Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
17-12-2024 07:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1239442c369e6f0d49109524b73b33ac03997cf9901a5d50ac2ee0dcdd1d1a58N.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
1239442c369e6f0d49109524b73b33ac03997cf9901a5d50ac2ee0dcdd1d1a58N.exe
-
Size
456KB
-
MD5
7f0a706e43a678c6f571aa287f86d590
-
SHA1
a55b983c3b4a5b8ce4376ab978573c729238ddc0
-
SHA256
1239442c369e6f0d49109524b73b33ac03997cf9901a5d50ac2ee0dcdd1d1a58
-
SHA512
8ddd85fb6f3ce5b51285faea231e8b92b4c5c979e19659e4dd98ae973fed6ec4f1814f920deb3d702e607f046dcfb8365da9de005ccd57cb2c169439d19e1339
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR8:q7Tc2NYHUrAwfMp3CDR8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3960-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4468-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4552-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-975-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-1003-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-1029-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-1033-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-1442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-1925-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 440 6844444.exe 4324 nbnnnt.exe 4908 vpvvv.exe 4060 02884.exe 3580 9pjdv.exe 3404 ppjjj.exe 2080 pjjdv.exe 1092 m6266.exe 5016 668266.exe 4352 fllfxxx.exe 1836 488488.exe 4808 9pppj.exe 4940 hbbtnn.exe 4392 0240442.exe 4056 8222666.exe 3572 8828626.exe 5092 vvjpp.exe 2300 4060680.exe 4844 424022.exe 3412 llxxlfr.exe 3820 jdjpp.exe 384 04286.exe 3060 c426666.exe 4928 xxlllxx.exe 1796 1vvvv.exe 1652 5rxxfff.exe 4504 20468.exe 2904 q40006.exe 412 vvvpj.exe 512 xxllrrx.exe 2480 jdjjd.exe 3976 dpppd.exe 4656 pdddj.exe 1704 btntbt.exe 640 dvvpv.exe 2744 8286844.exe 2168 c260246.exe 1724 thhhbh.exe 3308 ppvvp.exe 64 04402.exe 1504 84840.exe 3000 s0642.exe 3620 dvpdj.exe 4160 824822.exe 1236 tbhhht.exe 4336 rfllfll.exe 3628 nbbtnn.exe 2936 pjvpv.exe 4272 6448626.exe 1648 jdvvj.exe 668 684000.exe 4468 k08666.exe 3136 44884.exe 3980 m2826.exe 4676 bhbbhn.exe 1880 e22828.exe 3256 frfrrrl.exe 5068 jjjjj.exe 4060 3ttbbh.exe 692 5hnnbh.exe 3924 vdppp.exe 1388 206404.exe 3056 e86062.exe 2080 6442828.exe -
resource yara_rule behavioral2/memory/3960-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-265-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4160-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-429-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4136-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-884-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-975-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-1003-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-1029-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-1033-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-1442-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnhh.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4026088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6448626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffxx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3960 wrote to memory of 440 3960 1239442c369e6f0d49109524b73b33ac03997cf9901a5d50ac2ee0dcdd1d1a58N.exe 83 PID 3960 wrote to memory of 440 3960 1239442c369e6f0d49109524b73b33ac03997cf9901a5d50ac2ee0dcdd1d1a58N.exe 83 PID 3960 wrote to memory of 440 3960 1239442c369e6f0d49109524b73b33ac03997cf9901a5d50ac2ee0dcdd1d1a58N.exe 83 PID 440 wrote to memory of 4324 440 6844444.exe 84 PID 440 wrote to memory of 4324 440 6844444.exe 84 PID 440 wrote to memory of 4324 440 6844444.exe 84 PID 4324 wrote to memory of 4908 4324 nbnnnt.exe 85 PID 4324 wrote to memory of 4908 4324 nbnnnt.exe 85 PID 4324 wrote to memory of 4908 4324 nbnnnt.exe 85 PID 4908 wrote to memory of 4060 4908 vpvvv.exe 86 PID 4908 wrote to memory of 4060 4908 vpvvv.exe 86 PID 4908 wrote to memory of 4060 4908 vpvvv.exe 86 PID 4060 wrote to memory of 3580 4060 02884.exe 87 PID 4060 wrote to memory of 3580 4060 02884.exe 87 PID 4060 wrote to memory of 3580 4060 02884.exe 87 PID 3580 wrote to memory of 3404 3580 9pjdv.exe 88 PID 3580 wrote to memory of 3404 3580 9pjdv.exe 88 PID 3580 wrote to memory of 3404 3580 9pjdv.exe 88 PID 3404 wrote to memory of 2080 3404 ppjjj.exe 89 PID 3404 wrote to memory of 2080 3404 ppjjj.exe 89 PID 3404 wrote to memory of 2080 3404 ppjjj.exe 89 PID 2080 wrote to memory of 1092 2080 pjjdv.exe 90 PID 2080 wrote to memory of 1092 2080 pjjdv.exe 90 PID 2080 wrote to memory of 1092 2080 pjjdv.exe 90 PID 1092 wrote to memory of 5016 1092 m6266.exe 91 PID 1092 wrote to memory of 5016 1092 m6266.exe 91 PID 1092 wrote to memory of 5016 1092 m6266.exe 91 PID 5016 wrote to memory of 4352 5016 668266.exe 92 PID 5016 wrote to memory of 4352 5016 668266.exe 92 PID 5016 wrote to memory of 4352 5016 668266.exe 92 PID 4352 wrote to memory of 1836 4352 fllfxxx.exe 93 PID 4352 wrote to memory of 1836 4352 fllfxxx.exe 93 PID 4352 wrote to memory of 1836 4352 fllfxxx.exe 93 PID 1836 wrote to memory of 4808 1836 488488.exe 94 PID 1836 wrote to memory of 4808 1836 
488488.exe 94 PID 1836 wrote to memory of 4808 1836 488488.exe 94 PID 4808 wrote to memory of 4940 4808 9pppj.exe 95 PID 4808 wrote to memory of 4940 4808 9pppj.exe 95 PID 4808 wrote to memory of 4940 4808 9pppj.exe 95 PID 4940 wrote to memory of 4392 4940 hbbtnn.exe 96 PID 4940 wrote to memory of 4392 4940 hbbtnn.exe 96 PID 4940 wrote to memory of 4392 4940 hbbtnn.exe 96 PID 4392 wrote to memory of 4056 4392 0240442.exe 97 PID 4392 wrote to memory of 4056 4392 0240442.exe 97 PID 4392 wrote to memory of 4056 4392 0240442.exe 97 PID 4056 wrote to memory of 3572 4056 8222666.exe 98 PID 4056 wrote to memory of 3572 4056 8222666.exe 98 PID 4056 wrote to memory of 3572 4056 8222666.exe 98 PID 3572 wrote to memory of 5092 3572 8828626.exe 99 PID 3572 wrote to memory of 5092 3572 8828626.exe 99 PID 3572 wrote to memory of 5092 3572 8828626.exe 99 PID 5092 wrote to memory of 2300 5092 vvjpp.exe 100 PID 5092 wrote to memory of 2300 5092 vvjpp.exe 100 PID 5092 wrote to memory of 2300 5092 vvjpp.exe 100 PID 2300 wrote to memory of 4844 2300 4060680.exe 101 PID 2300 wrote to memory of 4844 2300 4060680.exe 101 PID 2300 wrote to memory of 4844 2300 4060680.exe 101 PID 4844 wrote to memory of 3412 4844 424022.exe 102 PID 4844 wrote to memory of 3412 4844 424022.exe 102 PID 4844 wrote to memory of 3412 4844 424022.exe 102 PID 3412 wrote to memory of 3820 3412 llxxlfr.exe 103 PID 3412 wrote to memory of 3820 3412 llxxlfr.exe 103 PID 3412 wrote to memory of 3820 3412 llxxlfr.exe 103 PID 3820 wrote to memory of 384 3820 jdjpp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1239442c369e6f0d49109524b73b33ac03997cf9901a5d50ac2ee0dcdd1d1a58N.exe"C:\Users\Admin\AppData\Local\Temp\1239442c369e6f0d49109524b73b33ac03997cf9901a5d50ac2ee0dcdd1d1a58N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\6844444.exec:\6844444.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\nbnnnt.exec:\nbnnnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\vpvvv.exec:\vpvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\02884.exec:\02884.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\9pjdv.exec:\9pjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\ppjjj.exec:\ppjjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\pjjdv.exec:\pjjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\m6266.exec:\m6266.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\668266.exec:\668266.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\fllfxxx.exec:\fllfxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\488488.exec:\488488.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\9pppj.exec:\9pppj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\hbbtnn.exec:\hbbtnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\0240442.exec:\0240442.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\8222666.exec:\8222666.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\8828626.exec:\8828626.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\vvjpp.exec:\vvjpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\4060680.exec:\4060680.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\424022.exec:\424022.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\llxxlfr.exec:\llxxlfr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\jdjpp.exec:\jdjpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\04286.exec:\04286.exe23⤵
- Executes dropped EXE
PID:384 -
\??\c:\c426666.exec:\c426666.exe24⤵
- Executes dropped EXE
PID:3060 -
\??\c:\xxlllxx.exec:\xxlllxx.exe25⤵
- Executes dropped EXE
PID:4928 -
\??\c:\1vvvv.exec:\1vvvv.exe26⤵
- Executes dropped EXE
PID:1796 -
\??\c:\5rxxfff.exec:\5rxxfff.exe27⤵
- Executes dropped EXE
PID:1652 -
\??\c:\20468.exec:\20468.exe28⤵
- Executes dropped EXE
PID:4504 -
\??\c:\q40006.exec:\q40006.exe29⤵
- Executes dropped EXE
PID:2904 -
\??\c:\vvvpj.exec:\vvvpj.exe30⤵
- Executes dropped EXE
PID:412 -
\??\c:\xxllrrx.exec:\xxllrrx.exe31⤵
- Executes dropped EXE
PID:512 -
\??\c:\jdjjd.exec:\jdjjd.exe32⤵
- Executes dropped EXE
PID:2480 -
\??\c:\dpppd.exec:\dpppd.exe33⤵
- Executes dropped EXE
PID:3976 -
\??\c:\pdddj.exec:\pdddj.exe34⤵
- Executes dropped EXE
PID:4656 -
\??\c:\btntbt.exec:\btntbt.exe35⤵
- Executes dropped EXE
PID:1704 -
\??\c:\dvvpv.exec:\dvvpv.exe36⤵
- Executes dropped EXE
PID:640 -
\??\c:\8286844.exec:\8286844.exe37⤵
- Executes dropped EXE
PID:2744 -
\??\c:\c260246.exec:\c260246.exe38⤵
- Executes dropped EXE
PID:2168 -
\??\c:\thhhbh.exec:\thhhbh.exe39⤵
- Executes dropped EXE
PID:1724 -
\??\c:\ppvvp.exec:\ppvvp.exe40⤵
- Executes dropped EXE
PID:3308 -
\??\c:\04402.exec:\04402.exe41⤵
- Executes dropped EXE
PID:64 -
\??\c:\84840.exec:\84840.exe42⤵
- Executes dropped EXE
PID:1504 -
\??\c:\s0642.exec:\s0642.exe43⤵
- Executes dropped EXE
PID:3000 -
\??\c:\dvpdj.exec:\dvpdj.exe44⤵
- Executes dropped EXE
PID:3620 -
\??\c:\824822.exec:\824822.exe45⤵
- Executes dropped EXE
PID:4160 -
\??\c:\tbhhht.exec:\tbhhht.exe46⤵
- Executes dropped EXE
PID:1236 -
\??\c:\rfllfll.exec:\rfllfll.exe47⤵
- Executes dropped EXE
PID:4336 -
\??\c:\nbbtnn.exec:\nbbtnn.exe48⤵
- Executes dropped EXE
PID:3628 -
\??\c:\pjvpv.exec:\pjvpv.exe49⤵
- Executes dropped EXE
PID:2936 -
\??\c:\6448626.exec:\6448626.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4272 -
\??\c:\jdvvj.exec:\jdvvj.exe51⤵
- Executes dropped EXE
PID:1648 -
\??\c:\684000.exec:\684000.exe52⤵
- Executes dropped EXE
PID:668 -
\??\c:\k08666.exec:\k08666.exe53⤵
- Executes dropped EXE
PID:4468 -
\??\c:\44884.exec:\44884.exe54⤵
- Executes dropped EXE
PID:3136 -
\??\c:\m2826.exec:\m2826.exe55⤵
- Executes dropped EXE
PID:3980 -
\??\c:\bhbbhn.exec:\bhbbhn.exe56⤵
- Executes dropped EXE
PID:4676 -
\??\c:\e22828.exec:\e22828.exe57⤵
- Executes dropped EXE
PID:1880 -
\??\c:\frfrrrl.exec:\frfrrrl.exe58⤵
- Executes dropped EXE
PID:3256 -
\??\c:\jjjjj.exec:\jjjjj.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5068 -
\??\c:\3ttbbh.exec:\3ttbbh.exe60⤵
- Executes dropped EXE
PID:4060 -
\??\c:\5hnnbh.exec:\5hnnbh.exe61⤵
- Executes dropped EXE
PID:692 -
\??\c:\vdppp.exec:\vdppp.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3924 -
\??\c:\206404.exec:\206404.exe63⤵
- Executes dropped EXE
PID:1388 -
\??\c:\e86062.exec:\e86062.exe64⤵
- Executes dropped EXE
PID:3056 -
\??\c:\6442828.exec:\6442828.exe65⤵
- Executes dropped EXE
PID:2080 -
\??\c:\2844062.exec:\2844062.exe66⤵PID:4376
-
\??\c:\vdjdp.exec:\vdjdp.exe67⤵PID:1432
-
\??\c:\7ffffll.exec:\7ffffll.exe68⤵PID:2308
-
\??\c:\vjjjj.exec:\vjjjj.exe69⤵PID:2100
-
\??\c:\62660.exec:\62660.exe70⤵PID:2704
-
\??\c:\68604.exec:\68604.exe71⤵PID:2808
-
\??\c:\462482.exec:\462482.exe72⤵PID:4808
-
\??\c:\062888.exec:\062888.exe73⤵PID:4392
-
\??\c:\64406.exec:\64406.exe74⤵PID:3132
-
\??\c:\e44488.exec:\e44488.exe75⤵PID:3192
-
\??\c:\062224.exec:\062224.exe76⤵PID:3840
-
\??\c:\djvvp.exec:\djvvp.exe77⤵PID:3572
-
\??\c:\ddvjp.exec:\ddvjp.exe78⤵PID:3892
-
\??\c:\9vjjd.exec:\9vjjd.exe79⤵PID:3728
-
\??\c:\rrxxllr.exec:\rrxxllr.exe80⤵PID:3888
-
\??\c:\4066622.exec:\4066622.exe81⤵PID:1088
-
\??\c:\nnbbtt.exec:\nnbbtt.exe82⤵PID:384
-
\??\c:\k64422.exec:\k64422.exe83⤵PID:1684
-
\??\c:\24482.exec:\24482.exe84⤵PID:1736
-
\??\c:\rlrlrrr.exec:\rlrlrrr.exe85⤵PID:4552
-
\??\c:\640266.exec:\640266.exe86⤵PID:1716
-
\??\c:\dvvdv.exec:\dvvdv.exe87⤵PID:4496
-
\??\c:\a6260.exec:\a6260.exe88⤵PID:2928
-
\??\c:\624822.exec:\624822.exe89⤵PID:3932
-
\??\c:\pjjdp.exec:\pjjdp.exe90⤵PID:412
-
\??\c:\268844.exec:\268844.exe91⤵PID:2480
-
\??\c:\nhbnht.exec:\nhbnht.exe92⤵PID:3624
-
\??\c:\xfxxrrr.exec:\xfxxrrr.exe93⤵
- System Location Discovery: System Language Discovery
PID:1808 -
\??\c:\jvjdv.exec:\jvjdv.exe94⤵PID:4388
-
\??\c:\i882022.exec:\i882022.exe95⤵PID:1620
-
\??\c:\1frrlll.exec:\1frrlll.exe96⤵PID:4008
-
\??\c:\frffxrl.exec:\frffxrl.exe97⤵PID:1896
-
\??\c:\0268082.exec:\0268082.exe98⤵PID:1160
-
\??\c:\vdvdd.exec:\vdvdd.exe99⤵PID:2748
-
\??\c:\hbtnbn.exec:\hbtnbn.exe100⤵PID:4792
-
\??\c:\484488.exec:\484488.exe101⤵PID:1504
-
\??\c:\jpddj.exec:\jpddj.exe102⤵PID:1436
-
\??\c:\g0660.exec:\g0660.exe103⤵PID:1372
-
\??\c:\0688226.exec:\0688226.exe104⤵PID:1828
-
\??\c:\ntbtnt.exec:\ntbtnt.exe105⤵PID:4160
-
\??\c:\6060060.exec:\6060060.exe106⤵PID:2552
-
\??\c:\48060.exec:\48060.exe107⤵PID:2844
-
\??\c:\6668466.exec:\6668466.exe108⤵PID:5008
-
\??\c:\nhhtbn.exec:\nhhtbn.exe109⤵PID:4960
-
\??\c:\46464.exec:\46464.exe110⤵PID:4136
-
\??\c:\84288.exec:\84288.exe111⤵PID:4272
-
\??\c:\xxllllr.exec:\xxllllr.exe112⤵PID:2856
-
\??\c:\24228.exec:\24228.exe113⤵PID:2268
-
\??\c:\pdjjj.exec:\pdjjj.exe114⤵PID:4468
-
\??\c:\2622884.exec:\2622884.exe115⤵PID:3136
-
\??\c:\pvdjv.exec:\pvdjv.exe116⤵PID:440
-
\??\c:\444888.exec:\444888.exe117⤵PID:3980
-
\??\c:\604004.exec:\604004.exe118⤵PID:4944
-
\??\c:\xrxrlll.exec:\xrxrlll.exe119⤵PID:3568
-
\??\c:\tnbtbh.exec:\tnbtbh.exe120⤵PID:4340
-
\??\c:\jjjdv.exec:\jjjdv.exe121⤵PID:4996
-
\??\c:\bbhhhh.exec:\bbhhhh.exe122⤵PID:4444