Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 01:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
98f9ec6c2bc41b1876c15f05c7a04e682c734c432b3d5dece9d40315d232f136N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
98f9ec6c2bc41b1876c15f05c7a04e682c734c432b3d5dece9d40315d232f136N.exe
-
Size
453KB
-
MD5
8412b701ec62b69b1bd5ab870bd412c0
-
SHA1
5866a4d50052bcf4577f6777322e35e6cdfae73d
-
SHA256
98f9ec6c2bc41b1876c15f05c7a04e682c734c432b3d5dece9d40315d232f136
-
SHA512
e14dd0b933b09f31f8fabcd8bb7879e11c1406cdc4c5093c9a379a39d3fb1fdfedac02963c6bde90bb73401e55c61ef42e2e8331fe0b3635604f0d8797ce6bd4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/468-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5104-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/888-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-1002-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-1024-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-1088-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2392-1308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3544 vddpj.exe 1904 fxxrlfx.exe 4164 nnbtbb.exe 3752 jvpdv.exe 820 jvpvp.exe 5068 flrlxxr.exe 3576 xlxlfxr.exe 3764 7bbttt.exe 3256 rxxrrrl.exe 1444 5nbhth.exe 2404 ppjdv.exe 3732 rxfxlfx.exe 3228 dvpjv.exe 912 xlxxxfl.exe 3356 nhbthh.exe 2408 djjvp.exe 908 9hthbt.exe 212 frxxfff.exe 2036 tthhtb.exe 1236 rxrxlfl.exe 3564 bnthbt.exe 4652 pjjpp.exe 1912 bnnbnb.exe 4476 jddpv.exe 4424 tbnbbh.exe 3928 hthnnb.exe 588 jjjdd.exe 4656 7hhbbb.exe 5104 vddvj.exe 4636 bbnhbt.exe 4592 tnhbtt.exe 4412 llfxrlf.exe 1016 tnnhnh.exe 4536 9xrrxrl.exe 2844 hnnhtn.exe 1592 bnbnnt.exe 3448 xlrlffx.exe 4376 9ffxllf.exe 2456 tbhbtn.exe 5092 jvdpj.exe 3452 pjpjp.exe 2760 1xfxxxx.exe 1808 ttthhb.exe 2532 3xrlffx.exe 4016 nnbtnh.exe 1424 pvdpd.exe 2044 rfrxlxf.exe 3872 3xxrrll.exe 860 bbhtnn.exe 2324 vdjdv.exe 4404 rlfxxxr.exe 1240 3bthbn.exe 528 ppjpj.exe 828 dpjdv.exe 4316 3xxrfxr.exe 4136 bbtnhb.exe 664 3jjdp.exe 3752 fxrfrrf.exe 2328 lxfxfrf.exe 3508 9nhhtn.exe 3372 9vdvj.exe 4844 3frlfff.exe 3080 htthbb.exe 856 jjddd.exe -
resource yara_rule behavioral2/memory/468-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-176-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4636-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4656-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-917-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 468 wrote to memory of 3544 468 98f9ec6c2bc41b1876c15f05c7a04e682c734c432b3d5dece9d40315d232f136N.exe 82 PID 468 wrote to memory of 3544 468 98f9ec6c2bc41b1876c15f05c7a04e682c734c432b3d5dece9d40315d232f136N.exe 82 PID 468 wrote to memory of 3544 468 98f9ec6c2bc41b1876c15f05c7a04e682c734c432b3d5dece9d40315d232f136N.exe 82 PID 3544 wrote to memory of 1904 3544 vddpj.exe 83 PID 3544 wrote to memory of 1904 3544 vddpj.exe 83 PID 3544 wrote to memory of 1904 3544 vddpj.exe 83 PID 1904 wrote to memory of 4164 1904 fxxrlfx.exe 84 PID 1904 wrote to memory of 4164 1904 fxxrlfx.exe 84 PID 1904 wrote to memory of 4164 1904 fxxrlfx.exe 84 PID 4164 wrote to memory of 3752 4164 nnbtbb.exe 85 PID 4164 wrote to memory of 3752 4164 nnbtbb.exe 85 PID 4164 wrote to memory of 3752 4164 nnbtbb.exe 85 PID 3752 wrote to memory of 820 3752 jvpdv.exe 86 PID 3752 wrote to memory of 820 3752 jvpdv.exe 86 PID 3752 wrote to memory of 820 3752 jvpdv.exe 86 PID 820 wrote to memory of 5068 820 jvpvp.exe 87 PID 820 wrote to memory of 5068 820 jvpvp.exe 87 PID 820 wrote to memory of 5068 820 jvpvp.exe 87 PID 5068 wrote to memory of 3576 5068 flrlxxr.exe 88 PID 5068 wrote to memory of 3576 5068 flrlxxr.exe 88 PID 5068 wrote to memory of 3576 5068 flrlxxr.exe 88 PID 3576 wrote to memory of 3764 3576 xlxlfxr.exe 89 PID 3576 wrote to memory of 3764 3576 xlxlfxr.exe 89 PID 3576 wrote to memory of 3764 3576 xlxlfxr.exe 89 PID 3764 wrote to memory of 3256 3764 7bbttt.exe 90 PID 3764 wrote to memory of 3256 3764 7bbttt.exe 90 PID 3764 wrote to memory of 3256 3764 7bbttt.exe 90 PID 3256 wrote to memory of 1444 3256 rxxrrrl.exe 91 PID 3256 wrote to memory of 1444 3256 rxxrrrl.exe 91 PID 3256 wrote to memory of 1444 3256 rxxrrrl.exe 91 PID 1444 wrote to memory of 2404 1444 5nbhth.exe 92 PID 1444 wrote to memory of 2404 1444 5nbhth.exe 92 PID 1444 wrote to memory of 2404 1444 5nbhth.exe 92 PID 2404 wrote to memory of 3732 2404 ppjdv.exe 93 PID 2404 wrote to memory of 
3732 2404 ppjdv.exe 93 PID 2404 wrote to memory of 3732 2404 ppjdv.exe 93 PID 3732 wrote to memory of 3228 3732 rxfxlfx.exe 94 PID 3732 wrote to memory of 3228 3732 rxfxlfx.exe 94 PID 3732 wrote to memory of 3228 3732 rxfxlfx.exe 94 PID 3228 wrote to memory of 912 3228 dvpjv.exe 95 PID 3228 wrote to memory of 912 3228 dvpjv.exe 95 PID 3228 wrote to memory of 912 3228 dvpjv.exe 95 PID 912 wrote to memory of 3356 912 xlxxxfl.exe 96 PID 912 wrote to memory of 3356 912 xlxxxfl.exe 96 PID 912 wrote to memory of 3356 912 xlxxxfl.exe 96 PID 3356 wrote to memory of 2408 3356 nhbthh.exe 97 PID 3356 wrote to memory of 2408 3356 nhbthh.exe 97 PID 3356 wrote to memory of 2408 3356 nhbthh.exe 97 PID 2408 wrote to memory of 908 2408 djjvp.exe 98 PID 2408 wrote to memory of 908 2408 djjvp.exe 98 PID 2408 wrote to memory of 908 2408 djjvp.exe 98 PID 908 wrote to memory of 212 908 9hthbt.exe 99 PID 908 wrote to memory of 212 908 9hthbt.exe 99 PID 908 wrote to memory of 212 908 9hthbt.exe 99 PID 212 wrote to memory of 2036 212 frxxfff.exe 100 PID 212 wrote to memory of 2036 212 frxxfff.exe 100 PID 212 wrote to memory of 2036 212 frxxfff.exe 100 PID 2036 wrote to memory of 1236 2036 tthhtb.exe 101 PID 2036 wrote to memory of 1236 2036 tthhtb.exe 101 PID 2036 wrote to memory of 1236 2036 tthhtb.exe 101 PID 1236 wrote to memory of 3564 1236 rxrxlfl.exe 102 PID 1236 wrote to memory of 3564 1236 rxrxlfl.exe 102 PID 1236 wrote to memory of 3564 1236 rxrxlfl.exe 102 PID 3564 wrote to memory of 4652 3564 bnthbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\98f9ec6c2bc41b1876c15f05c7a04e682c734c432b3d5dece9d40315d232f136N.exe"C:\Users\Admin\AppData\Local\Temp\98f9ec6c2bc41b1876c15f05c7a04e682c734c432b3d5dece9d40315d232f136N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\vddpj.exec:\vddpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\nnbtbb.exec:\nnbtbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\jvpdv.exec:\jvpdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\jvpvp.exec:\jvpvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\flrlxxr.exec:\flrlxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\xlxlfxr.exec:\xlxlfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\7bbttt.exec:\7bbttt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\rxxrrrl.exec:\rxxrrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\5nbhth.exec:\5nbhth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\ppjdv.exec:\ppjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\rxfxlfx.exec:\rxfxlfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\dvpjv.exec:\dvpjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\xlxxxfl.exec:\xlxxxfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
\??\c:\nhbthh.exec:\nhbthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\djjvp.exec:\djjvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\9hthbt.exec:\9hthbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908 -
\??\c:\frxxfff.exec:\frxxfff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\tthhtb.exec:\tthhtb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\rxrxlfl.exec:\rxrxlfl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\bnthbt.exec:\bnthbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\pjjpp.exec:\pjjpp.exe23⤵
- Executes dropped EXE
PID:4652 -
\??\c:\bnnbnb.exec:\bnnbnb.exe24⤵
- Executes dropped EXE
PID:1912 -
\??\c:\jddpv.exec:\jddpv.exe25⤵
- Executes dropped EXE
PID:4476 -
\??\c:\tbnbbh.exec:\tbnbbh.exe26⤵
- Executes dropped EXE
PID:4424 -
\??\c:\hthnnb.exec:\hthnnb.exe27⤵
- Executes dropped EXE
PID:3928 -
\??\c:\jjjdd.exec:\jjjdd.exe28⤵
- Executes dropped EXE
PID:588 -
\??\c:\7hhbbb.exec:\7hhbbb.exe29⤵
- Executes dropped EXE
PID:4656 -
\??\c:\vddvj.exec:\vddvj.exe30⤵
- Executes dropped EXE
PID:5104 -
\??\c:\bbnhbt.exec:\bbnhbt.exe31⤵
- Executes dropped EXE
PID:4636 -
\??\c:\tnhbtt.exec:\tnhbtt.exe32⤵
- Executes dropped EXE
PID:4592 -
\??\c:\llfxrlf.exec:\llfxrlf.exe33⤵
- Executes dropped EXE
PID:4412 -
\??\c:\tnnhnh.exec:\tnnhnh.exe34⤵
- Executes dropped EXE
PID:1016 -
\??\c:\9xrrxrl.exec:\9xrrxrl.exe35⤵
- Executes dropped EXE
PID:4536 -
\??\c:\hnnhtn.exec:\hnnhtn.exe36⤵
- Executes dropped EXE
PID:2844 -
\??\c:\bnbnnt.exec:\bnbnnt.exe37⤵
- Executes dropped EXE
PID:1592 -
\??\c:\xlrlffx.exec:\xlrlffx.exe38⤵
- Executes dropped EXE
PID:3448 -
\??\c:\9ffxllf.exec:\9ffxllf.exe39⤵
- Executes dropped EXE
PID:4376 -
\??\c:\tbhbtn.exec:\tbhbtn.exe40⤵
- Executes dropped EXE
PID:2456 -
\??\c:\jvdpj.exec:\jvdpj.exe41⤵
- Executes dropped EXE
PID:5092 -
\??\c:\pjpjp.exec:\pjpjp.exe42⤵
- Executes dropped EXE
PID:3452 -
\??\c:\1xfxxxx.exec:\1xfxxxx.exe43⤵
- Executes dropped EXE
PID:2760 -
\??\c:\ttthhb.exec:\ttthhb.exe44⤵
- Executes dropped EXE
PID:1808 -
\??\c:\3xrlffx.exec:\3xrlffx.exe45⤵
- Executes dropped EXE
PID:2532 -
\??\c:\nnbtnh.exec:\nnbtnh.exe46⤵
- Executes dropped EXE
PID:4016 -
\??\c:\pvdpd.exec:\pvdpd.exe47⤵
- Executes dropped EXE
PID:1424 -
\??\c:\rfrxlxf.exec:\rfrxlxf.exe48⤵
- Executes dropped EXE
PID:2044 -
\??\c:\3xxrrll.exec:\3xxrrll.exe49⤵
- Executes dropped EXE
PID:3872 -
\??\c:\bbhtnn.exec:\bbhtnn.exe50⤵
- Executes dropped EXE
PID:860 -
\??\c:\vdjdv.exec:\vdjdv.exe51⤵
- Executes dropped EXE
PID:2324 -
\??\c:\rlfxxxr.exec:\rlfxxxr.exe52⤵
- Executes dropped EXE
PID:4404 -
\??\c:\3bthbn.exec:\3bthbn.exe53⤵
- Executes dropped EXE
PID:1240 -
\??\c:\ppjpj.exec:\ppjpj.exe54⤵
- Executes dropped EXE
PID:528 -
\??\c:\dpjdv.exec:\dpjdv.exe55⤵
- Executes dropped EXE
PID:828 -
\??\c:\3xxrfxr.exec:\3xxrfxr.exe56⤵
- Executes dropped EXE
PID:4316 -
\??\c:\bbtnhb.exec:\bbtnhb.exe57⤵
- Executes dropped EXE
PID:4136 -
\??\c:\3jjdp.exec:\3jjdp.exe58⤵
- Executes dropped EXE
PID:664 -
\??\c:\fxrfrrf.exec:\fxrfrrf.exe59⤵
- Executes dropped EXE
PID:3752 -
\??\c:\lxfxfrf.exec:\lxfxfrf.exe60⤵
- Executes dropped EXE
PID:2328 -
\??\c:\9nhhtn.exec:\9nhhtn.exe61⤵
- Executes dropped EXE
PID:3508 -
\??\c:\9vdvj.exec:\9vdvj.exe62⤵
- Executes dropped EXE
PID:3372 -
\??\c:\3frlfff.exec:\3frlfff.exe63⤵
- Executes dropped EXE
PID:4844 -
\??\c:\htthbb.exec:\htthbb.exe64⤵
- Executes dropped EXE
PID:3080 -
\??\c:\jjddd.exec:\jjddd.exe65⤵
- Executes dropped EXE
PID:856 -
\??\c:\9llfrrx.exec:\9llfrrx.exe66⤵PID:1560
-
\??\c:\rxxrfxr.exec:\rxxrfxr.exe67⤵PID:968
-
\??\c:\btthbh.exec:\btthbh.exe68⤵PID:4364
-
\??\c:\bhnhhb.exec:\bhnhhb.exe69⤵PID:1748
-
\??\c:\djjpd.exec:\djjpd.exe70⤵PID:4724
-
\??\c:\5fxrfxr.exec:\5fxrfxr.exe71⤵PID:1408
-
\??\c:\bhnhtn.exec:\bhnhtn.exe72⤵PID:2196
-
\??\c:\1bnbnn.exec:\1bnbnn.exe73⤵PID:2184
-
\??\c:\5ppjd.exec:\5ppjd.exe74⤵PID:1620
-
\??\c:\5rxlxrl.exec:\5rxlxrl.exe75⤵PID:4544
-
\??\c:\9rlxrll.exec:\9rlxrll.exe76⤵PID:1088
-
\??\c:\jvvjd.exec:\jvvjd.exe77⤵PID:3960
-
\??\c:\1lxlrfl.exec:\1lxlrfl.exe78⤵PID:2220
-
\??\c:\7xxrffx.exec:\7xxrffx.exe79⤵PID:888
-
\??\c:\5bbnnh.exec:\5bbnnh.exe80⤵PID:1920
-
\??\c:\vdppp.exec:\vdppp.exe81⤵PID:4220
-
\??\c:\lrlxxlf.exec:\lrlxxlf.exe82⤵PID:1096
-
\??\c:\tttnhb.exec:\tttnhb.exe83⤵PID:4692
-
\??\c:\dpjvp.exec:\dpjvp.exe84⤵PID:3364
-
\??\c:\vvdpv.exec:\vvdpv.exe85⤵PID:4112
-
\??\c:\rlxlxrl.exec:\rlxlxrl.exe86⤵PID:4292
-
\??\c:\nhhthb.exec:\nhhthb.exe87⤵PID:1692
-
\??\c:\vppvp.exec:\vppvp.exe88⤵PID:3384
-
\??\c:\1lfrlfr.exec:\1lfrlfr.exe89⤵PID:1160
-
\??\c:\7fxlfxr.exec:\7fxlfxr.exe90⤵PID:4500
-
\??\c:\1hnbbt.exec:\1hnbbt.exe91⤵PID:4660
-
\??\c:\vdvpj.exec:\vdvpj.exe92⤵PID:1216
-
\??\c:\lfxxrxl.exec:\lfxxrxl.exe93⤵PID:4656
-
\??\c:\hthbnn.exec:\hthbnn.exe94⤵PID:4612
-
\??\c:\bttnhh.exec:\bttnhh.exe95⤵PID:5040
-
\??\c:\ddvpj.exec:\ddvpj.exe96⤵PID:740
-
\??\c:\rfxrffx.exec:\rfxrffx.exe97⤵PID:3124
-
\??\c:\tttnbb.exec:\tttnbb.exe98⤵PID:4628
-
\??\c:\jppdp.exec:\jppdp.exe99⤵PID:1016
-
\??\c:\9vpjv.exec:\9vpjv.exe100⤵PID:4092
-
\??\c:\rlxrrxr.exec:\rlxrrxr.exe101⤵PID:1728
-
\??\c:\ttnbnh.exec:\ttnbnh.exe102⤵PID:1752
-
\??\c:\jdvpj.exec:\jdvpj.exe103⤵PID:2084
-
\??\c:\frrxlxf.exec:\frrxlxf.exe104⤵PID:4504
-
\??\c:\3rllffx.exec:\3rllffx.exe105⤵PID:4104
-
\??\c:\5hbthb.exec:\5hbthb.exe106⤵PID:2172
-
\??\c:\dvjpv.exec:\dvjpv.exe107⤵PID:1908
-
\??\c:\jpdjj.exec:\jpdjj.exe108⤵PID:5108
-
\??\c:\xxflllr.exec:\xxflllr.exe109⤵PID:1324
-
\??\c:\jpjdp.exec:\jpjdp.exe110⤵
- System Location Discovery: System Language Discovery
PID:4468 -
\??\c:\pjdvp.exec:\pjdvp.exe111⤵
- System Location Discovery: System Language Discovery
PID:2864 -
\??\c:\flxrfrl.exec:\flxrfrl.exe112⤵PID:4028
-
\??\c:\5thbtn.exec:\5thbtn.exe113⤵PID:3568
-
\??\c:\9jppj.exec:\9jppj.exe114⤵PID:2104
-
\??\c:\7ppdv.exec:\7ppdv.exe115⤵PID:4800
-
\??\c:\xlxrlfr.exec:\xlxrlfr.exe116⤵PID:4804
-
\??\c:\hbbthh.exec:\hbbthh.exe117⤵PID:2292
-
\??\c:\vvpdp.exec:\vvpdp.exe118⤵PID:4392
-
\??\c:\rllllfx.exec:\rllllfx.exe119⤵PID:468
-
\??\c:\llflxrl.exec:\llflxrl.exe120⤵PID:2060
-
\??\c:\thntnn.exec:\thntnn.exe121⤵PID:2944
-
\??\c:\1ddvd.exec:\1ddvd.exe122⤵PID:1516