxr.exe 4432 7djdv.exe 4656 7fflxll.exe 4440 5vvvp.exe 1832 9vjjd.exe 3520 dvvpp.exe 1276 rfllfff.exe 3176 5tbbtb.exe 3260 vvdvp.exe 3144 hthbtb.exe 2244 1pppj.exe 4528 1lfxrrr.exe 3548 thbtbb.exe 4988 vdjdd.exe 4724 rrfrxxx.exe 4476 3flfflf.exe 1508 tthhbh.exe 664 3ddvp.exe 1268 xxfrfxr.exe 4600 3fllrff.exe 2404 hhtnhh.exe 5000 pvjdd.exe 1500 lflllll.exe 4912 hhttbb.exe 720 jdjjd.exe 4968 5fxrfxr.exe 2652 rrfxrrl.exe 2472 hhbbtt.exe 2896 3dpjv.exe 4848 xfrflfx.exe 4232 3bhtbb.exe 2380 hhbthn.exe 3512 pvvpj.exe 4552 xlfxfxf.exe 2428 1nnbth.exe -
resource yara_rule behavioral2/memory/3412-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-178-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4432-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1892-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-992-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-1029-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-1171-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs — rows whose Process column reads "Process not Found" are registry-open events whose originating process could no longer be resolved by the sandbox, which is consistent with the short-lived processes and PID reuse visible in the tree below (e.g. PID 1928 and PID 3092 each appear twice as different images).
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Every hit here is an open of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; a read of that key is commonly associated with locale-based execution gating, but the open alone does not show whether the sample changes behaviour based on the value it reads.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xlflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfffxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — each parent is recorded writing three times into the memory of the child it has just spawned (2764 → 3412 → 2740 → 4928 → ...), exactly mirroring the parent/child chain in the process tree below; no writes into unrelated or pre-existing processes appear. The listing is capped at 64 events, which is why it ends mid-triplet at 1952 → 2152 (depth 22 → 23) and why the "Suspicious use of WriteProcessMemory" tag disappears from tree entries after lxlxrrl.exe.
description pid Process procid_target PID 2764 wrote to memory of 3412 2764 2ce68fc1a596f8ea2e381e810270fff1421696a5db6ec89700eacf8010d8ed40N.exe 83 PID 2764 wrote to memory of 3412 2764 2ce68fc1a596f8ea2e381e810270fff1421696a5db6ec89700eacf8010d8ed40N.exe 83 PID 2764 wrote to memory of 3412 2764 2ce68fc1a596f8ea2e381e810270fff1421696a5db6ec89700eacf8010d8ed40N.exe 83 PID 3412 wrote to memory of 2740 3412 vvvpj.exe 84 PID 3412 wrote to memory of 2740 3412 vvvpj.exe 84 PID 3412 wrote to memory of 2740 3412 vvvpj.exe 84 PID 2740 wrote to memory of 4928 2740 1lxrlff.exe 85 PID 2740 wrote to memory of 4928 2740 1lxrlff.exe 85 PID 2740 wrote to memory of 4928 2740 1lxrlff.exe 85 PID 4928 wrote to memory of 4100 4928 htbtnn.exe 86 PID 4928 wrote to memory of 4100 4928 htbtnn.exe 86 PID 4928 wrote to memory of 4100 4928 htbtnn.exe 86 PID 4100 wrote to memory of 4228 4100 3xllffl.exe 87 PID 4100 wrote to memory of 4228 4100 3xllffl.exe 87 PID 4100 wrote to memory of 4228 4100 3xllffl.exe 87 PID 4228 wrote to memory of 1196 4228 lfrlffx.exe 88 PID 4228 wrote to memory of 1196 4228 lfrlffx.exe 88 PID 4228 wrote to memory of 1196 4228 lfrlffx.exe 88 PID 1196 wrote to memory of 1576 1196 hbnhbb.exe 89 PID 1196 wrote to memory of 1576 1196 hbnhbb.exe 89 PID 1196 wrote to memory of 1576 1196 hbnhbb.exe 89 PID 1576 wrote to memory of 1200 1576 pjdvv.exe 90 PID 1576 wrote to memory of 1200 1576 pjdvv.exe 90 PID 1576 wrote to memory of 1200 1576 pjdvv.exe 90 PID 1200 wrote to memory of 4212 1200 5xfxrrl.exe 91 PID 1200 wrote to memory of 4212 1200 5xfxrrl.exe 91 PID 1200 wrote to memory of 4212 1200 5xfxrrl.exe 91 PID 4212 wrote to memory of 396 4212 lrlffxx.exe 92 PID 4212 wrote to memory of 396 4212 lrlffxx.exe 92 PID 4212 wrote to memory of 396 4212 lrlffxx.exe 92 PID 396 wrote to memory of 2536 396 pjpjd.exe 93 PID 396 wrote to memory of 2536 396 pjpjd.exe 93 PID 396 wrote to memory of 2536 396 pjpjd.exe 93 PID 2536 wrote to memory of 4976 2536 frrrrrr.exe 94 PID 2536 wrote to 
memory of 4976 2536 frrrrrr.exe 94 PID 2536 wrote to memory of 4976 2536 frrrrrr.exe 94 PID 4976 wrote to memory of 2572 4976 tnhthb.exe 95 PID 4976 wrote to memory of 2572 4976 tnhthb.exe 95 PID 4976 wrote to memory of 2572 4976 tnhthb.exe 95 PID 2572 wrote to memory of 2168 2572 pvvvp.exe 96 PID 2572 wrote to memory of 2168 2572 pvvvp.exe 96 PID 2572 wrote to memory of 2168 2572 pvvvp.exe 96 PID 2168 wrote to memory of 1928 2168 rlxfrrl.exe 97 PID 2168 wrote to memory of 1928 2168 rlxfrrl.exe 97 PID 2168 wrote to memory of 1928 2168 rlxfrrl.exe 97 PID 1928 wrote to memory of 5104 1928 lrlfllf.exe 98 PID 1928 wrote to memory of 5104 1928 lrlfllf.exe 98 PID 1928 wrote to memory of 5104 1928 lrlfllf.exe 98 PID 5104 wrote to memory of 4744 5104 1tbbtb.exe 99 PID 5104 wrote to memory of 4744 5104 1tbbtb.exe 99 PID 5104 wrote to memory of 4744 5104 1tbbtb.exe 99 PID 4744 wrote to memory of 3092 4744 vppvp.exe 100 PID 4744 wrote to memory of 3092 4744 vppvp.exe 100 PID 4744 wrote to memory of 3092 4744 vppvp.exe 100 PID 3092 wrote to memory of 3024 3092 rllfxrf.exe 101 PID 3092 wrote to memory of 3024 3092 rllfxrf.exe 101 PID 3092 wrote to memory of 3024 3092 rllfxrf.exe 101 PID 3024 wrote to memory of 1232 3024 thbnbn.exe 102 PID 3024 wrote to memory of 1232 3024 thbnbn.exe 102 PID 3024 wrote to memory of 1232 3024 thbnbn.exe 102 PID 1232 wrote to memory of 1952 1232 jpdpj.exe 103 PID 1232 wrote to memory of 1952 1232 jpdpj.exe 103 PID 1232 wrote to memory of 1952 1232 jpdpj.exe 103 PID 1952 wrote to memory of 2152 1952 lxlxrrl.exe 104
Processes — each entry reads: image path, command line, tree depth (⤵), then the signatures that hit on that process and its PID. The tree is a strictly linear chain: the submitted sample drops one executable, runs it, and each dropped executable in turn drops and runs the next, down to depth 122 within the 120 s run. Points worth noting for detection and triage: every dropped file is written to and executed from the root of the system drive (\??\c:\<name>.exe), with short names drawn from a small alphabet (b, d, f, h, j, l, n, p, r, t, v, x, optionally prefixed by a digit); and several PIDs recur as different images (1928, 3092, 1952, 2152, 388, 3520, 4432, 4600, 2404, 4928, 2896), so earlier processes had exited and the memory-dump IoCs above that share a PID (e.g. 1928-95 vs 1928-322) refer to different processes.
-
C:\Users\Admin\AppData\Local\Temp\2ce68fc1a596f8ea2e381e810270fff1421696a5db6ec89700eacf8010d8ed40N.exe"C:\Users\Admin\AppData\Local\Temp\2ce68fc1a596f8ea2e381e810270fff1421696a5db6ec89700eacf8010d8ed40N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\vvvpj.exec:\vvvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\1lxrlff.exec:\1lxrlff.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\htbtnn.exec:\htbtnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\3xllffl.exec:\3xllffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\lfrlffx.exec:\lfrlffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\hbnhbb.exec:\hbnhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\pjdvv.exec:\pjdvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\5xfxrrl.exec:\5xfxrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\lrlffxx.exec:\lrlffxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\pjpjd.exec:\pjpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\frrrrrr.exec:\frrrrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\tnhthb.exec:\tnhthb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\pvvvp.exec:\pvvvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\rlxfrrl.exec:\rlxfrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\lrlfllf.exec:\lrlfllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\1tbbtb.exec:\1tbbtb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\vppvp.exec:\vppvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\rllfxrf.exec:\rllfxrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\thbnbn.exec:\thbnbn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\jpdpj.exec:\jpdpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\lxlxrrl.exec:\lxlxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\tnbtbh.exec:\tnbtbh.exe23⤵
- Executes dropped EXE
PID:2152 -
\??\c:\lffrlrl.exec:\lffrlrl.exe24⤵
- Executes dropped EXE
PID:388 -
\??\c:\htbttn.exec:\htbttn.exe25⤵
- Executes dropped EXE
PID:932 -
\??\c:\lxlfxxx.exec:\lxlfxxx.exe26⤵
- Executes dropped EXE
PID:4108 -
\??\c:\jpvvv.exec:\jpvvv.exe27⤵
- Executes dropped EXE
PID:3128 -
\??\c:\nntbtn.exec:\nntbtn.exe28⤵
- Executes dropped EXE
PID:2656 -
\??\c:\lllfrrl.exec:\lllfrrl.exe29⤵
- Executes dropped EXE
PID:4180 -
\??\c:\ttbttn.exec:\ttbttn.exe30⤵
- Executes dropped EXE
PID:2112 -
\??\c:\xrlffxr.exec:\xrlffxr.exe31⤵
- Executes dropped EXE
PID:4540 -
\??\c:\7djdv.exec:\7djdv.exe32⤵
- Executes dropped EXE
PID:4432 -
\??\c:\7fflxll.exec:\7fflxll.exe33⤵
- Executes dropped EXE
PID:4656 -
\??\c:\5vvvp.exec:\5vvvp.exe34⤵
- Executes dropped EXE
PID:4440 -
\??\c:\9vjjd.exec:\9vjjd.exe35⤵
- Executes dropped EXE
PID:1832 -
\??\c:\dvvpp.exec:\dvvpp.exe36⤵
- Executes dropped EXE
PID:3520 -
\??\c:\rfllfff.exec:\rfllfff.exe37⤵
- Executes dropped EXE
PID:1276 -
\??\c:\5tbbtb.exec:\5tbbtb.exe38⤵
- Executes dropped EXE
PID:3176 -
\??\c:\vvdvp.exec:\vvdvp.exe39⤵
- Executes dropped EXE
PID:3260 -
\??\c:\hthbtb.exec:\hthbtb.exe40⤵
- Executes dropped EXE
PID:3144 -
\??\c:\1pppj.exec:\1pppj.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2244 -
\??\c:\1lfxrrr.exec:\1lfxrrr.exe42⤵
- Executes dropped EXE
PID:4528 -
\??\c:\thbtbb.exec:\thbtbb.exe43⤵
- Executes dropped EXE
PID:3548 -
\??\c:\vdjdd.exec:\vdjdd.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4988 -
\??\c:\rrfrxxx.exec:\rrfrxxx.exe45⤵
- Executes dropped EXE
PID:4724 -
\??\c:\3flfflf.exec:\3flfflf.exe46⤵
- Executes dropped EXE
PID:4476 -
\??\c:\tthhbh.exec:\tthhbh.exe47⤵
- Executes dropped EXE
PID:1508 -
\??\c:\3ddvp.exec:\3ddvp.exe48⤵
- Executes dropped EXE
PID:664 -
\??\c:\xxfrfxr.exec:\xxfrfxr.exe49⤵
- Executes dropped EXE
PID:1268 -
\??\c:\3fllrff.exec:\3fllrff.exe50⤵
- Executes dropped EXE
PID:4600 -
\??\c:\hhtnhh.exec:\hhtnhh.exe51⤵
- Executes dropped EXE
PID:2404 -
\??\c:\pvjdd.exec:\pvjdd.exe52⤵
- Executes dropped EXE
PID:5000 -
\??\c:\lflllll.exec:\lflllll.exe53⤵
- Executes dropped EXE
PID:1500 -
\??\c:\hhttbb.exec:\hhttbb.exe54⤵
- Executes dropped EXE
PID:4912 -
\??\c:\jdjjd.exec:\jdjjd.exe55⤵
- Executes dropped EXE
PID:720 -
\??\c:\5fxrfxr.exec:\5fxrfxr.exe56⤵
- Executes dropped EXE
PID:4968 -
\??\c:\rrfxrrl.exec:\rrfxrrl.exe57⤵
- Executes dropped EXE
PID:2652 -
\??\c:\hhbbtt.exec:\hhbbtt.exe58⤵
- Executes dropped EXE
PID:2472 -
\??\c:\3dpjv.exec:\3dpjv.exe59⤵
- Executes dropped EXE
PID:2896 -
\??\c:\xfrflfx.exec:\xfrflfx.exe60⤵
- Executes dropped EXE
PID:4848 -
\??\c:\3bhtbb.exec:\3bhtbb.exe61⤵
- Executes dropped EXE
PID:4232 -
\??\c:\hhbthn.exec:\hhbthn.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2380 -
\??\c:\pvvpj.exec:\pvvpj.exe63⤵
- Executes dropped EXE
PID:3512 -
\??\c:\xlfxfxf.exec:\xlfxfxf.exe64⤵
- Executes dropped EXE
PID:4552 -
\??\c:\1nnbth.exec:\1nnbth.exe65⤵
- Executes dropped EXE
PID:2428 -
\??\c:\7ttbth.exec:\7ttbth.exe66⤵PID:4620
-
\??\c:\pdjdv.exec:\pdjdv.exe67⤵PID:2804
-
\??\c:\1xflflf.exec:\1xflflf.exe68⤵PID:1704
-
\??\c:\nnbnhh.exec:\nnbnhh.exe69⤵PID:4664
-
\??\c:\1tthbb.exec:\1tthbb.exe70⤵PID:4812
-
\??\c:\jjpjd.exec:\jjpjd.exe71⤵PID:4364
-
\??\c:\xrllfxr.exec:\xrllfxr.exe72⤵PID:1928
-
\??\c:\bnnhtt.exec:\bnnhtt.exe73⤵PID:964
-
\??\c:\jvjdv.exec:\jvjdv.exe74⤵PID:3308
-
\??\c:\frlxllf.exec:\frlxllf.exe75⤵PID:4828
-
\??\c:\fffxrll.exec:\fffxrll.exe76⤵PID:3092
-
\??\c:\hbhbtt.exec:\hbhbtt.exe77⤵PID:2020
-
\??\c:\vvdvp.exec:\vvdvp.exe78⤵PID:1952
-
\??\c:\3pjjd.exec:\3pjjd.exe79⤵PID:4104
-
\??\c:\rllfxxr.exec:\rllfxxr.exe80⤵PID:2792
-
\??\c:\3ththh.exec:\3ththh.exe81⤵PID:2152
-
\??\c:\pjvjv.exec:\pjvjv.exe82⤵
- System Location Discovery: System Language Discovery
PID:388 -
\??\c:\lffxrll.exec:\lffxrll.exe83⤵PID:2916
-
\??\c:\tthbtt.exec:\tthbtt.exe84⤵PID:3524
-
\??\c:\7djdv.exec:\7djdv.exe85⤵PID:760
-
\??\c:\7lrlxxx.exec:\7lrlxxx.exe86⤵PID:2872
-
\??\c:\3lrlrrr.exec:\3lrlrrr.exe87⤵PID:1892
-
\??\c:\bhnhbb.exec:\bhnhbb.exe88⤵PID:4508
-
\??\c:\5ddvp.exec:\5ddvp.exe89⤵PID:3060
-
\??\c:\xfrlxxr.exec:\xfrlxxr.exe90⤵PID:5016
-
\??\c:\tnbttn.exec:\tnbttn.exe91⤵PID:1060
-
\??\c:\nnhbtt.exec:\nnhbtt.exe92⤵PID:3384
-
\??\c:\pdjdj.exec:\pdjdj.exe93⤵PID:4432
-
\??\c:\llrfxxr.exec:\llrfxxr.exe94⤵PID:2208
-
\??\c:\hbhbtt.exec:\hbhbtt.exe95⤵PID:1756
-
\??\c:\hhthbt.exec:\hhthbt.exe96⤵PID:3972
-
\??\c:\vdpjj.exec:\vdpjj.exe97⤵PID:4544
-
\??\c:\xfrfrrl.exec:\xfrfrrl.exe98⤵PID:3520
-
\??\c:\7xxxrxx.exec:\7xxxrxx.exe99⤵PID:3096
-
\??\c:\hthbtt.exec:\hthbtt.exe100⤵PID:3872
-
\??\c:\bhtnnn.exec:\bhtnnn.exe101⤵PID:4172
-
\??\c:\vdvvj.exec:\vdvvj.exe102⤵PID:2372
-
\??\c:\1xlffxf.exec:\1xlffxf.exe103⤵PID:3564
-
\??\c:\rrfxxxf.exec:\rrfxxxf.exe104⤵PID:2800
-
\??\c:\1htbbb.exec:\1htbbb.exe105⤵PID:3932
-
\??\c:\vppvp.exec:\vppvp.exe106⤵PID:2464
-
\??\c:\7jdpv.exec:\7jdpv.exe107⤵PID:3544
-
\??\c:\3nnhtt.exec:\3nnhtt.exe108⤵PID:2092
-
\??\c:\3hnhhh.exec:\3hnhhh.exe109⤵PID:228
-
\??\c:\vpvjd.exec:\vpvjd.exe110⤵PID:2100
-
\??\c:\xxxflfr.exec:\xxxflfr.exe111⤵PID:4472
-
\??\c:\lfxlxfr.exec:\lfxlxfr.exe112⤵PID:4340
-
\??\c:\ttntbb.exec:\ttntbb.exe113⤵PID:4600
-
\??\c:\ppdpj.exec:\ppdpj.exe114⤵PID:2404
-
\??\c:\xflfxlf.exec:\xflfxlf.exe115⤵PID:3436
-
\??\c:\rfxlffx.exec:\rfxlffx.exe116⤵PID:1076
-
\??\c:\1hhtth.exec:\1hhtth.exe117⤵PID:3644
-
\??\c:\5djjv.exec:\5djjv.exe118⤵PID:4928
-
\??\c:\5ffxxxr.exec:\5ffxxxr.exe119⤵PID:3848
-
\??\c:\llxxlll.exec:\llxxlll.exe120⤵PID:4592
-
\??\c:\3hhbnh.exec:\3hhbnh.exe121⤵PID:2948
-
\??\c:\7dpjd.exec:\7dpjd.exe122⤵PID:2896