Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 18:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe
-
Size
456KB
-
MD5
797ccb05a37c20b190b39708b77b904b
-
SHA1
c94e55e875df32b7f3a82e3668fb8967cecba7ad
-
SHA256
e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46
-
SHA512
2e14e14dfc1674080f9cdbfe8b5cd2f96801e0598d1fd34d26486d1bd808ad4317559c8cf991e5cbb93a69e90f0e341b0123e25eb04ee431a86486b44512fa21
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRT:q7Tc2NYHUrAwfMp3CDRT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2348-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1364-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-35-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2192-46-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2744-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-66-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2816-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-134-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2944-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1708-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1216-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/272-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-377-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2116-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-388-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1404-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/532-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1452-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-431-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2664-438-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/1900-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-461-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/2052-472-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2052-473-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon 
behavioral1/memory/2208-484-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2052-493-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2100-592-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2668-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-714-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1144-730-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1864-761-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-802-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2300-835-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2536-848-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1364 vdvdv.exe 2392 pjjdp.exe 2684 lffrlfx.exe 2192 bhhbnt.exe 2744 fxfxxlf.exe 2816 dvppd.exe 2916 rxlrflx.exe 2736 vpddp.exe 2608 rlflxlf.exe 1704 flfllxx.exe 2356 7vpvv.exe 1716 hnbhbh.exe 2796 hbbbht.exe 1956 7frrxfl.exe 692 nhbhnn.exe 2844 7bntth.exe 2944 tbtbnb.exe 1952 3jdvj.exe 2276 hbtbbb.exe 1708 rlxrlxf.exe 1616 tbbhtb.exe 3060 jjdpv.exe 2044 1xrxlrf.exe 1216 bhbbbn.exe 272 vjvdd.exe 1268 7hbhtb.exe 2148 xfffxfl.exe 1296 bhtbnh.exe 1960 nhnthn.exe 2468 ddvjv.exe 2084 3fxlxfr.exe 2028 7jvvv.exe 2392 rlxfxxl.exe 2552 9hhttb.exe 2296 nhtbtt.exe 2192 ppjjp.exe 2708 9jjjp.exe 2612 lllrxrx.exe 2892 5bttbh.exe 2632 thnhhb.exe 1712 3jdpd.exe 2620 rlflrfl.exe 2116 3fxxxxf.exe 2668 tnnbhn.exe 1404 ppdjd.exe 1888 xrfrfrl.exe 532 xfxlxlr.exe 2804 3bnhbb.exe 1452 9btnth.exe 1056 1jddj.exe 2664 xrlrllx.exe 1116 rfxxxfr.exe 1900 hhbhht.exe 2944 3vvvv.exe 1440 1jvvv.exe 2052 xlfxxrx.exe 2076 5bbbhb.exe 2208 bbtbbh.exe 1572 jjdjv.exe 2940 1lxfrrx.exe 448 hbntbt.exe 996 jdvvv.exe 564 ddvjv.exe 1720 fxrxrxr.exe -
resource yara_rule behavioral1/memory/2348-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-35-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2744-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-205-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1216-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/272-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1452-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-484-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/996-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-761-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2236-811-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-887-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-900-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-922-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/3064-927-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2348 wrote to memory of 1364 2348 e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe 30 PID 2348 wrote to memory of 1364 2348 e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe 30 PID 2348 wrote to memory of 1364 2348 e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe 30 PID 2348 wrote to memory of 1364 2348 e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe 30 PID 1364 wrote to memory of 2392 1364 vdvdv.exe 31 PID 1364 wrote to memory of 2392 1364 vdvdv.exe 31 PID 1364 wrote to memory of 2392 1364 vdvdv.exe 31 PID 1364 wrote to memory of 2392 1364 vdvdv.exe 31 PID 2392 wrote to memory of 2684 2392 pjjdp.exe 32 PID 2392 wrote to memory of 2684 2392 pjjdp.exe 32 PID 2392 wrote to memory of 2684 2392 pjjdp.exe 32 PID 2392 wrote to memory of 2684 2392 pjjdp.exe 32 PID 2684 wrote to memory of 2192 2684 lffrlfx.exe 33 PID 2684 wrote to memory of 2192 2684 lffrlfx.exe 33 PID 2684 wrote to memory of 2192 2684 lffrlfx.exe 33 PID 2684 wrote to memory of 2192 2684 lffrlfx.exe 33 PID 2192 wrote to memory of 2744 2192 bhhbnt.exe 34 PID 2192 wrote to memory of 2744 2192 bhhbnt.exe 34 PID 2192 wrote to memory of 2744 2192 bhhbnt.exe 34 PID 2192 wrote to memory of 2744 2192 bhhbnt.exe 34 PID 2744 wrote to memory of 2816 2744 fxfxxlf.exe 35 PID 2744 wrote to memory of 2816 2744 fxfxxlf.exe 35 PID 2744 wrote to memory of 2816 2744 fxfxxlf.exe 35 PID 2744 wrote to memory of 2816 2744 fxfxxlf.exe 35 PID 2816 wrote to memory of 2916 2816 dvppd.exe 36 PID 2816 wrote to memory of 2916 2816 dvppd.exe 36 PID 2816 wrote to memory of 2916 2816 dvppd.exe 36 PID 2816 wrote to memory of 2916 2816 dvppd.exe 36 PID 2916 wrote to memory of 2736 2916 rxlrflx.exe 37 PID 2916 wrote to memory of 2736 2916 rxlrflx.exe 37 PID 2916 wrote to memory of 2736 2916 rxlrflx.exe 37 PID 2916 wrote to memory of 2736 2916 rxlrflx.exe 37 PID 2736 wrote to memory of 2608 2736 vpddp.exe 38 PID 2736 wrote 
to memory of 2608 2736 vpddp.exe 38 PID 2736 wrote to memory of 2608 2736 vpddp.exe 38 PID 2736 wrote to memory of 2608 2736 vpddp.exe 38 PID 2608 wrote to memory of 1704 2608 rlflxlf.exe 39 PID 2608 wrote to memory of 1704 2608 rlflxlf.exe 39 PID 2608 wrote to memory of 1704 2608 rlflxlf.exe 39 PID 2608 wrote to memory of 1704 2608 rlflxlf.exe 39 PID 1704 wrote to memory of 2356 1704 flfllxx.exe 40 PID 1704 wrote to memory of 2356 1704 flfllxx.exe 40 PID 1704 wrote to memory of 2356 1704 flfllxx.exe 40 PID 1704 wrote to memory of 2356 1704 flfllxx.exe 40 PID 2356 wrote to memory of 1716 2356 7vpvv.exe 41 PID 2356 wrote to memory of 1716 2356 7vpvv.exe 41 PID 2356 wrote to memory of 1716 2356 7vpvv.exe 41 PID 2356 wrote to memory of 1716 2356 7vpvv.exe 41 PID 1716 wrote to memory of 2796 1716 hnbhbh.exe 42 PID 1716 wrote to memory of 2796 1716 hnbhbh.exe 42 PID 1716 wrote to memory of 2796 1716 hnbhbh.exe 42 PID 1716 wrote to memory of 2796 1716 hnbhbh.exe 42 PID 2796 wrote to memory of 1956 2796 hbbbht.exe 43 PID 2796 wrote to memory of 1956 2796 hbbbht.exe 43 PID 2796 wrote to memory of 1956 2796 hbbbht.exe 43 PID 2796 wrote to memory of 1956 2796 hbbbht.exe 43 PID 1956 wrote to memory of 692 1956 7frrxfl.exe 44 PID 1956 wrote to memory of 692 1956 7frrxfl.exe 44 PID 1956 wrote to memory of 692 1956 7frrxfl.exe 44 PID 1956 wrote to memory of 692 1956 7frrxfl.exe 44 PID 692 wrote to memory of 2844 692 nhbhnn.exe 45 PID 692 wrote to memory of 2844 692 nhbhnn.exe 45 PID 692 wrote to memory of 2844 692 nhbhnn.exe 45 PID 692 wrote to memory of 2844 692 nhbhnn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe"C:\Users\Admin\AppData\Local\Temp\e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\vdvdv.exec:\vdvdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\pjjdp.exec:\pjjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\lffrlfx.exec:\lffrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\bhhbnt.exec:\bhhbnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\fxfxxlf.exec:\fxfxxlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\dvppd.exec:\dvppd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\rxlrflx.exec:\rxlrflx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\vpddp.exec:\vpddp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\rlflxlf.exec:\rlflxlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\flfllxx.exec:\flfllxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\7vpvv.exec:\7vpvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\hnbhbh.exec:\hnbhbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\hbbbht.exec:\hbbbht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\7frrxfl.exec:\7frrxfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\nhbhnn.exec:\nhbhnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\7bntth.exec:\7bntth.exe17⤵
- Executes dropped EXE
PID:2844 -
\??\c:\tbtbnb.exec:\tbtbnb.exe18⤵
- Executes dropped EXE
PID:2944 -
\??\c:\3jdvj.exec:\3jdvj.exe19⤵
- Executes dropped EXE
PID:1952 -
\??\c:\hbtbbb.exec:\hbtbbb.exe20⤵
- Executes dropped EXE
PID:2276 -
\??\c:\rlxrlxf.exec:\rlxrlxf.exe21⤵
- Executes dropped EXE
PID:1708 -
\??\c:\tbbhtb.exec:\tbbhtb.exe22⤵
- Executes dropped EXE
PID:1616 -
\??\c:\jjdpv.exec:\jjdpv.exe23⤵
- Executes dropped EXE
PID:3060 -
\??\c:\1xrxlrf.exec:\1xrxlrf.exe24⤵
- Executes dropped EXE
PID:2044 -
\??\c:\bhbbbn.exec:\bhbbbn.exe25⤵
- Executes dropped EXE
PID:1216 -
\??\c:\vjvdd.exec:\vjvdd.exe26⤵
- Executes dropped EXE
PID:272 -
\??\c:\7hbhtb.exec:\7hbhtb.exe27⤵
- Executes dropped EXE
PID:1268 -
\??\c:\xfffxfl.exec:\xfffxfl.exe28⤵
- Executes dropped EXE
PID:2148 -
\??\c:\bhtbnh.exec:\bhtbnh.exe29⤵
- Executes dropped EXE
PID:1296 -
\??\c:\nhnthn.exec:\nhnthn.exe30⤵
- Executes dropped EXE
PID:1960 -
\??\c:\ddvjv.exec:\ddvjv.exe31⤵
- Executes dropped EXE
PID:2468 -
\??\c:\3fxlxfr.exec:\3fxlxfr.exe32⤵
- Executes dropped EXE
PID:2084 -
\??\c:\7jvvv.exec:\7jvvv.exe33⤵
- Executes dropped EXE
PID:2028 -
\??\c:\rlxfxxl.exec:\rlxfxxl.exe34⤵
- Executes dropped EXE
PID:2392 -
\??\c:\9hhttb.exec:\9hhttb.exe35⤵
- Executes dropped EXE
PID:2552 -
\??\c:\nhtbtt.exec:\nhtbtt.exe36⤵
- Executes dropped EXE
PID:2296 -
\??\c:\ppjjp.exec:\ppjjp.exe37⤵
- Executes dropped EXE
PID:2192 -
\??\c:\9jjjp.exec:\9jjjp.exe38⤵
- Executes dropped EXE
PID:2708 -
\??\c:\lllrxrx.exec:\lllrxrx.exe39⤵
- Executes dropped EXE
PID:2612 -
\??\c:\5bttbh.exec:\5bttbh.exe40⤵
- Executes dropped EXE
PID:2892 -
\??\c:\thnhhb.exec:\thnhhb.exe41⤵
- Executes dropped EXE
PID:2632 -
\??\c:\3jdpd.exec:\3jdpd.exe42⤵
- Executes dropped EXE
PID:1712 -
\??\c:\rlflrfl.exec:\rlflrfl.exe43⤵
- Executes dropped EXE
PID:2620 -
\??\c:\3fxxxxf.exec:\3fxxxxf.exe44⤵
- Executes dropped EXE
PID:2116 -
\??\c:\tnnbhn.exec:\tnnbhn.exe45⤵
- Executes dropped EXE
PID:2668 -
\??\c:\ppdjd.exec:\ppdjd.exe46⤵
- Executes dropped EXE
PID:1404 -
\??\c:\xrfrfrl.exec:\xrfrfrl.exe47⤵
- Executes dropped EXE
PID:1888 -
\??\c:\xfxlxlr.exec:\xfxlxlr.exe48⤵
- Executes dropped EXE
PID:532 -
\??\c:\3bnhbb.exec:\3bnhbb.exe49⤵
- Executes dropped EXE
PID:2804 -
\??\c:\9btnth.exec:\9btnth.exe50⤵
- Executes dropped EXE
PID:1452 -
\??\c:\1jddj.exec:\1jddj.exe51⤵
- Executes dropped EXE
PID:1056 -
\??\c:\xrlrllx.exec:\xrlrllx.exe52⤵
- Executes dropped EXE
PID:2664 -
\??\c:\rfxxxfr.exec:\rfxxxfr.exe53⤵
- Executes dropped EXE
PID:1116 -
\??\c:\hhbhht.exec:\hhbhht.exe54⤵
- Executes dropped EXE
PID:1900 -
\??\c:\3vvvv.exec:\3vvvv.exe55⤵
- Executes dropped EXE
PID:2944 -
\??\c:\1jvvv.exec:\1jvvv.exe56⤵
- Executes dropped EXE
PID:1440 -
\??\c:\xlfxxrx.exec:\xlfxxrx.exe57⤵
- Executes dropped EXE
PID:2052 -
\??\c:\5bbbhb.exec:\5bbbhb.exe58⤵
- Executes dropped EXE
PID:2076 -
\??\c:\bbtbbh.exec:\bbtbbh.exe59⤵
- Executes dropped EXE
PID:2208 -
\??\c:\jjdjv.exec:\jjdjv.exe60⤵
- Executes dropped EXE
PID:1572 -
\??\c:\1lxfrrx.exec:\1lxfrrx.exe61⤵
- Executes dropped EXE
PID:2940 -
\??\c:\hbntbt.exec:\hbntbt.exe62⤵
- Executes dropped EXE
PID:448 -
\??\c:\jdvvv.exec:\jdvvv.exe63⤵
- Executes dropped EXE
PID:996 -
\??\c:\ddvjv.exec:\ddvjv.exe64⤵
- Executes dropped EXE
PID:564 -
\??\c:\fxrxrxr.exec:\fxrxrxr.exe65⤵
- Executes dropped EXE
PID:1720 -
\??\c:\nhntbh.exec:\nhntbh.exe66⤵PID:1832
-
\??\c:\tnhhhh.exec:\tnhhhh.exe67⤵PID:1268
-
\??\c:\jdvdp.exec:\jdvdp.exe68⤵PID:1676
-
\??\c:\3frrrrx.exec:\3frrrrx.exe69⤵PID:992
-
\??\c:\9rlxrxf.exec:\9rlxrxf.exe70⤵PID:900
-
\??\c:\5thntb.exec:\5thntb.exe71⤵PID:1624
-
\??\c:\tnnthh.exec:\tnnthh.exe72⤵PID:3036
-
\??\c:\dvjjj.exec:\dvjjj.exe73⤵PID:2536
-
\??\c:\9dpdj.exec:\9dpdj.exe74⤵PID:1632
-
\??\c:\1frxxfl.exec:\1frxxfl.exe75⤵PID:848
-
\??\c:\hbntbb.exec:\hbntbb.exe76⤵PID:2100
-
\??\c:\7tnhhb.exec:\7tnhhb.exe77⤵PID:2960
-
\??\c:\7jdpd.exec:\7jdpd.exe78⤵PID:2928
-
\??\c:\5rrrxfl.exec:\5rrrxfl.exe79⤵PID:2748
-
\??\c:\5htbnt.exec:\5htbnt.exe80⤵PID:2760
-
\??\c:\htbbhh.exec:\htbbhh.exe81⤵PID:2612
-
\??\c:\dppvv.exec:\dppvv.exe82⤵PID:2724
-
\??\c:\ffxrlfx.exec:\ffxrlfx.exe83⤵PID:2316
-
\??\c:\rfllfff.exec:\rfllfff.exe84⤵PID:2604
-
\??\c:\tbnnbt.exec:\tbnnbt.exe85⤵PID:2656
-
\??\c:\9vvvp.exec:\9vvvp.exe86⤵PID:2924
-
\??\c:\1rlfxrr.exec:\1rlfxrr.exe87⤵PID:1704
-
\??\c:\xxlxxfr.exec:\xxlxxfr.exe88⤵PID:2668
-
\??\c:\9hnhbb.exec:\9hnhbb.exe89⤵PID:316
-
\??\c:\ddvvj.exec:\ddvvj.exe90⤵PID:2440
-
\??\c:\9pddv.exec:\9pddv.exe91⤵PID:2856
-
\??\c:\rlxxffl.exec:\rlxxffl.exe92⤵PID:1668
-
\??\c:\tbtbhb.exec:\tbtbhb.exe93⤵PID:2592
-
\??\c:\btnthb.exec:\btnthb.exe94⤵PID:1056
-
\??\c:\7vvvj.exec:\7vvvj.exe95⤵PID:2664
-
\??\c:\fxlrxfl.exec:\fxlrxfl.exe96⤵PID:1964
-
\??\c:\1hnhhb.exec:\1hnhhb.exe97⤵PID:1980
-
\??\c:\tnbbnn.exec:\tnbbnn.exe98⤵PID:1144
-
\??\c:\jddjj.exec:\jddjj.exe99⤵PID:1828
-
\??\c:\xxrxfrr.exec:\xxrxfrr.exe100⤵PID:2052
-
\??\c:\hbhbbt.exec:\hbhbbt.exe101⤵PID:2252
-
\??\c:\nbhntn.exec:\nbhntn.exe102⤵PID:2164
-
\??\c:\pdddv.exec:\pdddv.exe103⤵PID:1864
-
\??\c:\xfllfrx.exec:\xfllfrx.exe104⤵PID:1656
-
\??\c:\lfrxlrf.exec:\lfrxlrf.exe105⤵PID:2992
-
\??\c:\tbthnn.exec:\tbthnn.exe106⤵PID:1692
-
\??\c:\vdvpd.exec:\vdvpd.exe107⤵PID:2780
-
\??\c:\llffrlx.exec:\llffrlx.exe108⤵
- System Location Discovery: System Language Discovery
PID:2232 -
\??\c:\lfxxffr.exec:\lfxxffr.exe109⤵PID:2308
-
\??\c:\btnhbb.exec:\btnhbb.exe110⤵PID:2976
-
\??\c:\vjvvv.exec:\vjvvv.exe111⤵PID:2236
-
\??\c:\jjdjj.exec:\jjdjj.exe112⤵PID:1924
-
\??\c:\llxflrr.exec:\llxflrr.exe113⤵PID:796
-
\??\c:\rlflfxf.exec:\rlflfxf.exe114⤵PID:2300
-
\??\c:\thtntt.exec:\thtntt.exe115⤵PID:2320
-
\??\c:\jdvdv.exec:\jdvdv.exe116⤵
- System Location Discovery: System Language Discovery
PID:2536 -
\??\c:\rrlfllr.exec:\rrlfllr.exe117⤵PID:2920
-
\??\c:\rrlrlll.exec:\rrlrlll.exe118⤵PID:1664
-
\??\c:\hnbbbt.exec:\hnbbbt.exe119⤵PID:2100
-
\??\c:\btthth.exec:\btthth.exe120⤵PID:2088
-
\??\c:\pdppp.exec:\pdppp.exe121⤵PID:2228
-
\??\c:\llffxfr.exec:\llffxfr.exe122⤵PID:2708