Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2024 19:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe
-
Size
454KB
-
MD5
2c730cd47a602fc4d13a2686a9dd5bd9
-
SHA1
be734adb93753935dca282c4fd06dd90c4fbfb60
-
SHA256
0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0
-
SHA512
00a5897997e1432b76af169e9d9f65311a001155cac62670992a4424fb6035a9474a6065b5ea1a5d7383ac04d8080cb3cd2c50754a17bc2daf194bc43db8ed7f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7W:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3744-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4232-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4036-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-999-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-1009-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-1343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1192-1618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 972 vpvpj.exe 3620 rrfrxxl.exe 1564 7nhbbb.exe 5064 pvjpd.exe 2412 3xxxrfl.exe 2836 flxfrrl.exe 1516 bbhbbh.exe 1060 3ppjd.exe 1724 frxrrrr.exe 1640 ttbbbb.exe 1128 djjvp.exe 3460 xrxxrrr.exe 3008 xrxrllf.exe 3996 lffxrrr.exe 4388 bbthnh.exe 4084 rxfflrr.exe 756 3dddv.exe 4036 xrlfxxx.exe 4048 9rlfxxr.exe 4072 pppjd.exe 3948 bntnbb.exe 1332 dpvpj.exe 2080 dpdvv.exe 4672 htnbtt.exe 4692 pvdpd.exe 2232 9xfxrrx.exe 4232 htnhtn.exe 2040 vvpjp.exe 316 hhnntb.exe 4416 btbtnt.exe 1008 rlrlfff.exe 3944 bhbttn.exe 4780 vvdvd.exe 1932 xlffxfx.exe 2880 lxfxxlx.exe 2032 9nhbtt.exe 208 jjjdv.exe 4832 fxlxrrl.exe 1312 thhnbt.exe 2676 ppddj.exe 1112 dvvpd.exe 4340 lxlrfxx.exe 4408 bhbnbn.exe 2440 pdjdp.exe 1720 fxfllfr.exe 1952 ttbtnn.exe 3092 vjppp.exe 4628 9rrlxrl.exe 3632 xxxrlfx.exe 3648 bhbtnn.exe 2920 pdddv.exe 3160 xrxxrrr.exe 4624 lfllxxf.exe 392 9tttnn.exe 2928 pdpvp.exe 4164 fxffffl.exe 368 fxrlffx.exe 924 nbnbtt.exe 2292 djpjd.exe 4100 vppjd.exe 5084 7lrllrl.exe 1552 httnnh.exe 732 jvjjp.exe 1508 xxxxxxx.exe -
resource yara_rule behavioral2/memory/3744-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/316-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-374-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5000-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-795-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrlr.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3744 wrote to memory of 972 3744 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 82 PID 3744 wrote to memory of 972 3744 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 82 PID 3744 wrote to memory of 972 3744 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 82 PID 972 wrote to memory of 3620 972 vpvpj.exe 83 PID 972 wrote to memory of 3620 972 vpvpj.exe 83 PID 972 wrote to memory of 3620 972 vpvpj.exe 83 PID 3620 wrote to memory of 1564 3620 rrfrxxl.exe 84 PID 3620 wrote to memory of 1564 3620 rrfrxxl.exe 84 PID 3620 wrote to memory of 1564 3620 rrfrxxl.exe 84 PID 1564 wrote to memory of 5064 1564 7nhbbb.exe 85 PID 1564 wrote to memory of 5064 1564 7nhbbb.exe 85 PID 1564 wrote to memory of 5064 1564 7nhbbb.exe 85 PID 5064 wrote to memory of 2412 5064 pvjpd.exe 86 PID 5064 wrote to memory of 2412 5064 pvjpd.exe 86 PID 5064 wrote to memory of 2412 5064 pvjpd.exe 86 PID 2412 wrote to memory of 2836 2412 3xxxrfl.exe 87 PID 2412 wrote to memory of 2836 2412 3xxxrfl.exe 87 PID 2412 wrote to memory of 2836 2412 3xxxrfl.exe 87 PID 2836 wrote to memory of 1516 2836 flxfrrl.exe 88 PID 2836 wrote to memory of 1516 2836 flxfrrl.exe 88 PID 2836 wrote to memory of 1516 2836 flxfrrl.exe 88 PID 1516 wrote to memory of 1060 1516 bbhbbh.exe 89 PID 1516 wrote to memory of 1060 1516 bbhbbh.exe 89 PID 1516 wrote to memory of 1060 1516 bbhbbh.exe 89 PID 1060 wrote to memory of 1724 1060 3ppjd.exe 90 PID 1060 wrote to memory of 1724 1060 3ppjd.exe 90 PID 1060 wrote to memory of 1724 1060 3ppjd.exe 90 PID 1724 wrote to memory of 1640 1724 frxrrrr.exe 91 PID 1724 wrote to memory of 1640 1724 frxrrrr.exe 91 PID 1724 wrote to memory of 1640 1724 frxrrrr.exe 91 PID 1640 wrote to memory of 1128 1640 ttbbbb.exe 92 PID 1640 wrote to memory of 1128 1640 ttbbbb.exe 92 PID 1640 wrote to memory of 1128 1640 ttbbbb.exe 92 PID 1128 wrote to memory of 3460 1128 djjvp.exe 93 PID 1128 wrote to memory 
of 3460 1128 djjvp.exe 93 PID 1128 wrote to memory of 3460 1128 djjvp.exe 93 PID 3460 wrote to memory of 3008 3460 xrxxrrr.exe 94 PID 3460 wrote to memory of 3008 3460 xrxxrrr.exe 94 PID 3460 wrote to memory of 3008 3460 xrxxrrr.exe 94 PID 3008 wrote to memory of 3996 3008 xrxrllf.exe 95 PID 3008 wrote to memory of 3996 3008 xrxrllf.exe 95 PID 3008 wrote to memory of 3996 3008 xrxrllf.exe 95 PID 3996 wrote to memory of 4388 3996 lffxrrr.exe 96 PID 3996 wrote to memory of 4388 3996 lffxrrr.exe 96 PID 3996 wrote to memory of 4388 3996 lffxrrr.exe 96 PID 4388 wrote to memory of 4084 4388 bbthnh.exe 97 PID 4388 wrote to memory of 4084 4388 bbthnh.exe 97 PID 4388 wrote to memory of 4084 4388 bbthnh.exe 97 PID 4084 wrote to memory of 756 4084 rxfflrr.exe 98 PID 4084 wrote to memory of 756 4084 rxfflrr.exe 98 PID 4084 wrote to memory of 756 4084 rxfflrr.exe 98 PID 756 wrote to memory of 4036 756 3dddv.exe 99 PID 756 wrote to memory of 4036 756 3dddv.exe 99 PID 756 wrote to memory of 4036 756 3dddv.exe 99 PID 4036 wrote to memory of 4048 4036 xrlfxxx.exe 100 PID 4036 wrote to memory of 4048 4036 xrlfxxx.exe 100 PID 4036 wrote to memory of 4048 4036 xrlfxxx.exe 100 PID 4048 wrote to memory of 4072 4048 9rlfxxr.exe 101 PID 4048 wrote to memory of 4072 4048 9rlfxxr.exe 101 PID 4048 wrote to memory of 4072 4048 9rlfxxr.exe 101 PID 4072 wrote to memory of 3948 4072 pppjd.exe 102 PID 4072 wrote to memory of 3948 4072 pppjd.exe 102 PID 4072 wrote to memory of 3948 4072 pppjd.exe 102 PID 3948 wrote to memory of 1332 3948 bntnbb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe"C:\Users\Admin\AppData\Local\Temp\0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\vpvpj.exec:\vpvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\rrfrxxl.exec:\rrfrxxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\7nhbbb.exec:\7nhbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\pvjpd.exec:\pvjpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\3xxxrfl.exec:\3xxxrfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\flxfrrl.exec:\flxfrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\bbhbbh.exec:\bbhbbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\3ppjd.exec:\3ppjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\frxrrrr.exec:\frxrrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\ttbbbb.exec:\ttbbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\djjvp.exec:\djjvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\xrxrllf.exec:\xrxrllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\lffxrrr.exec:\lffxrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\bbthnh.exec:\bbthnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\rxfflrr.exec:\rxfflrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\3dddv.exec:\3dddv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\xrlfxxx.exec:\xrlfxxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\9rlfxxr.exec:\9rlfxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\pppjd.exec:\pppjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\bntnbb.exec:\bntnbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\dpvpj.exec:\dpvpj.exe23⤵
- Executes dropped EXE
PID:1332 -
\??\c:\dpdvv.exec:\dpdvv.exe24⤵
- Executes dropped EXE
PID:2080 -
\??\c:\htnbtt.exec:\htnbtt.exe25⤵
- Executes dropped EXE
PID:4672 -
\??\c:\pvdpd.exec:\pvdpd.exe26⤵
- Executes dropped EXE
PID:4692 -
\??\c:\9xfxrrx.exec:\9xfxrrx.exe27⤵
- Executes dropped EXE
PID:2232 -
\??\c:\htnhtn.exec:\htnhtn.exe28⤵
- Executes dropped EXE
PID:4232 -
\??\c:\vvpjp.exec:\vvpjp.exe29⤵
- Executes dropped EXE
PID:2040 -
\??\c:\hhnntb.exec:\hhnntb.exe30⤵
- Executes dropped EXE
PID:316 -
\??\c:\btbtnt.exec:\btbtnt.exe31⤵
- Executes dropped EXE
PID:4416 -
\??\c:\rlrlfff.exec:\rlrlfff.exe32⤵
- Executes dropped EXE
PID:1008 -
\??\c:\bhbttn.exec:\bhbttn.exe33⤵
- Executes dropped EXE
PID:3944 -
\??\c:\vvdvd.exec:\vvdvd.exe34⤵
- Executes dropped EXE
PID:4780 -
\??\c:\xlffxfx.exec:\xlffxfx.exe35⤵
- Executes dropped EXE
PID:1932 -
\??\c:\lxfxxlx.exec:\lxfxxlx.exe36⤵
- Executes dropped EXE
PID:2880 -
\??\c:\9nhbtt.exec:\9nhbtt.exe37⤵
- Executes dropped EXE
PID:2032 -
\??\c:\jjjdv.exec:\jjjdv.exe38⤵
- Executes dropped EXE
PID:208 -
\??\c:\fxlxrrl.exec:\fxlxrrl.exe39⤵
- Executes dropped EXE
PID:4832 -
\??\c:\thhnbt.exec:\thhnbt.exe40⤵
- Executes dropped EXE
PID:1312 -
\??\c:\ppddj.exec:\ppddj.exe41⤵
- Executes dropped EXE
PID:2676 -
\??\c:\dvvpd.exec:\dvvpd.exe42⤵
- Executes dropped EXE
PID:1112 -
\??\c:\lxlrfxx.exec:\lxlrfxx.exe43⤵
- Executes dropped EXE
PID:4340 -
\??\c:\bhbnbn.exec:\bhbnbn.exe44⤵
- Executes dropped EXE
PID:4408 -
\??\c:\pdjdp.exec:\pdjdp.exe45⤵
- Executes dropped EXE
PID:2440 -
\??\c:\fxfllfr.exec:\fxfllfr.exe46⤵
- Executes dropped EXE
PID:1720 -
\??\c:\ttbtnn.exec:\ttbtnn.exe47⤵
- Executes dropped EXE
PID:1952 -
\??\c:\vjppp.exec:\vjppp.exe48⤵
- Executes dropped EXE
PID:3092 -
\??\c:\9rrlxrl.exec:\9rrlxrl.exe49⤵
- Executes dropped EXE
PID:4628 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe50⤵
- Executes dropped EXE
PID:3632 -
\??\c:\bhbtnn.exec:\bhbtnn.exe51⤵
- Executes dropped EXE
PID:3648 -
\??\c:\pdddv.exec:\pdddv.exe52⤵
- Executes dropped EXE
PID:2920 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe53⤵
- Executes dropped EXE
PID:3160 -
\??\c:\lfllxxf.exec:\lfllxxf.exe54⤵
- Executes dropped EXE
PID:4624 -
\??\c:\9tttnn.exec:\9tttnn.exe55⤵
- Executes dropped EXE
PID:392 -
\??\c:\pdpvp.exec:\pdpvp.exe56⤵
- Executes dropped EXE
PID:2928 -
\??\c:\fxffffl.exec:\fxffffl.exe57⤵
- Executes dropped EXE
PID:4164 -
\??\c:\fxrlffx.exec:\fxrlffx.exe58⤵
- Executes dropped EXE
PID:368 -
\??\c:\nbnbtt.exec:\nbnbtt.exe59⤵
- Executes dropped EXE
PID:924 -
\??\c:\djpjd.exec:\djpjd.exe60⤵
- Executes dropped EXE
PID:2292 -
\??\c:\vppjd.exec:\vppjd.exe61⤵
- Executes dropped EXE
PID:4100 -
\??\c:\7lrllrl.exec:\7lrllrl.exe62⤵
- Executes dropped EXE
PID:5084 -
\??\c:\httnnh.exec:\httnnh.exe63⤵
- Executes dropped EXE
PID:1552 -
\??\c:\jvjjp.exec:\jvjjp.exe64⤵
- Executes dropped EXE
PID:732 -
\??\c:\xxxxxxx.exec:\xxxxxxx.exe65⤵
- Executes dropped EXE
PID:1508 -
\??\c:\xxfxxxx.exec:\xxfxxxx.exe66⤵PID:4828
-
\??\c:\tntntn.exec:\tntntn.exe67⤵PID:2500
-
\??\c:\vdppd.exec:\vdppd.exe68⤵PID:4236
-
\??\c:\rxllxfx.exec:\rxllxfx.exe69⤵PID:3996
-
\??\c:\7tbtht.exec:\7tbtht.exe70⤵PID:2120
-
\??\c:\vvjpd.exec:\vvjpd.exe71⤵PID:4388
-
\??\c:\rlffxff.exec:\rlffxff.exe72⤵PID:2064
-
\??\c:\5xfrrlx.exec:\5xfrrlx.exe73⤵PID:4140
-
\??\c:\htnbbt.exec:\htnbbt.exe74⤵PID:2388
-
\??\c:\9jvjv.exec:\9jvjv.exe75⤵PID:2068
-
\??\c:\1fxllfx.exec:\1fxllfx.exe76⤵PID:4036
-
\??\c:\hnnhhn.exec:\hnnhhn.exe77⤵PID:4996
-
\??\c:\jdvpd.exec:\jdvpd.exe78⤵PID:3120
-
\??\c:\vdddp.exec:\vdddp.exe79⤵PID:3380
-
\??\c:\ffflfrf.exec:\ffflfrf.exe80⤵PID:1568
-
\??\c:\hbbnbt.exec:\hbbnbt.exe81⤵PID:1304
-
\??\c:\ntbtnb.exec:\ntbtnb.exe82⤵PID:1532
-
\??\c:\pddjv.exec:\pddjv.exe83⤵PID:4204
-
\??\c:\pjpdv.exec:\pjpdv.exe84⤵PID:3360
-
\??\c:\3fllrrr.exec:\3fllrrr.exe85⤵PID:2376
-
\??\c:\djjdv.exec:\djjdv.exe86⤵PID:1556
-
\??\c:\1xxlrll.exec:\1xxlrll.exe87⤵PID:2828
-
\??\c:\nhbbnh.exec:\nhbbnh.exe88⤵PID:1960
-
\??\c:\7nnbtn.exec:\7nnbtn.exe89⤵PID:5000
-
\??\c:\1ppjd.exec:\1ppjd.exe90⤵PID:4580
-
\??\c:\rfxlxlf.exec:\rfxlxlf.exe91⤵PID:1104
-
\??\c:\bnbtnh.exec:\bnbtnh.exe92⤵PID:2060
-
\??\c:\7nthtn.exec:\7nthtn.exe93⤵PID:4688
-
\??\c:\7vpdv.exec:\7vpdv.exe94⤵PID:2396
-
\??\c:\xrllffx.exec:\xrllffx.exe95⤵PID:3388
-
\??\c:\hnnthb.exec:\hnnthb.exe96⤵PID:2936
-
\??\c:\3bhbnn.exec:\3bhbnn.exe97⤵PID:3944
-
\??\c:\1dpjd.exec:\1dpjd.exe98⤵PID:920
-
\??\c:\3xfxrfx.exec:\3xfxrfx.exe99⤵PID:4780
-
\??\c:\1hbthb.exec:\1hbthb.exe100⤵PID:1976
-
\??\c:\7ppjd.exec:\7ppjd.exe101⤵PID:3820
-
\??\c:\lflfxrr.exec:\lflfxrr.exe102⤵PID:4200
-
\??\c:\htbtnh.exec:\htbtnh.exe103⤵PID:4260
-
\??\c:\dvdpv.exec:\dvdpv.exe104⤵PID:4424
-
\??\c:\xfxxflx.exec:\xfxxflx.exe105⤵PID:1148
-
\??\c:\xlrfrlr.exec:\xlrfrlr.exe106⤵PID:2496
-
\??\c:\btbtnn.exec:\btbtnn.exe107⤵PID:712
-
\??\c:\7jvjv.exec:\7jvjv.exe108⤵PID:1972
-
\??\c:\ffrlxxf.exec:\ffrlxxf.exe109⤵PID:1944
-
\??\c:\btthbt.exec:\btthbt.exe110⤵PID:396
-
\??\c:\ntbtnh.exec:\ntbtnh.exe111⤵PID:944
-
\??\c:\ddpjd.exec:\ddpjd.exe112⤵PID:972
-
\??\c:\rlffrff.exec:\rlffrff.exe113⤵PID:1488
-
\??\c:\tbhbnn.exec:\tbhbnn.exe114⤵PID:3096
-
\??\c:\7vdvv.exec:\7vdvv.exe115⤵PID:3000
-
\??\c:\9ffrrxl.exec:\9ffrrxl.exe116⤵PID:4980
-
\??\c:\xxfxrxr.exec:\xxfxrxr.exe117⤵PID:4628
-
\??\c:\vpppj.exec:\vpppj.exe118⤵PID:4868
-
\??\c:\9dvjp.exec:\9dvjp.exe119⤵PID:3700
-
\??\c:\frxrffx.exec:\frxrffx.exe120⤵PID:1424
-
\??\c:\1bbnhb.exec:\1bbnhb.exe121⤵PID:744
-
\??\c:\dddpd.exec:\dddpd.exe122⤵PID:2284