Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
29/09/2024, 23:35
Behavioral task
behavioral1
Sample
d844f07a435c6f863c3075f9fffdc142d06dfcd6899480e92b0da68fb663f434N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
d844f07a435c6f863c3075f9fffdc142d06dfcd6899480e92b0da68fb663f434N.exe
-
Size
406KB
-
MD5
cc030524ff68fad9794a0b7d1fd41bd0
-
SHA1
1e9de6d8b09e70b4b2856183ad1a557cfa491a8a
-
SHA256
d844f07a435c6f863c3075f9fffdc142d06dfcd6899480e92b0da68fb663f434
-
SHA512
7ec000251c308160b73aeafdc979b1ee54bed3e57fd81753642c8fc2e405df6589bf2e4b5614c9b6bf5fb97cc5d8a6eb4a3e5a2a6c344109de15e15b8ab4e964
-
SSDEEP
6144:Jcm4FmowdHoSEubDcAkOCOu0EajNVBZr6y2WXxLO1UqW9E3HC:T4wFHoSEubD2P3HC
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4888-5-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3304-14-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1892-36-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/784-230-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1212-283-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1008-293-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5092-274-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4692-267-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2796-241-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/828-234-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/536-226-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4600-222-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1100-216-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1116-205-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1568-201-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3216-303-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3380-198-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2508-194-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/512-189-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/552-185-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2700-181-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/2992-175-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3216-149-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5040-134-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3736-127-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2036-120-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2260-115-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/852-110-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1660-103-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/548-87-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1976-77-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2280-65-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3208-59-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4136-53-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/336-42-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/228-25-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1888-19-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3960-11-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1236-323-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/860-336-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2108-342-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1872-350-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3364-408-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1724-421-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2412-443-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1080-447-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/908-463-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/512-467-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1176-486-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1312-520-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3364-554-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3352-591-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4888-649-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3704-662-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1660-693-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3808-703-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4316-749-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3812-897-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/536-1146-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4844-1183-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4292-1244-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5100-1470-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2368-1783-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3304 jjddd.exe 3960 2660826.exe 1888 flxxxrf.exe 228 pjdvj.exe 116 frlxfxl.exe 1892 i848008.exe 336 thnhnh.exe 4856 08620.exe 4136 pdddd.exe 3208 frxlffr.exe 2280 3jjdp.exe 3156 rflxfxx.exe 1976 66084.exe 4844 fllxlfr.exe 548 httnnn.exe 1396 484860.exe 696 26046.exe 1660 86022.exe 852 42222.exe 2260 624426.exe 2036 2682660.exe 3736 0428260.exe 5040 0686488.exe 1008 1dvvj.exe 2484 2248826.exe 3216 660420.exe 4484 1nthbt.exe 4704 42400.exe 1896 0848604.exe 3168 08804.exe 2992 bttnhb.exe 2700 60682.exe 552 800084.exe 512 422660.exe 2508 8408260.exe 3380 q60208.exe 1568 jjjpd.exe 1116 6648604.exe 2108 fxfxrfx.exe 1616 206826.exe 1100 422626.exe 4764 a4260.exe 4600 ntbthh.exe 536 vdjdv.exe 784 thhthb.exe 828 nthbnb.exe 212 66420.exe 2796 u060040.exe 4024 44008.exe 2168 7hbnbt.exe 3916 flrfxfr.exe 1976 4204046.exe 4800 0460280.exe 3568 00862.exe 1068 0648260.exe 4692 0864040.exe 3356 3fxrlff.exe 5092 00060.exe 852 w66022.exe 1632 040024.exe 1212 pdjvd.exe 1084 s4422.exe 1500 2248604.exe 1008 9vvjd.exe -
resource yara_rule behavioral2/memory/4888-0-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x000b0000000235e9-3.dat upx behavioral2/memory/4888-5-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x00080000000235ef-9.dat upx behavioral2/memory/3304-14-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x00070000000235f0-17.dat upx behavioral2/files/0x00070000000235f2-28.dat upx behavioral2/memory/1892-36-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x00070000000235f5-46.dat upx behavioral2/files/0x00070000000235f6-51.dat upx behavioral2/files/0x00070000000235f7-57.dat upx behavioral2/files/0x0007000000023600-106.dat upx behavioral2/files/0x0007000000023603-124.dat upx behavioral2/files/0x0007000000023605-136.dat upx behavioral2/files/0x000700000002360d-179.dat upx behavioral2/memory/784-230-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1212-283-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1008-293-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5092-274-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4692-267-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2796-241-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/828-234-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/536-226-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4600-222-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1100-216-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1116-205-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1568-201-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4060-304-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3216-303-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/3380-198-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2508-194-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/512-189-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/552-185-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2700-181-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2992-175-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x000700000002360c-173.dat upx behavioral2/files/0x000700000002360b-168.dat upx behavioral2/files/0x000700000002360a-162.dat upx behavioral2/files/0x0007000000023609-158.dat upx behavioral2/files/0x0007000000023608-153.dat upx behavioral2/memory/3216-149-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x0007000000023607-147.dat upx behavioral2/files/0x0007000000023606-142.dat upx behavioral2/memory/5040-134-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x0007000000023604-131.dat upx behavioral2/memory/3736-127-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2036-120-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x0007000000023602-119.dat upx behavioral2/memory/2260-115-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x0007000000023601-113.dat upx behavioral2/memory/852-110-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1660-103-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x00070000000235ff-101.dat upx behavioral2/files/0x00070000000235fe-96.dat upx behavioral2/files/0x00070000000235fd-91.dat upx behavioral2/memory/548-87-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x00070000000235fc-85.dat upx behavioral2/files/0x00070000000235fb-79.dat upx behavioral2/memory/1976-77-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x00070000000235fa-74.dat upx 
behavioral2/files/0x00070000000235f9-69.dat upx behavioral2/memory/2280-65-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/files/0x00070000000235f8-63.dat upx behavioral2/memory/3208-59-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2660826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0482044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8264240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w22026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 248422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i604440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4888 wrote to memory of 3304 4888 d844f07a435c6f863c3075f9fffdc142d06dfcd6899480e92b0da68fb663f434N.exe 89 PID 4888 wrote to memory of 3304 4888 d844f07a435c6f863c3075f9fffdc142d06dfcd6899480e92b0da68fb663f434N.exe 89 PID 4888 wrote to memory of 3304 4888 d844f07a435c6f863c3075f9fffdc142d06dfcd6899480e92b0da68fb663f434N.exe 89 PID 3304 wrote to memory of 3960 3304 jjddd.exe 90 PID 3304 wrote to memory of 3960 3304 jjddd.exe 90 PID 3304 wrote to memory of 3960 3304 jjddd.exe 90 PID 3960 wrote to memory of 1888 3960 2660826.exe 91 PID 3960 wrote to memory of 1888 3960 2660826.exe 91 PID 3960 wrote to memory of 1888 3960 2660826.exe 91 PID 1888 wrote to memory of 228 1888 flxxxrf.exe 92 PID 1888 wrote to memory of 228 1888 flxxxrf.exe 92 PID 1888 wrote to memory of 228 1888 flxxxrf.exe 92 PID 228 wrote to memory of 116 228 pjdvj.exe 93 PID 228 wrote to memory of 116 228 pjdvj.exe 93 PID 228 wrote to memory of 116 228 pjdvj.exe 93 PID 116 wrote to memory of 1892 116 frlxfxl.exe 94 PID 116 wrote to memory of 1892 116 frlxfxl.exe 94 PID 116 wrote to memory of 1892 116 frlxfxl.exe 94 PID 1892 wrote to memory of 336 1892 i848008.exe 95 PID 1892 wrote to memory of 336 1892 i848008.exe 95 PID 1892 wrote to memory of 336 1892 i848008.exe 95 PID 336 wrote to memory of 4856 336 thnhnh.exe 96 PID 336 wrote to memory of 4856 336 thnhnh.exe 96 PID 336 wrote to memory of 4856 336 thnhnh.exe 96 PID 4856 wrote to memory of 4136 4856 08620.exe 97 PID 4856 wrote to memory of 4136 4856 08620.exe 97 PID 4856 wrote to memory of 4136 4856 08620.exe 97 PID 4136 wrote to memory of 3208 4136 pdddd.exe 98 PID 4136 wrote to memory of 3208 4136 pdddd.exe 98 PID 4136 wrote to memory of 3208 4136 pdddd.exe 98 PID 3208 wrote to memory of 2280 3208 frxlffr.exe 99 PID 3208 wrote to memory of 2280 3208 frxlffr.exe 99 PID 3208 wrote to memory of 2280 3208 frxlffr.exe 99 PID 2280 wrote to memory of 3156 2280 3jjdp.exe 100 PID 2280 wrote to memory of 3156 2280 
3jjdp.exe 100 PID 2280 wrote to memory of 3156 2280 3jjdp.exe 100 PID 3156 wrote to memory of 1976 3156 rflxfxx.exe 101 PID 3156 wrote to memory of 1976 3156 rflxfxx.exe 101 PID 3156 wrote to memory of 1976 3156 rflxfxx.exe 101 PID 1976 wrote to memory of 4844 1976 66084.exe 102 PID 1976 wrote to memory of 4844 1976 66084.exe 102 PID 1976 wrote to memory of 4844 1976 66084.exe 102 PID 4844 wrote to memory of 548 4844 fllxlfr.exe 103 PID 4844 wrote to memory of 548 4844 fllxlfr.exe 103 PID 4844 wrote to memory of 548 4844 fllxlfr.exe 103 PID 548 wrote to memory of 1396 548 httnnn.exe 104 PID 548 wrote to memory of 1396 548 httnnn.exe 104 PID 548 wrote to memory of 1396 548 httnnn.exe 104 PID 1396 wrote to memory of 696 1396 484860.exe 105 PID 1396 wrote to memory of 696 1396 484860.exe 105 PID 1396 wrote to memory of 696 1396 484860.exe 105 PID 696 wrote to memory of 1660 696 26046.exe 106 PID 696 wrote to memory of 1660 696 26046.exe 106 PID 696 wrote to memory of 1660 696 26046.exe 106 PID 1660 wrote to memory of 852 1660 86022.exe 107 PID 1660 wrote to memory of 852 1660 86022.exe 107 PID 1660 wrote to memory of 852 1660 86022.exe 107 PID 852 wrote to memory of 2260 852 42222.exe 108 PID 852 wrote to memory of 2260 852 42222.exe 108 PID 852 wrote to memory of 2260 852 42222.exe 108 PID 2260 wrote to memory of 2036 2260 624426.exe 109 PID 2260 wrote to memory of 2036 2260 624426.exe 109 PID 2260 wrote to memory of 2036 2260 624426.exe 109 PID 2036 wrote to memory of 3736 2036 2682660.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\d844f07a435c6f863c3075f9fffdc142d06dfcd6899480e92b0da68fb663f434N.exe"C:\Users\Admin\AppData\Local\Temp\d844f07a435c6f863c3075f9fffdc142d06dfcd6899480e92b0da68fb663f434N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\jjddd.exec:\jjddd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\2660826.exec:\2660826.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\flxxxrf.exec:\flxxxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\pjdvj.exec:\pjdvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\frlxfxl.exec:\frlxfxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\i848008.exec:\i848008.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\thnhnh.exec:\thnhnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\08620.exec:\08620.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\pdddd.exec:\pdddd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\frxlffr.exec:\frxlffr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\3jjdp.exec:\3jjdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\rflxfxx.exec:\rflxfxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\66084.exec:\66084.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\fllxlfr.exec:\fllxlfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\httnnn.exec:\httnnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\484860.exec:\484860.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\26046.exec:\26046.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\86022.exec:\86022.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\42222.exec:\42222.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\624426.exec:\624426.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\2682660.exec:\2682660.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\0428260.exec:\0428260.exe23⤵
- Executes dropped EXE
PID:3736 -
\??\c:\0686488.exec:\0686488.exe24⤵
- Executes dropped EXE
PID:5040 -
\??\c:\1dvvj.exec:\1dvvj.exe25⤵
- Executes dropped EXE
PID:1008 -
\??\c:\2248826.exec:\2248826.exe26⤵
- Executes dropped EXE
PID:2484 -
\??\c:\660420.exec:\660420.exe27⤵
- Executes dropped EXE
PID:3216 -
\??\c:\1nthbt.exec:\1nthbt.exe28⤵
- Executes dropped EXE
PID:4484 -
\??\c:\42400.exec:\42400.exe29⤵
- Executes dropped EXE
PID:4704 -
\??\c:\0848604.exec:\0848604.exe30⤵
- Executes dropped EXE
PID:1896 -
\??\c:\08804.exec:\08804.exe31⤵
- Executes dropped EXE
PID:3168 -
\??\c:\bttnhb.exec:\bttnhb.exe32⤵
- Executes dropped EXE
PID:2992 -
\??\c:\60682.exec:\60682.exe33⤵
- Executes dropped EXE
PID:2700 -
\??\c:\800084.exec:\800084.exe34⤵
- Executes dropped EXE
PID:552 -
\??\c:\422660.exec:\422660.exe35⤵
- Executes dropped EXE
PID:512 -
\??\c:\8408260.exec:\8408260.exe36⤵
- Executes dropped EXE
PID:2508 -
\??\c:\q60208.exec:\q60208.exe37⤵
- Executes dropped EXE
PID:3380 -
\??\c:\jjjpd.exec:\jjjpd.exe38⤵
- Executes dropped EXE
PID:1568 -
\??\c:\6648604.exec:\6648604.exe39⤵
- Executes dropped EXE
PID:1116 -
\??\c:\fxfxrfx.exec:\fxfxrfx.exe40⤵
- Executes dropped EXE
PID:2108 -
\??\c:\206826.exec:\206826.exe41⤵
- Executes dropped EXE
PID:1616 -
\??\c:\422626.exec:\422626.exe42⤵
- Executes dropped EXE
PID:1100 -
\??\c:\a4260.exec:\a4260.exe43⤵
- Executes dropped EXE
PID:4764 -
\??\c:\ntbthh.exec:\ntbthh.exe44⤵
- Executes dropped EXE
PID:4600 -
\??\c:\vdjdv.exec:\vdjdv.exe45⤵
- Executes dropped EXE
PID:536 -
\??\c:\thhthb.exec:\thhthb.exe46⤵
- Executes dropped EXE
PID:784 -
\??\c:\nthbnb.exec:\nthbnb.exe47⤵
- Executes dropped EXE
PID:828 -
\??\c:\66420.exec:\66420.exe48⤵
- Executes dropped EXE
PID:212 -
\??\c:\u060040.exec:\u060040.exe49⤵
- Executes dropped EXE
PID:2796 -
\??\c:\44008.exec:\44008.exe50⤵
- Executes dropped EXE
PID:4024 -
\??\c:\7hbnbt.exec:\7hbnbt.exe51⤵
- Executes dropped EXE
PID:2168 -
\??\c:\flrfxfr.exec:\flrfxfr.exe52⤵
- Executes dropped EXE
PID:3916 -
\??\c:\4204046.exec:\4204046.exe53⤵
- Executes dropped EXE
PID:1976 -
\??\c:\0460280.exec:\0460280.exe54⤵
- Executes dropped EXE
PID:4800 -
\??\c:\00862.exec:\00862.exe55⤵
- Executes dropped EXE
PID:3568 -
\??\c:\0648260.exec:\0648260.exe56⤵
- Executes dropped EXE
PID:1068 -
\??\c:\0864040.exec:\0864040.exe57⤵
- Executes dropped EXE
PID:4692 -
\??\c:\3fxrlff.exec:\3fxrlff.exe58⤵
- Executes dropped EXE
PID:3356 -
\??\c:\00060.exec:\00060.exe59⤵
- Executes dropped EXE
PID:5092 -
\??\c:\w66022.exec:\w66022.exe60⤵
- Executes dropped EXE
PID:852 -
\??\c:\040024.exec:\040024.exe61⤵
- Executes dropped EXE
PID:1632 -
\??\c:\pdjvd.exec:\pdjvd.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1212 -
\??\c:\s4422.exec:\s4422.exe63⤵
- Executes dropped EXE
PID:1084 -
\??\c:\2248604.exec:\2248604.exe64⤵
- Executes dropped EXE
PID:1500 -
\??\c:\9vvjd.exec:\9vvjd.exe65⤵
- Executes dropped EXE
PID:1008 -
\??\c:\0808822.exec:\0808822.exe66⤵PID:4092
-
\??\c:\28842.exec:\28842.exe67⤵PID:3216
-
\??\c:\0882026.exec:\0882026.exe68⤵PID:4060
-
\??\c:\dpdpd.exec:\dpdpd.exe69⤵PID:4664
-
\??\c:\vppdv.exec:\vppdv.exe70⤵PID:2568
-
\??\c:\k28604.exec:\k28604.exe71⤵PID:4840
-
\??\c:\208240.exec:\208240.exe72⤵PID:1872
-
\??\c:\006000.exec:\006000.exe73⤵PID:1236
-
\??\c:\46066.exec:\46066.exe74⤵PID:4568
-
\??\c:\vjvvv.exec:\vjvvv.exe75⤵PID:2508
-
\??\c:\jjdvj.exec:\jjdvj.exe76⤵PID:3576
-
\??\c:\rfrrxfl.exec:\rfrrxfl.exe77⤵PID:860
-
\??\c:\k48282.exec:\k48282.exe78⤵PID:3020
-
\??\c:\rlxllrx.exec:\rlxllrx.exe79⤵PID:2108
-
\??\c:\xxrrlfx.exec:\xxrrlfx.exe80⤵PID:1176
-
\??\c:\3ffxllx.exec:\3ffxllx.exe81⤵PID:3960
-
\??\c:\frrfxrl.exec:\frrfxrl.exe82⤵PID:620
-
\??\c:\46060.exec:\46060.exe83⤵PID:4460
-
\??\c:\8604826.exec:\8604826.exe84⤵PID:1172
-
\??\c:\pdjvv.exec:\pdjvv.exe85⤵PID:784
-
\??\c:\jvjvp.exec:\jvjvp.exe86⤵PID:1064
-
\??\c:\04448.exec:\04448.exe87⤵PID:652
-
\??\c:\0028400.exec:\0028400.exe88⤵PID:1648
-
\??\c:\466048.exec:\466048.exe89⤵PID:1312
-
\??\c:\6488264.exec:\6488264.exe90⤵PID:2576
-
\??\c:\hnhthb.exec:\hnhthb.exe91⤵PID:1048
-
\??\c:\806464.exec:\806464.exe92⤵PID:1964
-
\??\c:\pdjdv.exec:\pdjdv.exe93⤵PID:4956
-
\??\c:\62066.exec:\62066.exe94⤵PID:3208
-
\??\c:\040886.exec:\040886.exe95⤵PID:3860
-
\??\c:\rllxrrl.exec:\rllxrrl.exe96⤵PID:5032
-
\??\c:\8680242.exec:\8680242.exe97⤵PID:3540
-
\??\c:\26406.exec:\26406.exe98⤵PID:4004
-
\??\c:\lffxxxf.exec:\lffxxxf.exe99⤵PID:3932
-
\??\c:\9dpjv.exec:\9dpjv.exe100⤵PID:3364
-
\??\c:\fxlllll.exec:\fxlllll.exe101⤵PID:1736
-
\??\c:\hhbnnn.exec:\hhbnnn.exe102⤵PID:3112
-
\??\c:\848680.exec:\848680.exe103⤵PID:3232
-
\??\c:\lfffxxx.exec:\lfffxxx.exe104⤵PID:1724
-
\??\c:\g8048.exec:\g8048.exe105⤵PID:3952
-
\??\c:\pjdvd.exec:\pjdvd.exe106⤵PID:3000
-
\??\c:\bhtntn.exec:\bhtntn.exe107⤵PID:4332
-
\??\c:\1fxxlfx.exec:\1fxxlfx.exe108⤵PID:5040
-
\??\c:\86266.exec:\86266.exe109⤵PID:3520
-
\??\c:\4484400.exec:\4484400.exe110⤵PID:3944
-
\??\c:\rfrllff.exec:\rfrllff.exe111⤵PID:2412
-
\??\c:\pvvpj.exec:\pvvpj.exe112⤵PID:1080
-
\??\c:\9jpdp.exec:\9jpdp.exe113⤵PID:1688
-
\??\c:\4428204.exec:\4428204.exe114⤵PID:4476
-
\??\c:\06860.exec:\06860.exe115⤵PID:4848
-
\??\c:\tnnhbb.exec:\tnnhbb.exe116⤵PID:4212
-
\??\c:\g4226.exec:\g4226.exe117⤵PID:908
-
\??\c:\htbtnn.exec:\htbtnn.exe118⤵PID:512
-
\??\c:\xrlfrxr.exec:\xrlfrxr.exe119⤵PID:2204
-
\??\c:\64208.exec:\64208.exe120⤵
- System Location Discovery: System Language Discovery
PID:4312 -
\??\c:\42042.exec:\42042.exe121⤵PID:4012
-
\??\c:\0246404.exec:\0246404.exe122⤵PID:4260