Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 19:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe
-
Size
456KB
-
MD5
b98f985e83248678de7723f497de6437
-
SHA1
49fb5cf04f2e827ce87926552a53d6c3bb0fc681
-
SHA256
ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4
-
SHA512
84e0922fce6494edfbf25b6fb5447bb5115b67adee9f01bc1ebbdd12ab6164527f52f3100bdbe3910b9524d13f1d2a46bee934c9e2a2b60d5c61b3d33cdb2ad0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1212-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/764-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2372-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-1234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-1253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-1347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1440 tnbbhh.exe 2112 vppjd.exe 5008 xxrxrxr.exe 3168 bhtthh.exe 2228 rrxxrrr.exe 1256 nhbbhh.exe 4872 lrxrllf.exe 4608 hntthn.exe 4312 ddpjj.exe 4280 1rllffx.exe 4228 5dpjj.exe 208 5rxxrrl.exe 3268 pvvjd.exe 3132 fxxrxrl.exe 2696 pdpdv.exe 2432 rrrrlll.exe 4880 dvdvv.exe 812 1nhhbb.exe 1184 vjvvv.exe 1348 rrrfxxx.exe 1608 pvdpd.exe 3196 9lrfxfx.exe 3192 rlfxrrl.exe 4332 pvpjj.exe 1644 3hhtnn.exe 2296 ppppp.exe 4432 1rrlllf.exe 3116 9bnhhh.exe 1668 pjjvp.exe 764 nhnhbb.exe 4752 3tnbhn.exe 2088 lllfxlr.exe 3556 thnhbh.exe 1576 9ffxrrl.exe 1604 9lfxrlf.exe 4780 bhnhbb.exe 3788 ppdvv.exe 1788 rllfxrl.exe 2948 lllfxxr.exe 2392 1tttnt.exe 4716 vddvp.exe 3500 rlfxffl.exe 3568 9bnnhb.exe 2192 1ntnnt.exe 2072 pdppd.exe 232 7frlffx.exe 4680 1nbttt.exe 2180 ttnhnn.exe 396 vppjj.exe 4300 1xrlffx.exe 4288 9xrrrll.exe 4488 nhbtnn.exe 1440 vdpjd.exe 2580 5rrlxxx.exe 4468 bbhbnh.exe 3896 1dddj.exe 3868 flrlxrl.exe 3928 nhhbnn.exe 2448 vvvpd.exe 1596 lxfrrff.exe 4600 nhnhhb.exe 1256 5nbtnn.exe 4892 dvjvp.exe 2152 rfffxrl.exe -
resource yara_rule behavioral2/memory/1212-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1668-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-333-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1348-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-808-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-1234-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllflf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1212 wrote to memory of 1440 1212 ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe 82 PID 1212 wrote to memory of 1440 1212 ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe 82 PID 1212 wrote to memory of 1440 1212 ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe 82 PID 1440 wrote to memory of 2112 1440 tnbbhh.exe 83 PID 1440 wrote to memory of 2112 1440 tnbbhh.exe 83 PID 1440 wrote to memory of 2112 1440 tnbbhh.exe 83 PID 2112 wrote to memory of 5008 2112 vppjd.exe 84 PID 2112 wrote to memory of 5008 2112 vppjd.exe 84 PID 2112 wrote to memory of 5008 2112 vppjd.exe 84 PID 5008 wrote to memory of 3168 5008 xxrxrxr.exe 85 PID 5008 wrote to memory of 3168 5008 xxrxrxr.exe 85 PID 5008 wrote to memory of 3168 5008 xxrxrxr.exe 85 PID 3168 wrote to memory of 2228 3168 bhtthh.exe 86 PID 3168 wrote to memory of 2228 3168 bhtthh.exe 86 PID 3168 wrote to memory of 2228 3168 bhtthh.exe 86 PID 2228 wrote to memory of 1256 2228 rrxxrrr.exe 87 PID 2228 wrote to memory of 1256 2228 rrxxrrr.exe 87 PID 2228 wrote to memory of 1256 2228 rrxxrrr.exe 87 PID 1256 wrote to memory of 4872 1256 nhbbhh.exe 88 PID 1256 wrote to memory of 4872 1256 nhbbhh.exe 88 PID 1256 wrote to memory of 4872 1256 nhbbhh.exe 88 PID 4872 wrote to memory of 4608 4872 lrxrllf.exe 89 PID 4872 wrote to memory of 4608 4872 lrxrllf.exe 89 PID 4872 wrote to memory of 4608 4872 lrxrllf.exe 89 PID 4608 wrote to memory of 4312 4608 hntthn.exe 90 PID 4608 wrote to memory of 4312 4608 hntthn.exe 90 PID 4608 wrote to memory of 4312 4608 hntthn.exe 90 PID 4312 wrote to memory of 4280 4312 ddpjj.exe 91 PID 4312 wrote to memory of 4280 4312 ddpjj.exe 91 PID 4312 wrote to memory of 4280 4312 ddpjj.exe 91 PID 4280 wrote to memory of 4228 4280 1rllffx.exe 92 PID 4280 wrote to memory of 4228 4280 1rllffx.exe 92 PID 4280 wrote to memory of 4228 4280 1rllffx.exe 92 PID 4228 wrote to memory of 208 4228 5dpjj.exe 93 PID 4228 wrote 
to memory of 208 4228 5dpjj.exe 93 PID 4228 wrote to memory of 208 4228 5dpjj.exe 93 PID 208 wrote to memory of 3268 208 5rxxrrl.exe 94 PID 208 wrote to memory of 3268 208 5rxxrrl.exe 94 PID 208 wrote to memory of 3268 208 5rxxrrl.exe 94 PID 3268 wrote to memory of 3132 3268 pvvjd.exe 95 PID 3268 wrote to memory of 3132 3268 pvvjd.exe 95 PID 3268 wrote to memory of 3132 3268 pvvjd.exe 95 PID 3132 wrote to memory of 2696 3132 fxxrxrl.exe 96 PID 3132 wrote to memory of 2696 3132 fxxrxrl.exe 96 PID 3132 wrote to memory of 2696 3132 fxxrxrl.exe 96 PID 2696 wrote to memory of 2432 2696 pdpdv.exe 97 PID 2696 wrote to memory of 2432 2696 pdpdv.exe 97 PID 2696 wrote to memory of 2432 2696 pdpdv.exe 97 PID 2432 wrote to memory of 4880 2432 rrrrlll.exe 98 PID 2432 wrote to memory of 4880 2432 rrrrlll.exe 98 PID 2432 wrote to memory of 4880 2432 rrrrlll.exe 98 PID 4880 wrote to memory of 812 4880 dvdvv.exe 99 PID 4880 wrote to memory of 812 4880 dvdvv.exe 99 PID 4880 wrote to memory of 812 4880 dvdvv.exe 99 PID 812 wrote to memory of 1184 812 1nhhbb.exe 100 PID 812 wrote to memory of 1184 812 1nhhbb.exe 100 PID 812 wrote to memory of 1184 812 1nhhbb.exe 100 PID 1184 wrote to memory of 1348 1184 vjvvv.exe 101 PID 1184 wrote to memory of 1348 1184 vjvvv.exe 101 PID 1184 wrote to memory of 1348 1184 vjvvv.exe 101 PID 1348 wrote to memory of 1608 1348 rrrfxxx.exe 102 PID 1348 wrote to memory of 1608 1348 rrrfxxx.exe 102 PID 1348 wrote to memory of 1608 1348 rrrfxxx.exe 102 PID 1608 wrote to memory of 3196 1608 pvdpd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe"C:\Users\Admin\AppData\Local\Temp\ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\tnbbhh.exec:\tnbbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\vppjd.exec:\vppjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\xxrxrxr.exec:\xxrxrxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\bhtthh.exec:\bhtthh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\rrxxrrr.exec:\rrxxrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\nhbbhh.exec:\nhbbhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\lrxrllf.exec:\lrxrllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\hntthn.exec:\hntthn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\ddpjj.exec:\ddpjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\1rllffx.exec:\1rllffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\5dpjj.exec:\5dpjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\5rxxrrl.exec:\5rxxrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\pvvjd.exec:\pvvjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\fxxrxrl.exec:\fxxrxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\pdpdv.exec:\pdpdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\rrrrlll.exec:\rrrrlll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\dvdvv.exec:\dvdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\1nhhbb.exec:\1nhhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\vjvvv.exec:\vjvvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\rrrfxxx.exec:\rrrfxxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\pvdpd.exec:\pvdpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\9lrfxfx.exec:\9lrfxfx.exe23⤵
- Executes dropped EXE
PID:3196 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe24⤵
- Executes dropped EXE
PID:3192 -
\??\c:\pvpjj.exec:\pvpjj.exe25⤵
- Executes dropped EXE
PID:4332 -
\??\c:\3hhtnn.exec:\3hhtnn.exe26⤵
- Executes dropped EXE
PID:1644 -
\??\c:\ppppp.exec:\ppppp.exe27⤵
- Executes dropped EXE
PID:2296 -
\??\c:\1rrlllf.exec:\1rrlllf.exe28⤵
- Executes dropped EXE
PID:4432 -
\??\c:\9bnhhh.exec:\9bnhhh.exe29⤵
- Executes dropped EXE
PID:3116 -
\??\c:\pjjvp.exec:\pjjvp.exe30⤵
- Executes dropped EXE
PID:1668 -
\??\c:\nhnhbb.exec:\nhnhbb.exe31⤵
- Executes dropped EXE
PID:764 -
\??\c:\3tnbhn.exec:\3tnbhn.exe32⤵
- Executes dropped EXE
PID:4752 -
\??\c:\lllfxlr.exec:\lllfxlr.exe33⤵
- Executes dropped EXE
PID:2088 -
\??\c:\thnhbh.exec:\thnhbh.exe34⤵
- Executes dropped EXE
PID:3556 -
\??\c:\9ffxrrl.exec:\9ffxrrl.exe35⤵
- Executes dropped EXE
PID:1576 -
\??\c:\9lfxrlf.exec:\9lfxrlf.exe36⤵
- Executes dropped EXE
PID:1604 -
\??\c:\bhnhbb.exec:\bhnhbb.exe37⤵
- Executes dropped EXE
PID:4780 -
\??\c:\ppdvv.exec:\ppdvv.exe38⤵
- Executes dropped EXE
PID:3788 -
\??\c:\rllfxrl.exec:\rllfxrl.exe39⤵
- Executes dropped EXE
PID:1788 -
\??\c:\lllfxxr.exec:\lllfxxr.exe40⤵
- Executes dropped EXE
PID:2948 -
\??\c:\1tttnt.exec:\1tttnt.exe41⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vddvp.exec:\vddvp.exe42⤵
- Executes dropped EXE
PID:4716 -
\??\c:\rlfxffl.exec:\rlfxffl.exe43⤵
- Executes dropped EXE
PID:3500 -
\??\c:\9bnnhb.exec:\9bnnhb.exe44⤵
- Executes dropped EXE
PID:3568 -
\??\c:\1ntnnt.exec:\1ntnnt.exe45⤵
- Executes dropped EXE
PID:2192 -
\??\c:\pdppd.exec:\pdppd.exe46⤵
- Executes dropped EXE
PID:2072 -
\??\c:\7frlffx.exec:\7frlffx.exe47⤵
- Executes dropped EXE
PID:232 -
\??\c:\1nbttt.exec:\1nbttt.exe48⤵
- Executes dropped EXE
PID:4680 -
\??\c:\ttnhnn.exec:\ttnhnn.exe49⤵
- Executes dropped EXE
PID:2180 -
\??\c:\vppjj.exec:\vppjj.exe50⤵
- Executes dropped EXE
PID:396 -
\??\c:\1xrlffx.exec:\1xrlffx.exe51⤵
- Executes dropped EXE
PID:4300 -
\??\c:\9xrrrll.exec:\9xrrrll.exe52⤵
- Executes dropped EXE
PID:4288 -
\??\c:\nhbtnn.exec:\nhbtnn.exe53⤵
- Executes dropped EXE
PID:4488 -
\??\c:\vdpjd.exec:\vdpjd.exe54⤵
- Executes dropped EXE
PID:1440 -
\??\c:\5rrlxxx.exec:\5rrlxxx.exe55⤵
- Executes dropped EXE
PID:2580 -
\??\c:\bbhbnh.exec:\bbhbnh.exe56⤵
- Executes dropped EXE
PID:4468 -
\??\c:\1dddj.exec:\1dddj.exe57⤵
- Executes dropped EXE
PID:3896 -
\??\c:\flrlxrl.exec:\flrlxrl.exe58⤵
- Executes dropped EXE
PID:3868 -
\??\c:\nhhbnn.exec:\nhhbnn.exe59⤵
- Executes dropped EXE
PID:3928 -
\??\c:\vvvpd.exec:\vvvpd.exe60⤵
- Executes dropped EXE
PID:2448 -
\??\c:\lxfrrff.exec:\lxfrrff.exe61⤵
- Executes dropped EXE
PID:1596 -
\??\c:\nhnhhb.exec:\nhnhhb.exe62⤵
- Executes dropped EXE
PID:4600 -
\??\c:\5nbtnn.exec:\5nbtnn.exe63⤵
- Executes dropped EXE
PID:1256 -
\??\c:\dvjvp.exec:\dvjvp.exe64⤵
- Executes dropped EXE
PID:4892 -
\??\c:\rfffxrl.exec:\rfffxrl.exe65⤵
- Executes dropped EXE
PID:2152 -
\??\c:\bntnhb.exec:\bntnhb.exe66⤵PID:2484
-
\??\c:\5bnhhh.exec:\5bnhhh.exe67⤵PID:1504
-
\??\c:\dvvdj.exec:\dvvdj.exe68⤵PID:2776
-
\??\c:\rllfrlf.exec:\rllfrlf.exe69⤵PID:4212
-
\??\c:\1bhthb.exec:\1bhthb.exe70⤵PID:4948
-
\??\c:\7vdvd.exec:\7vdvd.exe71⤵PID:4884
-
\??\c:\5rrfffx.exec:\5rrfffx.exe72⤵PID:3988
-
\??\c:\1hhbtt.exec:\1hhbtt.exe73⤵PID:676
-
\??\c:\dvjdv.exec:\dvjdv.exe74⤵PID:2372
-
\??\c:\9fxrlrl.exec:\9fxrlrl.exe75⤵PID:5012
-
\??\c:\nhhhbb.exec:\nhhhbb.exe76⤵PID:2516
-
\??\c:\3pjdv.exec:\3pjdv.exe77⤵PID:4088
-
\??\c:\llrrxlf.exec:\llrrxlf.exe78⤵PID:4748
-
\??\c:\ttbnbt.exec:\ttbnbt.exe79⤵PID:3384
-
\??\c:\tntbtb.exec:\tntbtb.exe80⤵PID:3608
-
\??\c:\jvdvj.exec:\jvdvj.exe81⤵PID:2480
-
\??\c:\xrfxffl.exec:\xrfxffl.exe82⤵PID:1348
-
\??\c:\lxlfxxf.exec:\lxlfxxf.exe83⤵PID:5116
-
\??\c:\bthbbb.exec:\bthbbb.exe84⤵PID:2340
-
\??\c:\pvjpp.exec:\pvjpp.exe85⤵PID:3196
-
\??\c:\lxxxffx.exec:\lxxxffx.exe86⤵PID:3676
-
\??\c:\nhhbtt.exec:\nhhbtt.exe87⤵PID:2916
-
\??\c:\bbnhnh.exec:\bbnhnh.exe88⤵PID:1644
-
\??\c:\vvdpj.exec:\vvdpj.exe89⤵PID:940
-
\??\c:\1rfxflr.exec:\1rfxflr.exe90⤵PID:2556
-
\??\c:\7tbnbb.exec:\7tbnbb.exe91⤵PID:2940
-
\??\c:\9vddv.exec:\9vddv.exe92⤵PID:4008
-
\??\c:\7jjdv.exec:\7jjdv.exe93⤵PID:3496
-
\??\c:\frxxrxr.exec:\frxxrxr.exe94⤵PID:3792
-
\??\c:\bbbtnn.exec:\bbbtnn.exe95⤵PID:4820
-
\??\c:\5vvpj.exec:\5vvpj.exe96⤵PID:2068
-
\??\c:\9rrlrlf.exec:\9rrlrlf.exe97⤵PID:2420
-
\??\c:\ttbbbb.exec:\ttbbbb.exe98⤵PID:1156
-
\??\c:\bbtttb.exec:\bbtttb.exe99⤵PID:1620
-
\??\c:\vpjdv.exec:\vpjdv.exe100⤵PID:4684
-
\??\c:\flfffff.exec:\flfffff.exe101⤵PID:1684
-
\??\c:\htnhbb.exec:\htnhbb.exe102⤵PID:760
-
\??\c:\jjpdj.exec:\jjpdj.exe103⤵PID:2688
-
\??\c:\lxfrxlx.exec:\lxfrxlx.exe104⤵PID:3688
-
\??\c:\thnbtn.exec:\thnbtn.exe105⤵PID:3420
-
\??\c:\vvvvv.exec:\vvvvv.exe106⤵PID:3228
-
\??\c:\xrxlffl.exec:\xrxlffl.exe107⤵PID:2392
-
\??\c:\flxllxx.exec:\flxllxx.exe108⤵PID:3128
-
\??\c:\1nnnhn.exec:\1nnnhn.exe109⤵PID:2412
-
\??\c:\pjpjd.exec:\pjpjd.exe110⤵PID:3568
-
\??\c:\9flfxlf.exec:\9flfxlf.exe111⤵PID:3472
-
\??\c:\lrlflll.exec:\lrlflll.exe112⤵PID:2988
-
\??\c:\7htnhb.exec:\7htnhb.exe113⤵PID:4920
-
\??\c:\pjddd.exec:\pjddd.exe114⤵PID:4756
-
\??\c:\3llffll.exec:\3llffll.exe115⤵PID:1944
-
\??\c:\1nnhtt.exec:\1nnhtt.exe116⤵PID:4436
-
\??\c:\9nbttt.exec:\9nbttt.exe117⤵PID:1948
-
\??\c:\7jpdv.exec:\7jpdv.exe118⤵PID:4932
-
\??\c:\7flfxfx.exec:\7flfxfx.exe119⤵PID:4104
-
\??\c:\xlrlxrl.exec:\xlrlxrl.exe120⤵PID:2624
-
\??\c:\9ttnhb.exec:\9ttnhb.exe121⤵PID:4704
-
\??\c:\pdpjd.exec:\pdpjd.exe122⤵PID:4584