Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18-12-2024 23:36
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
892cabcf2f712dbd6d20073858c3090fc34596eb03fa9d9d2143d1c0c9549d7e.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
892cabcf2f712dbd6d20073858c3090fc34596eb03fa9d9d2143d1c0c9549d7e.exe
-
Size
454KB
-
MD5 (lookup/correlation only — collision-prone, not an integrity guarantee; pivot on the SHA256 below)
32c503734c19314ee45dd6faee045a7e
-
SHA1
7e30ff9341d3c82ebe21fa4b68dc8bcaca8809a3
-
SHA256
892cabcf2f712dbd6d20073858c3090fc34596eb03fa9d9d2143d1c0c9549d7e
-
SHA512
69e660f4d669c3451cf05f8fe1b7bde9afdc9603d6010ea27d67c694215f1dec3bb74bb0412d6b84206dc10e5cbe80beb55b9544047745add4fbfdd1171d666b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbecMt:q7Tc2NYHUrAwfMp3CDpt
Malware Config
Signatures (all entries below are tagged behavioral2, i.e. the Windows 10 2004 x64 run described in the Analysis header; the behavioral1 / Windows 7 task listed above is a separate run whose results are not shown on this page. The third table, tagged `upx`, has lost its heading in this extraction — it is the UPX-packer detection firing on the same 0x400000–0x42A000 memory regions as the Blackmoon rule.)
-
Blackmoon family (classification derived from the family_blackmoon YARA rule matching in-memory dumps; see the IoC table below)
-
Detects Blackmoon payload — 63 IoCs (YARA rule family_blackmoon matched on memory dumps of the dropped executables; every hit covers the same 0x0000000000400000–0x000000000042A000 range, consistent with each dropped file being the same image loaded at the same base)
resource yara_rule behavioral2/memory/1168-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5004-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/512-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-807-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-1060-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-1447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-1810-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (table is truncated at 64; the process tree below shows the chain continuing past depth 120. Each dropped executable launches the next one, and PIDs recur in the tree — e.g. 1796 at depth 2 and again at depth 51, 4740 at depths 3 and 53 — which means earlier links exit before later ones start, so a point-in-time process listing on a live host will only show the tail of the chain.)
pid Process 1796 1ddvp.exe 4740 266600.exe 1520 ppddd.exe 3520 4400004.exe 4912 628882.exe 4768 428260.exe 4460 86688.exe 1496 80604.exe 4464 ffllxlr.exe 960 fxllrrx.exe 2032 bbnnbb.exe 1176 vpvpd.exe 4296 pdjvp.exe 100 4626026.exe 4012 pjvdd.exe 2628 xrxrrrl.exe 3724 2426048.exe 3668 lfffffx.exe 60 600262.exe 4648 1djjd.exe 5012 xlrlllf.exe 4676 tbhbtn.exe 3688 pjdvp.exe 1988 26826.exe 2020 684488.exe 2372 468828.exe 3124 2800444.exe 5004 4206846.exe 2260 frlfllr.exe 3672 002822.exe 5064 thtntn.exe 4828 tbbtbh.exe 1656 o004260.exe 3744 20682.exe 2168 frxlfxr.exe 2556 2604860.exe 4088 440822.exe 2152 thnhbh.exe 2452 686802.exe 4928 htnbnb.exe 1064 2688440.exe 1420 dvddd.exe 392 hbbhbn.exe 2204 fxxrlll.exe 3956 pjpjd.exe 636 jdvpj.exe 1904 rlfxlxr.exe 4444 pvppj.exe 316 1hnbtt.exe 1796 02628.exe 3252 bnthbt.exe 4740 240426.exe 4940 lxlflfx.exe 4244 4408264.exe 2272 rxfxfxx.exe 1180 6464266.exe 840 806048.exe 3760 rrlffxx.exe 4544 24680.exe 1280 40048.exe 3152 m6086.exe 2040 82426.exe 4308 tnbtbb.exe 3556 8208888.exe -
resource yara_rule behavioral2/memory/1168-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3672-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-374-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2548-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-761-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-1060-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The indicator is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Note that most rows below show "Process not Found": the process had already exited by the time the sandbox resolved the PID, which is consistent with the short-lived spawn chain in the process tree. On its own this registry read is low-fidelity — legitimate software performs the same locale lookup — so treat it as supporting context rather than a standalone detection.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 402888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 446462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u682008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0442046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44260.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (each row is a parent writing into the child it has just launched, matching the parent→child pairs in the process tree; every event is listed three times. Cross-process writes between a parent and its own freshly created child are the normal pattern for process creation/hollowing-style loaders, so correlate with the "Executes dropped EXE" chain rather than treating each write as a separate injection into an unrelated process.)
description pid Process procid_target PID 1168 wrote to memory of 1796 1168 892cabcf2f712dbd6d20073858c3090fc34596eb03fa9d9d2143d1c0c9549d7e.exe 82 PID 1168 wrote to memory of 1796 1168 892cabcf2f712dbd6d20073858c3090fc34596eb03fa9d9d2143d1c0c9549d7e.exe 82 PID 1168 wrote to memory of 1796 1168 892cabcf2f712dbd6d20073858c3090fc34596eb03fa9d9d2143d1c0c9549d7e.exe 82 PID 1796 wrote to memory of 4740 1796 1ddvp.exe 83 PID 1796 wrote to memory of 4740 1796 1ddvp.exe 83 PID 1796 wrote to memory of 4740 1796 1ddvp.exe 83 PID 4740 wrote to memory of 1520 4740 266600.exe 84 PID 4740 wrote to memory of 1520 4740 266600.exe 84 PID 4740 wrote to memory of 1520 4740 266600.exe 84 PID 1520 wrote to memory of 3520 1520 ppddd.exe 85 PID 1520 wrote to memory of 3520 1520 ppddd.exe 85 PID 1520 wrote to memory of 3520 1520 ppddd.exe 85 PID 3520 wrote to memory of 4912 3520 4400004.exe 86 PID 3520 wrote to memory of 4912 3520 4400004.exe 86 PID 3520 wrote to memory of 4912 3520 4400004.exe 86 PID 4912 wrote to memory of 4768 4912 628882.exe 87 PID 4912 wrote to memory of 4768 4912 628882.exe 87 PID 4912 wrote to memory of 4768 4912 628882.exe 87 PID 4768 wrote to memory of 4460 4768 428260.exe 88 PID 4768 wrote to memory of 4460 4768 428260.exe 88 PID 4768 wrote to memory of 4460 4768 428260.exe 88 PID 4460 wrote to memory of 1496 4460 86688.exe 89 PID 4460 wrote to memory of 1496 4460 86688.exe 89 PID 4460 wrote to memory of 1496 4460 86688.exe 89 PID 1496 wrote to memory of 4464 1496 80604.exe 90 PID 1496 wrote to memory of 4464 1496 80604.exe 90 PID 1496 wrote to memory of 4464 1496 80604.exe 90 PID 4464 wrote to memory of 960 4464 ffllxlr.exe 91 PID 4464 wrote to memory of 960 4464 ffllxlr.exe 91 PID 4464 wrote to memory of 960 4464 ffllxlr.exe 91 PID 960 wrote to memory of 2032 960 fxllrrx.exe 92 PID 960 wrote to memory of 2032 960 fxllrrx.exe 92 PID 960 wrote to memory of 2032 960 fxllrrx.exe 92 PID 2032 wrote to memory of 1176 2032 bbnnbb.exe 93 PID 2032 wrote to memory of 
1176 2032 bbnnbb.exe 93 PID 2032 wrote to memory of 1176 2032 bbnnbb.exe 93 PID 1176 wrote to memory of 4296 1176 vpvpd.exe 94 PID 1176 wrote to memory of 4296 1176 vpvpd.exe 94 PID 1176 wrote to memory of 4296 1176 vpvpd.exe 94 PID 4296 wrote to memory of 100 4296 pdjvp.exe 95 PID 4296 wrote to memory of 100 4296 pdjvp.exe 95 PID 4296 wrote to memory of 100 4296 pdjvp.exe 95 PID 100 wrote to memory of 4012 100 4626026.exe 96 PID 100 wrote to memory of 4012 100 4626026.exe 96 PID 100 wrote to memory of 4012 100 4626026.exe 96 PID 4012 wrote to memory of 2628 4012 pjvdd.exe 97 PID 4012 wrote to memory of 2628 4012 pjvdd.exe 97 PID 4012 wrote to memory of 2628 4012 pjvdd.exe 97 PID 2628 wrote to memory of 3724 2628 xrxrrrl.exe 98 PID 2628 wrote to memory of 3724 2628 xrxrrrl.exe 98 PID 2628 wrote to memory of 3724 2628 xrxrrrl.exe 98 PID 3724 wrote to memory of 3668 3724 2426048.exe 99 PID 3724 wrote to memory of 3668 3724 2426048.exe 99 PID 3724 wrote to memory of 3668 3724 2426048.exe 99 PID 3668 wrote to memory of 60 3668 lfffffx.exe 100 PID 3668 wrote to memory of 60 3668 lfffffx.exe 100 PID 3668 wrote to memory of 60 3668 lfffffx.exe 100 PID 60 wrote to memory of 4648 60 600262.exe 101 PID 60 wrote to memory of 4648 60 600262.exe 101 PID 60 wrote to memory of 4648 60 600262.exe 101 PID 4648 wrote to memory of 5012 4648 1djjd.exe 102 PID 4648 wrote to memory of 5012 4648 1djjd.exe 102 PID 4648 wrote to memory of 5012 4648 1djjd.exe 102 PID 5012 wrote to memory of 4676 5012 xlrlllf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\892cabcf2f712dbd6d20073858c3090fc34596eb03fa9d9d2143d1c0c9549d7e.exe"C:\Users\Admin\AppData\Local\Temp\892cabcf2f712dbd6d20073858c3090fc34596eb03fa9d9d2143d1c0c9549d7e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\1ddvp.exec:\1ddvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\266600.exec:\266600.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\ppddd.exec:\ppddd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\4400004.exec:\4400004.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\628882.exec:\628882.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\428260.exec:\428260.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\86688.exec:\86688.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\80604.exec:\80604.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\ffllxlr.exec:\ffllxlr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\fxllrrx.exec:\fxllrrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\bbnnbb.exec:\bbnnbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\vpvpd.exec:\vpvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\pdjvp.exec:\pdjvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\4626026.exec:\4626026.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\pjvdd.exec:\pjvdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\xrxrrrl.exec:\xrxrrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\2426048.exec:\2426048.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\lfffffx.exec:\lfffffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\600262.exec:\600262.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\1djjd.exec:\1djjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\xlrlllf.exec:\xlrlllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\tbhbtn.exec:\tbhbtn.exe23⤵
- Executes dropped EXE
PID:4676 -
\??\c:\pjdvp.exec:\pjdvp.exe24⤵
- Executes dropped EXE
PID:3688 -
\??\c:\26826.exec:\26826.exe25⤵
- Executes dropped EXE
PID:1988 -
\??\c:\684488.exec:\684488.exe26⤵
- Executes dropped EXE
PID:2020 -
\??\c:\468828.exec:\468828.exe27⤵
- Executes dropped EXE
PID:2372 -
\??\c:\2800444.exec:\2800444.exe28⤵
- Executes dropped EXE
PID:3124 -
\??\c:\4206846.exec:\4206846.exe29⤵
- Executes dropped EXE
PID:5004 -
\??\c:\frlfllr.exec:\frlfllr.exe30⤵
- Executes dropped EXE
PID:2260 -
\??\c:\002822.exec:\002822.exe31⤵
- Executes dropped EXE
PID:3672 -
\??\c:\thtntn.exec:\thtntn.exe32⤵
- Executes dropped EXE
PID:5064 -
\??\c:\tbbtbh.exec:\tbbtbh.exe33⤵
- Executes dropped EXE
PID:4828 -
\??\c:\o004260.exec:\o004260.exe34⤵
- Executes dropped EXE
PID:1656 -
\??\c:\20682.exec:\20682.exe35⤵
- Executes dropped EXE
PID:3744 -
\??\c:\frxlfxr.exec:\frxlfxr.exe36⤵
- Executes dropped EXE
PID:2168 -
\??\c:\2604860.exec:\2604860.exe37⤵
- Executes dropped EXE
PID:2556 -
\??\c:\440822.exec:\440822.exe38⤵
- Executes dropped EXE
PID:4088 -
\??\c:\thnhbh.exec:\thnhbh.exe39⤵
- Executes dropped EXE
PID:2152 -
\??\c:\686802.exec:\686802.exe40⤵
- Executes dropped EXE
PID:2452 -
\??\c:\htnbnb.exec:\htnbnb.exe41⤵
- Executes dropped EXE
PID:4928 -
\??\c:\2688440.exec:\2688440.exe42⤵
- Executes dropped EXE
PID:1064 -
\??\c:\dvddd.exec:\dvddd.exe43⤵
- Executes dropped EXE
PID:1420 -
\??\c:\hbbhbn.exec:\hbbhbn.exe44⤵
- Executes dropped EXE
PID:392 -
\??\c:\fxxrlll.exec:\fxxrlll.exe45⤵
- Executes dropped EXE
PID:2204 -
\??\c:\pjpjd.exec:\pjpjd.exe46⤵
- Executes dropped EXE
PID:3956 -
\??\c:\jdvpj.exec:\jdvpj.exe47⤵
- Executes dropped EXE
PID:636 -
\??\c:\rlfxlxr.exec:\rlfxlxr.exe48⤵
- Executes dropped EXE
PID:1904 -
\??\c:\pvppj.exec:\pvppj.exe49⤵
- Executes dropped EXE
PID:4444 -
\??\c:\1hnbtt.exec:\1hnbtt.exe50⤵
- Executes dropped EXE
PID:316 -
\??\c:\02628.exec:\02628.exe51⤵
- Executes dropped EXE
PID:1796 -
\??\c:\bnthbt.exec:\bnthbt.exe52⤵
- Executes dropped EXE
PID:3252 -
\??\c:\240426.exec:\240426.exe53⤵
- Executes dropped EXE
PID:4740 -
\??\c:\lxlflfx.exec:\lxlflfx.exe54⤵
- Executes dropped EXE
PID:4940 -
\??\c:\4408264.exec:\4408264.exe55⤵
- Executes dropped EXE
PID:4244 -
\??\c:\rxfxfxx.exec:\rxfxfxx.exe56⤵
- Executes dropped EXE
PID:2272 -
\??\c:\6464266.exec:\6464266.exe57⤵
- Executes dropped EXE
PID:1180 -
\??\c:\806048.exec:\806048.exe58⤵
- Executes dropped EXE
PID:840 -
\??\c:\rrlffxx.exec:\rrlffxx.exe59⤵
- Executes dropped EXE
PID:3760 -
\??\c:\24680.exec:\24680.exe60⤵
- Executes dropped EXE
PID:4544 -
\??\c:\40048.exec:\40048.exe61⤵
- Executes dropped EXE
PID:1280 -
\??\c:\m6086.exec:\m6086.exe62⤵
- Executes dropped EXE
PID:3152 -
\??\c:\82426.exec:\82426.exe63⤵
- Executes dropped EXE
PID:2040 -
\??\c:\tnbtbb.exec:\tnbtbb.exe64⤵
- Executes dropped EXE
PID:4308 -
\??\c:\8208888.exec:\8208888.exe65⤵
- Executes dropped EXE
PID:3556 -
\??\c:\1xrflfr.exec:\1xrflfr.exe66⤵PID:3204
-
\??\c:\28446.exec:\28446.exe67⤵PID:2028
-
\??\c:\dvpdv.exec:\dvpdv.exe68⤵PID:3880
-
\??\c:\7vvjj.exec:\7vvjj.exe69⤵PID:4092
-
\??\c:\2604848.exec:\2604848.exe70⤵PID:2004
-
\??\c:\xxfxfxf.exec:\xxfxfxf.exe71⤵PID:2160
-
\??\c:\pjjdj.exec:\pjjdj.exe72⤵PID:4788
-
\??\c:\28426.exec:\28426.exe73⤵PID:4852
-
\??\c:\8260848.exec:\8260848.exe74⤵PID:512
-
\??\c:\thnhbb.exec:\thnhbb.exe75⤵PID:4652
-
\??\c:\1jdpd.exec:\1jdpd.exe76⤵PID:1076
-
\??\c:\4228848.exec:\4228848.exe77⤵PID:4016
-
\??\c:\hbhhbb.exec:\hbhhbb.exe78⤵PID:64
-
\??\c:\lfrlflf.exec:\lfrlflf.exe79⤵
- System Location Discovery: System Language Discovery
PID:3076 -
\??\c:\xrxxffr.exec:\xrxxffr.exe80⤵PID:3180
-
\??\c:\dvpvv.exec:\dvpvv.exe81⤵PID:3236
-
\??\c:\200040.exec:\200040.exe82⤵
- System Location Discovery: System Language Discovery
PID:3476 -
\??\c:\nhnnhh.exec:\nhnnhh.exe83⤵PID:3900
-
\??\c:\tthhhh.exec:\tthhhh.exe84⤵PID:2572
-
\??\c:\pjjdd.exec:\pjjdd.exe85⤵PID:4956
-
\??\c:\202048.exec:\202048.exe86⤵PID:2372
-
\??\c:\djpdp.exec:\djpdp.exe87⤵PID:3244
-
\??\c:\5fxrfrf.exec:\5fxrfrf.exe88⤵PID:3268
-
\??\c:\jvpjd.exec:\jvpjd.exe89⤵
- System Location Discovery: System Language Discovery
PID:3280 -
\??\c:\20284.exec:\20284.exe90⤵PID:2364
-
\??\c:\420444.exec:\420444.exe91⤵PID:3624
-
\??\c:\9llfllr.exec:\9llfllr.exe92⤵PID:1008
-
\??\c:\vvdvp.exec:\vvdvp.exe93⤵PID:2548
-
\??\c:\rrfxfxf.exec:\rrfxfxf.exe94⤵PID:3384
-
\??\c:\284220.exec:\284220.exe95⤵PID:4884
-
\??\c:\xrflxrl.exec:\xrflxrl.exe96⤵PID:1368
-
\??\c:\jdjdj.exec:\jdjdj.exe97⤵PID:4992
-
\??\c:\5pdpj.exec:\5pdpj.exe98⤵PID:3544
-
\??\c:\pddpp.exec:\pddpp.exe99⤵PID:4036
-
\??\c:\860666.exec:\860666.exe100⤵PID:3500
-
\??\c:\04066.exec:\04066.exe101⤵PID:4844
-
\??\c:\4686448.exec:\4686448.exe102⤵PID:364
-
\??\c:\tnhbtn.exec:\tnhbtn.exe103⤵PID:4428
-
\??\c:\e80482.exec:\e80482.exe104⤵PID:4608
-
\??\c:\e64848.exec:\e64848.exe105⤵PID:2484
-
\??\c:\bhhnbb.exec:\bhhnbb.exe106⤵PID:1096
-
\??\c:\fxxlfrx.exec:\fxxlfrx.exe107⤵PID:1144
-
\??\c:\44260.exec:\44260.exe108⤵
- System Location Discovery: System Language Discovery
PID:3552 -
\??\c:\08822.exec:\08822.exe109⤵PID:4384
-
\??\c:\vvvpp.exec:\vvvpp.exe110⤵PID:3452
-
\??\c:\8886482.exec:\8886482.exe111⤵PID:844
-
\??\c:\288086.exec:\288086.exe112⤵PID:4504
-
\??\c:\rlrlfrx.exec:\rlrlfrx.exe113⤵PID:3840
-
\??\c:\6666666.exec:\6666666.exe114⤵PID:3408
-
\??\c:\hbnhnh.exec:\hbnhnh.exe115⤵PID:1232
-
\??\c:\66660.exec:\66660.exe116⤵PID:1384
-
\??\c:\04266.exec:\04266.exe117⤵PID:4940
-
\??\c:\2248660.exec:\2248660.exe118⤵PID:3520
-
\??\c:\6004226.exec:\6004226.exe119⤵PID:4780
-
\??\c:\bthbnh.exec:\bthbnh.exe120⤵PID:3692
-
\??\c:\bhtnbb.exec:\bhtnbb.exe121⤵PID:3700
-
\??\c:\840422.exec:\840422.exe122⤵PID:4460