Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 18:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe
-
Size
345KB
-
MD5
b35f879de8dde74491ecb20e62820f66
-
SHA1
710b97712d963c25aa9e0b0208ba251922d319b1
-
SHA256
0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e
-
SHA512
5d2ba9c3148f4c9407c4a04519e1ebf57a01f634f9546179f6543f106e9b7ff37b1a32dc53fde88a6a146cacc9cd3e62b80cdd1a08bad727671023ba3e04b63a
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYA5:l7TcbWXZshJX2VGd5
Malware Config
Signatures
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3312-5-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1796-18-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3660-28-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5112-31-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4136-12-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1428-39-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3336-54-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3972-52-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/400-63-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4144-68-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4936-73-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3600-81-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3372-82-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1340-94-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3516-91-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1836-101-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1192-110-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1812-115-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2816-121-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1716-139-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3124-145-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3984-157-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3760-162-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1312-167-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5008-173-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3252-187-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2164-191-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3436-199-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4136-209-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2752-215-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3816-227-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3052-230-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2824-235-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3896-243-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1948-247-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3936-260-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3484-264-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4784-283-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3944-287-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3740-290-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2684-297-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2320-319-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3924-332-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/800-342-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/748-358-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4400-362-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2944-369-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5076-382-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1960-389-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4884-408-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3516-430-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2596-434-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3332-438-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2004-472-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1896-491-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2272-597-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1376-610-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3256-647-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1156-708-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1924-730-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3344-815-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3140-876-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4136 bntntn.exe 1796 jppjd.exe 2752 7flfxxx.exe 5112 tthbtb.exe 3660 thbthb.exe 1428 vppdd.exe 4092 dddvj.exe 3972 jjvpv.exe 3336 7rlfxfx.exe 400 xrlxxrl.exe 4144 5pjdp.exe 4936 lrlfxlf.exe 3600 dvpdp.exe 3372 5flfxxr.exe 3516 fxfxllx.exe 1340 5ffxxxx.exe 1836 nntbtb.exe 1192 djjjd.exe 1812 llffxxr.exe 2816 pdddp.exe 1180 fffxxll.exe 3080 1hnhhh.exe 1716 jjppj.exe 3124 thhhhb.exe 3140 pdjdv.exe 3984 vpjdp.exe 3760 hhhhht.exe 1312 pdjvj.exe 5008 9fxxlff.exe 4584 hhtttt.exe 3252 3ppdv.exe 2164 3llfrrr.exe 748 btntbb.exe 4400 1bbttt.exe 3436 5vvpj.exe 3932 3fffffl.exe 4136 tbttbb.exe 1796 bbnnnh.exe 2752 ddvvp.exe 3588 xrxrlll.exe 4520 xxrrrrr.exe 3816 btbttt.exe 3976 pdjpj.exe 3052 jvpvd.exe 2824 3frlfll.exe 3896 dvvvd.exe 1948 vdpjv.exe 3580 lrxlxxx.exe 3152 hbtttt.exe 2000 vjjjd.exe 3936 5vdvp.exe 3484 7xfxrrl.exe 3348 hbbttt.exe 3868 hnnhbt.exe 3996 3jjdp.exe 4572 fxfllrr.exe 1340 rrrrlll.exe 4784 hbnhhh.exe 3944 nbhbnn.exe 3740 7ddvp.exe 2956 lxfrllf.exe 2684 bbhbtb.exe 1680 pjjdd.exe 3924 rffffff.exe -
resource yara_rule behavioral2/memory/3312-5-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1796-18-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3660-28-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5112-31-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4136-12-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1428-39-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3336-54-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3972-52-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/400-63-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4144-68-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4936-73-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3600-81-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3372-82-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1340-94-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3516-91-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1836-101-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1192-110-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1812-115-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2816-121-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1716-139-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3124-140-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3124-145-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3984-157-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3760-162-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/1312-167-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5008-173-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3252-181-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3252-187-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2164-191-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3436-199-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4136-209-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2752-215-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4520-219-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3816-227-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3052-230-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2824-235-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3896-239-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3896-243-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1948-247-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3936-260-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3484-264-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4784-283-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3944-287-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3740-290-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2684-297-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2320-319-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3924-332-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/800-342-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/748-358-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4400-362-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2944-369-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5076-382-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1960-389-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4884-408-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3516-430-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2596-434-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3332-438-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2004-472-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1896-491-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2272-597-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1376-610-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3256-647-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1156-708-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1924-730-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3312 wrote to memory of 4136 3312 0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe 84 PID 3312 wrote to memory of 4136 3312 0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe 84 PID 3312 wrote to memory of 4136 3312 0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe 84 PID 4136 wrote to memory of 1796 4136 bntntn.exe 85 PID 4136 wrote to memory of 1796 4136 bntntn.exe 85 PID 4136 wrote to memory of 1796 4136 bntntn.exe 85 PID 1796 wrote to memory of 2752 1796 jppjd.exe 86 PID 1796 wrote to memory of 2752 1796 jppjd.exe 86 PID 1796 wrote to memory of 2752 1796 jppjd.exe 86 PID 2752 wrote to memory of 5112 2752 7flfxxx.exe 87 PID 2752 wrote to memory of 5112 2752 7flfxxx.exe 87 PID 2752 wrote to memory of 5112 2752 7flfxxx.exe 87 PID 5112 wrote to memory of 3660 5112 tthbtb.exe 88 PID 5112 wrote to memory of 3660 5112 tthbtb.exe 88 PID 5112 wrote to memory of 3660 5112 tthbtb.exe 88 PID 3660 wrote to memory of 1428 3660 thbthb.exe 89 PID 3660 wrote to memory of 1428 3660 thbthb.exe 89 PID 3660 wrote to memory of 1428 3660 thbthb.exe 89 PID 1428 wrote to memory of 4092 1428 vppdd.exe 90 PID 1428 wrote to memory of 4092 1428 vppdd.exe 90 PID 1428 wrote to memory of 4092 1428 vppdd.exe 90 PID 4092 wrote to memory of 3972 4092 dddvj.exe 92 PID 4092 wrote to memory of 3972 4092 dddvj.exe 92 PID 4092 wrote to memory of 3972 4092 dddvj.exe 92 PID 3972 wrote to memory of 3336 3972 jjvpv.exe 93 PID 3972 wrote to memory of 3336 3972 jjvpv.exe 93 PID 3972 wrote to memory of 3336 3972 jjvpv.exe 93 PID 3336 wrote to memory of 400 3336 7rlfxfx.exe 94 PID 3336 wrote to memory of 400 3336 7rlfxfx.exe 94 PID 3336 wrote to memory of 400 3336 7rlfxfx.exe 94 PID 400 wrote to memory of 4144 400 xrlxxrl.exe 96 PID 400 wrote to memory of 4144 400 xrlxxrl.exe 96 PID 400 wrote to memory of 4144 400 xrlxxrl.exe 96 PID 4144 wrote to memory of 4936 4144 5pjdp.exe 97 PID 4144 wrote to memory of 4936 
4144 5pjdp.exe 97 PID 4144 wrote to memory of 4936 4144 5pjdp.exe 97 PID 4936 wrote to memory of 3600 4936 lrlfxlf.exe 98 PID 4936 wrote to memory of 3600 4936 lrlfxlf.exe 98 PID 4936 wrote to memory of 3600 4936 lrlfxlf.exe 98 PID 3600 wrote to memory of 3372 3600 dvpdp.exe 99 PID 3600 wrote to memory of 3372 3600 dvpdp.exe 99 PID 3600 wrote to memory of 3372 3600 dvpdp.exe 99 PID 3372 wrote to memory of 3516 3372 5flfxxr.exe 101 PID 3372 wrote to memory of 3516 3372 5flfxxr.exe 101 PID 3372 wrote to memory of 3516 3372 5flfxxr.exe 101 PID 3516 wrote to memory of 1340 3516 fxfxllx.exe 102 PID 3516 wrote to memory of 1340 3516 fxfxllx.exe 102 PID 3516 wrote to memory of 1340 3516 fxfxllx.exe 102 PID 1340 wrote to memory of 1836 1340 5ffxxxx.exe 103 PID 1340 wrote to memory of 1836 1340 5ffxxxx.exe 103 PID 1340 wrote to memory of 1836 1340 5ffxxxx.exe 103 PID 1836 wrote to memory of 1192 1836 nntbtb.exe 104 PID 1836 wrote to memory of 1192 1836 nntbtb.exe 104 PID 1836 wrote to memory of 1192 1836 nntbtb.exe 104 PID 1192 wrote to memory of 1812 1192 djjjd.exe 105 PID 1192 wrote to memory of 1812 1192 djjjd.exe 105 PID 1192 wrote to memory of 1812 1192 djjjd.exe 105 PID 1812 wrote to memory of 2816 1812 llffxxr.exe 106 PID 1812 wrote to memory of 2816 1812 llffxxr.exe 106 PID 1812 wrote to memory of 2816 1812 llffxxr.exe 106 PID 2816 wrote to memory of 1180 2816 pdddp.exe 107 PID 2816 wrote to memory of 1180 2816 pdddp.exe 107 PID 2816 wrote to memory of 1180 2816 pdddp.exe 107 PID 1180 wrote to memory of 3080 1180 fffxxll.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe"C:\Users\Admin\AppData\Local\Temp\0a0cb589b9c16bf00c9bb59c2da2d5a9fa4c0f1ab2b013a89b3a6e753ffa8e8e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\bntntn.exec:\bntntn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\jppjd.exec:\jppjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\7flfxxx.exec:\7flfxxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\tthbtb.exec:\tthbtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\thbthb.exec:\thbthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\vppdd.exec:\vppdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\dddvj.exec:\dddvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\jjvpv.exec:\jjvpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\7rlfxfx.exec:\7rlfxfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\xrlxxrl.exec:\xrlxxrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\5pjdp.exec:\5pjdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\lrlfxlf.exec:\lrlfxlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\dvpdp.exec:\dvpdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\5flfxxr.exec:\5flfxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\fxfxllx.exec:\fxfxllx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\5ffxxxx.exec:\5ffxxxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\nntbtb.exec:\nntbtb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\djjjd.exec:\djjjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\llffxxr.exec:\llffxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\pdddp.exec:\pdddp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\fffxxll.exec:\fffxxll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\1hnhhh.exec:\1hnhhh.exe23⤵
- Executes dropped EXE
PID:3080 -
\??\c:\jjppj.exec:\jjppj.exe24⤵
- Executes dropped EXE
PID:1716 -
\??\c:\thhhhb.exec:\thhhhb.exe25⤵
- Executes dropped EXE
PID:3124 -
\??\c:\pdjdv.exec:\pdjdv.exe26⤵
- Executes dropped EXE
PID:3140 -
\??\c:\vpjdp.exec:\vpjdp.exe27⤵
- Executes dropped EXE
PID:3984 -
\??\c:\hhhhht.exec:\hhhhht.exe28⤵
- Executes dropped EXE
PID:3760 -
\??\c:\pdjvj.exec:\pdjvj.exe29⤵
- Executes dropped EXE
PID:1312 -
\??\c:\9fxxlff.exec:\9fxxlff.exe30⤵
- Executes dropped EXE
PID:5008 -
\??\c:\hhtttt.exec:\hhtttt.exe31⤵
- Executes dropped EXE
PID:4584 -
\??\c:\3ppdv.exec:\3ppdv.exe32⤵
- Executes dropped EXE
PID:3252 -
\??\c:\3llfrrr.exec:\3llfrrr.exe33⤵
- Executes dropped EXE
PID:2164 -
\??\c:\btntbb.exec:\btntbb.exe34⤵
- Executes dropped EXE
PID:748 -
\??\c:\1bbttt.exec:\1bbttt.exe35⤵
- Executes dropped EXE
PID:4400 -
\??\c:\5vvpj.exec:\5vvpj.exe36⤵
- Executes dropped EXE
PID:3436 -
\??\c:\3fffffl.exec:\3fffffl.exe37⤵
- Executes dropped EXE
PID:3932 -
\??\c:\tbttbb.exec:\tbttbb.exe38⤵
- Executes dropped EXE
PID:4136 -
\??\c:\bbnnnh.exec:\bbnnnh.exe39⤵
- Executes dropped EXE
PID:1796 -
\??\c:\ddvvp.exec:\ddvvp.exe40⤵
- Executes dropped EXE
PID:2752 -
\??\c:\xrxrlll.exec:\xrxrlll.exe41⤵
- Executes dropped EXE
PID:3588 -
\??\c:\xxrrrrr.exec:\xxrrrrr.exe42⤵
- Executes dropped EXE
PID:4520 -
\??\c:\btbttt.exec:\btbttt.exe43⤵
- Executes dropped EXE
PID:3816 -
\??\c:\pdjpj.exec:\pdjpj.exe44⤵
- Executes dropped EXE
PID:3976 -
\??\c:\jvpvd.exec:\jvpvd.exe45⤵
- Executes dropped EXE
PID:3052 -
\??\c:\3frlfll.exec:\3frlfll.exe46⤵
- Executes dropped EXE
PID:2824 -
\??\c:\dvvvd.exec:\dvvvd.exe47⤵
- Executes dropped EXE
PID:3896 -
\??\c:\vdpjv.exec:\vdpjv.exe48⤵
- Executes dropped EXE
PID:1948 -
\??\c:\lrxlxxx.exec:\lrxlxxx.exe49⤵
- Executes dropped EXE
PID:3580 -
\??\c:\hbtttt.exec:\hbtttt.exe50⤵
- Executes dropped EXE
PID:3152 -
\??\c:\vjjjd.exec:\vjjjd.exe51⤵
- Executes dropped EXE
PID:2000 -
\??\c:\5vdvp.exec:\5vdvp.exe52⤵
- Executes dropped EXE
PID:3936 -
\??\c:\7xfxrrl.exec:\7xfxrrl.exe53⤵
- Executes dropped EXE
PID:3484 -
\??\c:\hbbttt.exec:\hbbttt.exe54⤵
- Executes dropped EXE
PID:3348 -
\??\c:\hnnhbt.exec:\hnnhbt.exe55⤵
- Executes dropped EXE
PID:3868 -
\??\c:\3jjdp.exec:\3jjdp.exe56⤵
- Executes dropped EXE
PID:3996 -
\??\c:\fxfllrr.exec:\fxfllrr.exe57⤵
- Executes dropped EXE
PID:4572 -
\??\c:\rrrrlll.exec:\rrrrlll.exe58⤵
- Executes dropped EXE
PID:1340 -
\??\c:\hbnhhh.exec:\hbnhhh.exe59⤵
- Executes dropped EXE
PID:4784 -
\??\c:\nbhbnn.exec:\nbhbnn.exe60⤵
- Executes dropped EXE
PID:3944 -
\??\c:\7ddvp.exec:\7ddvp.exe61⤵
- Executes dropped EXE
PID:3740 -
\??\c:\lxfrllf.exec:\lxfrllf.exe62⤵
- Executes dropped EXE
PID:2956 -
\??\c:\bbhbtb.exec:\bbhbtb.exe63⤵
- Executes dropped EXE
PID:2684 -
\??\c:\pjjdd.exec:\pjjdd.exe64⤵
- Executes dropped EXE
PID:1680 -
\??\c:\rffffff.exec:\rffffff.exe65⤵
- Executes dropped EXE
PID:3924 -
\??\c:\frllffx.exec:\frllffx.exe66⤵PID:1252
-
\??\c:\bntntt.exec:\bntntt.exe67⤵PID:4396
-
\??\c:\vjjdp.exec:\vjjdp.exe68⤵PID:2960
-
\??\c:\rfflffx.exec:\rfflffx.exe69⤵PID:4624
-
\??\c:\9flfxxr.exec:\9flfxxr.exe70⤵PID:2320
-
\??\c:\tnbtbt.exec:\tnbtbt.exe71⤵PID:5056
-
\??\c:\ddjjd.exec:\ddjjd.exe72⤵PID:692
-
\??\c:\7dpdv.exec:\7dpdv.exe73⤵PID:1448
-
\??\c:\rllfrrr.exec:\rllfrrr.exe74⤵PID:2948
-
\??\c:\rffxxxr.exec:\rffxxxr.exe75⤵PID:3048
-
\??\c:\btbbhh.exec:\btbbhh.exe76⤵PID:3544
-
\??\c:\jvpvp.exec:\jvpvp.exe77⤵PID:800
-
\??\c:\rllfrrl.exec:\rllfrrl.exe78⤵PID:2860
-
\??\c:\xlllffx.exec:\xlllffx.exe79⤵PID:4540
-
\??\c:\bnhhbb.exec:\bnhhbb.exe80⤵PID:3792
-
\??\c:\vdpjd.exec:\vdpjd.exe81⤵PID:4388
-
\??\c:\ppjjp.exec:\ppjjp.exe82⤵
- System Location Discovery: System Language Discovery
PID:748 -
\??\c:\rrxxxxf.exec:\rrxxxxf.exe83⤵PID:4400
-
\??\c:\9tbtnt.exec:\9tbtnt.exe84⤵PID:1084
-
\??\c:\jdvjj.exec:\jdvjj.exe85⤵PID:2944
-
\??\c:\lfflfff.exec:\lfflfff.exe86⤵PID:4136
-
\??\c:\xrlfllr.exec:\xrlfllr.exe87⤵PID:3376
-
\??\c:\thtnhh.exec:\thtnhh.exe88⤵PID:2748
-
\??\c:\ppdvj.exec:\ppdvj.exe89⤵PID:5076
-
\??\c:\xrxrxxl.exec:\xrxrxxl.exe90⤵PID:4520
-
\??\c:\9hbhtb.exec:\9hbhtb.exe91⤵PID:1960
-
\??\c:\thhbtn.exec:\thhbtn.exe92⤵PID:1064
-
\??\c:\ppppp.exec:\ppppp.exe93⤵PID:3052
-
\??\c:\lffxrrl.exec:\lffxrrl.exe94⤵PID:1784
-
\??\c:\thhhbb.exec:\thhhbb.exe95⤵PID:3344
-
\??\c:\hnnbtt.exec:\hnnbtt.exe96⤵PID:2868
-
\??\c:\vvpjd.exec:\vvpjd.exe97⤵PID:4884
-
\??\c:\jjjdv.exec:\jjjdv.exe98⤵
- System Location Discovery: System Language Discovery
PID:4988 -
\??\c:\fxffxxr.exec:\fxffxxr.exe99⤵PID:1832
-
\??\c:\rfllrrx.exec:\rfllrrx.exe100⤵PID:2256
-
\??\c:\dvvvp.exec:\dvvvp.exe101⤵PID:3600
-
\??\c:\jpvpp.exec:\jpvpp.exe102⤵PID:3484
-
\??\c:\xlrrffl.exec:\xlrrffl.exe103⤵PID:3348
-
\??\c:\nnbthb.exec:\nnbthb.exe104⤵PID:3516
-
\??\c:\hbtnnh.exec:\hbtnnh.exe105⤵PID:2596
-
\??\c:\dpvvd.exec:\dpvvd.exe106⤵PID:3332
-
\??\c:\ffffrxx.exec:\ffffrxx.exe107⤵PID:2260
-
\??\c:\fxlfxxx.exec:\fxlfxxx.exe108⤵PID:872
-
\??\c:\nhtttt.exec:\nhtttt.exe109⤵PID:5028
-
\??\c:\dddvp.exec:\dddvp.exe110⤵PID:640
-
\??\c:\7jdvp.exec:\7jdvp.exe111⤵PID:1800
-
\??\c:\7lrrrrx.exec:\7lrrrrx.exe112⤵PID:5100
-
\??\c:\ntttnn.exec:\ntttnn.exe113⤵PID:1500
-
\??\c:\btbbhh.exec:\btbbhh.exe114⤵PID:1424
-
\??\c:\ppppj.exec:\ppppj.exe115⤵PID:1716
-
\??\c:\9rxrxff.exec:\9rxrxff.exe116⤵PID:4592
-
\??\c:\lrxrrrr.exec:\lrxrrrr.exe117⤵PID:2004
-
\??\c:\9tttnn.exec:\9tttnn.exe118⤵PID:3068
-
\??\c:\djjjd.exec:\djjjd.exe119⤵PID:1376
-
\??\c:\ppddv.exec:\ppddv.exe120⤵PID:3132
-
\??\c:\5lfxrrr.exec:\5lfxrrr.exe121⤵PID:424
-
\??\c:\xrllffx.exec:\xrllffx.exe122⤵PID:2948