Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 04:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
da977cb1e3afd4d56f0e49ef978bfb02cda2fe9cee04b112d6e049acb6dc5f2b.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
da977cb1e3afd4d56f0e49ef978bfb02cda2fe9cee04b112d6e049acb6dc5f2b.exe
-
Size
455KB
-
MD5
baf0de87168f5f8e4372bcd13873d8bf
-
SHA1
42ff17385708196ce129cc9802157220a8a5cdd5
-
SHA256
da977cb1e3afd4d56f0e49ef978bfb02cda2fe9cee04b112d6e049acb6dc5f2b
-
SHA512
de818867d5b440aee664e80c1524ecb01942da951be3114d1de4a1fd793fdff3325407ccabcd057c6f0c2351b6e9a3548e9eba326a8f46bf8fef1c88b82fbfda
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRy:q7Tc2NYHUrAwfMp3CDRy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/324-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4436-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1628-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-1016-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-1042-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-1705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3492-2270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4680 vddvp.exe 3200 1xxfxxr.exe 3988 bnntnt.exe 1548 dpjjp.exe 2980 xlfrllf.exe 2640 3ntnnb.exe 2680 7jppp.exe 4520 rlrfffx.exe 1028 vvjjd.exe 4748 flllflr.exe 2512 1jjjd.exe 2788 tbnntt.exe 3472 rxrrxrl.exe 2064 jdddd.exe 4896 7hnntb.exe 2700 vdjdd.exe 4368 9flfllr.exe 764 bhtttt.exe 1916 frfrxlf.exe 388 vdpvj.exe 3316 rrrxffr.exe 4060 btbhtn.exe 1948 dddvp.exe 1448 hhbnbn.exe 2716 fllffxr.exe 4420 vjvvp.exe 4436 rflfxxr.exe 3356 5vdvp.exe 4584 llxrxxx.exe 3832 jvdvp.exe 1084 jpjvv.exe 2940 llrxrfr.exe 3588 bbbnbb.exe 3812 vpdvj.exe 2844 5jjjd.exe 3232 xlrlfxx.exe 4180 pdjjj.exe 5108 7vvpp.exe 4032 llrrlrr.exe 700 tnhbbn.exe 4964 jjjpj.exe 4348 rflfxlf.exe 5072 jdjdj.exe 872 3frffrr.exe 4716 xxllfff.exe 2368 rlxfxxx.exe 3052 5bbbbh.exe 804 dpdvd.exe 4696 9xxrffx.exe 4680 7lxlfxr.exe 936 htnntt.exe 1984 vvdvd.exe 3980 nnhtth.exe 1140 jdpjv.exe 4144 rllfxrl.exe 4312 llffrlf.exe 3604 9ntnnn.exe 5084 pjjdv.exe 1844 jvdvp.exe 1884 frxllxr.exe 968 httnnh.exe 3948 7jjvp.exe 4848 rrxlflf.exe 2512 btnntt.exe -
resource yara_rule behavioral2/memory/324-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3832-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-349-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2224-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-618-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 324 wrote to memory of 4680 324 da977cb1e3afd4d56f0e49ef978bfb02cda2fe9cee04b112d6e049acb6dc5f2b.exe 82 PID 324 wrote to memory of 4680 324 da977cb1e3afd4d56f0e49ef978bfb02cda2fe9cee04b112d6e049acb6dc5f2b.exe 82 PID 324 wrote to memory of 4680 324 da977cb1e3afd4d56f0e49ef978bfb02cda2fe9cee04b112d6e049acb6dc5f2b.exe 82 PID 4680 wrote to memory of 3200 4680 vddvp.exe 83 PID 4680 wrote to memory of 3200 4680 vddvp.exe 83 PID 4680 wrote to memory of 3200 4680 vddvp.exe 83 PID 3200 wrote to memory of 3988 3200 1xxfxxr.exe 84 PID 3200 wrote to memory of 3988 3200 1xxfxxr.exe 84 PID 3200 wrote to memory of 3988 3200 1xxfxxr.exe 84 PID 3988 wrote to memory of 1548 3988 bnntnt.exe 85 PID 3988 wrote to memory of 1548 3988 bnntnt.exe 85 PID 3988 wrote to memory of 1548 3988 bnntnt.exe 85 PID 1548 wrote to memory of 2980 1548 dpjjp.exe 86 PID 1548 wrote to memory of 2980 1548 dpjjp.exe 86 PID 1548 wrote to memory of 2980 1548 dpjjp.exe 86 PID 2980 wrote to memory of 2640 2980 xlfrllf.exe 87 PID 2980 wrote to memory of 2640 2980 xlfrllf.exe 87 PID 2980 wrote to memory of 2640 2980 xlfrllf.exe 87 PID 2640 wrote to memory of 2680 2640 3ntnnb.exe 88 PID 2640 wrote to memory of 2680 2640 3ntnnb.exe 88 PID 2640 wrote to memory of 2680 2640 3ntnnb.exe 88 PID 2680 wrote to memory of 4520 2680 7jppp.exe 89 PID 2680 wrote to memory of 4520 2680 7jppp.exe 89 PID 2680 wrote to memory of 4520 2680 7jppp.exe 89 PID 4520 wrote to memory of 1028 4520 rlrfffx.exe 90 PID 4520 wrote to memory of 1028 4520 rlrfffx.exe 90 PID 4520 wrote to memory of 1028 4520 rlrfffx.exe 90 PID 1028 wrote to memory of 4748 1028 vvjjd.exe 91 PID 1028 wrote to memory of 4748 1028 vvjjd.exe 91 PID 1028 wrote to memory of 4748 1028 vvjjd.exe 91 PID 4748 wrote to memory of 2512 4748 flllflr.exe 92 PID 4748 wrote to memory of 2512 4748 flllflr.exe 92 PID 4748 wrote to memory of 2512 4748 flllflr.exe 92 PID 2512 wrote to memory of 2788 2512 1jjjd.exe 93 PID 2512 wrote to memory 
of 2788 2512 1jjjd.exe 93 PID 2512 wrote to memory of 2788 2512 1jjjd.exe 93 PID 2788 wrote to memory of 3472 2788 tbnntt.exe 94 PID 2788 wrote to memory of 3472 2788 tbnntt.exe 94 PID 2788 wrote to memory of 3472 2788 tbnntt.exe 94 PID 3472 wrote to memory of 2064 3472 rxrrxrl.exe 95 PID 3472 wrote to memory of 2064 3472 rxrrxrl.exe 95 PID 3472 wrote to memory of 2064 3472 rxrrxrl.exe 95 PID 2064 wrote to memory of 4896 2064 jdddd.exe 96 PID 2064 wrote to memory of 4896 2064 jdddd.exe 96 PID 2064 wrote to memory of 4896 2064 jdddd.exe 96 PID 4896 wrote to memory of 2700 4896 7hnntb.exe 97 PID 4896 wrote to memory of 2700 4896 7hnntb.exe 97 PID 4896 wrote to memory of 2700 4896 7hnntb.exe 97 PID 2700 wrote to memory of 4368 2700 vdjdd.exe 98 PID 2700 wrote to memory of 4368 2700 vdjdd.exe 98 PID 2700 wrote to memory of 4368 2700 vdjdd.exe 98 PID 4368 wrote to memory of 764 4368 9flfllr.exe 99 PID 4368 wrote to memory of 764 4368 9flfllr.exe 99 PID 4368 wrote to memory of 764 4368 9flfllr.exe 99 PID 764 wrote to memory of 1916 764 bhtttt.exe 100 PID 764 wrote to memory of 1916 764 bhtttt.exe 100 PID 764 wrote to memory of 1916 764 bhtttt.exe 100 PID 1916 wrote to memory of 388 1916 frfrxlf.exe 101 PID 1916 wrote to memory of 388 1916 frfrxlf.exe 101 PID 1916 wrote to memory of 388 1916 frfrxlf.exe 101 PID 388 wrote to memory of 3316 388 vdpvj.exe 102 PID 388 wrote to memory of 3316 388 vdpvj.exe 102 PID 388 wrote to memory of 3316 388 vdpvj.exe 102 PID 3316 wrote to memory of 4060 3316 rrrxffr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\da977cb1e3afd4d56f0e49ef978bfb02cda2fe9cee04b112d6e049acb6dc5f2b.exe"C:\Users\Admin\AppData\Local\Temp\da977cb1e3afd4d56f0e49ef978bfb02cda2fe9cee04b112d6e049acb6dc5f2b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\vddvp.exec:\vddvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\1xxfxxr.exec:\1xxfxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\bnntnt.exec:\bnntnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\dpjjp.exec:\dpjjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\xlfrllf.exec:\xlfrllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\3ntnnb.exec:\3ntnnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\7jppp.exec:\7jppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\rlrfffx.exec:\rlrfffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\vvjjd.exec:\vvjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\flllflr.exec:\flllflr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\1jjjd.exec:\1jjjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\tbnntt.exec:\tbnntt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\rxrrxrl.exec:\rxrrxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\jdddd.exec:\jdddd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\7hnntb.exec:\7hnntb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\vdjdd.exec:\vdjdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\9flfllr.exec:\9flfllr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\bhtttt.exec:\bhtttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\frfrxlf.exec:\frfrxlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\vdpvj.exec:\vdpvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\rrrxffr.exec:\rrrxffr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\btbhtn.exec:\btbhtn.exe23⤵
- Executes dropped EXE
PID:4060 -
\??\c:\dddvp.exec:\dddvp.exe24⤵
- Executes dropped EXE
PID:1948 -
\??\c:\hhbnbn.exec:\hhbnbn.exe25⤵
- Executes dropped EXE
PID:1448 -
\??\c:\fllffxr.exec:\fllffxr.exe26⤵
- Executes dropped EXE
PID:2716 -
\??\c:\vjvvp.exec:\vjvvp.exe27⤵
- Executes dropped EXE
PID:4420 -
\??\c:\rflfxxr.exec:\rflfxxr.exe28⤵
- Executes dropped EXE
PID:4436 -
\??\c:\5vdvp.exec:\5vdvp.exe29⤵
- Executes dropped EXE
PID:3356 -
\??\c:\llxrxxx.exec:\llxrxxx.exe30⤵
- Executes dropped EXE
PID:4584 -
\??\c:\jvdvp.exec:\jvdvp.exe31⤵
- Executes dropped EXE
PID:3832 -
\??\c:\jpjvv.exec:\jpjvv.exe32⤵
- Executes dropped EXE
PID:1084 -
\??\c:\llrxrfr.exec:\llrxrfr.exe33⤵
- Executes dropped EXE
PID:2940 -
\??\c:\bbbnbb.exec:\bbbnbb.exe34⤵
- Executes dropped EXE
PID:3588 -
\??\c:\vpdvj.exec:\vpdvj.exe35⤵
- Executes dropped EXE
PID:3812 -
\??\c:\5jjjd.exec:\5jjjd.exe36⤵
- Executes dropped EXE
PID:2844 -
\??\c:\xlrlfxx.exec:\xlrlfxx.exe37⤵
- Executes dropped EXE
PID:3232 -
\??\c:\pdjjj.exec:\pdjjj.exe38⤵
- Executes dropped EXE
PID:4180 -
\??\c:\7vvpp.exec:\7vvpp.exe39⤵
- Executes dropped EXE
PID:5108 -
\??\c:\llrrlrr.exec:\llrrlrr.exe40⤵
- Executes dropped EXE
PID:4032 -
\??\c:\tnhbbn.exec:\tnhbbn.exe41⤵
- Executes dropped EXE
PID:700 -
\??\c:\jjjpj.exec:\jjjpj.exe42⤵
- Executes dropped EXE
PID:4964 -
\??\c:\rflfxlf.exec:\rflfxlf.exe43⤵
- Executes dropped EXE
PID:4348 -
\??\c:\jdjdj.exec:\jdjdj.exe44⤵
- Executes dropped EXE
PID:5072 -
\??\c:\3frffrr.exec:\3frffrr.exe45⤵
- Executes dropped EXE
PID:872 -
\??\c:\xxllfff.exec:\xxllfff.exe46⤵
- Executes dropped EXE
PID:4716 -
\??\c:\rlxfxxx.exec:\rlxfxxx.exe47⤵
- Executes dropped EXE
PID:2368 -
\??\c:\5bbbbh.exec:\5bbbbh.exe48⤵
- Executes dropped EXE
PID:3052 -
\??\c:\dpdvd.exec:\dpdvd.exe49⤵
- Executes dropped EXE
PID:804 -
\??\c:\9xxrffx.exec:\9xxrffx.exe50⤵
- Executes dropped EXE
PID:4696 -
\??\c:\7lxlfxr.exec:\7lxlfxr.exe51⤵
- Executes dropped EXE
PID:4680 -
\??\c:\htnntt.exec:\htnntt.exe52⤵
- Executes dropped EXE
PID:936 -
\??\c:\vvdvd.exec:\vvdvd.exe53⤵
- Executes dropped EXE
PID:1984 -
\??\c:\nnhtth.exec:\nnhtth.exe54⤵
- Executes dropped EXE
PID:3980 -
\??\c:\jdpjv.exec:\jdpjv.exe55⤵
- Executes dropped EXE
PID:1140 -
\??\c:\rllfxrl.exec:\rllfxrl.exe56⤵
- Executes dropped EXE
PID:4144 -
\??\c:\llffrlf.exec:\llffrlf.exe57⤵
- Executes dropped EXE
PID:4312 -
\??\c:\9ntnnn.exec:\9ntnnn.exe58⤵
- Executes dropped EXE
PID:3604 -
\??\c:\pjjdv.exec:\pjjdv.exe59⤵
- Executes dropped EXE
PID:5084 -
\??\c:\jvdvp.exec:\jvdvp.exe60⤵
- Executes dropped EXE
PID:1844 -
\??\c:\frxllxr.exec:\frxllxr.exe61⤵
- Executes dropped EXE
PID:1884 -
\??\c:\httnnh.exec:\httnnh.exe62⤵
- Executes dropped EXE
PID:968 -
\??\c:\7jjvp.exec:\7jjvp.exe63⤵
- Executes dropped EXE
PID:3948 -
\??\c:\rrxlflf.exec:\rrxlflf.exe64⤵
- Executes dropped EXE
PID:4848 -
\??\c:\btnntt.exec:\btnntt.exe65⤵
- Executes dropped EXE
PID:2512 -
\??\c:\1vvdp.exec:\1vvdp.exe66⤵PID:3048
-
\??\c:\dpdvd.exec:\dpdvd.exe67⤵PID:5032
-
\??\c:\rflrrlf.exec:\rflrrlf.exe68⤵PID:4872
-
\??\c:\bhtnnn.exec:\bhtnnn.exe69⤵PID:892
-
\??\c:\nbbbtt.exec:\nbbbtt.exe70⤵PID:1716
-
\??\c:\vvjjd.exec:\vvjjd.exe71⤵PID:2060
-
\??\c:\llfrfxf.exec:\llfrfxf.exe72⤵PID:3092
-
\??\c:\btbbbb.exec:\btbbbb.exe73⤵PID:1628
-
\??\c:\3vvjj.exec:\3vvjj.exe74⤵
- System Location Discovery: System Language Discovery
PID:2756 -
\??\c:\xfrlfff.exec:\xfrlfff.exe75⤵PID:4912
-
\??\c:\xrlfllr.exec:\xrlfllr.exe76⤵PID:840
-
\??\c:\tttnhh.exec:\tttnhh.exe77⤵PID:4444
-
\??\c:\9ppjv.exec:\9ppjv.exe78⤵
- System Location Discovery: System Language Discovery
PID:2464 -
\??\c:\1rrfxrl.exec:\1rrfxrl.exe79⤵PID:2328
-
\??\c:\hbhbtn.exec:\hbhbtn.exe80⤵PID:828
-
\??\c:\3bbbtt.exec:\3bbbtt.exe81⤵PID:1596
-
\??\c:\5jjdj.exec:\5jjdj.exe82⤵PID:2592
-
\??\c:\rflfxxx.exec:\rflfxxx.exe83⤵PID:1948
-
\??\c:\nnthbt.exec:\nnthbt.exe84⤵PID:1544
-
\??\c:\tttttt.exec:\tttttt.exe85⤵PID:1160
-
\??\c:\jpvvp.exec:\jpvvp.exe86⤵PID:1328
-
\??\c:\lfrxrrx.exec:\lfrxrrx.exe87⤵PID:2224
-
\??\c:\tbtbtt.exec:\tbtbtt.exe88⤵PID:336
-
\??\c:\btbnht.exec:\btbnht.exe89⤵PID:3144
-
\??\c:\vvdvp.exec:\vvdvp.exe90⤵PID:2076
-
\??\c:\flrrrff.exec:\flrrrff.exe91⤵PID:1136
-
\??\c:\9bhbbb.exec:\9bhbbb.exe92⤵PID:1020
-
\??\c:\ppdpp.exec:\ppdpp.exe93⤵PID:2836
-
\??\c:\llllfll.exec:\llllfll.exe94⤵PID:3596
-
\??\c:\lfllflf.exec:\lfllflf.exe95⤵PID:3244
-
\??\c:\nnbttn.exec:\nnbttn.exe96⤵PID:4600
-
\??\c:\vvvpd.exec:\vvvpd.exe97⤵PID:1204
-
\??\c:\7xffxff.exec:\7xffxff.exe98⤵PID:1512
-
\??\c:\bthtbh.exec:\bthtbh.exe99⤵PID:4472
-
\??\c:\vdvvp.exec:\vdvvp.exe100⤵PID:3016
-
\??\c:\rfffffx.exec:\rfffffx.exe101⤵PID:3084
-
\??\c:\rffffff.exec:\rffffff.exe102⤵PID:3480
-
\??\c:\bbnttb.exec:\bbnttb.exe103⤵PID:2324
-
\??\c:\jpdvp.exec:\jpdvp.exe104⤵PID:1128
-
\??\c:\fxxlllx.exec:\fxxlllx.exe105⤵PID:668
-
\??\c:\hhbttt.exec:\hhbttt.exe106⤵PID:872
-
\??\c:\pdpjd.exec:\pdpjd.exe107⤵PID:4716
-
\??\c:\vpjjd.exec:\vpjjd.exe108⤵PID:4328
-
\??\c:\9xrxrlf.exec:\9xrxrlf.exe109⤵PID:3052
-
\??\c:\thnhhh.exec:\thnhhh.exe110⤵PID:2432
-
\??\c:\pppjj.exec:\pppjj.exe111⤵PID:4696
-
\??\c:\1vpjd.exec:\1vpjd.exe112⤵PID:1860
-
\??\c:\rxrrrrr.exec:\rxrrrrr.exe113⤵PID:1548
-
\??\c:\nnnnhh.exec:\nnnnhh.exe114⤵PID:3176
-
\??\c:\vpjjv.exec:\vpjjv.exe115⤵PID:4660
-
\??\c:\1xxfxxx.exec:\1xxfxxx.exe116⤵PID:2980
-
\??\c:\rlrxrfx.exec:\rlrxrfx.exe117⤵PID:2248
-
\??\c:\3hhbtb.exec:\3hhbtb.exe118⤵PID:2640
-
\??\c:\5dddj.exec:\5dddj.exe119⤵PID:3620
-
\??\c:\ddppd.exec:\ddppd.exe120⤵PID:2656
-
\??\c:\flrfxxr.exec:\flrfxxr.exe121⤵PID:3536
-
\??\c:\hbbhbt.exec:\hbbhbt.exe122⤵PID:1968