Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 01:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8200987b79bf5bfa6a4825421d9b99f71036976c9cc89aa11ad0a45d024b4253.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
8200987b79bf5bfa6a4825421d9b99f71036976c9cc89aa11ad0a45d024b4253.exe
-
Size
453KB
-
MD5
754d718c027ccd5f6509710a13af6eec
-
SHA1
b38851507add0e931f3369a25ec648824a1a6788
-
SHA256
8200987b79bf5bfa6a4825421d9b99f71036976c9cc89aa11ad0a45d024b4253
-
SHA512
f35c712bb41c3863204880846f86a865acb969a989df2c2b5f1719e67e1e8b1bf5e117cc6a8d1a520310975aef915dc0c5f094c3d7dd15b6549d492a12b1c72f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2616-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/372-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3960-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-953-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-1117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-1232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-1236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1228-1367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2616 vvdvp.exe 4752 fxxrllr.exe 1224 bhnnnn.exe 5008 jdpjp.exe 2304 pdjjp.exe 2088 rrffxrl.exe 2272 hbhbbh.exe 864 vdjjj.exe 688 lrxxrll.exe 4884 fxfxrll.exe 4928 nhbbhh.exe 3016 pvjjj.exe 1048 xrxrlll.exe 3720 1pjjd.exe 4664 rfllffx.exe 3584 vpdvv.exe 3464 hnbhbb.exe 2624 jdjjd.exe 2820 xlxllxr.exe 1916 xrrrrrr.exe 4996 ppvvd.exe 1156 lrlxlxf.exe 1220 bnhbbb.exe 1912 htbttt.exe 3444 dpjvp.exe 372 ntnhhh.exe 4228 jdddd.exe 2044 tttnnt.exe 4616 htttnn.exe 880 nbhbtt.exe 4828 jjjdv.exe 2168 dvpjj.exe 2460 ppvvj.exe 4668 htbnnn.exe 832 5htnnt.exe 2336 jvvpp.exe 2860 xrfrxxf.exe 4920 1bbthn.exe 4736 frxrllr.exe 648 hhbthh.exe 3060 xxrllfr.exe 1484 hbbtnn.exe 1972 rrxlffx.exe 1724 1rrxllf.exe 1968 thnnhb.exe 3456 dpdpj.exe 968 xrlxrll.exe 3992 bnnnhb.exe 4324 bhttnh.exe 3580 djpjd.exe 4788 7rrxrll.exe 4468 nnbttn.exe 1224 1djjd.exe 4356 7ffxrrl.exe 3336 tbhbtt.exe 2656 jvvjd.exe 3952 lrxxrll.exe 4768 fllfxxx.exe 532 5hbtnt.exe 4104 vpppj.exe 2920 frrlfff.exe 1448 nhhhhh.exe 4408 nbbnhh.exe 1508 jddvp.exe -
resource yara_rule behavioral2/memory/2616-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4228-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-336-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3020-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-953-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxlrrr.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1964 wrote to memory of 2616 1964 8200987b79bf5bfa6a4825421d9b99f71036976c9cc89aa11ad0a45d024b4253.exe 83 PID 1964 wrote to memory of 2616 1964 8200987b79bf5bfa6a4825421d9b99f71036976c9cc89aa11ad0a45d024b4253.exe 83 PID 1964 wrote to memory of 2616 1964 8200987b79bf5bfa6a4825421d9b99f71036976c9cc89aa11ad0a45d024b4253.exe 83 PID 2616 wrote to memory of 4752 2616 vvdvp.exe 84 PID 2616 wrote to memory of 4752 2616 vvdvp.exe 84 PID 2616 wrote to memory of 4752 2616 vvdvp.exe 84 PID 4752 wrote to memory of 1224 4752 fxxrllr.exe 85 PID 4752 wrote to memory of 1224 4752 fxxrllr.exe 85 PID 4752 wrote to memory of 1224 4752 fxxrllr.exe 85 PID 1224 wrote to memory of 5008 1224 bhnnnn.exe 86 PID 1224 wrote to memory of 5008 1224 bhnnnn.exe 86 PID 1224 wrote to memory of 5008 1224 bhnnnn.exe 86 PID 5008 wrote to memory of 2304 5008 jdpjp.exe 87 PID 5008 wrote to memory of 2304 5008 jdpjp.exe 87 PID 5008 wrote to memory of 2304 5008 jdpjp.exe 87 PID 2304 wrote to memory of 2088 2304 pdjjp.exe 88 PID 2304 wrote to memory of 2088 2304 pdjjp.exe 88 PID 2304 wrote to memory of 2088 2304 pdjjp.exe 88 PID 2088 wrote to memory of 2272 2088 rrffxrl.exe 89 PID 2088 wrote to memory of 2272 2088 rrffxrl.exe 89 PID 2088 wrote to memory of 2272 2088 rrffxrl.exe 89 PID 2272 wrote to memory of 864 2272 hbhbbh.exe 90 PID 2272 wrote to memory of 864 2272 hbhbbh.exe 90 PID 2272 wrote to memory of 864 2272 hbhbbh.exe 90 PID 864 wrote to memory of 688 864 vdjjj.exe 91 PID 864 wrote to memory of 688 864 vdjjj.exe 91 PID 864 wrote to memory of 688 864 vdjjj.exe 91 PID 688 wrote to memory of 4884 688 lrxxrll.exe 92 PID 688 wrote to memory of 4884 688 lrxxrll.exe 92 PID 688 wrote to memory of 4884 688 lrxxrll.exe 92 PID 4884 wrote to memory of 4928 4884 fxfxrll.exe 93 PID 4884 wrote to memory of 4928 4884 fxfxrll.exe 93 PID 4884 wrote to memory of 4928 4884 fxfxrll.exe 93 PID 4928 wrote to memory of 3016 4928 nhbbhh.exe 94 PID 4928 wrote to memory of 3016 4928 
nhbbhh.exe 94 PID 4928 wrote to memory of 3016 4928 nhbbhh.exe 94 PID 3016 wrote to memory of 1048 3016 pvjjj.exe 95 PID 3016 wrote to memory of 1048 3016 pvjjj.exe 95 PID 3016 wrote to memory of 1048 3016 pvjjj.exe 95 PID 1048 wrote to memory of 3720 1048 xrxrlll.exe 96 PID 1048 wrote to memory of 3720 1048 xrxrlll.exe 96 PID 1048 wrote to memory of 3720 1048 xrxrlll.exe 96 PID 3720 wrote to memory of 4664 3720 1pjjd.exe 97 PID 3720 wrote to memory of 4664 3720 1pjjd.exe 97 PID 3720 wrote to memory of 4664 3720 1pjjd.exe 97 PID 4664 wrote to memory of 3584 4664 rfllffx.exe 98 PID 4664 wrote to memory of 3584 4664 rfllffx.exe 98 PID 4664 wrote to memory of 3584 4664 rfllffx.exe 98 PID 3584 wrote to memory of 3464 3584 vpdvv.exe 99 PID 3584 wrote to memory of 3464 3584 vpdvv.exe 99 PID 3584 wrote to memory of 3464 3584 vpdvv.exe 99 PID 3464 wrote to memory of 2624 3464 hnbhbb.exe 100 PID 3464 wrote to memory of 2624 3464 hnbhbb.exe 100 PID 3464 wrote to memory of 2624 3464 hnbhbb.exe 100 PID 2624 wrote to memory of 2820 2624 jdjjd.exe 101 PID 2624 wrote to memory of 2820 2624 jdjjd.exe 101 PID 2624 wrote to memory of 2820 2624 jdjjd.exe 101 PID 2820 wrote to memory of 1916 2820 xlxllxr.exe 102 PID 2820 wrote to memory of 1916 2820 xlxllxr.exe 102 PID 2820 wrote to memory of 1916 2820 xlxllxr.exe 102 PID 1916 wrote to memory of 4996 1916 xrrrrrr.exe 103 PID 1916 wrote to memory of 4996 1916 xrrrrrr.exe 103 PID 1916 wrote to memory of 4996 1916 xrrrrrr.exe 103 PID 4996 wrote to memory of 1156 4996 ppvvd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8200987b79bf5bfa6a4825421d9b99f71036976c9cc89aa11ad0a45d024b4253.exe"C:\Users\Admin\AppData\Local\Temp\8200987b79bf5bfa6a4825421d9b99f71036976c9cc89aa11ad0a45d024b4253.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\vvdvp.exec:\vvdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\fxxrllr.exec:\fxxrllr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\bhnnnn.exec:\bhnnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\jdpjp.exec:\jdpjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\pdjjp.exec:\pdjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\rrffxrl.exec:\rrffxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\hbhbbh.exec:\hbhbbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\vdjjj.exec:\vdjjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\lrxxrll.exec:\lrxxrll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688 -
\??\c:\fxfxrll.exec:\fxfxrll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\nhbbhh.exec:\nhbbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\pvjjj.exec:\pvjjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\xrxrlll.exec:\xrxrlll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\1pjjd.exec:\1pjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\rfllffx.exec:\rfllffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\vpdvv.exec:\vpdvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\hnbhbb.exec:\hnbhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\jdjjd.exec:\jdjjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\xlxllxr.exec:\xlxllxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\xrrrrrr.exec:\xrrrrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\ppvvd.exec:\ppvvd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\lrlxlxf.exec:\lrlxlxf.exe23⤵
- Executes dropped EXE
PID:1156 -
\??\c:\bnhbbb.exec:\bnhbbb.exe24⤵
- Executes dropped EXE
PID:1220 -
\??\c:\htbttt.exec:\htbttt.exe25⤵
- Executes dropped EXE
PID:1912 -
\??\c:\dpjvp.exec:\dpjvp.exe26⤵
- Executes dropped EXE
PID:3444 -
\??\c:\ntnhhh.exec:\ntnhhh.exe27⤵
- Executes dropped EXE
PID:372 -
\??\c:\jdddd.exec:\jdddd.exe28⤵
- Executes dropped EXE
PID:4228 -
\??\c:\tttnnt.exec:\tttnnt.exe29⤵
- Executes dropped EXE
PID:2044 -
\??\c:\htttnn.exec:\htttnn.exe30⤵
- Executes dropped EXE
PID:4616 -
\??\c:\nbhbtt.exec:\nbhbtt.exe31⤵
- Executes dropped EXE
PID:880 -
\??\c:\jjjdv.exec:\jjjdv.exe32⤵
- Executes dropped EXE
PID:4828 -
\??\c:\dvpjj.exec:\dvpjj.exe33⤵
- Executes dropped EXE
PID:2168 -
\??\c:\ppvvj.exec:\ppvvj.exe34⤵
- Executes dropped EXE
PID:2460 -
\??\c:\htbnnn.exec:\htbnnn.exe35⤵
- Executes dropped EXE
PID:4668 -
\??\c:\5htnnt.exec:\5htnnt.exe36⤵
- Executes dropped EXE
PID:832 -
\??\c:\jvvpp.exec:\jvvpp.exe37⤵
- Executes dropped EXE
PID:2336 -
\??\c:\xrfrxxf.exec:\xrfrxxf.exe38⤵
- Executes dropped EXE
PID:2860 -
\??\c:\1bbthn.exec:\1bbthn.exe39⤵
- Executes dropped EXE
PID:4920 -
\??\c:\frxrllr.exec:\frxrllr.exe40⤵
- Executes dropped EXE
PID:4736 -
\??\c:\hhbthh.exec:\hhbthh.exe41⤵
- Executes dropped EXE
PID:648 -
\??\c:\xxrllfr.exec:\xxrllfr.exe42⤵
- Executes dropped EXE
PID:3060 -
\??\c:\hbbtnn.exec:\hbbtnn.exe43⤵
- Executes dropped EXE
PID:1484 -
\??\c:\rrxlffx.exec:\rrxlffx.exe44⤵
- Executes dropped EXE
PID:1972 -
\??\c:\1rrxllf.exec:\1rrxllf.exe45⤵
- Executes dropped EXE
PID:1724 -
\??\c:\thnnhb.exec:\thnnhb.exe46⤵
- Executes dropped EXE
PID:1968 -
\??\c:\dpdpj.exec:\dpdpj.exe47⤵
- Executes dropped EXE
PID:3456 -
\??\c:\xrlxrll.exec:\xrlxrll.exe48⤵
- Executes dropped EXE
PID:968 -
\??\c:\bnnnhb.exec:\bnnnhb.exe49⤵
- Executes dropped EXE
PID:3992 -
\??\c:\bhttnh.exec:\bhttnh.exe50⤵
- Executes dropped EXE
PID:4324 -
\??\c:\djpjd.exec:\djpjd.exe51⤵
- Executes dropped EXE
PID:3580 -
\??\c:\7rrxrll.exec:\7rrxrll.exe52⤵
- Executes dropped EXE
PID:4788 -
\??\c:\nnbttn.exec:\nnbttn.exe53⤵
- Executes dropped EXE
PID:4468 -
\??\c:\1djjd.exec:\1djjd.exe54⤵
- Executes dropped EXE
PID:1224 -
\??\c:\7ffxrrl.exec:\7ffxrrl.exe55⤵
- Executes dropped EXE
PID:4356 -
\??\c:\tbhbtt.exec:\tbhbtt.exe56⤵
- Executes dropped EXE
PID:3336 -
\??\c:\jvvjd.exec:\jvvjd.exe57⤵
- Executes dropped EXE
PID:2656 -
\??\c:\lrxxrll.exec:\lrxxrll.exe58⤵
- Executes dropped EXE
PID:3952 -
\??\c:\fllfxxx.exec:\fllfxxx.exe59⤵
- Executes dropped EXE
PID:4768 -
\??\c:\5hbtnt.exec:\5hbtnt.exe60⤵
- Executes dropped EXE
PID:532 -
\??\c:\vpppj.exec:\vpppj.exe61⤵
- Executes dropped EXE
PID:4104 -
\??\c:\frrlfff.exec:\frrlfff.exe62⤵
- Executes dropped EXE
PID:2920 -
\??\c:\nhhhhh.exec:\nhhhhh.exe63⤵
- Executes dropped EXE
PID:1448 -
\??\c:\nbbnhh.exec:\nbbnhh.exe64⤵
- Executes dropped EXE
PID:4408 -
\??\c:\jddvp.exec:\jddvp.exe65⤵
- Executes dropped EXE
PID:1508 -
\??\c:\nhhbtn.exec:\nhhbtn.exe66⤵PID:4072
-
\??\c:\jpjjd.exec:\jpjjd.exe67⤵PID:4536
-
\??\c:\fxrrlff.exec:\fxrrlff.exe68⤵PID:3960
-
\??\c:\lllffxx.exec:\lllffxx.exe69⤵PID:4656
-
\??\c:\bhntbb.exec:\bhntbb.exe70⤵PID:4812
-
\??\c:\3rrrllf.exec:\3rrrllf.exe71⤵PID:4068
-
\??\c:\xxffxrr.exec:\xxffxrr.exe72⤵PID:4852
-
\??\c:\nnttnn.exec:\nnttnn.exe73⤵PID:4640
-
\??\c:\3dvvj.exec:\3dvvj.exe74⤵PID:3584
-
\??\c:\jvdpj.exec:\jvdpj.exe75⤵PID:5040
-
\??\c:\rllfxxr.exec:\rllfxxr.exe76⤵PID:2792
-
\??\c:\nbnnhh.exec:\nbnnhh.exe77⤵PID:3996
-
\??\c:\5ppjd.exec:\5ppjd.exe78⤵PID:1536
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe79⤵PID:1916
-
\??\c:\bbhttb.exec:\bbhttb.exe80⤵PID:3020
-
\??\c:\nbtnhh.exec:\nbtnhh.exe81⤵PID:4336
-
\??\c:\pvdvp.exec:\pvdvp.exe82⤵PID:2708
-
\??\c:\vppjv.exec:\vppjv.exe83⤵PID:4208
-
\??\c:\rrxrrrr.exec:\rrxrrrr.exe84⤵PID:3224
-
\??\c:\tnbbhn.exec:\tnbbhn.exe85⤵PID:1792
-
\??\c:\pppjd.exec:\pppjd.exe86⤵PID:3596
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe87⤵PID:1732
-
\??\c:\thnnhh.exec:\thnnhh.exe88⤵PID:4892
-
\??\c:\bbnhnn.exec:\bbnhnn.exe89⤵PID:316
-
\??\c:\dpjpv.exec:\dpjpv.exe90⤵PID:2044
-
\??\c:\rrrrlll.exec:\rrrrlll.exe91⤵PID:4616
-
\??\c:\7lfxxfx.exec:\7lfxxfx.exe92⤵PID:4252
-
\??\c:\5nhbtb.exec:\5nhbtb.exe93⤵PID:4832
-
\??\c:\vpvpj.exec:\vpvpj.exe94⤵PID:1376
-
\??\c:\rxlfffx.exec:\rxlfffx.exe95⤵PID:644
-
\??\c:\ntbnht.exec:\ntbnht.exe96⤵PID:1816
-
\??\c:\vpvvv.exec:\vpvvv.exe97⤵PID:2752
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe98⤵PID:996
-
\??\c:\tbtnhb.exec:\tbtnhb.exe99⤵PID:3600
-
\??\c:\ppjjd.exec:\ppjjd.exe100⤵PID:2936
-
\??\c:\rlrlfff.exec:\rlrlfff.exe101⤵PID:4580
-
\??\c:\lfxxxxf.exec:\lfxxxxf.exe102⤵PID:4488
-
\??\c:\hnhbtt.exec:\hnhbtt.exe103⤵PID:2768
-
\??\c:\9vvdd.exec:\9vvdd.exe104⤵PID:648
-
\??\c:\djjjd.exec:\djjjd.exe105⤵PID:3400
-
\??\c:\xxxxffr.exec:\xxxxffr.exe106⤵PID:1484
-
\??\c:\9bntbh.exec:\9bntbh.exe107⤵PID:1972
-
\??\c:\vpvpv.exec:\vpvpv.exe108⤵PID:2848
-
\??\c:\rlxfxxr.exec:\rlxfxxr.exe109⤵PID:4800
-
\??\c:\fxllllf.exec:\fxllllf.exe110⤵PID:3808
-
\??\c:\nntnbt.exec:\nntnbt.exe111⤵PID:2016
-
\??\c:\pjdjd.exec:\pjdjd.exe112⤵PID:4556
-
\??\c:\rllfrrr.exec:\rllfrrr.exe113⤵PID:3324
-
\??\c:\nhtthh.exec:\nhtthh.exe114⤵PID:1480
-
\??\c:\vjjvj.exec:\vjjvj.exe115⤵PID:4840
-
\??\c:\fxlxrxx.exec:\fxlxrxx.exe116⤵PID:1252
-
\??\c:\xlxrlrr.exec:\xlxrlrr.exe117⤵PID:2152
-
\??\c:\tntbbh.exec:\tntbbh.exe118⤵PID:4540
-
\??\c:\jjppd.exec:\jjppd.exe119⤵PID:616
-
\??\c:\ddjdp.exec:\ddjdp.exe120⤵PID:3336
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe121⤵PID:1432
-
\??\c:\nhttnn.exec:\nhttnn.exe122⤵PID:1868
-