Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
19-12-2024 22:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
31361a9ea82726e631b7317dcc2d3fe10df57e5c370a97e03ebf764071cb9638.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
31361a9ea82726e631b7317dcc2d3fe10df57e5c370a97e03ebf764071cb9638.exe
-
Size
453KB
-
MD5
82ef3b69ce334a2addbbb2c2f1513f94
-
SHA1
7894dde28b156bd8b6a7c094eae645e7c72c413f
-
SHA256
31361a9ea82726e631b7317dcc2d3fe10df57e5c370a97e03ebf764071cb9638
-
SHA512
581a8e35c1dbab70d1c9b53b02dbaefb9c9abb039b5b4675a97911ef417159d891e6540abd6768993934bdeafc86385a6d70dc127869cb0b727b1cb8cae0c344
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4860-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3572-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4932-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-895-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-1109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-1113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3528-1418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3388 m6862.exe 1964 lrxlfxx.exe 4100 djjvj.exe 1096 8486486.exe 1764 vpjjv.exe 5092 hhhhhh.exe 3604 rlfrfxf.exe 1868 xrfxxrr.exe 712 628260.exe 2608 8404226.exe 5048 28482.exe 2596 8220048.exe 3720 88604.exe 5020 9dppj.exe 1200 4028882.exe 4972 m8886.exe 3032 lrrlfxr.exe 4908 a2268.exe 5040 ddjdv.exe 4312 482204.exe 1684 006426.exe 2440 ntbhth.exe 4932 a0204.exe 4884 7bhbtb.exe 3980 djjvp.exe 5036 htnnhn.exe 2640 28048.exe 3624 bhnttb.exe 4648 84048.exe 3572 64448.exe 4636 vdjjd.exe 2724 nhhbtn.exe 2920 04666.exe 3480 1thtnh.exe 348 0060822.exe 1988 pjjdv.exe 4156 02828.exe 1372 g0260.exe 2800 4404004.exe 5072 9ntnnn.exe 2840 vvpjd.exe 4456 64640.exe 3308 pppjj.exe 4428 428222.exe 4144 lffxrrl.exe 3448 42208.exe 3628 bbhbtt.exe 2632 thbtbt.exe 1096 3jdvp.exe 2684 xffxrlf.exe 4900 8620448.exe 3888 w68666.exe 1440 26664.exe 4352 pjpdd.exe 400 thhtht.exe 1364 a0648.exe 2208 64628.exe 468 64082.exe 2796 0848604.exe 3932 xlrflxf.exe 388 m2220.exe 2956 40604.exe 4148 g2486.exe 4804 4820408.exe -
resource yara_rule behavioral2/memory/4860-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3572-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-382-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1852-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-792-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o288848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2684628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4222662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u620820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q82620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w04804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6488222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4860 wrote to memory of 3388 4860 31361a9ea82726e631b7317dcc2d3fe10df57e5c370a97e03ebf764071cb9638.exe 85 PID 4860 wrote to memory of 3388 4860 31361a9ea82726e631b7317dcc2d3fe10df57e5c370a97e03ebf764071cb9638.exe 85 PID 4860 wrote to memory of 3388 4860 31361a9ea82726e631b7317dcc2d3fe10df57e5c370a97e03ebf764071cb9638.exe 85 PID 3388 wrote to memory of 1964 3388 m6862.exe 86 PID 3388 wrote to memory of 1964 3388 m6862.exe 86 PID 3388 wrote to memory of 1964 3388 m6862.exe 86 PID 1964 wrote to memory of 4100 1964 lrxlfxx.exe 87 PID 1964 wrote to memory of 4100 1964 lrxlfxx.exe 87 PID 1964 wrote to memory of 4100 1964 lrxlfxx.exe 87 PID 4100 wrote to memory of 1096 4100 djjvj.exe 88 PID 4100 wrote to memory of 1096 4100 djjvj.exe 88 PID 4100 wrote to memory of 1096 4100 djjvj.exe 88 PID 1096 wrote to memory of 1764 1096 8486486.exe 89 PID 1096 wrote to memory of 1764 1096 8486486.exe 89 PID 1096 wrote to memory of 1764 1096 8486486.exe 89 PID 1764 wrote to memory of 5092 1764 vpjjv.exe 90 PID 1764 wrote to memory of 5092 1764 vpjjv.exe 90 PID 1764 wrote to memory of 5092 1764 vpjjv.exe 90 PID 5092 wrote to memory of 3604 5092 hhhhhh.exe 91 PID 5092 wrote to memory of 3604 5092 hhhhhh.exe 91 PID 5092 wrote to memory of 3604 5092 hhhhhh.exe 91 PID 3604 wrote to memory of 1868 3604 rlfrfxf.exe 92 PID 3604 wrote to memory of 1868 3604 rlfrfxf.exe 92 PID 3604 wrote to memory of 1868 3604 rlfrfxf.exe 92 PID 1868 wrote to memory of 712 1868 xrfxxrr.exe 93 PID 1868 wrote to memory of 712 1868 xrfxxrr.exe 93 PID 1868 wrote to memory of 712 1868 xrfxxrr.exe 93 PID 712 wrote to memory of 2608 712 628260.exe 94 PID 712 wrote to memory of 2608 712 628260.exe 94 PID 712 wrote to memory of 2608 712 628260.exe 94 PID 2608 wrote to memory of 5048 2608 8404226.exe 95 PID 2608 wrote to memory of 5048 2608 8404226.exe 95 PID 2608 wrote to memory of 5048 2608 8404226.exe 95 PID 5048 wrote to memory of 2596 5048 28482.exe 96 PID 5048 wrote to 
memory of 2596 5048 28482.exe 96 PID 5048 wrote to memory of 2596 5048 28482.exe 96 PID 2596 wrote to memory of 3720 2596 8220048.exe 97 PID 2596 wrote to memory of 3720 2596 8220048.exe 97 PID 2596 wrote to memory of 3720 2596 8220048.exe 97 PID 3720 wrote to memory of 5020 3720 88604.exe 98 PID 3720 wrote to memory of 5020 3720 88604.exe 98 PID 3720 wrote to memory of 5020 3720 88604.exe 98 PID 5020 wrote to memory of 1200 5020 9dppj.exe 99 PID 5020 wrote to memory of 1200 5020 9dppj.exe 99 PID 5020 wrote to memory of 1200 5020 9dppj.exe 99 PID 1200 wrote to memory of 4972 1200 4028882.exe 100 PID 1200 wrote to memory of 4972 1200 4028882.exe 100 PID 1200 wrote to memory of 4972 1200 4028882.exe 100 PID 4972 wrote to memory of 3032 4972 m8886.exe 101 PID 4972 wrote to memory of 3032 4972 m8886.exe 101 PID 4972 wrote to memory of 3032 4972 m8886.exe 101 PID 3032 wrote to memory of 4908 3032 lrrlfxr.exe 102 PID 3032 wrote to memory of 4908 3032 lrrlfxr.exe 102 PID 3032 wrote to memory of 4908 3032 lrrlfxr.exe 102 PID 4908 wrote to memory of 5040 4908 a2268.exe 103 PID 4908 wrote to memory of 5040 4908 a2268.exe 103 PID 4908 wrote to memory of 5040 4908 a2268.exe 103 PID 5040 wrote to memory of 4312 5040 ddjdv.exe 104 PID 5040 wrote to memory of 4312 5040 ddjdv.exe 104 PID 5040 wrote to memory of 4312 5040 ddjdv.exe 104 PID 4312 wrote to memory of 1684 4312 482204.exe 105 PID 4312 wrote to memory of 1684 4312 482204.exe 105 PID 4312 wrote to memory of 1684 4312 482204.exe 105 PID 1684 wrote to memory of 2440 1684 006426.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\31361a9ea82726e631b7317dcc2d3fe10df57e5c370a97e03ebf764071cb9638.exe"C:\Users\Admin\AppData\Local\Temp\31361a9ea82726e631b7317dcc2d3fe10df57e5c370a97e03ebf764071cb9638.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\m6862.exec:\m6862.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\lrxlfxx.exec:\lrxlfxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\djjvj.exec:\djjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\8486486.exec:\8486486.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\vpjjv.exec:\vpjjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\hhhhhh.exec:\hhhhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\rlfrfxf.exec:\rlfrfxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\xrfxxrr.exec:\xrfxxrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\628260.exec:\628260.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\8404226.exec:\8404226.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\28482.exec:\28482.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\8220048.exec:\8220048.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\88604.exec:\88604.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\9dppj.exec:\9dppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\4028882.exec:\4028882.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\m8886.exec:\m8886.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\lrrlfxr.exec:\lrrlfxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\a2268.exec:\a2268.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\ddjdv.exec:\ddjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\482204.exec:\482204.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\006426.exec:\006426.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\ntbhth.exec:\ntbhth.exe23⤵
- Executes dropped EXE
PID:2440 -
\??\c:\a0204.exec:\a0204.exe24⤵
- Executes dropped EXE
PID:4932 -
\??\c:\7bhbtb.exec:\7bhbtb.exe25⤵
- Executes dropped EXE
PID:4884 -
\??\c:\djjvp.exec:\djjvp.exe26⤵
- Executes dropped EXE
PID:3980 -
\??\c:\htnnhn.exec:\htnnhn.exe27⤵
- Executes dropped EXE
PID:5036 -
\??\c:\28048.exec:\28048.exe28⤵
- Executes dropped EXE
PID:2640 -
\??\c:\bhnttb.exec:\bhnttb.exe29⤵
- Executes dropped EXE
PID:3624 -
\??\c:\84048.exec:\84048.exe30⤵
- Executes dropped EXE
PID:4648 -
\??\c:\64448.exec:\64448.exe31⤵
- Executes dropped EXE
PID:3572 -
\??\c:\vdjjd.exec:\vdjjd.exe32⤵
- Executes dropped EXE
PID:4636 -
\??\c:\nhhbtn.exec:\nhhbtn.exe33⤵
- Executes dropped EXE
PID:2724 -
\??\c:\04666.exec:\04666.exe34⤵
- Executes dropped EXE
PID:2920 -
\??\c:\1thtnh.exec:\1thtnh.exe35⤵
- Executes dropped EXE
PID:3480 -
\??\c:\0060822.exec:\0060822.exe36⤵
- Executes dropped EXE
PID:348 -
\??\c:\pjjdv.exec:\pjjdv.exe37⤵
- Executes dropped EXE
PID:1988 -
\??\c:\02828.exec:\02828.exe38⤵
- Executes dropped EXE
PID:4156 -
\??\c:\g0260.exec:\g0260.exe39⤵
- Executes dropped EXE
PID:1372 -
\??\c:\w62000.exec:\w62000.exe40⤵PID:4412
-
\??\c:\4404004.exec:\4404004.exe41⤵
- Executes dropped EXE
PID:2800 -
\??\c:\9ntnnn.exec:\9ntnnn.exe42⤵
- Executes dropped EXE
PID:5072 -
\??\c:\vvpjd.exec:\vvpjd.exe43⤵
- Executes dropped EXE
PID:2840 -
\??\c:\64640.exec:\64640.exe44⤵
- Executes dropped EXE
PID:4456 -
\??\c:\pppjj.exec:\pppjj.exe45⤵
- Executes dropped EXE
PID:3308 -
\??\c:\428222.exec:\428222.exe46⤵
- Executes dropped EXE
PID:4428 -
\??\c:\lffxrrl.exec:\lffxrrl.exe47⤵
- Executes dropped EXE
PID:4144 -
\??\c:\42208.exec:\42208.exe48⤵
- Executes dropped EXE
PID:3448 -
\??\c:\bbhbtt.exec:\bbhbtt.exe49⤵
- Executes dropped EXE
PID:3628 -
\??\c:\thbtbt.exec:\thbtbt.exe50⤵
- Executes dropped EXE
PID:2632 -
\??\c:\3jdvp.exec:\3jdvp.exe51⤵
- Executes dropped EXE
PID:1096 -
\??\c:\xffxrlf.exec:\xffxrlf.exe52⤵
- Executes dropped EXE
PID:2684 -
\??\c:\8620448.exec:\8620448.exe53⤵
- Executes dropped EXE
PID:4900 -
\??\c:\w68666.exec:\w68666.exe54⤵
- Executes dropped EXE
PID:3888 -
\??\c:\26664.exec:\26664.exe55⤵
- Executes dropped EXE
PID:1440 -
\??\c:\pjpdd.exec:\pjpdd.exe56⤵
- Executes dropped EXE
PID:4352 -
\??\c:\thhtht.exec:\thhtht.exe57⤵
- Executes dropped EXE
PID:400 -
\??\c:\a0648.exec:\a0648.exe58⤵
- Executes dropped EXE
PID:1364 -
\??\c:\64628.exec:\64628.exe59⤵
- Executes dropped EXE
PID:2208 -
\??\c:\64082.exec:\64082.exe60⤵
- Executes dropped EXE
PID:468 -
\??\c:\0848604.exec:\0848604.exe61⤵
- Executes dropped EXE
PID:2796 -
\??\c:\xlrflxf.exec:\xlrflxf.exe62⤵
- Executes dropped EXE
PID:3932 -
\??\c:\m2220.exec:\m2220.exe63⤵
- Executes dropped EXE
PID:388 -
\??\c:\40604.exec:\40604.exe64⤵
- Executes dropped EXE
PID:2956 -
\??\c:\g2486.exec:\g2486.exe65⤵
- Executes dropped EXE
PID:4148 -
\??\c:\4820408.exec:\4820408.exe66⤵
- Executes dropped EXE
PID:4804 -
\??\c:\240024.exec:\240024.exe67⤵PID:3868
-
\??\c:\flrlxxl.exec:\flrlxxl.exe68⤵PID:1628
-
\??\c:\42604.exec:\42604.exe69⤵PID:2884
-
\??\c:\tnnnhh.exec:\tnnnhh.exe70⤵PID:4972
-
\??\c:\4882660.exec:\4882660.exe71⤵PID:2100
-
\??\c:\840422.exec:\840422.exe72⤵PID:2176
-
\??\c:\1xfrrrr.exec:\1xfrrrr.exe73⤵PID:4828
-
\??\c:\0824882.exec:\0824882.exe74⤵PID:2900
-
\??\c:\pddvp.exec:\pddvp.exe75⤵PID:5040
-
\??\c:\08808.exec:\08808.exe76⤵PID:4312
-
\??\c:\s2286.exec:\s2286.exe77⤵PID:3028
-
\??\c:\ddjdv.exec:\ddjdv.exe78⤵PID:3284
-
\??\c:\9hbhtt.exec:\9hbhtt.exe79⤵PID:3536
-
\??\c:\xrlfrrl.exec:\xrlfrrl.exe80⤵PID:4208
-
\??\c:\9dvdv.exec:\9dvdv.exe81⤵PID:4932
-
\??\c:\806604.exec:\806604.exe82⤵PID:4084
-
\??\c:\628226.exec:\628226.exe83⤵PID:1032
-
\??\c:\08886.exec:\08886.exe84⤵PID:2712
-
\??\c:\5xrfrrl.exec:\5xrfrrl.exe85⤵PID:8
-
\??\c:\vjjdv.exec:\vjjdv.exe86⤵PID:5036
-
\??\c:\86242.exec:\86242.exe87⤵PID:5056
-
\??\c:\e46042.exec:\e46042.exe88⤵PID:4320
-
\??\c:\8804264.exec:\8804264.exe89⤵PID:2024
-
\??\c:\lxxfrll.exec:\lxxfrll.exe90⤵PID:4648
-
\??\c:\402048.exec:\402048.exe91⤵PID:3768
-
\??\c:\httnnh.exec:\httnnh.exe92⤵PID:1852
-
\??\c:\000426.exec:\000426.exe93⤵PID:4636
-
\??\c:\86466.exec:\86466.exe94⤵PID:2724
-
\??\c:\806008.exec:\806008.exe95⤵PID:2920
-
\??\c:\e00804.exec:\e00804.exe96⤵PID:3480
-
\??\c:\thnhtn.exec:\thnhtn.exe97⤵PID:2740
-
\??\c:\jvdpj.exec:\jvdpj.exe98⤵PID:1784
-
\??\c:\ppvjd.exec:\ppvjd.exe99⤵PID:3692
-
\??\c:\hnnbnt.exec:\hnnbnt.exe100⤵PID:64
-
\??\c:\464242.exec:\464242.exe101⤵PID:4416
-
\??\c:\e06826.exec:\e06826.exe102⤵PID:4856
-
\??\c:\7hhbnh.exec:\7hhbnh.exe103⤵PID:4136
-
\??\c:\jvdpv.exec:\jvdpv.exe104⤵PID:1648
-
\??\c:\88422.exec:\88422.exe105⤵PID:4764
-
\??\c:\84048.exec:\84048.exe106⤵PID:2600
-
\??\c:\08420.exec:\08420.exe107⤵PID:4960
-
\??\c:\w24822.exec:\w24822.exe108⤵PID:4428
-
\??\c:\0686044.exec:\0686044.exe109⤵PID:3188
-
\??\c:\jvvjd.exec:\jvvjd.exe110⤵PID:3448
-
\??\c:\w80260.exec:\w80260.exe111⤵PID:1088
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe112⤵PID:2632
-
\??\c:\dvvpd.exec:\dvvpd.exe113⤵PID:1920
-
\??\c:\nbbhnt.exec:\nbbhnt.exe114⤵PID:4524
-
\??\c:\9xfxlff.exec:\9xfxlff.exe115⤵PID:3160
-
\??\c:\flrxxlx.exec:\flrxxlx.exe116⤵PID:3888
-
\??\c:\ddjdp.exec:\ddjdp.exe117⤵PID:1440
-
\??\c:\44426.exec:\44426.exe118⤵PID:1804
-
\??\c:\86288.exec:\86288.exe119⤵PID:1848
-
\??\c:\vjjdj.exec:\vjjdj.exe120⤵PID:3576
-
\??\c:\4282828.exec:\4282828.exe121⤵PID:3864
-
\??\c:\m2242.exec:\m2242.exe122⤵PID:2856
-