Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 20:27
Behavioral task
behavioral1
Sample
1fcc8c976fb3591ad059be4b34199991df72c41fec89c0491bb83f45b6f8b4dc.exe
Resource
win7-20240903-en
General
-
Target
1fcc8c976fb3591ad059be4b34199991df72c41fec89c0491bb83f45b6f8b4dc.exe
-
Size
79KB
-
MD5
fb1fd035f1e8b278cc61ad4c6994f02c
-
SHA1
7ee7405d8b19b01da9fa0fa4bd1f4bf04b3f6d9d
-
SHA256
1fcc8c976fb3591ad059be4b34199991df72c41fec89c0491bb83f45b6f8b4dc
-
SHA512
4bb26691d8110924b214e99353b83a42145e7b57f26520561970870fd95e363b687b9792b52a400efeecf45024612184523312f4c75955ee3a07901a2630171c
-
SSDEEP
1536:xvQBeOGtrYS3srx93UBWfwC6Ggnouy82F13w1rCJtzC8BSYobia:xhOmTsF93UYfwC6GIout03Lze8BSYobh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
Processes:
resource yara_rule behavioral2/memory/4940-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1248-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1228-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3404-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2888-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4492-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3436-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3808-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3008-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1408-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/724-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4948-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/836-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1028-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4324-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1272-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1176-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4148-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2664-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2940-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/456-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4412-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1104-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1756-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/544-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1588-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1992-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2424-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2652-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4612-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2780-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5020-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3356-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-461-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1172-471-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4612-484-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/528-491-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/724-526-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4196-536-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1728-591-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1512-646-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3644-665-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-684-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-955-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/724-1185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4224-1436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
9nbtth.exe8440880.exe0268882.exedjvvj.exe2644024.exe68044.exe680866.exe8640666.exexxrllrl.exe602806.exe7ffxlrr.exevvppp.exe048406.exevpvpd.exejjdpv.exe06888.exefxxrrrr.exe62066.exei022228.exehtnhhn.exenhnhhh.exe628484.exeppddj.exevpdpv.exedvpvp.exe2466406.exe9ppvd.exe6800060.exehhhhnt.exefffxrrr.exexrlxxxr.exe02826.exepvjdp.exe4462280.exe66888.exexlrrlll.exepjpvd.exejvvjp.exelllfxxx.exe46040.exe88404.exe406048.exe8466600.exehbnhtn.exe24868.exe02404.exe2680668.exebhbbbb.exe866604.exe44226.exetttnnh.exem6608.exejvpjp.exenhnhtn.exe8448282.exexflxrrl.exexrlfrlx.exebthnhn.exe884426.exeo004260.exeg6260.exe64820.exe2004820.exelxffxxr.exepid Process 4940 9nbtth.exe 1228 8440880.exe 2888 0268882.exe 5012 djvvj.exe 3404 2644024.exe 1264 68044.exe 4492 680866.exe 4900 8640666.exe 3824 xxrllrl.exe 3436 602806.exe 2692 7ffxlrr.exe 3808 vvppp.exe 3008 048406.exe 4272 vpvpd.exe 5096 jjdpv.exe 1296 06888.exe 2260 fxxrrrr.exe 1408 62066.exe 5028 i022228.exe 1532 htnhhn.exe 4548 nhnhhh.exe 2212 628484.exe 724 ppddj.exe 3664 vpdpv.exe 1116 dvpvp.exe 3732 2466406.exe 4948 9ppvd.exe 1028 6800060.exe 836 hhhhnt.exe 4324 fffxrrr.exe 4632 xrlxxxr.exe 1256 02826.exe 1272 pvjdp.exe 1176 4462280.exe 3520 66888.exe 3956 xlrrlll.exe 1944 pjpvd.exe 4148 jvvjp.exe 1728 lllfxxx.exe 2664 46040.exe 5100 88404.exe 2940 406048.exe 3264 8466600.exe 2576 hbnhtn.exe 2996 24868.exe 4320 02404.exe 456 2680668.exe 4880 bhbbbb.exe 4412 866604.exe 4888 44226.exe 1104 tttnnh.exe 4136 m6608.exe 1756 jvpjp.exe 544 nhnhtn.exe 3768 8448282.exe 2108 xflxrrl.exe 3144 xrlfrlx.exe 4564 bthnhn.exe 4528 884426.exe 1468 o004260.exe 1588 g6260.exe 1992 64820.exe 2424 2004820.exe 2652 lxffxxr.exe -
Processes:
resource yara_rule behavioral2/memory/1248-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c52-4.dat upx behavioral2/memory/4940-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1248-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1228-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-16.dat upx behavioral2/memory/1228-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5012-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3404-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-36.dat upx behavioral2/files/0x0007000000023cb4-30.dat upx behavioral2/files/0x0007000000023cb3-24.dat upx behavioral2/files/0x0007000000023cb6-41.dat upx behavioral2/memory/1264-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2888-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-11.dat upx behavioral2/files/0x0007000000023cb7-46.dat upx behavioral2/memory/4492-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-52.dat upx behavioral2/files/0x0007000000023cb9-56.dat upx behavioral2/files/0x0007000000023cba-63.dat upx behavioral2/memory/3436-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-67.dat upx behavioral2/memory/2692-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-72.dat upx behavioral2/memory/3808-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-78.dat upx behavioral2/memory/3008-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-84.dat upx behavioral2/files/0x0007000000023cbf-89.dat upx behavioral2/memory/5096-91-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cc0-95.dat upx behavioral2/files/0x0007000000023cc1-100.dat upx behavioral2/memory/2260-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-106.dat upx behavioral2/memory/1408-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-112.dat upx behavioral2/memory/5028-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-118.dat upx behavioral2/files/0x0007000000023cc5-123.dat upx behavioral2/files/0x0007000000023cc6-128.dat upx behavioral2/files/0x0007000000023cc7-133.dat upx behavioral2/memory/724-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3664-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc8-141.dat upx behavioral2/files/0x0008000000023cae-145.dat upx behavioral2/memory/1116-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc9-152.dat upx behavioral2/memory/4948-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-163.dat upx behavioral2/memory/836-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1028-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccb-157.dat upx behavioral2/files/0x0007000000023ccd-170.dat upx behavioral2/memory/4324-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4632-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cce-175.dat upx behavioral2/files/0x0007000000023ccf-182.dat upx behavioral2/memory/1272-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1176-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1944-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3956-203-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4148-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2664-214-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
Processes:
408468.exe6448260.exe2622022.exevvppp.exerfllllf.exehntnbt.exe8666448.exerlfxxrr.exe086840.exe604400.exe064066.exepjvjv.exe26220.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 408468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6448260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2622022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8666448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604400.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 064066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1fcc8c976fb3591ad059be4b34199991df72c41fec89c0491bb83f45b6f8b4dc.exe9nbtth.exe8440880.exe0268882.exedjvvj.exe2644024.exe68044.exe680866.exe8640666.exexxrllrl.exe602806.exe7ffxlrr.exevvppp.exe048406.exevpvpd.exejjdpv.exe06888.exefxxrrrr.exe62066.exei022228.exehtnhhn.exenhnhhh.exedescription pid Process procid_target PID 1248 wrote to memory of 4940 1248 1fcc8c976fb3591ad059be4b34199991df72c41fec89c0491bb83f45b6f8b4dc.exe 83 PID 1248 wrote to memory of 4940 1248 1fcc8c976fb3591ad059be4b34199991df72c41fec89c0491bb83f45b6f8b4dc.exe 83 PID 1248 wrote to memory of 4940 1248 1fcc8c976fb3591ad059be4b34199991df72c41fec89c0491bb83f45b6f8b4dc.exe 83 PID 4940 wrote to memory of 1228 4940 9nbtth.exe 84 PID 4940 wrote to memory of 1228 4940 9nbtth.exe 84 PID 4940 wrote to memory of 1228 4940 9nbtth.exe 84 PID 1228 wrote to memory of 2888 1228 8440880.exe 85 PID 1228 wrote to memory of 2888 1228 8440880.exe 85 PID 1228 wrote to memory of 2888 1228 8440880.exe 85 PID 2888 wrote to memory of 5012 2888 0268882.exe 86 PID 2888 wrote to memory of 5012 2888 0268882.exe 86 PID 2888 wrote to memory of 5012 2888 0268882.exe 86 PID 5012 wrote to memory of 3404 5012 djvvj.exe 87 PID 5012 wrote to memory of 3404 5012 djvvj.exe 87 PID 5012 wrote to memory of 3404 5012 djvvj.exe 87 PID 3404 wrote to memory of 1264 3404 2644024.exe 88 PID 3404 wrote to memory of 1264 3404 2644024.exe 88 PID 3404 wrote to memory of 1264 3404 2644024.exe 88 PID 1264 wrote to memory of 4492 1264 68044.exe 89 PID 1264 wrote to memory of 4492 1264 68044.exe 89 PID 1264 wrote to memory of 4492 1264 68044.exe 89 PID 4492 wrote to memory of 4900 4492 680866.exe 90 PID 4492 wrote to memory of 4900 4492 680866.exe 90 PID 4492 wrote to memory of 4900 4492 680866.exe 90 PID 4900 wrote to memory of 3824 4900 8640666.exe 91 PID 4900 wrote to memory of 3824 4900 8640666.exe 91 PID 4900 wrote to memory of 3824 4900 8640666.exe 91 PID 3824 wrote to memory of 3436 3824 xxrllrl.exe 92 PID 3824 wrote to memory of 3436 3824 
xxrllrl.exe 92 PID 3824 wrote to memory of 3436 3824 xxrllrl.exe 92 PID 3436 wrote to memory of 2692 3436 602806.exe 93 PID 3436 wrote to memory of 2692 3436 602806.exe 93 PID 3436 wrote to memory of 2692 3436 602806.exe 93 PID 2692 wrote to memory of 3808 2692 7ffxlrr.exe 94 PID 2692 wrote to memory of 3808 2692 7ffxlrr.exe 94 PID 2692 wrote to memory of 3808 2692 7ffxlrr.exe 94 PID 3808 wrote to memory of 3008 3808 vvppp.exe 95 PID 3808 wrote to memory of 3008 3808 vvppp.exe 95 PID 3808 wrote to memory of 3008 3808 vvppp.exe 95 PID 3008 wrote to memory of 4272 3008 048406.exe 96 PID 3008 wrote to memory of 4272 3008 048406.exe 96 PID 3008 wrote to memory of 4272 3008 048406.exe 96 PID 4272 wrote to memory of 5096 4272 vpvpd.exe 97 PID 4272 wrote to memory of 5096 4272 vpvpd.exe 97 PID 4272 wrote to memory of 5096 4272 vpvpd.exe 97 PID 5096 wrote to memory of 1296 5096 jjdpv.exe 98 PID 5096 wrote to memory of 1296 5096 jjdpv.exe 98 PID 5096 wrote to memory of 1296 5096 jjdpv.exe 98 PID 1296 wrote to memory of 2260 1296 06888.exe 99 PID 1296 wrote to memory of 2260 1296 06888.exe 99 PID 1296 wrote to memory of 2260 1296 06888.exe 99 PID 2260 wrote to memory of 1408 2260 fxxrrrr.exe 100 PID 2260 wrote to memory of 1408 2260 fxxrrrr.exe 100 PID 2260 wrote to memory of 1408 2260 fxxrrrr.exe 100 PID 1408 wrote to memory of 5028 1408 62066.exe 101 PID 1408 wrote to memory of 5028 1408 62066.exe 101 PID 1408 wrote to memory of 5028 1408 62066.exe 101 PID 5028 wrote to memory of 1532 5028 i022228.exe 102 PID 5028 wrote to memory of 1532 5028 i022228.exe 102 PID 5028 wrote to memory of 1532 5028 i022228.exe 102 PID 1532 wrote to memory of 4548 1532 htnhhn.exe 103 PID 1532 wrote to memory of 4548 1532 htnhhn.exe 103 PID 1532 wrote to memory of 4548 1532 htnhhn.exe 103 PID 4548 wrote to memory of 2212 4548 nhnhhh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fcc8c976fb3591ad059be4b34199991df72c41fec89c0491bb83f45b6f8b4dc.exe"C:\Users\Admin\AppData\Local\Temp\1fcc8c976fb3591ad059be4b34199991df72c41fec89c0491bb83f45b6f8b4dc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\9nbtth.exec:\9nbtth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\8440880.exec:\8440880.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\0268882.exec:\0268882.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\djvvj.exec:\djvvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\2644024.exec:\2644024.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\68044.exec:\68044.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\680866.exec:\680866.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\8640666.exec:\8640666.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\xxrllrl.exec:\xxrllrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\602806.exec:\602806.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\7ffxlrr.exec:\7ffxlrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\vvppp.exec:\vvppp.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\048406.exec:\048406.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\vpvpd.exec:\vpvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\jjdpv.exec:\jjdpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\06888.exec:\06888.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\62066.exec:\62066.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\i022228.exec:\i022228.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\htnhhn.exec:\htnhhn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\nhnhhh.exec:\nhnhhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\628484.exec:\628484.exe23⤵
- Executes dropped EXE
PID:2212 -
\??\c:\ppddj.exec:\ppddj.exe24⤵
- Executes dropped EXE
PID:724 -
\??\c:\vpdpv.exec:\vpdpv.exe25⤵
- Executes dropped EXE
PID:3664 -
\??\c:\dvpvp.exec:\dvpvp.exe26⤵
- Executes dropped EXE
PID:1116 -
\??\c:\2466406.exec:\2466406.exe27⤵
- Executes dropped EXE
PID:3732 -
\??\c:\9ppvd.exec:\9ppvd.exe28⤵
- Executes dropped EXE
PID:4948 -
\??\c:\6800060.exec:\6800060.exe29⤵
- Executes dropped EXE
PID:1028 -
\??\c:\hhhhnt.exec:\hhhhnt.exe30⤵
- Executes dropped EXE
PID:836 -
\??\c:\fffxrrr.exec:\fffxrrr.exe31⤵
- Executes dropped EXE
PID:4324 -
\??\c:\xrlxxxr.exec:\xrlxxxr.exe32⤵
- Executes dropped EXE
PID:4632 -
\??\c:\02826.exec:\02826.exe33⤵
- Executes dropped EXE
PID:1256 -
\??\c:\pvjdp.exec:\pvjdp.exe34⤵
- Executes dropped EXE
PID:1272 -
\??\c:\4462280.exec:\4462280.exe35⤵
- Executes dropped EXE
PID:1176 -
\??\c:\66888.exec:\66888.exe36⤵
- Executes dropped EXE
PID:3520 -
\??\c:\xlrrlll.exec:\xlrrlll.exe37⤵
- Executes dropped EXE
PID:3956 -
\??\c:\pjpvd.exec:\pjpvd.exe38⤵
- Executes dropped EXE
PID:1944 -
\??\c:\jvvjp.exec:\jvvjp.exe39⤵
- Executes dropped EXE
PID:4148 -
\??\c:\lllfxxx.exec:\lllfxxx.exe40⤵
- Executes dropped EXE
PID:1728 -
\??\c:\46040.exec:\46040.exe41⤵
- Executes dropped EXE
PID:2664 -
\??\c:\88404.exec:\88404.exe42⤵
- Executes dropped EXE
PID:5100 -
\??\c:\406048.exec:\406048.exe43⤵
- Executes dropped EXE
PID:2940 -
\??\c:\8466600.exec:\8466600.exe44⤵
- Executes dropped EXE
PID:3264 -
\??\c:\hbnhtn.exec:\hbnhtn.exe45⤵
- Executes dropped EXE
PID:2576 -
\??\c:\24868.exec:\24868.exe46⤵
- Executes dropped EXE
PID:2996 -
\??\c:\02404.exec:\02404.exe47⤵
- Executes dropped EXE
PID:4320 -
\??\c:\2680668.exec:\2680668.exe48⤵
- Executes dropped EXE
PID:456 -
\??\c:\bhbbbb.exec:\bhbbbb.exe49⤵
- Executes dropped EXE
PID:4880 -
\??\c:\866604.exec:\866604.exe50⤵
- Executes dropped EXE
PID:4412 -
\??\c:\44226.exec:\44226.exe51⤵
- Executes dropped EXE
PID:4888 -
\??\c:\tttnnh.exec:\tttnnh.exe52⤵
- Executes dropped EXE
PID:1104 -
\??\c:\m6608.exec:\m6608.exe53⤵
- Executes dropped EXE
PID:4136 -
\??\c:\jvpjp.exec:\jvpjp.exe54⤵
- Executes dropped EXE
PID:1756 -
\??\c:\nhnhtn.exec:\nhnhtn.exe55⤵
- Executes dropped EXE
PID:544 -
\??\c:\8448282.exec:\8448282.exe56⤵
- Executes dropped EXE
PID:3768 -
\??\c:\xflxrrl.exec:\xflxrrl.exe57⤵
- Executes dropped EXE
PID:2108 -
\??\c:\xrlfrlx.exec:\xrlfrlx.exe58⤵
- Executes dropped EXE
PID:3144 -
\??\c:\bthnhn.exec:\bthnhn.exe59⤵
- Executes dropped EXE
PID:4564 -
\??\c:\884426.exec:\884426.exe60⤵
- Executes dropped EXE
PID:4528 -
\??\c:\o004260.exec:\o004260.exe61⤵
- Executes dropped EXE
PID:1468 -
\??\c:\g6260.exec:\g6260.exe62⤵
- Executes dropped EXE
PID:1588 -
\??\c:\64820.exec:\64820.exe63⤵
- Executes dropped EXE
PID:1992 -
\??\c:\2004820.exec:\2004820.exe64⤵
- Executes dropped EXE
PID:2424 -
\??\c:\lxffxxr.exec:\lxffxxr.exe65⤵
- Executes dropped EXE
PID:2652 -
\??\c:\9jvvd.exec:\9jvvd.exe66⤵PID:3868
-
\??\c:\822660.exec:\822660.exe67⤵PID:4612
-
\??\c:\5bhnbh.exec:\5bhnbh.exe68⤵PID:3092
-
\??\c:\rxrrrrl.exec:\rxrrrrl.exe69⤵PID:2780
-
\??\c:\rfllllf.exec:\rfllllf.exe70⤵
- System Location Discovery: System Language Discovery
PID:3048 -
\??\c:\408826.exec:\408826.exe71⤵PID:760
-
\??\c:\82006.exec:\82006.exe72⤵PID:3156
-
\??\c:\1tttnt.exec:\1tttnt.exe73⤵PID:3864
-
\??\c:\vpppd.exec:\vpppd.exe74⤵PID:3964
-
\??\c:\e06600.exec:\e06600.exe75⤵PID:2260
-
\??\c:\rrrllll.exec:\rrrllll.exe76⤵PID:1408
-
\??\c:\480000.exec:\480000.exe77⤵PID:1792
-
\??\c:\jvddv.exec:\jvddv.exe78⤵PID:5020
-
\??\c:\2648040.exec:\2648040.exe79⤵PID:3640
-
\??\c:\u860488.exec:\u860488.exe80⤵PID:4548
-
\??\c:\48628.exec:\48628.exe81⤵PID:372
-
\??\c:\vppjv.exec:\vppjv.exe82⤵PID:3308
-
\??\c:\rxlflfx.exec:\rxlflfx.exe83⤵PID:2468
-
\??\c:\pvvvp.exec:\pvvvp.exe84⤵PID:1616
-
\??\c:\xllffxr.exec:\xllffxr.exe85⤵PID:4552
-
\??\c:\3hbbbt.exec:\3hbbbt.exe86⤵PID:3260
-
\??\c:\6800666.exec:\6800666.exe87⤵PID:3800
-
\??\c:\6284448.exec:\6284448.exe88⤵PID:4368
-
\??\c:\60600.exec:\60600.exe89⤵PID:2272
-
\??\c:\o628000.exec:\o628000.exe90⤵PID:860
-
\??\c:\jpdpv.exec:\jpdpv.exe91⤵PID:944
-
\??\c:\00660.exec:\00660.exe92⤵PID:4952
-
\??\c:\0026222.exec:\0026222.exe93⤵PID:928
-
\??\c:\llfxllx.exec:\llfxllx.exe94⤵PID:4380
-
\??\c:\djppj.exec:\djppj.exe95⤵PID:1644
-
\??\c:\jpvdv.exec:\jpvdv.exe96⤵PID:3356
-
\??\c:\48882.exec:\48882.exe97⤵PID:4156
-
\??\c:\dddvv.exec:\dddvv.exe98⤵PID:1680
-
\??\c:\9ppjd.exec:\9ppjd.exe99⤵PID:912
-
\??\c:\7flllll.exec:\7flllll.exe100⤵PID:3152
-
\??\c:\k24066.exec:\k24066.exe101⤵PID:1728
-
\??\c:\ppvpp.exec:\ppvpp.exe102⤵PID:8
-
\??\c:\4824040.exec:\4824040.exe103⤵PID:4488
-
\??\c:\62844.exec:\62844.exe104⤵PID:1724
-
\??\c:\btbttt.exec:\btbttt.exe105⤵PID:1544
-
\??\c:\rxrxrxx.exec:\rxrxrxx.exe106⤵PID:1564
-
\??\c:\00844.exec:\00844.exe107⤵PID:4344
-
\??\c:\6088222.exec:\6088222.exe108⤵PID:2084
-
\??\c:\440448.exec:\440448.exe109⤵PID:4104
-
\??\c:\vdjdv.exec:\vdjdv.exe110⤵PID:4572
-
\??\c:\ttbbtb.exec:\ttbbtb.exe111⤵PID:736
-
\??\c:\68226.exec:\68226.exe112⤵PID:4888
-
\??\c:\ffxfxxl.exec:\ffxfxxl.exe113⤵PID:4420
-
\??\c:\lxlrrrl.exec:\lxlrrrl.exe114⤵PID:3380
-
\??\c:\0466226.exec:\0466226.exe115⤵PID:3404
-
\??\c:\5dddv.exec:\5dddv.exe116⤵PID:1264
-
\??\c:\4028884.exec:\4028884.exe117⤵PID:3352
-
\??\c:\3lrxfrf.exec:\3lrxfrf.exe118⤵PID:1132
-
\??\c:\ntbttn.exec:\ntbttn.exe119⤵PID:1172
-
\??\c:\808208.exec:\808208.exe120⤵PID:2424
-
\??\c:\ntnnnb.exec:\ntnnnb.exe121⤵PID:4000
-
\??\c:\1tnnhh.exec:\1tnnhh.exe122⤵PID:3808