Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
13-10-2024 18:40
Static task
static1
Behavioral task
behavioral1
Sample
0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe
Resource
win7-20240903-en
General
-
Target
0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe
-
Size
332KB
-
MD5
5b375ffd7e329f847006aa293a451a71
-
SHA1
f953cda54742f7f4cb2305c9461b4ca78e5d64d3
-
SHA256
0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d
-
SHA512
6ca80e64991106a40744e2329f22c8e3e2afa0efbdf0657966f36c4c8da1cbaa8cb37af9405b351a656c1cc36ef67ef6b1a2a7276c3fe2ed1646ada8d8405f8c
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPh7:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTL
Malware Config
Signatures
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2004-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1100-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-163-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2052-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/304-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1384-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2004-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/340-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/912-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-514-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1956-522-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1700-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-598-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-678-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1752-773-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/560-987-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1100 5dvdv.exe 2520 5rxrflf.exe 2500 5lflxxf.exe 2884 thbbtt.exe 2788 rxrflxl.exe 2156 dvpvj.exe 2928 xlffxxf.exe 2684 3lflrrf.exe 2680 jvddp.exe 1804 ffxxlrx.exe 2624 9thhtt.exe 1168 9pddp.exe 3000 jjdpd.exe 1496 nthntt.exe 1664 nhtbnn.exe 2964 vpdjj.exe 2044 flrlxlr.exe 864 1pddp.exe 2052 ddjvj.exe 1752 flfxlfx.exe 1652 jjvdp.exe 1140 bnnntt.exe 1152 nhntbh.exe 672 1pvdd.exe 1692 rlllxxx.exe 304 3bhnbh.exe 1556 dppjd.exe 1384 1frrxxl.exe 1640 tnbnbt.exe 2696 pjvdj.exe 892 ffrxrrx.exe 1520 5nntth.exe 2004 vvppp.exe 340 rflxllx.exe 2388 bthhhh.exe 2296 ththtb.exe 2792 vppvj.exe 2480 llxxfff.exe 2868 5xrxflr.exe 2748 hbtntt.exe 2672 9djdj.exe 2676 vvjdj.exe 2756 xrxxflr.exe 2668 rlrrffl.exe 2056 3thbht.exe 2244 jdjjj.exe 1048 jvjdj.exe 1492 lflxxff.exe 2960 nnhhtn.exe 780 btnnbb.exe 776 dvpvv.exe 2944 rfflrrx.exe 2824 rlflxxx.exe 2964 3tnnnt.exe 1576 jpvdd.exe 1676 dvddj.exe 2352 9lrrxfl.exe 2432 7tnnhb.exe 2136 tntttn.exe 912 jdjjj.exe 1708 1lffrrf.exe 1140 5xllrrf.exe 2408 3nnhhh.exe 1956 7vpjj.exe -
resource yara_rule behavioral1/memory/2004-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/304-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-275-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/892-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/912-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-760-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/448-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-885-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-898-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-936-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-962-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/560-987-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2004 wrote to memory of 1100 2004 0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe 30 PID 2004 wrote to memory of 1100 2004 0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe 30 PID 2004 wrote to memory of 1100 2004 0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe 30 PID 2004 wrote to memory of 1100 2004 0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe 30 PID 1100 wrote to memory of 2520 1100 5dvdv.exe 31 PID 1100 wrote to memory of 2520 1100 5dvdv.exe 31 PID 1100 wrote to memory of 2520 1100 5dvdv.exe 31 PID 1100 wrote to memory of 2520 1100 5dvdv.exe 31 PID 2520 wrote to memory of 2500 2520 5rxrflf.exe 32 PID 2520 wrote to memory of 2500 2520 5rxrflf.exe 32 PID 2520 wrote to memory of 2500 2520 5rxrflf.exe 32 PID 2520 wrote to memory of 2500 2520 5rxrflf.exe 32 PID 2500 wrote to memory of 2884 2500 5lflxxf.exe 33 PID 2500 wrote to memory of 2884 2500 5lflxxf.exe 33 PID 2500 wrote to memory of 2884 2500 5lflxxf.exe 33 PID 2500 wrote to memory of 2884 2500 5lflxxf.exe 33 PID 2884 wrote to memory of 2788 2884 thbbtt.exe 34 PID 2884 wrote to memory of 2788 2884 thbbtt.exe 34 PID 2884 wrote to memory of 2788 2884 thbbtt.exe 34 PID 2884 wrote to memory of 2788 2884 thbbtt.exe 34 PID 2788 wrote to memory of 2156 2788 rxrflxl.exe 35 PID 2788 wrote to memory of 2156 2788 rxrflxl.exe 35 PID 2788 wrote to memory of 2156 2788 rxrflxl.exe 35 PID 2788 wrote to memory of 2156 2788 rxrflxl.exe 35 PID 2156 wrote to memory of 2928 2156 dvpvj.exe 36 PID 2156 wrote to memory of 2928 2156 dvpvj.exe 36 PID 2156 wrote to memory of 2928 2156 dvpvj.exe 36 PID 2156 wrote to memory of 2928 2156 dvpvj.exe 36 PID 2928 wrote to memory of 2684 2928 xlffxxf.exe 37 PID 2928 wrote to memory of 2684 2928 xlffxxf.exe 37 PID 2928 wrote to memory of 2684 2928 xlffxxf.exe 37 PID 2928 wrote to memory of 2684 2928 xlffxxf.exe 37 PID 2684 wrote to memory of 2680 2684 3lflrrf.exe 38 PID 
2684 wrote to memory of 2680 2684 3lflrrf.exe 38 PID 2684 wrote to memory of 2680 2684 3lflrrf.exe 38 PID 2684 wrote to memory of 2680 2684 3lflrrf.exe 38 PID 2680 wrote to memory of 1804 2680 jvddp.exe 39 PID 2680 wrote to memory of 1804 2680 jvddp.exe 39 PID 2680 wrote to memory of 1804 2680 jvddp.exe 39 PID 2680 wrote to memory of 1804 2680 jvddp.exe 39 PID 1804 wrote to memory of 2624 1804 ffxxlrx.exe 40 PID 1804 wrote to memory of 2624 1804 ffxxlrx.exe 40 PID 1804 wrote to memory of 2624 1804 ffxxlrx.exe 40 PID 1804 wrote to memory of 2624 1804 ffxxlrx.exe 40 PID 2624 wrote to memory of 1168 2624 9thhtt.exe 41 PID 2624 wrote to memory of 1168 2624 9thhtt.exe 41 PID 2624 wrote to memory of 1168 2624 9thhtt.exe 41 PID 2624 wrote to memory of 1168 2624 9thhtt.exe 41 PID 1168 wrote to memory of 3000 1168 9pddp.exe 42 PID 1168 wrote to memory of 3000 1168 9pddp.exe 42 PID 1168 wrote to memory of 3000 1168 9pddp.exe 42 PID 1168 wrote to memory of 3000 1168 9pddp.exe 42 PID 3000 wrote to memory of 1496 3000 jjdpd.exe 43 PID 3000 wrote to memory of 1496 3000 jjdpd.exe 43 PID 3000 wrote to memory of 1496 3000 jjdpd.exe 43 PID 3000 wrote to memory of 1496 3000 jjdpd.exe 43 PID 1496 wrote to memory of 1664 1496 nthntt.exe 44 PID 1496 wrote to memory of 1664 1496 nthntt.exe 44 PID 1496 wrote to memory of 1664 1496 nthntt.exe 44 PID 1496 wrote to memory of 1664 1496 nthntt.exe 44 PID 1664 wrote to memory of 2964 1664 nhtbnn.exe 45 PID 1664 wrote to memory of 2964 1664 nhtbnn.exe 45 PID 1664 wrote to memory of 2964 1664 nhtbnn.exe 45 PID 1664 wrote to memory of 2964 1664 nhtbnn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe"C:\Users\Admin\AppData\Local\Temp\0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\5dvdv.exec:\5dvdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\5rxrflf.exec:\5rxrflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\5lflxxf.exec:\5lflxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\thbbtt.exec:\thbbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\rxrflxl.exec:\rxrflxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\dvpvj.exec:\dvpvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\xlffxxf.exec:\xlffxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\3lflrrf.exec:\3lflrrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\jvddp.exec:\jvddp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\ffxxlrx.exec:\ffxxlrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\9thhtt.exec:\9thhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\9pddp.exec:\9pddp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\jjdpd.exec:\jjdpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\nthntt.exec:\nthntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\nhtbnn.exec:\nhtbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\vpdjj.exec:\vpdjj.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964 -
\??\c:\flrlxlr.exec:\flrlxlr.exe18⤵
- Executes dropped EXE
PID:2044 -
\??\c:\1pddp.exec:\1pddp.exe19⤵
- Executes dropped EXE
PID:864 -
\??\c:\ddjvj.exec:\ddjvj.exe20⤵
- Executes dropped EXE
PID:2052 -
\??\c:\flfxlfx.exec:\flfxlfx.exe21⤵
- Executes dropped EXE
PID:1752 -
\??\c:\jjvdp.exec:\jjvdp.exe22⤵
- Executes dropped EXE
PID:1652 -
\??\c:\bnnntt.exec:\bnnntt.exe23⤵
- Executes dropped EXE
PID:1140 -
\??\c:\nhntbh.exec:\nhntbh.exe24⤵
- Executes dropped EXE
PID:1152 -
\??\c:\1pvdd.exec:\1pvdd.exe25⤵
- Executes dropped EXE
PID:672 -
\??\c:\rlllxxx.exec:\rlllxxx.exe26⤵
- Executes dropped EXE
PID:1692 -
\??\c:\3bhnbh.exec:\3bhnbh.exe27⤵
- Executes dropped EXE
PID:304 -
\??\c:\dppjd.exec:\dppjd.exe28⤵
- Executes dropped EXE
PID:1556 -
\??\c:\1frrxxl.exec:\1frrxxl.exe29⤵
- Executes dropped EXE
PID:1384 -
\??\c:\tnbnbt.exec:\tnbnbt.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1640 -
\??\c:\pjvdj.exec:\pjvdj.exe31⤵
- Executes dropped EXE
PID:2696 -
\??\c:\ffrxrrx.exec:\ffrxrrx.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:892 -
\??\c:\5nntth.exec:\5nntth.exe33⤵
- Executes dropped EXE
PID:1520 -
\??\c:\vvppp.exec:\vvppp.exe34⤵
- Executes dropped EXE
PID:2004 -
\??\c:\rflxllx.exec:\rflxllx.exe35⤵
- Executes dropped EXE
PID:340 -
\??\c:\bthhhh.exec:\bthhhh.exe36⤵
- Executes dropped EXE
PID:2388 -
\??\c:\ththtb.exec:\ththtb.exe37⤵
- Executes dropped EXE
PID:2296 -
\??\c:\vppvj.exec:\vppvj.exe38⤵
- Executes dropped EXE
PID:2792 -
\??\c:\llxxfff.exec:\llxxfff.exe39⤵
- Executes dropped EXE
PID:2480 -
\??\c:\5xrxflr.exec:\5xrxflr.exe40⤵
- Executes dropped EXE
PID:2868 -
\??\c:\hbtntt.exec:\hbtntt.exe41⤵
- Executes dropped EXE
PID:2748 -
\??\c:\9djdj.exec:\9djdj.exe42⤵
- Executes dropped EXE
PID:2672 -
\??\c:\vvjdj.exec:\vvjdj.exe43⤵
- Executes dropped EXE
PID:2676 -
\??\c:\xrxxflr.exec:\xrxxflr.exe44⤵
- Executes dropped EXE
PID:2756 -
\??\c:\rlrrffl.exec:\rlrrffl.exe45⤵
- Executes dropped EXE
PID:2668 -
\??\c:\3thbht.exec:\3thbht.exe46⤵
- Executes dropped EXE
PID:2056 -
\??\c:\jdjjj.exec:\jdjjj.exe47⤵
- Executes dropped EXE
PID:2244 -
\??\c:\jvjdj.exec:\jvjdj.exe48⤵
- Executes dropped EXE
PID:1048 -
\??\c:\lflxxff.exec:\lflxxff.exe49⤵
- Executes dropped EXE
PID:1492 -
\??\c:\nnhhtn.exec:\nnhhtn.exe50⤵
- Executes dropped EXE
PID:2960 -
\??\c:\btnnbb.exec:\btnnbb.exe51⤵
- Executes dropped EXE
PID:780 -
\??\c:\dvpvv.exec:\dvpvv.exe52⤵
- Executes dropped EXE
PID:776 -
\??\c:\rfflrrx.exec:\rfflrrx.exe53⤵
- Executes dropped EXE
PID:2944 -
\??\c:\rlflxxx.exec:\rlflxxx.exe54⤵
- Executes dropped EXE
PID:2824 -
\??\c:\3tnnnt.exec:\3tnnnt.exe55⤵
- Executes dropped EXE
PID:2964 -
\??\c:\jpvdd.exec:\jpvdd.exe56⤵
- Executes dropped EXE
PID:1576 -
\??\c:\dvddj.exec:\dvddj.exe57⤵
- Executes dropped EXE
PID:1676 -
\??\c:\9lrrxfl.exec:\9lrrxfl.exe58⤵
- Executes dropped EXE
PID:2352 -
\??\c:\7tnnhb.exec:\7tnnhb.exe59⤵
- Executes dropped EXE
PID:2432 -
\??\c:\tntttn.exec:\tntttn.exe60⤵
- Executes dropped EXE
PID:2136 -
\??\c:\jdjjj.exec:\jdjjj.exe61⤵
- Executes dropped EXE
PID:912 -
\??\c:\1lffrrf.exec:\1lffrrf.exe62⤵
- Executes dropped EXE
PID:1708 -
\??\c:\5xllrrf.exec:\5xllrrf.exe63⤵
- Executes dropped EXE
PID:1140 -
\??\c:\3nnhhh.exec:\3nnhhh.exe64⤵
- Executes dropped EXE
PID:2408 -
\??\c:\7vpjj.exec:\7vpjj.exe65⤵
- Executes dropped EXE
PID:1956 -
\??\c:\3jdvp.exec:\3jdvp.exe66⤵PID:1832
-
\??\c:\xlrlrxl.exec:\xlrlrxl.exe67⤵PID:1564
-
\??\c:\tnttnn.exec:\tnttnn.exe68⤵PID:1812
-
\??\c:\bnttbh.exec:\bnttbh.exe69⤵PID:2304
-
\??\c:\dpvpv.exec:\dpvpv.exe70⤵PID:1756
-
\??\c:\lflxxxx.exec:\lflxxxx.exe71⤵PID:1700
-
\??\c:\lxllllr.exec:\lxllllr.exe72⤵PID:1044
-
\??\c:\tntthh.exec:\tntthh.exe73⤵PID:2696
-
\??\c:\tnthbh.exec:\tnthbh.exe74⤵PID:1928
-
\??\c:\pdjjp.exec:\pdjjp.exe75⤵PID:2576
-
\??\c:\rllfrxx.exec:\rllfrxx.exe76⤵PID:1360
-
\??\c:\7lrxrxx.exec:\7lrxrxx.exe77⤵PID:2728
-
\??\c:\nhtbbt.exec:\nhtbbt.exe78⤵PID:1100
-
\??\c:\bnbhnn.exec:\bnbhnn.exe79⤵PID:1616
-
\??\c:\5jvvd.exec:\5jvvd.exe80⤵PID:2464
-
\??\c:\7xfxfxr.exec:\7xfxfxr.exe81⤵PID:2276
-
\??\c:\lfrxlrx.exec:\lfrxlrx.exe82⤵PID:2896
-
\??\c:\1ntttt.exec:\1ntttt.exe83⤵PID:2840
-
\??\c:\btbttn.exec:\btbttn.exe84⤵PID:2852
-
\??\c:\vpdjp.exec:\vpdjp.exe85⤵PID:2748
-
\??\c:\fxrrrxf.exec:\fxrrrxf.exe86⤵PID:2672
-
\??\c:\nhntbh.exec:\nhntbh.exe87⤵PID:2640
-
\??\c:\bhtbnn.exec:\bhtbnn.exe88⤵PID:2756
-
\??\c:\1jjvd.exec:\1jjvd.exe89⤵PID:1984
-
\??\c:\pjvdd.exec:\pjvdd.exe90⤵PID:768
-
\??\c:\lrlrrrx.exec:\lrlrrrx.exe91⤵PID:576
-
\??\c:\nhntbb.exec:\nhntbb.exe92⤵PID:1092
-
\??\c:\dpvvv.exec:\dpvvv.exe93⤵PID:2976
-
\??\c:\3pdjp.exec:\3pdjp.exe94⤵PID:2960
-
\??\c:\lxllxrx.exec:\lxllxrx.exe95⤵PID:3004
-
\??\c:\7lrxffr.exec:\7lrxffr.exe96⤵PID:776
-
\??\c:\3bhtnh.exec:\3bhtnh.exe97⤵PID:2944
-
\??\c:\vpjjp.exec:\vpjjp.exe98⤵PID:888
-
\??\c:\1pdvv.exec:\1pdvv.exe99⤵PID:1940
-
\??\c:\lffflrf.exec:\lffflrf.exe100⤵PID:1920
-
\??\c:\rfrrxxf.exec:\rfrrxxf.exe101⤵PID:2128
-
\??\c:\3bntht.exec:\3bntht.exe102⤵PID:2384
-
\??\c:\9nbnbn.exec:\9nbnbn.exe103⤵PID:2052
-
\??\c:\vjddj.exec:\vjddj.exe104⤵PID:1752
-
\??\c:\jvddv.exec:\jvddv.exe105⤵PID:448
-
\??\c:\9xrrxfl.exec:\9xrrxfl.exe106⤵PID:684
-
\??\c:\bthbhb.exec:\bthbhb.exe107⤵PID:1944
-
\??\c:\3bbtbb.exec:\3bbtbb.exe108⤵PID:2588
-
\??\c:\vvjjd.exec:\vvjjd.exe109⤵PID:2284
-
\??\c:\lfxfrrx.exec:\lfxfrrx.exe110⤵PID:1724
-
\??\c:\1rlllrr.exec:\1rlllrr.exe111⤵PID:2392
-
\??\c:\tbtnbb.exec:\tbtnbb.exe112⤵PID:1788
-
\??\c:\nbhhbb.exec:\nbhhbb.exe113⤵PID:1556
-
\??\c:\vjvpj.exec:\vjvpj.exe114⤵PID:2988
-
\??\c:\fxxlxxx.exec:\fxxlxxx.exe115⤵PID:2252
-
\??\c:\rlxlrrx.exec:\rlxlrrx.exe116⤵PID:2168
-
\??\c:\1htnnn.exec:\1htnnn.exe117⤵PID:3040
-
\??\c:\djppj.exec:\djppj.exe118⤵PID:2488
-
\??\c:\vjvvj.exec:\vjvvj.exe119⤵PID:2608
-
\??\c:\rfxxxxx.exec:\rfxxxxx.exe120⤵PID:2088
-
\??\c:\7btbtb.exec:\7btbtb.exe121⤵PID:1816
-
\??\c:\bbnhbb.exec:\bbnhbb.exe122⤵PID:3016