Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 00:59
Static task
static1
Behavioral task
behavioral1
Sample
745fc305fb8a9429dcf042c5a9d409897df76187d3ac112446d1f6bee53ba87e.exe
Resource
win7-20240903-en
General
-
Target
745fc305fb8a9429dcf042c5a9d409897df76187d3ac112446d1f6bee53ba87e.exe
-
Size
456KB
-
MD5
077d40d43e799d020472eb47983000c4
-
SHA1
877ff8c579668c854c403118e31a2f26c09f1d2f
-
SHA256
745fc305fb8a9429dcf042c5a9d409897df76187d3ac112446d1f6bee53ba87e
-
SHA512
0f5f8fac7ed4dcca1591464898f2a864f79f1a1aad6445dc1ec69ec1cbc899b9776bb9531d00713fa00183012ef42cd34f90d6d528cb9a8bbc57f2b2b021b28b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRwK:q7Tc2NYHUrAwfMp3CDRwK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
Processes:
resource yara_rule behavioral2/memory/3276-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3044-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1592-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-1302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
g0860.exec060444.exepddvv.exe82260.exepjvvd.exehbttnn.exenbtttt.exek84488.exe0242660.exe442666.exe080888.exe2404882.exeq42062.exe440488.exeflrlflx.exe2660044.exe2248440.exerlllllf.exe46260.exepdjjd.exe40666.exevdpvd.exe266206.exe828828.exehnbbtt.exe420666.exe4482260.exe220464.exedvpjv.exejvppd.exebbtnbn.exe7hnbbt.exevvdvj.exe9nhtnh.exehbbhtn.exe7vdpj.exe44482.exejvvjp.exe8608204.exe8028626.exe48264.exelrxlfxr.exe0848604.exe84004.exedjpdp.exe9ffxrrr.exe3jjdp.exe426426.exedppdp.exe668226.exe9rlfxrr.exe40440.exedjpdv.exerfrrxxf.exe8840688.exe4860602.exedppdv.exevpvjd.exehnnnbt.exeppppd.exei448204.exe442082.exe00888.exerrxrxxf.exepid Process 2740 g0860.exe 2200 c060444.exe 3928 pddvv.exe 4964 82260.exe 4572 pjvvd.exe 1560 hbttnn.exe 184 nbtttt.exe 692 k84488.exe 2664 0242660.exe 3032 442666.exe 4136 080888.exe 2464 2404882.exe 2732 q42062.exe 4496 440488.exe 1532 flrlflx.exe 2544 2660044.exe 5108 2248440.exe 2276 rlllllf.exe 1368 46260.exe 3136 pdjjd.exe 3792 40666.exe 3548 vdpvd.exe 3396 266206.exe 1900 828828.exe 2408 hnbbtt.exe 3044 420666.exe 4776 4482260.exe 1628 220464.exe 4356 dvpjv.exe 3732 jvppd.exe 5060 bbtnbn.exe 1120 7hnbbt.exe 3564 vvdvj.exe 1668 9nhtnh.exe 1596 hbbhtn.exe 2172 7vdpj.exe 3024 44482.exe 3428 jvvjp.exe 2948 8608204.exe 2536 8028626.exe 4772 48264.exe 1800 lrxlfxr.exe 3376 0848604.exe 3932 84004.exe 2316 djpdp.exe 1692 9ffxrrr.exe 5056 3jjdp.exe 3664 426426.exe 4032 dppdp.exe 3028 668226.exe 4516 9rlfxrr.exe 4984 40440.exe 4676 djpdv.exe 1064 rfrrxxf.exe 1208 8840688.exe 3796 4860602.exe 4792 dppdv.exe 4964 vpvjd.exe 4380 hnnnbt.exe 3480 ppppd.exe 944 i448204.exe 3984 442082.exe 2012 00888.exe 3992 rrxrxxf.exe -
Processes:
resource yara_rule behavioral2/memory/3276-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5060-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-394-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/368-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-744-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
3rxrrxl.exe220426.exe5xxrllf.exedjjjv.exevjjdv.exentbnhh.exerflxllf.exe884204.exe6602846.exelfffffx.exejpdvj.exejddpd.exerllrxff.exe26008.exerfflfll.exeg2204.exedvdvd.exerlxxxxx.exe040488.exebhnnhh.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 220426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6602846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfflfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
745fc305fb8a9429dcf042c5a9d409897df76187d3ac112446d1f6bee53ba87e.exeg0860.exec060444.exepddvv.exe82260.exepjvvd.exehbttnn.exenbtttt.exek84488.exe0242660.exe442666.exe080888.exe2404882.exeq42062.exe440488.exeflrlflx.exe2660044.exe2248440.exerlllllf.exe46260.exepdjjd.exe40666.exedescription pid Process procid_target PID 3276 wrote to memory of 2740 3276 745fc305fb8a9429dcf042c5a9d409897df76187d3ac112446d1f6bee53ba87e.exe 83 PID 3276 wrote to memory of 2740 3276 745fc305fb8a9429dcf042c5a9d409897df76187d3ac112446d1f6bee53ba87e.exe 83 PID 3276 wrote to memory of 2740 3276 745fc305fb8a9429dcf042c5a9d409897df76187d3ac112446d1f6bee53ba87e.exe 83 PID 2740 wrote to memory of 2200 2740 g0860.exe 84 PID 2740 wrote to memory of 2200 2740 g0860.exe 84 PID 2740 wrote to memory of 2200 2740 g0860.exe 84 PID 2200 wrote to memory of 3928 2200 c060444.exe 85 PID 2200 wrote to memory of 3928 2200 c060444.exe 85 PID 2200 wrote to memory of 3928 2200 c060444.exe 85 PID 3928 wrote to memory of 4964 3928 pddvv.exe 86 PID 3928 wrote to memory of 4964 3928 pddvv.exe 86 PID 3928 wrote to memory of 4964 3928 pddvv.exe 86 PID 4964 wrote to memory of 4572 4964 82260.exe 87 PID 4964 wrote to memory of 4572 4964 82260.exe 87 PID 4964 wrote to memory of 4572 4964 82260.exe 87 PID 4572 wrote to memory of 1560 4572 pjvvd.exe 88 PID 4572 wrote to memory of 1560 4572 pjvvd.exe 88 PID 4572 wrote to memory of 1560 4572 pjvvd.exe 88 PID 1560 wrote to memory of 184 1560 hbttnn.exe 89 PID 1560 wrote to memory of 184 1560 hbttnn.exe 89 PID 1560 wrote to memory of 184 1560 hbttnn.exe 89 PID 184 wrote to memory of 692 184 nbtttt.exe 90 PID 184 wrote to memory of 692 184 nbtttt.exe 90 PID 184 wrote to memory of 692 184 nbtttt.exe 90 PID 692 wrote to memory of 2664 692 k84488.exe 91 PID 692 wrote to memory of 2664 692 k84488.exe 91 PID 692 wrote to memory of 2664 692 k84488.exe 91 PID 2664 wrote to memory of 3032 2664 0242660.exe 92 PID 2664 wrote to memory of 3032 2664 0242660.exe 92 PID 2664 wrote to memory 
of 3032 2664 0242660.exe 92 PID 3032 wrote to memory of 4136 3032 442666.exe 93 PID 3032 wrote to memory of 4136 3032 442666.exe 93 PID 3032 wrote to memory of 4136 3032 442666.exe 93 PID 4136 wrote to memory of 2464 4136 080888.exe 94 PID 4136 wrote to memory of 2464 4136 080888.exe 94 PID 4136 wrote to memory of 2464 4136 080888.exe 94 PID 2464 wrote to memory of 2732 2464 2404882.exe 95 PID 2464 wrote to memory of 2732 2464 2404882.exe 95 PID 2464 wrote to memory of 2732 2464 2404882.exe 95 PID 2732 wrote to memory of 4496 2732 q42062.exe 96 PID 2732 wrote to memory of 4496 2732 q42062.exe 96 PID 2732 wrote to memory of 4496 2732 q42062.exe 96 PID 4496 wrote to memory of 1532 4496 440488.exe 97 PID 4496 wrote to memory of 1532 4496 440488.exe 97 PID 4496 wrote to memory of 1532 4496 440488.exe 97 PID 1532 wrote to memory of 2544 1532 flrlflx.exe 98 PID 1532 wrote to memory of 2544 1532 flrlflx.exe 98 PID 1532 wrote to memory of 2544 1532 flrlflx.exe 98 PID 2544 wrote to memory of 5108 2544 2660044.exe 99 PID 2544 wrote to memory of 5108 2544 2660044.exe 99 PID 2544 wrote to memory of 5108 2544 2660044.exe 99 PID 5108 wrote to memory of 2276 5108 2248440.exe 100 PID 5108 wrote to memory of 2276 5108 2248440.exe 100 PID 5108 wrote to memory of 2276 5108 2248440.exe 100 PID 2276 wrote to memory of 1368 2276 rlllllf.exe 101 PID 2276 wrote to memory of 1368 2276 rlllllf.exe 101 PID 2276 wrote to memory of 1368 2276 rlllllf.exe 101 PID 1368 wrote to memory of 3136 1368 46260.exe 102 PID 1368 wrote to memory of 3136 1368 46260.exe 102 PID 1368 wrote to memory of 3136 1368 46260.exe 102 PID 3136 wrote to memory of 3792 3136 pdjjd.exe 103 PID 3136 wrote to memory of 3792 3136 pdjjd.exe 103 PID 3136 wrote to memory of 3792 3136 pdjjd.exe 103 PID 3792 wrote to memory of 3548 3792 40666.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\745fc305fb8a9429dcf042c5a9d409897df76187d3ac112446d1f6bee53ba87e.exe"C:\Users\Admin\AppData\Local\Temp\745fc305fb8a9429dcf042c5a9d409897df76187d3ac112446d1f6bee53ba87e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\g0860.exec:\g0860.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\c060444.exec:\c060444.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\pddvv.exec:\pddvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\82260.exec:\82260.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\pjvvd.exec:\pjvvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\hbttnn.exec:\hbttnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\nbtttt.exec:\nbtttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\k84488.exec:\k84488.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\0242660.exec:\0242660.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\442666.exec:\442666.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\080888.exec:\080888.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\2404882.exec:\2404882.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\q42062.exec:\q42062.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\440488.exec:\440488.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\flrlflx.exec:\flrlflx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\2660044.exec:\2660044.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\2248440.exec:\2248440.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\rlllllf.exec:\rlllllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\46260.exec:\46260.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\pdjjd.exec:\pdjjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\40666.exec:\40666.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\vdpvd.exec:\vdpvd.exe23⤵
- Executes dropped EXE
PID:3548 -
\??\c:\266206.exec:\266206.exe24⤵
- Executes dropped EXE
PID:3396 -
\??\c:\828828.exec:\828828.exe25⤵
- Executes dropped EXE
PID:1900 -
\??\c:\hnbbtt.exec:\hnbbtt.exe26⤵
- Executes dropped EXE
PID:2408 -
\??\c:\420666.exec:\420666.exe27⤵
- Executes dropped EXE
PID:3044 -
\??\c:\4482260.exec:\4482260.exe28⤵
- Executes dropped EXE
PID:4776 -
\??\c:\220464.exec:\220464.exe29⤵
- Executes dropped EXE
PID:1628 -
\??\c:\dvpjv.exec:\dvpjv.exe30⤵
- Executes dropped EXE
PID:4356 -
\??\c:\jvppd.exec:\jvppd.exe31⤵
- Executes dropped EXE
PID:3732 -
\??\c:\bbtnbn.exec:\bbtnbn.exe32⤵
- Executes dropped EXE
PID:5060 -
\??\c:\7hnbbt.exec:\7hnbbt.exe33⤵
- Executes dropped EXE
PID:1120 -
\??\c:\vvdvj.exec:\vvdvj.exe34⤵
- Executes dropped EXE
PID:3564 -
\??\c:\9nhtnh.exec:\9nhtnh.exe35⤵
- Executes dropped EXE
PID:1668 -
\??\c:\hbbhtn.exec:\hbbhtn.exe36⤵
- Executes dropped EXE
PID:1596 -
\??\c:\7vdpj.exec:\7vdpj.exe37⤵
- Executes dropped EXE
PID:2172 -
\??\c:\44482.exec:\44482.exe38⤵
- Executes dropped EXE
PID:3024 -
\??\c:\jvvjp.exec:\jvvjp.exe39⤵
- Executes dropped EXE
PID:3428 -
\??\c:\8608204.exec:\8608204.exe40⤵
- Executes dropped EXE
PID:2948 -
\??\c:\8028626.exec:\8028626.exe41⤵
- Executes dropped EXE
PID:2536 -
\??\c:\48264.exec:\48264.exe42⤵
- Executes dropped EXE
PID:4772 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe43⤵
- Executes dropped EXE
PID:1800 -
\??\c:\0848604.exec:\0848604.exe44⤵
- Executes dropped EXE
PID:3376 -
\??\c:\84004.exec:\84004.exe45⤵
- Executes dropped EXE
PID:3932 -
\??\c:\djpdp.exec:\djpdp.exe46⤵
- Executes dropped EXE
PID:2316 -
\??\c:\9ffxrrr.exec:\9ffxrrr.exe47⤵
- Executes dropped EXE
PID:1692 -
\??\c:\3jjdp.exec:\3jjdp.exe48⤵
- Executes dropped EXE
PID:5056 -
\??\c:\426426.exec:\426426.exe49⤵
- Executes dropped EXE
PID:3664 -
\??\c:\dppdp.exec:\dppdp.exe50⤵
- Executes dropped EXE
PID:4032 -
\??\c:\668226.exec:\668226.exe51⤵
- Executes dropped EXE
PID:3028 -
\??\c:\9rlfxrr.exec:\9rlfxrr.exe52⤵
- Executes dropped EXE
PID:4516 -
\??\c:\40440.exec:\40440.exe53⤵
- Executes dropped EXE
PID:4984 -
\??\c:\djpdv.exec:\djpdv.exe54⤵
- Executes dropped EXE
PID:4676 -
\??\c:\rfrrxxf.exec:\rfrrxxf.exe55⤵
- Executes dropped EXE
PID:1064 -
\??\c:\8840688.exec:\8840688.exe56⤵
- Executes dropped EXE
PID:1208 -
\??\c:\4860602.exec:\4860602.exe57⤵
- Executes dropped EXE
PID:3796 -
\??\c:\dppdv.exec:\dppdv.exe58⤵
- Executes dropped EXE
PID:4792 -
\??\c:\vpvjd.exec:\vpvjd.exe59⤵
- Executes dropped EXE
PID:4964 -
\??\c:\hnnnbt.exec:\hnnnbt.exe60⤵
- Executes dropped EXE
PID:4380 -
\??\c:\ppppd.exec:\ppppd.exe61⤵
- Executes dropped EXE
PID:3480 -
\??\c:\i448204.exec:\i448204.exe62⤵
- Executes dropped EXE
PID:944 -
\??\c:\442082.exec:\442082.exe63⤵
- Executes dropped EXE
PID:3984 -
\??\c:\00888.exec:\00888.exe64⤵
- Executes dropped EXE
PID:2012 -
\??\c:\rrxrxxf.exec:\rrxrxxf.exe65⤵
- Executes dropped EXE
PID:3992 -
\??\c:\ntbnnh.exec:\ntbnnh.exe66⤵PID:4716
-
\??\c:\3fxlfxr.exec:\3fxlfxr.exe67⤵PID:2212
-
\??\c:\s0482.exec:\s0482.exe68⤵PID:2120
-
\??\c:\xrfxfxr.exec:\xrfxfxr.exe69⤵PID:3032
-
\??\c:\vjvvp.exec:\vjvvp.exe70⤵PID:5048
-
\??\c:\2860004.exec:\2860004.exe71⤵PID:4688
-
\??\c:\frfxxxr.exec:\frfxxxr.exe72⤵PID:4620
-
\??\c:\k66266.exec:\k66266.exe73⤵PID:1156
-
\??\c:\jdpjv.exec:\jdpjv.exe74⤵PID:556
-
\??\c:\02888.exec:\02888.exe75⤵PID:4216
-
\??\c:\vdpdv.exec:\vdpdv.exe76⤵PID:4484
-
\??\c:\4402448.exec:\4402448.exe77⤵PID:5012
-
\??\c:\62822.exec:\62822.exe78⤵PID:5028
-
\??\c:\04604.exec:\04604.exe79⤵PID:1592
-
\??\c:\tnnhbb.exec:\tnnhbb.exe80⤵PID:3196
-
\??\c:\dvdvv.exec:\dvdvv.exe81⤵PID:2560
-
\??\c:\64600.exec:\64600.exe82⤵PID:32
-
\??\c:\1bnbnh.exec:\1bnbnh.exe83⤵PID:3792
-
\??\c:\vjdvp.exec:\vjdvp.exe84⤵PID:3548
-
\??\c:\pvjdj.exec:\pvjdj.exe85⤵PID:3092
-
\??\c:\4460482.exec:\4460482.exe86⤵PID:4448
-
\??\c:\220622.exec:\220622.exe87⤵PID:1700
-
\??\c:\84600.exec:\84600.exe88⤵PID:2056
-
\??\c:\fxflfll.exec:\fxflfll.exe89⤵PID:4800
-
\??\c:\ffxxxxx.exec:\ffxxxxx.exe90⤵PID:2964
-
\??\c:\nhbhbt.exec:\nhbhbt.exe91⤵PID:4640
-
\??\c:\nhtnnn.exec:\nhtnnn.exe92⤵PID:4432
-
\??\c:\206660.exec:\206660.exe93⤵PID:4172
-
\??\c:\9jpjd.exec:\9jpjd.exe94⤵PID:2348
-
\??\c:\9bbnhn.exec:\9bbnhn.exe95⤵PID:4840
-
\??\c:\420468.exec:\420468.exe96⤵PID:4200
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe97⤵PID:3020
-
\??\c:\xrxrllf.exec:\xrxrllf.exe98⤵PID:3364
-
\??\c:\3rxrrxl.exec:\3rxrrxl.exe99⤵
- System Location Discovery: System Language Discovery
PID:368 -
\??\c:\xffffff.exec:\xffffff.exe100⤵PID:3628
-
\??\c:\pdjdv.exec:\pdjdv.exe101⤵PID:1132
-
\??\c:\rrxffff.exec:\rrxffff.exe102⤵PID:4456
-
\??\c:\i266660.exec:\i266660.exe103⤵PID:4832
-
\??\c:\hbnbbt.exec:\hbnbbt.exe104⤵PID:2996
-
\??\c:\6022002.exec:\6022002.exe105⤵PID:2948
-
\??\c:\lxfrfrr.exec:\lxfrfrr.exe106⤵PID:1684
-
\??\c:\nbnnnt.exec:\nbnnnt.exe107⤵PID:1552
-
\??\c:\4860000.exec:\4860000.exe108⤵PID:3500
-
\??\c:\rxlxrrr.exec:\rxlxrrr.exe109⤵PID:1792
-
\??\c:\tbbthh.exec:\tbbthh.exe110⤵PID:3932
-
\??\c:\i066004.exec:\i066004.exe111⤵PID:5100
-
\??\c:\0466226.exec:\0466226.exe112⤵PID:2248
-
\??\c:\tntnhh.exec:\tntnhh.exe113⤵PID:2616
-
\??\c:\828288.exec:\828288.exe114⤵PID:3664
-
\??\c:\2626880.exec:\2626880.exe115⤵PID:2684
-
\??\c:\hnbttt.exec:\hnbttt.exe116⤵PID:1536
-
\??\c:\jdvpj.exec:\jdvpj.exe117⤵PID:3276
-
\??\c:\822260.exec:\822260.exe118⤵PID:2740
-
\??\c:\xrrllll.exec:\xrrllll.exe119⤵PID:4612
-
\??\c:\848820.exec:\848820.exe120⤵PID:1064
-
\??\c:\a2288.exec:\a2288.exe121⤵PID:4236
-
\??\c:\btbhbb.exec:\btbhbb.exe122⤵PID:1136