Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe
-
Size
454KB
-
MD5
5dcce293c8672d539d9464cb4464c0db
-
SHA1
f838a4a67d133146356d901a3c26edd3f327cf4b
-
SHA256
3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7
-
SHA512
dcf7400a8b29f2dd60102595374e2182541552895bb840d2aad22302c1ca36286a6d4b363084213cbc8d93408751505afb801a02384e686061f1d517cc68a0a4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeg:q7Tc2NYHUrAwfMp3CDg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/556-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2520-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4308-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-1211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-1398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2036 nhbbtt.exe 4968 3ffrfrr.exe 2800 vpvvv.exe 4992 jvdvp.exe 536 5nnbtt.exe 868 vvvdd.exe 3380 vdddd.exe 396 rlrrrrr.exe 1716 vpppj.exe 1680 tbbbtb.exe 3488 vpppj.exe 3336 lrlfffx.exe 3200 9rxxxfx.exe 4108 jjjdv.exe 1032 lfrlfxl.exe 2300 pdpjj.exe 3620 llfrxfx.exe 1156 hhhttt.exe 4716 djdvp.exe 812 1bhbtt.exe 3636 ddppv.exe 1432 xrrlfxx.exe 1080 pvvvp.exe 1760 jjddd.exe 3136 thnnnh.exe 5064 nnnhbb.exe 2972 btbttt.exe 1644 1vvvv.exe 448 tnhbtt.exe 1868 vdjjp.exe 1160 xlllffx.exe 2520 nhtnnn.exe 1140 pppvd.exe 392 dpppp.exe 3944 vjpjj.exe 3596 rlrrrll.exe 2308 thnhbb.exe 1648 9ppjd.exe 3564 frxxrrr.exe 4648 bntnnn.exe 2364 5vpjp.exe 4104 fxxrllf.exe 3632 lffxrll.exe 1420 vjjjj.exe 1480 rllfffx.exe 1456 thnhhh.exe 4388 hbtnnh.exe 3248 jjjdv.exe 3276 xlrrrrr.exe 4348 nbhbnh.exe 548 bbnhhh.exe 4868 ppdvj.exe 2036 xxlffxx.exe 3004 bttnhh.exe 2108 3ppjp.exe 4168 vdppj.exe 2004 llxrlfl.exe 4856 nhnhbn.exe 4528 vvddj.exe 2808 rrfxxxx.exe 368 nnhhbb.exe 2884 nbnhbb.exe 864 7djdj.exe 2780 rllffff.exe -
resource yara_rule behavioral2/memory/556-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2520-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-406-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4816-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-849-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 556 wrote to memory of 2036 556 3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe 83 PID 556 wrote to memory of 2036 556 3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe 83 PID 556 wrote to memory of 2036 556 3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe 83 PID 2036 wrote to memory of 4968 2036 nhbbtt.exe 84 PID 2036 wrote to memory of 4968 2036 nhbbtt.exe 84 PID 2036 wrote to memory of 4968 2036 nhbbtt.exe 84 PID 4968 wrote to memory of 2800 4968 3ffrfrr.exe 85 PID 4968 wrote to memory of 2800 4968 3ffrfrr.exe 85 PID 4968 wrote to memory of 2800 4968 3ffrfrr.exe 85 PID 2800 wrote to memory of 4992 2800 vpvvv.exe 86 PID 2800 wrote to memory of 4992 2800 vpvvv.exe 86 PID 2800 wrote to memory of 4992 2800 vpvvv.exe 86 PID 4992 wrote to memory of 536 4992 jvdvp.exe 87 PID 4992 wrote to memory of 536 4992 jvdvp.exe 87 PID 4992 wrote to memory of 536 4992 jvdvp.exe 87 PID 536 wrote to memory of 868 536 5nnbtt.exe 88 PID 536 wrote to memory of 868 536 5nnbtt.exe 88 PID 536 wrote to memory of 868 536 5nnbtt.exe 88 PID 868 wrote to memory of 3380 868 vvvdd.exe 89 PID 868 wrote to memory of 3380 868 vvvdd.exe 89 PID 868 wrote to memory of 3380 868 vvvdd.exe 89 PID 3380 wrote to memory of 396 3380 vdddd.exe 90 PID 3380 wrote to memory of 396 3380 vdddd.exe 90 PID 3380 wrote to memory of 396 3380 vdddd.exe 90 PID 396 wrote to memory of 1716 396 rlrrrrr.exe 91 PID 396 wrote to memory of 1716 396 rlrrrrr.exe 91 PID 396 wrote to memory of 1716 396 rlrrrrr.exe 91 PID 1716 wrote to memory of 1680 1716 vpppj.exe 92 PID 1716 wrote to memory of 1680 1716 vpppj.exe 92 PID 1716 wrote to memory of 1680 1716 vpppj.exe 92 PID 1680 wrote to memory of 3488 1680 tbbbtb.exe 93 PID 1680 wrote to memory of 3488 1680 tbbbtb.exe 93 PID 1680 wrote to memory of 3488 1680 tbbbtb.exe 93 PID 3488 wrote to memory of 3336 3488 vpppj.exe 94 PID 3488 wrote to memory of 3336 3488 vpppj.exe 94 PID 3488 
wrote to memory of 3336 3488 vpppj.exe 94 PID 3336 wrote to memory of 3200 3336 lrlfffx.exe 95 PID 3336 wrote to memory of 3200 3336 lrlfffx.exe 95 PID 3336 wrote to memory of 3200 3336 lrlfffx.exe 95 PID 3200 wrote to memory of 4108 3200 9rxxxfx.exe 96 PID 3200 wrote to memory of 4108 3200 9rxxxfx.exe 96 PID 3200 wrote to memory of 4108 3200 9rxxxfx.exe 96 PID 4108 wrote to memory of 1032 4108 jjjdv.exe 97 PID 4108 wrote to memory of 1032 4108 jjjdv.exe 97 PID 4108 wrote to memory of 1032 4108 jjjdv.exe 97 PID 1032 wrote to memory of 2300 1032 lfrlfxl.exe 98 PID 1032 wrote to memory of 2300 1032 lfrlfxl.exe 98 PID 1032 wrote to memory of 2300 1032 lfrlfxl.exe 98 PID 2300 wrote to memory of 3620 2300 pdpjj.exe 99 PID 2300 wrote to memory of 3620 2300 pdpjj.exe 99 PID 2300 wrote to memory of 3620 2300 pdpjj.exe 99 PID 3620 wrote to memory of 1156 3620 llfrxfx.exe 100 PID 3620 wrote to memory of 1156 3620 llfrxfx.exe 100 PID 3620 wrote to memory of 1156 3620 llfrxfx.exe 100 PID 1156 wrote to memory of 4716 1156 hhhttt.exe 101 PID 1156 wrote to memory of 4716 1156 hhhttt.exe 101 PID 1156 wrote to memory of 4716 1156 hhhttt.exe 101 PID 4716 wrote to memory of 812 4716 djdvp.exe 102 PID 4716 wrote to memory of 812 4716 djdvp.exe 102 PID 4716 wrote to memory of 812 4716 djdvp.exe 102 PID 812 wrote to memory of 3636 812 1bhbtt.exe 103 PID 812 wrote to memory of 3636 812 1bhbtt.exe 103 PID 812 wrote to memory of 3636 812 1bhbtt.exe 103 PID 3636 wrote to memory of 1432 3636 ddppv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe"C:\Users\Admin\AppData\Local\Temp\3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\nhbbtt.exec:\nhbbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\3ffrfrr.exec:\3ffrfrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\vpvvv.exec:\vpvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\jvdvp.exec:\jvdvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\5nnbtt.exec:\5nnbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\vvvdd.exec:\vvvdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\vdddd.exec:\vdddd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\rlrrrrr.exec:\rlrrrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\vpppj.exec:\vpppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\tbbbtb.exec:\tbbbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\vpppj.exec:\vpppj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\lrlfffx.exec:\lrlfffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\9rxxxfx.exec:\9rxxxfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\jjjdv.exec:\jjjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\lfrlfxl.exec:\lfrlfxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\pdpjj.exec:\pdpjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\llfrxfx.exec:\llfrxfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\hhhttt.exec:\hhhttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\djdvp.exec:\djdvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\1bhbtt.exec:\1bhbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\ddppv.exec:\ddppv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\xrrlfxx.exec:\xrrlfxx.exe23⤵
- Executes dropped EXE
PID:1432 -
\??\c:\pvvvp.exec:\pvvvp.exe24⤵
- Executes dropped EXE
PID:1080 -
\??\c:\jjddd.exec:\jjddd.exe25⤵
- Executes dropped EXE
PID:1760 -
\??\c:\thnnnh.exec:\thnnnh.exe26⤵
- Executes dropped EXE
PID:3136 -
\??\c:\nnnhbb.exec:\nnnhbb.exe27⤵
- Executes dropped EXE
PID:5064 -
\??\c:\btbttt.exec:\btbttt.exe28⤵
- Executes dropped EXE
PID:2972 -
\??\c:\1vvvv.exec:\1vvvv.exe29⤵
- Executes dropped EXE
PID:1644 -
\??\c:\tnhbtt.exec:\tnhbtt.exe30⤵
- Executes dropped EXE
PID:448 -
\??\c:\vdjjp.exec:\vdjjp.exe31⤵
- Executes dropped EXE
PID:1868 -
\??\c:\xlllffx.exec:\xlllffx.exe32⤵
- Executes dropped EXE
PID:1160 -
\??\c:\nhtnnn.exec:\nhtnnn.exe33⤵
- Executes dropped EXE
PID:2520 -
\??\c:\pppvd.exec:\pppvd.exe34⤵
- Executes dropped EXE
PID:1140 -
\??\c:\dpppp.exec:\dpppp.exe35⤵
- Executes dropped EXE
PID:392 -
\??\c:\vjpjj.exec:\vjpjj.exe36⤵
- Executes dropped EXE
PID:3944 -
\??\c:\rlrrrll.exec:\rlrrrll.exe37⤵
- Executes dropped EXE
PID:3596 -
\??\c:\thnhbb.exec:\thnhbb.exe38⤵
- Executes dropped EXE
PID:2308 -
\??\c:\9ppjd.exec:\9ppjd.exe39⤵
- Executes dropped EXE
PID:1648 -
\??\c:\frxxrrr.exec:\frxxrrr.exe40⤵
- Executes dropped EXE
PID:3564 -
\??\c:\bntnnn.exec:\bntnnn.exe41⤵
- Executes dropped EXE
PID:4648 -
\??\c:\5vpjp.exec:\5vpjp.exe42⤵
- Executes dropped EXE
PID:2364 -
\??\c:\fxxrllf.exec:\fxxrllf.exe43⤵
- Executes dropped EXE
PID:4104 -
\??\c:\lffxrll.exec:\lffxrll.exe44⤵
- Executes dropped EXE
PID:3632 -
\??\c:\vjjjj.exec:\vjjjj.exe45⤵
- Executes dropped EXE
PID:1420 -
\??\c:\rllfffx.exec:\rllfffx.exe46⤵
- Executes dropped EXE
PID:1480 -
\??\c:\thnhhh.exec:\thnhhh.exe47⤵
- Executes dropped EXE
PID:1456 -
\??\c:\hbtnnh.exec:\hbtnnh.exe48⤵
- Executes dropped EXE
PID:4388 -
\??\c:\jjjdv.exec:\jjjdv.exe49⤵
- Executes dropped EXE
PID:3248 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe50⤵
- Executes dropped EXE
PID:3276 -
\??\c:\nbhbnh.exec:\nbhbnh.exe51⤵
- Executes dropped EXE
PID:4348 -
\??\c:\bbnhhh.exec:\bbnhhh.exe52⤵
- Executes dropped EXE
PID:548 -
\??\c:\ppdvj.exec:\ppdvj.exe53⤵
- Executes dropped EXE
PID:4868 -
\??\c:\xxlffxx.exec:\xxlffxx.exe54⤵
- Executes dropped EXE
PID:2036 -
\??\c:\bttnhh.exec:\bttnhh.exe55⤵
- Executes dropped EXE
PID:3004 -
\??\c:\3ppjp.exec:\3ppjp.exe56⤵
- Executes dropped EXE
PID:2108 -
\??\c:\vdppj.exec:\vdppj.exe57⤵
- Executes dropped EXE
PID:4168 -
\??\c:\llxrlfl.exec:\llxrlfl.exe58⤵
- Executes dropped EXE
PID:2004 -
\??\c:\nhnhbn.exec:\nhnhbn.exe59⤵
- Executes dropped EXE
PID:4856 -
\??\c:\vvddj.exec:\vvddj.exe60⤵
- Executes dropped EXE
PID:4528 -
\??\c:\rrfxxxx.exec:\rrfxxxx.exe61⤵
- Executes dropped EXE
PID:2808 -
\??\c:\nnhhbb.exec:\nnhhbb.exe62⤵
- Executes dropped EXE
PID:368 -
\??\c:\nbnhbb.exec:\nbnhbb.exe63⤵
- Executes dropped EXE
PID:2884 -
\??\c:\7djdj.exec:\7djdj.exe64⤵
- Executes dropped EXE
PID:864 -
\??\c:\rllffff.exec:\rllffff.exe65⤵
- Executes dropped EXE
PID:2780 -
\??\c:\9xxxxxx.exec:\9xxxxxx.exe66⤵PID:4120
-
\??\c:\bntnhh.exec:\bntnhh.exe67⤵PID:4432
-
\??\c:\dpppj.exec:\dpppj.exe68⤵PID:2320
-
\??\c:\jjjjv.exec:\jjjjv.exe69⤵PID:4148
-
\??\c:\lxfffrr.exec:\lxfffrr.exe70⤵PID:5008
-
\??\c:\thhhht.exec:\thhhht.exe71⤵PID:2752
-
\??\c:\dvvvv.exec:\dvvvv.exe72⤵PID:2156
-
\??\c:\flrrxxf.exec:\flrrxxf.exe73⤵PID:4108
-
\??\c:\1nhhnb.exec:\1nhhnb.exe74⤵PID:1360
-
\??\c:\nthbnn.exec:\nthbnn.exe75⤵PID:2468
-
\??\c:\3jvvd.exec:\3jvvd.exe76⤵PID:3188
-
\??\c:\lxrlllf.exec:\lxrlllf.exe77⤵PID:1156
-
\??\c:\btbttt.exec:\btbttt.exe78⤵PID:2060
-
\??\c:\nbhhbb.exec:\nbhhbb.exe79⤵PID:3080
-
\??\c:\vjvvp.exec:\vjvvp.exe80⤵PID:2436
-
\??\c:\fxfxrlr.exec:\fxfxrlr.exe81⤵PID:1800
-
\??\c:\tntnhh.exec:\tntnhh.exe82⤵PID:1440
-
\??\c:\thtnnn.exec:\thtnnn.exe83⤵PID:4536
-
\??\c:\pjpjd.exec:\pjpjd.exe84⤵PID:1812
-
\??\c:\xrflrrx.exec:\xrflrrx.exe85⤵PID:1760
-
\??\c:\3bbtnn.exec:\3bbtnn.exe86⤵PID:3136
-
\??\c:\pddvv.exec:\pddvv.exe87⤵PID:4504
-
\??\c:\vjpjd.exec:\vjpjd.exe88⤵PID:3536
-
\??\c:\3xxxrxx.exec:\3xxxrxx.exe89⤵PID:3896
-
\??\c:\btbthh.exec:\btbthh.exe90⤵PID:4764
-
\??\c:\3pvpj.exec:\3pvpj.exe91⤵PID:448
-
\??\c:\lffxxxr.exec:\lffxxxr.exe92⤵PID:4308
-
\??\c:\3nthhh.exec:\3nthhh.exe93⤵PID:376
-
\??\c:\dpvdj.exec:\dpvdj.exe94⤵PID:2520
-
\??\c:\7jjjd.exec:\7jjjd.exe95⤵PID:1876
-
\??\c:\lrrrlff.exec:\lrrrlff.exe96⤵PID:1720
-
\??\c:\bhbhbh.exec:\bhbhbh.exe97⤵PID:1780
-
\??\c:\jdddv.exec:\jdddv.exe98⤵PID:3968
-
\??\c:\lflfxxr.exec:\lflfxxr.exe99⤵PID:2484
-
\??\c:\nhtnnn.exec:\nhtnnn.exe100⤵PID:4316
-
\??\c:\5bnnnh.exec:\5bnnnh.exe101⤵PID:2736
-
\??\c:\vdjvv.exec:\vdjvv.exe102⤵PID:4816
-
\??\c:\rxllfff.exec:\rxllfff.exe103⤵PID:3728
-
\??\c:\1nnhhh.exec:\1nnhhh.exe104⤵PID:4648
-
\??\c:\jppjd.exec:\jppjd.exe105⤵PID:2400
-
\??\c:\ppvpp.exec:\ppvpp.exe106⤵PID:4552
-
\??\c:\xxxrrll.exec:\xxxrrll.exe107⤵PID:1944
-
\??\c:\hbthbt.exec:\hbthbt.exe108⤵PID:1420
-
\??\c:\9pvpp.exec:\9pvpp.exe109⤵PID:640
-
\??\c:\7lflffx.exec:\7lflffx.exe110⤵PID:1456
-
\??\c:\xffrlfl.exec:\xffrlfl.exe111⤵PID:2464
-
\??\c:\tthhnn.exec:\tthhnn.exe112⤵PID:1692
-
\??\c:\9jpjv.exec:\9jpjv.exe113⤵PID:4344
-
\??\c:\9ppvv.exec:\9ppvv.exe114⤵PID:4348
-
\??\c:\flrlxxr.exec:\flrlxxr.exe115⤵PID:1244
-
\??\c:\nhbbtb.exec:\nhbbtb.exe116⤵PID:4976
-
\??\c:\vvdvd.exec:\vvdvd.exe117⤵PID:4996
-
\??\c:\5frfxxr.exec:\5frfxxr.exe118⤵PID:4984
-
\??\c:\llrllfx.exec:\llrllfx.exe119⤵PID:2756
-
\??\c:\vpvpp.exec:\vpvpp.exe120⤵PID:2376
-
\??\c:\ffrllfl.exec:\ffrllfl.exe121⤵PID:3252
-
\??\c:\tnhhnh.exec:\tnhhnh.exe122⤵PID:704