Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
18-12-2024 07:28
Behavioral task
behavioral1
Sample
f7f62498fbbe8864ff93b80d3e30ef58e27d36e16926c1df3315cce0644e3c83.exe
Resource
win7-20240903-en (note: this task summary is for behavioral1 on Windows 7, whereas the resource named under Analysis above — win10v2004-20241007-en — and every IoC listed below are tagged behavioral2; results of the two runs should not be conflated)
7 signatures
150 seconds
General
-
Target
f7f62498fbbe8864ff93b80d3e30ef58e27d36e16926c1df3315cce0644e3c83.exe
-
Size
331KB
-
MD5
66c41fcd25a3f167c7e660f07ab216e0
-
SHA1
649fd91841a87af119689e5fa820e28ba35117fd
-
SHA256
f7f62498fbbe8864ff93b80d3e30ef58e27d36e16926c1df3315cce0644e3c83
-
SHA512
c54f19ed259b24728a117664b7b13921942df050767bfbb45ff9ac6b0b1c5b9c47e5714feacc7ed51aed3efd656912b2dbd8038b46d94e493d9b52f826c5a2bb
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7t4:94wFHoStJdSjylh2b77BoTMA9gX59sTA
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (list capped at 64; every match covers the same 0x00400000–0x00427000 image range in each dropped process, consistent with every stage being the same unpacked image — the PID/offset pairs are specific to this run and are not reusable indicators)
resource yara_rule behavioral2/memory/2940-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3168-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4568-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1844-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2308-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2720-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1992-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2420-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3268-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2520-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3508-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1140-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2264-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3572-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2320-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1112-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1980-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1332-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4492-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4676-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4304-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2176-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2840-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1628-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2620-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4368-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4612-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3316-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3176-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1636-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3000-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1280-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2788-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1876-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3620-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2340-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1424-405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4752-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-458-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1912-465-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2340-535-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-578-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4612-663-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1476-690-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (list capped at 64 of a longer chain; PIDs are recycled within the run — e.g. 1312 and 3368 each appear for two different executables — so correlate on PID plus process start time, never on PID alone)
pid Process 3168 dpdvp.exe 1312 0822226.exe 3368 80042.exe 4568 8224486.exe 3528 800042.exe 4480 8800004.exe 4608 866044.exe 4420 0248202.exe 1844 dvdpd.exe 2308 048226.exe 2720 8004826.exe 3532 lxfxrlf.exe 3892 400020.exe 2236 642600.exe 1992 ddddd.exe 372 2404826.exe 2420 dvdvj.exe 4456 2866482.exe 2204 060488.exe 3268 48448.exe 4980 0648488.exe 4600 xrrrllf.exe 4968 4060044.exe 2520 e62626.exe 3508 4828888.exe 4128 bhnhbb.exe 1924 6004880.exe 1140 624004.exe 3928 nbtnhh.exe 2264 84042.exe 3572 86422.exe 1812 2644440.exe 2320 7dpjj.exe 2488 lxffrrl.exe 1112 xlxxrrl.exe 468 pppjd.exe 1980 062600.exe 3668 00260.exe 3432 24660.exe 1332 468024.exe 4492 vpvpj.exe 1984 nntnnt.exe 4676 nhnhhh.exe 4304 dvddd.exe 2176 nhnnhh.exe 4664 1frflfl.exe 2116 tbbtbt.exe 4716 6060488.exe 2840 8204440.exe 1628 hhnnhn.exe 4120 jjpjj.exe 2620 flrrlll.exe 3024 42048.exe 2512 xrxfffx.exe 4368 rrxrlfx.exe 4612 tnttnn.exe 3316 htntbb.exe 4300 624866.exe 4908 04480.exe 3564 lflllll.exe 1048 dvjdd.exe 2380 622266.exe 1312 xffrlfx.exe 3368 bhhbtt.exe -
UPX packed file (YARA rule `upx` matched on the original sample, on the dropped files and on the in-memory images) 64 IoCs — UPX packing is not malicious by itself, but it means on-disk scanning of the stages will see the packed form while the Blackmoon matches above come from memory
resource yara_rule behavioral2/memory/2940-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2940-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c59-3.dat upx behavioral2/memory/3168-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-9.dat upx behavioral2/files/0x0007000000023cc3-11.dat upx behavioral2/files/0x0007000000023cc4-17.dat upx behavioral2/memory/3368-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-22.dat upx behavioral2/memory/4568-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-28.dat upx behavioral2/memory/4480-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3528-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-34.dat upx behavioral2/memory/4608-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc9-38.dat upx behavioral2/memory/4608-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-43.dat upx behavioral2/memory/4420-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1844-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cbf-54.dat upx behavioral2/memory/2720-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2308-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccb-49.dat upx behavioral2/files/0x0007000000023ccc-61.dat upx behavioral2/memory/2720-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-64.dat upx behavioral2/memory/3532-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cce-69.dat upx behavioral2/memory/3892-71-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023ccf-75.dat upx behavioral2/files/0x0007000000023cd0-81.dat upx behavioral2/memory/1992-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1992-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2236-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd1-85.dat upx behavioral2/memory/2420-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd2-91.dat upx behavioral2/files/0x0007000000023cd3-95.dat upx behavioral2/memory/2204-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd4-100.dat upx behavioral2/memory/3268-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd5-105.dat upx behavioral2/memory/4980-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd6-109.dat upx behavioral2/memory/4600-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd7-115.dat upx behavioral2/files/0x0007000000023cd8-118.dat upx behavioral2/files/0x0007000000023cd9-122.dat upx behavioral2/memory/2520-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cda-127.dat upx behavioral2/memory/3508-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdb-132.dat upx behavioral2/files/0x0007000000023cdc-137.dat upx behavioral2/memory/1924-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1140-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdd-142.dat upx behavioral2/files/0x0007000000023cde-146.dat upx behavioral2/files/0x0007000000023cdf-149.dat upx behavioral2/memory/2264-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3572-156-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023ce0-155.dat upx behavioral2/memory/2320-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1112-167-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Reviewer note: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by many benign programs, so on its own this is a low-fidelity indicator. Entries attributed to "Process not Found" could not be tied to a process image by the sandbox (most likely short-lived processes that had already exited), and several of the named images (e.g. 228826.exe, m2224.exe, u844226.exe, u466000.exe) do not appear in the truncated process tree below, which shows the chain ran longer than the 122 levels displayed.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u844226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u466000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (capped at 64; every entry is a parent writing into the child it has just spawned, each pair recorded three times, and the pairs match the process tree below — this is consistent with launching the next stage rather than injection into a pre-existing process, so confirm before reporting it as injection)
description pid Process procid_target PID 2940 wrote to memory of 3168 2940 f7f62498fbbe8864ff93b80d3e30ef58e27d36e16926c1df3315cce0644e3c83.exe 82 PID 2940 wrote to memory of 3168 2940 f7f62498fbbe8864ff93b80d3e30ef58e27d36e16926c1df3315cce0644e3c83.exe 82 PID 2940 wrote to memory of 3168 2940 f7f62498fbbe8864ff93b80d3e30ef58e27d36e16926c1df3315cce0644e3c83.exe 82 PID 3168 wrote to memory of 1312 3168 dpdvp.exe 83 PID 3168 wrote to memory of 1312 3168 dpdvp.exe 83 PID 3168 wrote to memory of 1312 3168 dpdvp.exe 83 PID 1312 wrote to memory of 3368 1312 0822226.exe 84 PID 1312 wrote to memory of 3368 1312 0822226.exe 84 PID 1312 wrote to memory of 3368 1312 0822226.exe 84 PID 3368 wrote to memory of 4568 3368 80042.exe 85 PID 3368 wrote to memory of 4568 3368 80042.exe 85 PID 3368 wrote to memory of 4568 3368 80042.exe 85 PID 4568 wrote to memory of 3528 4568 8224486.exe 86 PID 4568 wrote to memory of 3528 4568 8224486.exe 86 PID 4568 wrote to memory of 3528 4568 8224486.exe 86 PID 3528 wrote to memory of 4480 3528 800042.exe 87 PID 3528 wrote to memory of 4480 3528 800042.exe 87 PID 3528 wrote to memory of 4480 3528 800042.exe 87 PID 4480 wrote to memory of 4608 4480 8800004.exe 88 PID 4480 wrote to memory of 4608 4480 8800004.exe 88 PID 4480 wrote to memory of 4608 4480 8800004.exe 88 PID 4608 wrote to memory of 4420 4608 866044.exe 89 PID 4608 wrote to memory of 4420 4608 866044.exe 89 PID 4608 wrote to memory of 4420 4608 866044.exe 89 PID 4420 wrote to memory of 1844 4420 0248202.exe 90 PID 4420 wrote to memory of 1844 4420 0248202.exe 90 PID 4420 wrote to memory of 1844 4420 0248202.exe 90 PID 1844 wrote to memory of 2308 1844 dvdpd.exe 91 PID 1844 wrote to memory of 2308 1844 dvdpd.exe 91 PID 1844 wrote to memory of 2308 1844 dvdpd.exe 91 PID 2308 wrote to memory of 2720 2308 048226.exe 92 PID 2308 wrote to memory of 2720 2308 048226.exe 92 PID 2308 wrote to memory of 2720 2308 048226.exe 92 PID 2720 wrote to memory of 3532 2720 8004826.exe 93 PID 2720 wrote 
to memory of 3532 2720 8004826.exe 93 PID 2720 wrote to memory of 3532 2720 8004826.exe 93 PID 3532 wrote to memory of 3892 3532 lxfxrlf.exe 94 PID 3532 wrote to memory of 3892 3532 lxfxrlf.exe 94 PID 3532 wrote to memory of 3892 3532 lxfxrlf.exe 94 PID 3892 wrote to memory of 2236 3892 400020.exe 95 PID 3892 wrote to memory of 2236 3892 400020.exe 95 PID 3892 wrote to memory of 2236 3892 400020.exe 95 PID 2236 wrote to memory of 1992 2236 642600.exe 96 PID 2236 wrote to memory of 1992 2236 642600.exe 96 PID 2236 wrote to memory of 1992 2236 642600.exe 96 PID 1992 wrote to memory of 372 1992 ddddd.exe 97 PID 1992 wrote to memory of 372 1992 ddddd.exe 97 PID 1992 wrote to memory of 372 1992 ddddd.exe 97 PID 372 wrote to memory of 2420 372 2404826.exe 98 PID 372 wrote to memory of 2420 372 2404826.exe 98 PID 372 wrote to memory of 2420 372 2404826.exe 98 PID 2420 wrote to memory of 4456 2420 dvdvj.exe 99 PID 2420 wrote to memory of 4456 2420 dvdvj.exe 99 PID 2420 wrote to memory of 4456 2420 dvdvj.exe 99 PID 4456 wrote to memory of 2204 4456 2866482.exe 100 PID 4456 wrote to memory of 2204 4456 2866482.exe 100 PID 4456 wrote to memory of 2204 4456 2866482.exe 100 PID 2204 wrote to memory of 3268 2204 060488.exe 101 PID 2204 wrote to memory of 3268 2204 060488.exe 101 PID 2204 wrote to memory of 3268 2204 060488.exe 101 PID 3268 wrote to memory of 4980 3268 48448.exe 102 PID 3268 wrote to memory of 4980 3268 48448.exe 102 PID 3268 wrote to memory of 4980 3268 48448.exe 102 PID 4980 wrote to memory of 4600 4980 0648488.exe 103
Processes (tree truncated at 122 levels; each stage drops the next executable to the root of C:\ — NT path \??\c:\<name>.exe — and launches it, so writes of new .exe files to the C:\ root and the long parent→child chain are the host-level behaviours most worth hunting for from this run)
-
C:\Users\Admin\AppData\Local\Temp\f7f62498fbbe8864ff93b80d3e30ef58e27d36e16926c1df3315cce0644e3c83.exe"C:\Users\Admin\AppData\Local\Temp\f7f62498fbbe8864ff93b80d3e30ef58e27d36e16926c1df3315cce0644e3c83.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\dpdvp.exec:\dpdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\0822226.exec:\0822226.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\80042.exec:\80042.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\8224486.exec:\8224486.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\800042.exec:\800042.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\8800004.exec:\8800004.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\866044.exec:\866044.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\0248202.exec:\0248202.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\dvdpd.exec:\dvdpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\048226.exec:\048226.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\8004826.exec:\8004826.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\400020.exec:\400020.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\642600.exec:\642600.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\ddddd.exec:\ddddd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\2404826.exec:\2404826.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\dvdvj.exec:\dvdvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\2866482.exec:\2866482.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\060488.exec:\060488.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\48448.exec:\48448.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\0648488.exec:\0648488.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\xrrrllf.exec:\xrrrllf.exe23⤵
- Executes dropped EXE
PID:4600 -
\??\c:\4060044.exec:\4060044.exe24⤵
- Executes dropped EXE
PID:4968 -
\??\c:\e62626.exec:\e62626.exe25⤵
- Executes dropped EXE
PID:2520 -
\??\c:\4828888.exec:\4828888.exe26⤵
- Executes dropped EXE
PID:3508 -
\??\c:\bhnhbb.exec:\bhnhbb.exe27⤵
- Executes dropped EXE
PID:4128 -
\??\c:\6004880.exec:\6004880.exe28⤵
- Executes dropped EXE
PID:1924 -
\??\c:\624004.exec:\624004.exe29⤵
- Executes dropped EXE
PID:1140 -
\??\c:\nbtnhh.exec:\nbtnhh.exe30⤵
- Executes dropped EXE
PID:3928 -
\??\c:\84042.exec:\84042.exe31⤵
- Executes dropped EXE
PID:2264 -
\??\c:\86422.exec:\86422.exe32⤵
- Executes dropped EXE
PID:3572 -
\??\c:\2644440.exec:\2644440.exe33⤵
- Executes dropped EXE
PID:1812 -
\??\c:\7dpjj.exec:\7dpjj.exe34⤵
- Executes dropped EXE
PID:2320 -
\??\c:\lxffrrl.exec:\lxffrrl.exe35⤵
- Executes dropped EXE
PID:2488 -
\??\c:\xlxxrrl.exec:\xlxxrrl.exe36⤵
- Executes dropped EXE
PID:1112 -
\??\c:\pppjd.exec:\pppjd.exe37⤵
- Executes dropped EXE
PID:468 -
\??\c:\062600.exec:\062600.exe38⤵
- Executes dropped EXE
PID:1980 -
\??\c:\00260.exec:\00260.exe39⤵
- Executes dropped EXE
PID:3668 -
\??\c:\24660.exec:\24660.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3432 -
\??\c:\468024.exec:\468024.exe41⤵
- Executes dropped EXE
PID:1332 -
\??\c:\vpvpj.exec:\vpvpj.exe42⤵
- Executes dropped EXE
PID:4492 -
\??\c:\nntnnt.exec:\nntnnt.exe43⤵
- Executes dropped EXE
PID:1984 -
\??\c:\nhnhhh.exec:\nhnhhh.exe44⤵
- Executes dropped EXE
PID:4676 -
\??\c:\dvddd.exec:\dvddd.exe45⤵
- Executes dropped EXE
PID:4304 -
\??\c:\nhnnhh.exec:\nhnnhh.exe46⤵
- Executes dropped EXE
PID:2176 -
\??\c:\1frflfl.exec:\1frflfl.exe47⤵
- Executes dropped EXE
PID:4664 -
\??\c:\tbbtbt.exec:\tbbtbt.exe48⤵
- Executes dropped EXE
PID:2116 -
\??\c:\6060488.exec:\6060488.exe49⤵
- Executes dropped EXE
PID:4716 -
\??\c:\8204440.exec:\8204440.exe50⤵
- Executes dropped EXE
PID:2840 -
\??\c:\hhnnhn.exec:\hhnnhn.exe51⤵
- Executes dropped EXE
PID:1628 -
\??\c:\jjpjj.exec:\jjpjj.exe52⤵
- Executes dropped EXE
PID:4120 -
\??\c:\flrrlll.exec:\flrrlll.exe53⤵
- Executes dropped EXE
PID:2620 -
\??\c:\42048.exec:\42048.exe54⤵
- Executes dropped EXE
PID:3024 -
\??\c:\xrxfffx.exec:\xrxfffx.exe55⤵
- Executes dropped EXE
PID:2512 -
\??\c:\rrxrlfx.exec:\rrxrlfx.exe56⤵
- Executes dropped EXE
PID:4368 -
\??\c:\tnttnn.exec:\tnttnn.exe57⤵
- Executes dropped EXE
PID:4612 -
\??\c:\htntbb.exec:\htntbb.exe58⤵
- Executes dropped EXE
PID:3316 -
\??\c:\624866.exec:\624866.exe59⤵
- Executes dropped EXE
PID:4300 -
\??\c:\04480.exec:\04480.exe60⤵
- Executes dropped EXE
PID:4908 -
\??\c:\lflllll.exec:\lflllll.exe61⤵
- Executes dropped EXE
PID:3564 -
\??\c:\dvjdd.exec:\dvjdd.exe62⤵
- Executes dropped EXE
PID:1048 -
\??\c:\622266.exec:\622266.exe63⤵
- Executes dropped EXE
PID:2380 -
\??\c:\xffrlfx.exec:\xffrlfx.exe64⤵
- Executes dropped EXE
PID:1312 -
\??\c:\bhhbtt.exec:\bhhbtt.exe65⤵
- Executes dropped EXE
PID:3368 -
\??\c:\46826.exec:\46826.exe66⤵PID:3176
-
\??\c:\jjjjj.exec:\jjjjj.exe67⤵PID:2268
-
\??\c:\vppjd.exec:\vppjd.exe68⤵PID:2276
-
\??\c:\3ddpj.exec:\3ddpj.exe69⤵PID:3064
-
\??\c:\xffxxxx.exec:\xffxxxx.exe70⤵PID:1476
-
\??\c:\xxrlxrx.exec:\xxrlxrx.exe71⤵PID:4480
-
\??\c:\g0608.exec:\g0608.exe72⤵PID:4608
-
\??\c:\btbbtt.exec:\btbbtt.exe73⤵PID:1636
-
\??\c:\nhhhbt.exec:\nhhhbt.exe74⤵PID:1696
-
\??\c:\4022060.exec:\4022060.exe75⤵PID:1844
-
\??\c:\o404826.exec:\o404826.exe76⤵PID:1196
-
\??\c:\xxfrlfx.exec:\xxfrlfx.exe77⤵PID:1152
-
\??\c:\02882.exec:\02882.exe78⤵
- System Location Discovery: System Language Discovery
PID:2636 -
\??\c:\vjjpp.exec:\vjjpp.exe79⤵PID:3956
-
\??\c:\jdjvj.exec:\jdjvj.exe80⤵PID:3532
-
\??\c:\084860.exec:\084860.exe81⤵PID:4068
-
\??\c:\lllrfff.exec:\lllrfff.exe82⤵PID:3760
-
\??\c:\lrlrlff.exec:\lrlrlff.exe83⤵PID:4072
-
\??\c:\xxlfrlx.exec:\xxlfrlx.exe84⤵PID:1536
-
\??\c:\86264.exec:\86264.exe85⤵PID:3000
-
\??\c:\vpvpj.exec:\vpvpj.exe86⤵PID:372
-
\??\c:\fxlllxx.exec:\fxlllxx.exe87⤵PID:5108
-
\??\c:\8084660.exec:\8084660.exe88⤵PID:4124
-
\??\c:\pjdjd.exec:\pjdjd.exe89⤵PID:4456
-
\??\c:\dvddj.exec:\dvddj.exe90⤵PID:3684
-
\??\c:\646048.exec:\646048.exe91⤵PID:3268
-
\??\c:\8444882.exec:\8444882.exe92⤵PID:4312
-
\??\c:\lrfxffx.exec:\lrfxffx.exe93⤵PID:4468
-
\??\c:\064826.exec:\064826.exe94⤵PID:1052
-
\??\c:\40266.exec:\40266.exe95⤵PID:2936
-
\??\c:\20648.exec:\20648.exe96⤵PID:3436
-
\??\c:\bttnbb.exec:\bttnbb.exe97⤵PID:2120
-
\??\c:\284822.exec:\284822.exe98⤵PID:1280
-
\??\c:\xflfrrl.exec:\xflfrrl.exe99⤵PID:816
-
\??\c:\m8808.exec:\m8808.exe100⤵PID:4128
-
\??\c:\424880.exec:\424880.exe101⤵PID:2336
-
\??\c:\nhnnnh.exec:\nhnnnh.exe102⤵PID:2672
-
\??\c:\fxrllll.exec:\fxrllll.exe103⤵PID:1532
-
\??\c:\bbbttt.exec:\bbbttt.exe104⤵PID:4952
-
\??\c:\s6282.exec:\s6282.exe105⤵PID:4376
-
\??\c:\o282666.exec:\o282666.exe106⤵PID:1976
-
\??\c:\jdjjd.exec:\jdjjd.exe107⤵PID:2084
-
\??\c:\06448.exec:\06448.exe108⤵PID:1096
-
\??\c:\dvjdd.exec:\dvjdd.exe109⤵PID:4424
-
\??\c:\ffrlrrl.exec:\ffrlrrl.exe110⤵PID:3944
-
\??\c:\vjdvp.exec:\vjdvp.exe111⤵PID:2788
-
\??\c:\tthtnn.exec:\tthtnn.exe112⤵PID:1164
-
\??\c:\88444.exec:\88444.exe113⤵PID:436
-
\??\c:\a0648.exec:\a0648.exe114⤵PID:2596
-
\??\c:\jdjdv.exec:\jdjdv.exe115⤵PID:1876
-
\??\c:\vpppj.exec:\vpppj.exe116⤵PID:4784
-
\??\c:\g0660.exec:\g0660.exe117⤵PID:2540
-
\??\c:\tnhbtn.exec:\tnhbtn.exe118⤵PID:4868
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe119⤵PID:708
-
\??\c:\04000.exec:\04000.exe120⤵PID:320
-
\??\c:\00660.exec:\00660.exe121⤵PID:3924
-
\??\c:\0222600.exec:\0222600.exe122⤵PID:4308