Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 18:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe
-
Size
345KB
-
MD5
b35f879de8dde74491ecb20e62820f66
-
SHA1
710b97712d963c25aa9e0b0208ba251922d319b1
-
SHA256
0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e
-
SHA512
5d2ba9c3148f4c9407c4a04519e1ebf57a01f634f9546179f6543f106e9b7ff37b1a32dc53fde88a6a146cacc9cd3e62b80cdd1a08bad727671023ba3e04b63a
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYA5:l7TcbWXZshJX2VGd5
Malware Config
Signatures
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2108-1-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2084-20-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2428-16-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1588-28-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1668-45-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2756-84-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2656-69-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2908-60-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2920-57-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2920-55-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/2632-95-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2632-93-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2132-104-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/672-114-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2000-148-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2448-185-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2440-183-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1708-220-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2604-218-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2068-246-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/848-256-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral1/memory/2488-275-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1576-304-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1668-319-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1224-379-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2144-397-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2144-401-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1408-402-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1688-415-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1924-435-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2312-479-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1604-504-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2284-516-0x0000000000230000-0x0000000000258000-memory.dmp family_blackmoon behavioral1/memory/2416-536-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/3064-554-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/536-587-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2928-601-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2824-699-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1900-870-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1876-910-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/316-987-0x00000000003C0000-0x00000000003E8000-memory.dmp family_blackmoon behavioral1/memory/1952-1002-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon 
behavioral1/memory/1952-1000-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/2252-1020-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2392-1052-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/1432-1116-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2036-1159-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/840-1255-0x00000000002F0000-0x0000000000318000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2428 jvvvp.exe 2084 3fxfrxl.exe 1588 nnbnnt.exe 1668 vppdp.exe 2920 3hhnht.exe 2908 vpdjj.exe 2656 rlxfllx.exe 2756 7hhtht.exe 2632 vpjdd.exe 2132 3ppdv.exe 672 xlrlrxx.exe 1104 bhnhhh.exe 1300 bhhbbt.exe 2016 1ffxxfx.exe 2000 hhhbbn.exe 352 xxflrrx.exe 2436 nhhnhh.exe 2012 fflrxrr.exe 2440 9rxrlrf.exe 2448 pjjvd.exe 1260 7xlrrxl.exe 2312 ntntnb.exe 2604 fffxlfx.exe 1708 tttbtb.exe 1604 pjjpj.exe 708 rxllfrl.exe 2068 vvvpv.exe 848 xflrxlr.exe 2364 ththhb.exe 2488 llfrrrr.exe 2428 bhnntt.exe 2084 ppjpj.exe 1576 3llrrlx.exe 2588 ttntbh.exe 764 ppdvv.exe 1668 7fxlrfr.exe 2928 nbbhhb.exe 2752 1vdvv.exe 2656 rrlrxrf.exe 2732 5tnthn.exe 2640 vdjpv.exe 2620 xxrxflr.exe 2672 xflflrr.exe 1224 bhbttn.exe 2432 jpdpv.exe 1532 rlfflff.exe 2144 lxxffff.exe 1408 5nttth.exe 1688 dvdvj.exe 2804 9ffrfxr.exe 1160 7nnhhb.exe 1924 tthhth.exe 2484 jddjd.exe 2976 fffrffx.exe 2092 btthbn.exe 236 bbbhtt.exe 1620 dpjpj.exe 2468 xrrfrlf.exe 2312 hhthtb.exe 1148 tnhtbb.exe 1444 vpddj.exe 1680 xlrfrll.exe 1604 rlfllxx.exe 1556 nnnbnt.exe -
resource yara_rule behavioral1/memory/2108-1-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2084-20-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2428-16-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1588-28-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1668-37-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1668-45-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2756-84-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2656-69-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2908-60-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2920-57-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2132-96-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2632-95-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2132-104-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/672-114-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2000-148-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2440-174-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2448-185-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2440-183-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1708-220-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2604-218-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/708-236-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2068-246-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/848-256-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2488-275-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral1/memory/1576-304-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/764-311-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1668-319-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1224-372-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1224-379-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2144-401-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1408-402-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1688-415-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1924-435-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/2312-479-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1604-504-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2416-536-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1588-568-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/536-587-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2928-594-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2928-601-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2824-699-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/3040-766-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1900-870-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2856-896-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2480-988-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2416-1040-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1948-1054-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1432-1116-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral1/memory/1808-1216-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1276-1223-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that every IoC listed under this signature is a read of the NLS\Language registry key, which many benign programs also perform, so on its own this signature is weak evidence; the "Process not Found" entries indicate the originating process had already exited before the event could be attributed.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lflrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2108 wrote to memory of 2428 2108 0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe 30 PID 2108 wrote to memory of 2428 2108 0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe 30 PID 2108 wrote to memory of 2428 2108 0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe 30 PID 2108 wrote to memory of 2428 2108 0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe 30 PID 2428 wrote to memory of 2084 2428 jvvvp.exe 31 PID 2428 wrote to memory of 2084 2428 jvvvp.exe 31 PID 2428 wrote to memory of 2084 2428 jvvvp.exe 31 PID 2428 wrote to memory of 2084 2428 jvvvp.exe 31 PID 2084 wrote to memory of 1588 2084 3fxfrxl.exe 32 PID 2084 wrote to memory of 1588 2084 3fxfrxl.exe 32 PID 2084 wrote to memory of 1588 2084 3fxfrxl.exe 32 PID 2084 wrote to memory of 1588 2084 3fxfrxl.exe 32 PID 1588 wrote to memory of 1668 1588 nnbnnt.exe 33 PID 1588 wrote to memory of 1668 1588 nnbnnt.exe 33 PID 1588 wrote to memory of 1668 1588 nnbnnt.exe 33 PID 1588 wrote to memory of 1668 1588 nnbnnt.exe 33 PID 1668 wrote to memory of 2920 1668 vppdp.exe 34 PID 1668 wrote to memory of 2920 1668 vppdp.exe 34 PID 1668 wrote to memory of 2920 1668 vppdp.exe 34 PID 1668 wrote to memory of 2920 1668 vppdp.exe 34 PID 2920 wrote to memory of 2908 2920 3hhnht.exe 35 PID 2920 wrote to memory of 2908 2920 3hhnht.exe 35 PID 2920 wrote to memory of 2908 2920 3hhnht.exe 35 PID 2920 wrote to memory of 2908 2920 3hhnht.exe 35 PID 2908 wrote to memory of 2656 2908 vpdjj.exe 36 PID 2908 wrote to memory of 2656 2908 vpdjj.exe 36 PID 2908 wrote to memory of 2656 2908 vpdjj.exe 36 PID 2908 wrote to memory of 2656 2908 vpdjj.exe 36 PID 2656 wrote to memory of 2756 2656 rlxfllx.exe 37 PID 2656 wrote to memory of 2756 2656 rlxfllx.exe 37 PID 2656 wrote to memory of 2756 2656 rlxfllx.exe 37 PID 2656 wrote to memory of 2756 2656 rlxfllx.exe 37 PID 2756 wrote to memory of 2632 2756 7hhtht.exe 38 PID 2756 wrote to 
memory of 2632 2756 7hhtht.exe 38 PID 2756 wrote to memory of 2632 2756 7hhtht.exe 38 PID 2756 wrote to memory of 2632 2756 7hhtht.exe 38 PID 2632 wrote to memory of 2132 2632 vpjdd.exe 39 PID 2632 wrote to memory of 2132 2632 vpjdd.exe 39 PID 2632 wrote to memory of 2132 2632 vpjdd.exe 39 PID 2632 wrote to memory of 2132 2632 vpjdd.exe 39 PID 2132 wrote to memory of 672 2132 3ppdv.exe 40 PID 2132 wrote to memory of 672 2132 3ppdv.exe 40 PID 2132 wrote to memory of 672 2132 3ppdv.exe 40 PID 2132 wrote to memory of 672 2132 3ppdv.exe 40 PID 672 wrote to memory of 1104 672 xlrlrxx.exe 41 PID 672 wrote to memory of 1104 672 xlrlrxx.exe 41 PID 672 wrote to memory of 1104 672 xlrlrxx.exe 41 PID 672 wrote to memory of 1104 672 xlrlrxx.exe 41 PID 1104 wrote to memory of 1300 1104 bhnhhh.exe 42 PID 1104 wrote to memory of 1300 1104 bhnhhh.exe 42 PID 1104 wrote to memory of 1300 1104 bhnhhh.exe 42 PID 1104 wrote to memory of 1300 1104 bhnhhh.exe 42 PID 1300 wrote to memory of 2016 1300 bhhbbt.exe 43 PID 1300 wrote to memory of 2016 1300 bhhbbt.exe 43 PID 1300 wrote to memory of 2016 1300 bhhbbt.exe 43 PID 1300 wrote to memory of 2016 1300 bhhbbt.exe 43 PID 2016 wrote to memory of 2000 2016 1ffxxfx.exe 44 PID 2016 wrote to memory of 2000 2016 1ffxxfx.exe 44 PID 2016 wrote to memory of 2000 2016 1ffxxfx.exe 44 PID 2016 wrote to memory of 2000 2016 1ffxxfx.exe 44 PID 2000 wrote to memory of 352 2000 hhhbbn.exe 45 PID 2000 wrote to memory of 352 2000 hhhbbn.exe 45 PID 2000 wrote to memory of 352 2000 hhhbbn.exe 45 PID 2000 wrote to memory of 352 2000 hhhbbn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe"C:\Users\Admin\AppData\Local\Temp\0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\jvvvp.exec:\jvvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\3fxfrxl.exec:\3fxfrxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\nnbnnt.exec:\nnbnnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\vppdp.exec:\vppdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\3hhnht.exec:\3hhnht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\vpdjj.exec:\vpdjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\rlxfllx.exec:\rlxfllx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\7hhtht.exec:\7hhtht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\vpjdd.exec:\vpjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\3ppdv.exec:\3ppdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\xlrlrxx.exec:\xlrlrxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\bhnhhh.exec:\bhnhhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\bhhbbt.exec:\bhhbbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\1ffxxfx.exec:\1ffxxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\hhhbbn.exec:\hhhbbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\xxflrrx.exec:\xxflrrx.exe17⤵
- Executes dropped EXE
PID:352 -
\??\c:\nhhnhh.exec:\nhhnhh.exe18⤵
- Executes dropped EXE
PID:2436 -
\??\c:\fflrxrr.exec:\fflrxrr.exe19⤵
- Executes dropped EXE
PID:2012 -
\??\c:\9rxrlrf.exec:\9rxrlrf.exe20⤵
- Executes dropped EXE
PID:2440 -
\??\c:\pjjvd.exec:\pjjvd.exe21⤵
- Executes dropped EXE
PID:2448 -
\??\c:\7xlrrxl.exec:\7xlrrxl.exe22⤵
- Executes dropped EXE
PID:1260 -
\??\c:\ntntnb.exec:\ntntnb.exe23⤵
- Executes dropped EXE
PID:2312 -
\??\c:\fffxlfx.exec:\fffxlfx.exe24⤵
- Executes dropped EXE
PID:2604 -
\??\c:\tttbtb.exec:\tttbtb.exe25⤵
- Executes dropped EXE
PID:1708 -
\??\c:\pjjpj.exec:\pjjpj.exe26⤵
- Executes dropped EXE
PID:1604 -
\??\c:\rxllfrl.exec:\rxllfrl.exe27⤵
- Executes dropped EXE
PID:708 -
\??\c:\vvvpv.exec:\vvvpv.exe28⤵
- Executes dropped EXE
PID:2068 -
\??\c:\xflrxlr.exec:\xflrxlr.exe29⤵
- Executes dropped EXE
PID:848 -
\??\c:\ththhb.exec:\ththhb.exe30⤵
- Executes dropped EXE
PID:2364 -
\??\c:\llfrrrr.exec:\llfrrrr.exe31⤵
- Executes dropped EXE
PID:2488 -
\??\c:\bhnntt.exec:\bhnntt.exe32⤵
- Executes dropped EXE
PID:2428 -
\??\c:\ppjpj.exec:\ppjpj.exe33⤵
- Executes dropped EXE
PID:2084 -
\??\c:\3llrrlx.exec:\3llrrlx.exe34⤵
- Executes dropped EXE
PID:1576 -
\??\c:\ttntbh.exec:\ttntbh.exe35⤵
- Executes dropped EXE
PID:2588 -
\??\c:\ppdvv.exec:\ppdvv.exe36⤵
- Executes dropped EXE
PID:764 -
\??\c:\7fxlrfr.exec:\7fxlrfr.exe37⤵
- Executes dropped EXE
PID:1668 -
\??\c:\nbbhhb.exec:\nbbhhb.exe38⤵
- Executes dropped EXE
PID:2928 -
\??\c:\1vdvv.exec:\1vdvv.exe39⤵
- Executes dropped EXE
PID:2752 -
\??\c:\rrlrxrf.exec:\rrlrxrf.exe40⤵
- Executes dropped EXE
PID:2656 -
\??\c:\5tnthn.exec:\5tnthn.exe41⤵
- Executes dropped EXE
PID:2732 -
\??\c:\vdjpv.exec:\vdjpv.exe42⤵
- Executes dropped EXE
PID:2640 -
\??\c:\xxrxflr.exec:\xxrxflr.exe43⤵
- Executes dropped EXE
PID:2620 -
\??\c:\xflflrr.exec:\xflflrr.exe44⤵
- Executes dropped EXE
PID:2672 -
\??\c:\bhbttn.exec:\bhbttn.exe45⤵
- Executes dropped EXE
PID:1224 -
\??\c:\jpdpv.exec:\jpdpv.exe46⤵
- Executes dropped EXE
PID:2432 -
\??\c:\rlfflff.exec:\rlfflff.exe47⤵
- Executes dropped EXE
PID:1532 -
\??\c:\lxxffff.exec:\lxxffff.exe48⤵
- Executes dropped EXE
PID:2144 -
\??\c:\5nttth.exec:\5nttth.exe49⤵
- Executes dropped EXE
PID:1408 -
\??\c:\dvdvj.exec:\dvdvj.exe50⤵
- Executes dropped EXE
PID:1688 -
\??\c:\9ffrfxr.exec:\9ffrfxr.exe51⤵
- Executes dropped EXE
PID:2804 -
\??\c:\7nnhhb.exec:\7nnhhb.exe52⤵
- Executes dropped EXE
PID:1160 -
\??\c:\tthhth.exec:\tthhth.exe53⤵
- Executes dropped EXE
PID:1924 -
\??\c:\jddjd.exec:\jddjd.exe54⤵
- Executes dropped EXE
PID:2484 -
\??\c:\fffrffx.exec:\fffrffx.exe55⤵
- Executes dropped EXE
PID:2976 -
\??\c:\btthbn.exec:\btthbn.exe56⤵
- Executes dropped EXE
PID:2092 -
\??\c:\bbbhtt.exec:\bbbhtt.exe57⤵
- Executes dropped EXE
PID:236 -
\??\c:\dpjpj.exec:\dpjpj.exe58⤵
- Executes dropped EXE
PID:1620 -
\??\c:\xrrfrlf.exec:\xrrfrlf.exe59⤵
- Executes dropped EXE
PID:2468 -
\??\c:\hhthtb.exec:\hhthtb.exe60⤵
- Executes dropped EXE
PID:2312 -
\??\c:\tnhtbb.exec:\tnhtbb.exe61⤵
- Executes dropped EXE
PID:1148 -
\??\c:\vpddj.exec:\vpddj.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1444 -
\??\c:\xlrfrll.exec:\xlrfrll.exe63⤵
- Executes dropped EXE
PID:1680 -
\??\c:\rlfllxx.exec:\rlfllxx.exe64⤵
- Executes dropped EXE
PID:1604 -
\??\c:\nnnbnt.exec:\nnnbnt.exe65⤵
- Executes dropped EXE
PID:1556 -
\??\c:\djjdd.exec:\djjdd.exe66⤵PID:2284
-
\??\c:\ffrxflf.exec:\ffrxflf.exe67⤵PID:1212
-
\??\c:\xxxlxrl.exec:\xxxlxrl.exe68⤵PID:2260
-
\??\c:\hhthnn.exec:\hhthnn.exe69⤵PID:2416
-
\??\c:\ddvdp.exec:\ddvdp.exe70⤵PID:2420
-
\??\c:\xlrrxxl.exec:\xlrrxxl.exe71⤵PID:1948
-
\??\c:\frlrlrf.exec:\frlrlrf.exe72⤵PID:3064
-
\??\c:\bhhnnt.exec:\bhhnnt.exe73⤵PID:2084
-
\??\c:\jjppj.exec:\jjppj.exe74⤵PID:2700
-
\??\c:\xxxfrlr.exec:\xxxfrlr.exe75⤵PID:1588
-
\??\c:\1fxflfl.exec:\1fxflfl.exe76⤵PID:2888
-
\??\c:\nnhbnt.exec:\nnhbnt.exe77⤵PID:536
-
\??\c:\jppvv.exec:\jppvv.exe78⤵PID:2224
-
\??\c:\rxxlxfr.exec:\rxxlxfr.exe79⤵PID:2928
-
\??\c:\hhhbnh.exec:\hhhbnh.exe80⤵PID:1432
-
\??\c:\vjjvv.exec:\vjjvv.exe81⤵PID:2932
-
\??\c:\vvvdp.exec:\vvvdp.exe82⤵PID:2736
-
\??\c:\3rlrxff.exec:\3rlrxff.exe83⤵PID:1884
-
\??\c:\tbhttn.exec:\tbhttn.exe84⤵PID:2620
-
\??\c:\ttnnbb.exec:\ttnnbb.exe85⤵PID:1704
-
\??\c:\vdpjj.exec:\vdpjj.exe86⤵PID:1224
-
\??\c:\3lxfrxr.exec:\3lxfrxr.exe87⤵PID:2372
-
\??\c:\hnnbbh.exec:\hnnbbh.exe88⤵PID:1956
-
\??\c:\vdjvd.exec:\vdjvd.exe89⤵PID:1964
-
\??\c:\pvddd.exec:\pvddd.exe90⤵PID:2444
-
\??\c:\rrlllxx.exec:\rrlllxx.exe91⤵PID:1816
-
\??\c:\tthntn.exec:\tthntn.exe92⤵PID:1752
-
\??\c:\vvjvp.exec:\vvjvp.exe93⤵PID:2020
-
\??\c:\dvjvj.exec:\dvjvj.exe94⤵PID:1160
-
\??\c:\rfrxlrf.exec:\rfrxlrf.exe95⤵PID:2824
-
\??\c:\hhhhnb.exec:\hhhhnb.exe96⤵PID:2960
-
\??\c:\7ththn.exec:\7ththn.exe97⤵PID:2984
-
\??\c:\jdvdp.exec:\jdvdp.exe98⤵PID:2120
-
\??\c:\xrrlfrf.exec:\xrrlfrf.exe99⤵PID:1260
-
\??\c:\lllfrxl.exec:\lllfrxl.exe100⤵PID:988
-
\??\c:\hnntbh.exec:\hnntbh.exe101⤵PID:1544
-
\??\c:\jpjvj.exec:\jpjvj.exe102⤵PID:1952
-
\??\c:\7lflxfx.exec:\7lflxfx.exe103⤵PID:2308
-
\??\c:\rlrfrfl.exec:\rlrfrfl.exe104⤵PID:1888
-
\??\c:\bhhtnb.exec:\bhhtnb.exe105⤵PID:344
-
\??\c:\bttbth.exec:\bttbth.exe106⤵PID:2540
-
\??\c:\9dvdp.exec:\9dvdp.exe107⤵PID:3040
-
\??\c:\llfrlfr.exec:\llfrlfr.exe108⤵PID:2348
-
\??\c:\5nbhtb.exec:\5nbhtb.exe109⤵PID:300
-
\??\c:\nthbht.exec:\nthbht.exe110⤵PID:2364
-
\??\c:\pvdvv.exec:\pvdvv.exe111⤵PID:2424
-
\??\c:\pjjdd.exec:\pjjdd.exe112⤵PID:2344
-
\??\c:\rlfrxxl.exec:\rlfrxxl.exe113⤵PID:2172
-
\??\c:\ttnbbh.exec:\ttnbbh.exe114⤵PID:1716
-
\??\c:\vvvdp.exec:\vvvdp.exe115⤵PID:1576
-
\??\c:\vppvp.exec:\vppvp.exe116⤵PID:2588
-
\??\c:\fxxflrx.exec:\fxxflrx.exe117⤵PID:764
-
\??\c:\tthnbb.exec:\tthnbb.exe118⤵PID:1668
-
\??\c:\pvdpd.exec:\pvdpd.exe119⤵
- System Location Discovery: System Language Discovery
PID:536 -
\??\c:\jpvpj.exec:\jpvpj.exe120⤵PID:2720
-
\??\c:\1fxxxff.exec:\1fxxxff.exe121⤵PID:2780
-
\??\c:\ddpvj.exec:\ddpvj.exe122⤵PID:2668