Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 06:07
Behavioral task
behavioral1
Sample
d53cfc28257cc9c4c6e04a9c8750ad70fcd5f91efc6f7ede6e93bb4b65d257c7.exe
Resource
win7-20240903-en
7 signatures
150 seconds
Note: this task summary describes behavioral1 (win7-20240903-en), but every IoC listed further down is tagged `behavioral2/...`, i.e. the windows10-2004_x64 / win10v2004-20241007-en run described under Analysis. The behavioral1 (Windows 7) results are not shown on this page.
General
-
Target
d53cfc28257cc9c4c6e04a9c8750ad70fcd5f91efc6f7ede6e93bb4b65d257c7.exe
-
Size
334KB
-
MD5
24100bc39797540dd09b43cbc94d5b8d
-
SHA1
5e59aaee194f445c3f04b4ba61139c0a9c567bf3
-
SHA256
d53cfc28257cc9c4c6e04a9c8750ad70fcd5f91efc6f7ede6e93bb4b65d257c7
-
SHA512
6ee4d72189ba9e27598edb9c3f19728aab4038e789c6043e0c4726571a5457b00e23d262cc8ade95d24c91f447e9f6041ed3ef2d268dbac9332462bc6b072c4a
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tH:94wFHoStJdSjylh2b77BoTMA9gX59sTf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2004-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2852-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1448-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2060-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4648-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2472-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4504-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1440-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2328-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2704-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2572-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2868-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/60-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3924-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4844-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2628-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2576-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/948-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4692-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2224-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4328-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3192-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1280-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2700-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1960-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4836-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2276-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4980-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1516-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1324-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3880-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4124-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4156-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3048-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3496-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2852-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2972-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-463-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1500-502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3860-561-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-688-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1560-695-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1500-756-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4648 8468444.exe 2472 jvdvv.exe 4828 rrxxlxx.exe 2060 626222.exe 1448 dvjjd.exe 2852 a4608.exe 4504 s6468.exe 1664 ppvpv.exe 1440 rrxxxxx.exe 2328 4426048.exe 400 1jdvp.exe 2864 q86666.exe 2704 jddvd.exe 2572 4846828.exe 2868 q24448.exe 4204 8020826.exe 3196 240426.exe 4400 6804260.exe 3528 rrxrrxx.exe 60 462648.exe 4124 284860.exe 5116 a0062.exe 3924 224866.exe 1536 pddvj.exe 4736 rrflffx.exe 4844 9bhtnt.exe 2628 662648.exe 2200 84084.exe 2576 jdjvv.exe 4988 886426.exe 180 jjjdv.exe 948 0408260.exe 792 082004.exe 2184 xffrlfr.exe 5028 vjddp.exe 5064 vdvvp.exe 4692 q64482.exe 4316 pjdpj.exe 1232 5ffxxrr.exe 1180 800426.exe 3388 4286228.exe 4592 tnbthb.exe 2224 86466.exe 4328 lflxlrf.exe 2040 9ffxrrl.exe 4732 nhttnn.exe 3192 hbbtnn.exe 5072 nbbtnh.exe 3172 dvjjj.exe 2232 3tnbtt.exe 1280 1ffxllx.exe 828 5jjdj.exe 4060 468404.exe 1500 a8088.exe 2700 9rfxrxx.exe 1960 3vdpp.exe 1316 1vpjv.exe 4744 0886082.exe 4836 hbbtnn.exe 2060 vpjdd.exe 1448 5rrlfrl.exe 2276 68688.exe 1044 w66408.exe 3036 600648.exe -
UPX-packed (yara rule `upx`) 64 IoCs — section heading lost in extraction; the sample, every dropped `.dat` and every dumped image region below match the `upx` rule
resource yara_rule behavioral2/memory/2004-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023ba1-3.dat upx behavioral2/memory/4648-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2004-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c93-9.dat upx behavioral2/files/0x0007000000023c97-11.dat upx behavioral2/files/0x0007000000023c99-26.dat upx behavioral2/files/0x0007000000023c9a-31.dat upx behavioral2/memory/2852-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1448-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2060-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-21.dat upx behavioral2/memory/4648-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4828-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2472-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-35.dat upx behavioral2/files/0x0007000000023c9d-39.dat upx behavioral2/memory/4504-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-44.dat upx behavioral2/files/0x0007000000023c9f-48.dat upx behavioral2/memory/1440-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-53.dat upx behavioral2/memory/2328-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-58.dat upx behavioral2/files/0x0007000000023ca2-63.dat upx behavioral2/memory/2704-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-68.dat upx behavioral2/memory/2572-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2864-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-73.dat upx behavioral2/files/0x0007000000023ca5-77.dat upx 
behavioral2/memory/4204-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4400-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-94.dat upx behavioral2/memory/3196-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-98.dat upx behavioral2/files/0x0007000000023ca7-88.dat upx behavioral2/files/0x0007000000023ca6-84.dat upx behavioral2/memory/2868-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/60-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5116-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-112.dat upx behavioral2/memory/3924-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-116.dat upx behavioral2/files/0x0007000000023cab-107.dat upx behavioral2/files/0x0007000000023caa-102.dat upx behavioral2/files/0x0007000000023cae-120.dat upx behavioral2/memory/1536-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-126.dat upx behavioral2/files/0x0007000000023cb0-129.dat upx behavioral2/memory/4844-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2628-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-135.dat upx behavioral2/files/0x0007000000023cb2-140.dat upx behavioral2/memory/2576-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-144.dat upx behavioral2/files/0x0007000000023cb4-148.dat upx behavioral2/files/0x0007000000023cb5-153.dat upx behavioral2/memory/948-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2184-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5064-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4692-169-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4316-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4592-181-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Every IoC below is an open of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`; entries whose Process column reads `Process not Found` are opens the sandbox could not attribute to a named process (presumably it had already exited), so the per-process attribution in this section is only partial — in the Processes tree only jjjdv.exe and xffrlfr.exe carry this tag.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6248866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0460828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u042404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8848822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfflrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 248420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — every entry below is a parent writing into the child it has just spawned (the same parent→child pairs as the Processes tree, each pair recorded three times), so this signature reflects the drop-and-execute chain rather than injection into an unrelated process. The list ends at 4124 → 5116 (284860.exe → a0062.exe), presumably a 64-entry display cap, not the end of the chain.
description pid Process procid_target PID 2004 wrote to memory of 4648 2004 d53cfc28257cc9c4c6e04a9c8750ad70fcd5f91efc6f7ede6e93bb4b65d257c7.exe 83 PID 2004 wrote to memory of 4648 2004 d53cfc28257cc9c4c6e04a9c8750ad70fcd5f91efc6f7ede6e93bb4b65d257c7.exe 83 PID 2004 wrote to memory of 4648 2004 d53cfc28257cc9c4c6e04a9c8750ad70fcd5f91efc6f7ede6e93bb4b65d257c7.exe 83 PID 4648 wrote to memory of 2472 4648 8468444.exe 84 PID 4648 wrote to memory of 2472 4648 8468444.exe 84 PID 4648 wrote to memory of 2472 4648 8468444.exe 84 PID 2472 wrote to memory of 4828 2472 jvdvv.exe 85 PID 2472 wrote to memory of 4828 2472 jvdvv.exe 85 PID 2472 wrote to memory of 4828 2472 jvdvv.exe 85 PID 4828 wrote to memory of 2060 4828 rrxxlxx.exe 86 PID 4828 wrote to memory of 2060 4828 rrxxlxx.exe 86 PID 4828 wrote to memory of 2060 4828 rrxxlxx.exe 86 PID 2060 wrote to memory of 1448 2060 626222.exe 87 PID 2060 wrote to memory of 1448 2060 626222.exe 87 PID 2060 wrote to memory of 1448 2060 626222.exe 87 PID 1448 wrote to memory of 2852 1448 dvjjd.exe 88 PID 1448 wrote to memory of 2852 1448 dvjjd.exe 88 PID 1448 wrote to memory of 2852 1448 dvjjd.exe 88 PID 2852 wrote to memory of 4504 2852 a4608.exe 89 PID 2852 wrote to memory of 4504 2852 a4608.exe 89 PID 2852 wrote to memory of 4504 2852 a4608.exe 89 PID 4504 wrote to memory of 1664 4504 s6468.exe 90 PID 4504 wrote to memory of 1664 4504 s6468.exe 90 PID 4504 wrote to memory of 1664 4504 s6468.exe 90 PID 1664 wrote to memory of 1440 1664 ppvpv.exe 91 PID 1664 wrote to memory of 1440 1664 ppvpv.exe 91 PID 1664 wrote to memory of 1440 1664 ppvpv.exe 91 PID 1440 wrote to memory of 2328 1440 rrxxxxx.exe 92 PID 1440 wrote to memory of 2328 1440 rrxxxxx.exe 92 PID 1440 wrote to memory of 2328 1440 rrxxxxx.exe 92 PID 2328 wrote to memory of 400 2328 4426048.exe 93 PID 2328 wrote to memory of 400 2328 4426048.exe 93 PID 2328 wrote to memory of 400 2328 4426048.exe 93 PID 400 wrote to memory of 2864 400 1jdvp.exe 94 PID 400 wrote to memory of 
2864 400 1jdvp.exe 94 PID 400 wrote to memory of 2864 400 1jdvp.exe 94 PID 2864 wrote to memory of 2704 2864 q86666.exe 95 PID 2864 wrote to memory of 2704 2864 q86666.exe 95 PID 2864 wrote to memory of 2704 2864 q86666.exe 95 PID 2704 wrote to memory of 2572 2704 jddvd.exe 96 PID 2704 wrote to memory of 2572 2704 jddvd.exe 96 PID 2704 wrote to memory of 2572 2704 jddvd.exe 96 PID 2572 wrote to memory of 2868 2572 4846828.exe 97 PID 2572 wrote to memory of 2868 2572 4846828.exe 97 PID 2572 wrote to memory of 2868 2572 4846828.exe 97 PID 2868 wrote to memory of 4204 2868 q24448.exe 98 PID 2868 wrote to memory of 4204 2868 q24448.exe 98 PID 2868 wrote to memory of 4204 2868 q24448.exe 98 PID 4204 wrote to memory of 3196 4204 8020826.exe 99 PID 4204 wrote to memory of 3196 4204 8020826.exe 99 PID 4204 wrote to memory of 3196 4204 8020826.exe 99 PID 3196 wrote to memory of 4400 3196 240426.exe 100 PID 3196 wrote to memory of 4400 3196 240426.exe 100 PID 3196 wrote to memory of 4400 3196 240426.exe 100 PID 4400 wrote to memory of 3528 4400 6804260.exe 101 PID 4400 wrote to memory of 3528 4400 6804260.exe 101 PID 4400 wrote to memory of 3528 4400 6804260.exe 101 PID 3528 wrote to memory of 60 3528 rrxrrxx.exe 102 PID 3528 wrote to memory of 60 3528 rrxrrxx.exe 102 PID 3528 wrote to memory of 60 3528 rrxrrxx.exe 102 PID 60 wrote to memory of 4124 60 462648.exe 103 PID 60 wrote to memory of 4124 60 462648.exe 103 PID 60 wrote to memory of 4124 60 462648.exe 103 PID 4124 wrote to memory of 5116 4124 284860.exe 104
Processes — rendered tree ends at nesting depth 122; extraction has run each entry's image path (`\??\c:\<name>.exe`), command line (`c:\<name>.exe`) and depth number together. Every stage is launched from the drive root `c:\` under a short random name, and PIDs recur down the chain (e.g. 2060, 1448, 400, 4124, 5116, 3924, 1536, 792, 2184, 5072, 2232 each appear twice), so earlier stages had exited by then and a PID is not a stable correlation key here — key on path/name and the parent→child relation instead.
-
C:\Users\Admin\AppData\Local\Temp\d53cfc28257cc9c4c6e04a9c8750ad70fcd5f91efc6f7ede6e93bb4b65d257c7.exe"C:\Users\Admin\AppData\Local\Temp\d53cfc28257cc9c4c6e04a9c8750ad70fcd5f91efc6f7ede6e93bb4b65d257c7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\8468444.exec:\8468444.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\jvdvv.exec:\jvdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\rrxxlxx.exec:\rrxxlxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\626222.exec:\626222.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\dvjjd.exec:\dvjjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\a4608.exec:\a4608.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\s6468.exec:\s6468.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\ppvpv.exec:\ppvpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\4426048.exec:\4426048.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\1jdvp.exec:\1jdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\q86666.exec:\q86666.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\jddvd.exec:\jddvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\4846828.exec:\4846828.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\q24448.exec:\q24448.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\8020826.exec:\8020826.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\240426.exec:\240426.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
\??\c:\6804260.exec:\6804260.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\rrxrrxx.exec:\rrxrrxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\462648.exec:\462648.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\284860.exec:\284860.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\a0062.exec:\a0062.exe23⤵
- Executes dropped EXE
PID:5116 -
\??\c:\224866.exec:\224866.exe24⤵
- Executes dropped EXE
PID:3924 -
\??\c:\pddvj.exec:\pddvj.exe25⤵
- Executes dropped EXE
PID:1536 -
\??\c:\rrflffx.exec:\rrflffx.exe26⤵
- Executes dropped EXE
PID:4736 -
\??\c:\9bhtnt.exec:\9bhtnt.exe27⤵
- Executes dropped EXE
PID:4844 -
\??\c:\662648.exec:\662648.exe28⤵
- Executes dropped EXE
PID:2628 -
\??\c:\84084.exec:\84084.exe29⤵
- Executes dropped EXE
PID:2200 -
\??\c:\jdjvv.exec:\jdjvv.exe30⤵
- Executes dropped EXE
PID:2576 -
\??\c:\886426.exec:\886426.exe31⤵
- Executes dropped EXE
PID:4988 -
\??\c:\jjjdv.exec:\jjjdv.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:180 -
\??\c:\0408260.exec:\0408260.exe33⤵
- Executes dropped EXE
PID:948 -
\??\c:\082004.exec:\082004.exe34⤵
- Executes dropped EXE
PID:792 -
\??\c:\xffrlfr.exec:\xffrlfr.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
\??\c:\vjddp.exec:\vjddp.exe36⤵
- Executes dropped EXE
PID:5028 -
\??\c:\vdvvp.exec:\vdvvp.exe37⤵
- Executes dropped EXE
PID:5064 -
\??\c:\q64482.exec:\q64482.exe38⤵
- Executes dropped EXE
PID:4692 -
\??\c:\pjdpj.exec:\pjdpj.exe39⤵
- Executes dropped EXE
PID:4316 -
\??\c:\5ffxxrr.exec:\5ffxxrr.exe40⤵
- Executes dropped EXE
PID:1232 -
\??\c:\800426.exec:\800426.exe41⤵
- Executes dropped EXE
PID:1180 -
\??\c:\4286228.exec:\4286228.exe42⤵
- Executes dropped EXE
PID:3388 -
\??\c:\tnbthb.exec:\tnbthb.exe43⤵
- Executes dropped EXE
PID:4592 -
\??\c:\86466.exec:\86466.exe44⤵
- Executes dropped EXE
PID:2224 -
\??\c:\lflxlrf.exec:\lflxlrf.exe45⤵
- Executes dropped EXE
PID:4328 -
\??\c:\9ffxrrl.exec:\9ffxrrl.exe46⤵
- Executes dropped EXE
PID:2040 -
\??\c:\nhttnn.exec:\nhttnn.exe47⤵
- Executes dropped EXE
PID:4732 -
\??\c:\hbbtnn.exec:\hbbtnn.exe48⤵
- Executes dropped EXE
PID:3192 -
\??\c:\nbbtnh.exec:\nbbtnh.exe49⤵
- Executes dropped EXE
PID:5072 -
\??\c:\dvjjj.exec:\dvjjj.exe50⤵
- Executes dropped EXE
PID:3172 -
\??\c:\3tnbtt.exec:\3tnbtt.exe51⤵
- Executes dropped EXE
PID:2232 -
\??\c:\1ffxllx.exec:\1ffxllx.exe52⤵
- Executes dropped EXE
PID:1280 -
\??\c:\5jjdj.exec:\5jjdj.exe53⤵
- Executes dropped EXE
PID:828 -
\??\c:\468404.exec:\468404.exe54⤵
- Executes dropped EXE
PID:4060 -
\??\c:\a8088.exec:\a8088.exe55⤵
- Executes dropped EXE
PID:1500 -
\??\c:\9rfxrxx.exec:\9rfxrxx.exe56⤵
- Executes dropped EXE
PID:2700 -
\??\c:\3vdpp.exec:\3vdpp.exe57⤵
- Executes dropped EXE
PID:1960 -
\??\c:\1vpjv.exec:\1vpjv.exe58⤵
- Executes dropped EXE
PID:1316 -
\??\c:\0886082.exec:\0886082.exe59⤵
- Executes dropped EXE
PID:4744 -
\??\c:\hbbtnn.exec:\hbbtnn.exe60⤵
- Executes dropped EXE
PID:4836 -
\??\c:\vpjdd.exec:\vpjdd.exe61⤵
- Executes dropped EXE
PID:2060 -
\??\c:\5rrlfrl.exec:\5rrlfrl.exe62⤵
- Executes dropped EXE
PID:1448 -
\??\c:\68688.exec:\68688.exe63⤵
- Executes dropped EXE
PID:2276 -
\??\c:\w66408.exec:\w66408.exe64⤵
- Executes dropped EXE
PID:1044 -
\??\c:\600648.exec:\600648.exe65⤵
- Executes dropped EXE
PID:3036 -
\??\c:\3tnbnh.exec:\3tnbnh.exe66⤵PID:4268
-
\??\c:\00264.exec:\00264.exe67⤵PID:808
-
\??\c:\608882.exec:\608882.exe68⤵PID:4792
-
\??\c:\rlrfxrl.exec:\rlrfxrl.exe69⤵PID:1292
-
\??\c:\5xflfrl.exec:\5xflfrl.exe70⤵PID:2312
-
\??\c:\08608.exec:\08608.exe71⤵PID:3140
-
\??\c:\bhhbnb.exec:\bhhbnb.exe72⤵PID:4532
-
\??\c:\fflxlfr.exec:\fflxlfr.exe73⤵PID:4980
-
\??\c:\lflflfr.exec:\lflflfr.exe74⤵PID:400
-
\??\c:\pvdvp.exec:\pvdvp.exe75⤵PID:3104
-
\??\c:\lllfxrl.exec:\lllfxrl.exe76⤵PID:3940
-
\??\c:\frrlxxr.exec:\frrlxxr.exe77⤵PID:4892
-
\??\c:\0248260.exec:\0248260.exe78⤵PID:1516
-
\??\c:\66264.exec:\66264.exe79⤵PID:1324
-
\??\c:\hhthbb.exec:\hhthbb.exe80⤵PID:3880
-
\??\c:\040448.exec:\040448.exe81⤵PID:3396
-
\??\c:\thhbtt.exec:\thhbtt.exe82⤵PID:5104
-
\??\c:\flrfxxx.exec:\flrfxxx.exe83⤵PID:1656
-
\??\c:\jjdjj.exec:\jjdjj.exe84⤵PID:4280
-
\??\c:\6808220.exec:\6808220.exe85⤵PID:2972
-
\??\c:\xfffffx.exec:\xfffffx.exe86⤵PID:3060
-
\??\c:\4866224.exec:\4866224.exe87⤵PID:4124
-
\??\c:\4062846.exec:\4062846.exe88⤵PID:5116
-
\??\c:\rllffll.exec:\rllffll.exe89⤵PID:3924
-
\??\c:\httnnn.exec:\httnnn.exe90⤵PID:1264
-
\??\c:\5nthbb.exec:\5nthbb.exe91⤵PID:3676
-
\??\c:\22864.exec:\22864.exe92⤵PID:1536
-
\??\c:\8464826.exec:\8464826.exe93⤵PID:4156
-
\??\c:\i626602.exec:\i626602.exe94⤵PID:4920
-
\??\c:\hthnhh.exec:\hthnhh.exe95⤵PID:1452
-
\??\c:\xxxrfll.exec:\xxxrfll.exe96⤵PID:616
-
\??\c:\822604.exec:\822604.exe97⤵PID:3708
-
\??\c:\bttnbb.exec:\bttnbb.exe98⤵PID:3048
-
\??\c:\vdpdp.exec:\vdpdp.exe99⤵PID:2064
-
\??\c:\xfffxff.exec:\xfffxff.exe100⤵PID:4660
-
\??\c:\pjppj.exec:\pjppj.exe101⤵PID:1680
-
\??\c:\40086.exec:\40086.exe102⤵PID:1812
-
\??\c:\frlfxrl.exec:\frlfxrl.exe103⤵PID:4272
-
\??\c:\42488.exec:\42488.exe104⤵PID:792
-
\??\c:\xrlfrxr.exec:\xrlfrxr.exe105⤵PID:2184
-
\??\c:\3djvj.exec:\3djvj.exe106⤵PID:1468
-
\??\c:\0404882.exec:\0404882.exe107⤵PID:3496
-
\??\c:\8844200.exec:\8844200.exe108⤵PID:4228
-
\??\c:\40648.exec:\40648.exe109⤵PID:1972
-
\??\c:\262600.exec:\262600.exe110⤵PID:3452
-
\??\c:\5nnhbb.exec:\5nnhbb.exe111⤵PID:4100
-
\??\c:\862648.exec:\862648.exe112⤵PID:2896
-
\??\c:\2204888.exec:\2204888.exe113⤵PID:2796
-
\??\c:\4286004.exec:\4286004.exe114⤵PID:4392
-
\??\c:\664822.exec:\664822.exe115⤵PID:1508
-
\??\c:\i626060.exec:\i626060.exe116⤵PID:3464
-
\??\c:\m6208.exec:\m6208.exe117⤵PID:4700
-
\??\c:\4460820.exec:\4460820.exe118⤵PID:3652
-
\??\c:\jdjdv.exec:\jdjdv.exe119⤵PID:628
-
\??\c:\6248288.exec:\6248288.exe120⤵PID:5072
-
\??\c:\000444.exec:\000444.exe121⤵PID:4964
-
\??\c:\0282600.exec:\0282600.exe122⤵PID:2232