Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 00:57
Static task
static1
1 signatures
Behavioral task
behavioral1 (note: the memory-dump and process IoCs reproduced below are labelled behavioral2 and reference the win10v2004 image described in the Analysis header, not this win7 resource; the win7 run's own results do not appear on this page)
Sample
9f48fa7bc50559c6ab05957248fe59794c67b4711a55b6d0a24ba2699a5fc275.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
9f48fa7bc50559c6ab05957248fe59794c67b4711a55b6d0a24ba2699a5fc275.exe
-
Size
456KB
-
MD5
40c6f98489d9475490e87702b7b6da72
-
SHA1
2a5d09692a8b578a9742c9de74eddc616da84c57
-
SHA256
9f48fa7bc50559c6ab05957248fe59794c67b4711a55b6d0a24ba2699a5fc275
-
SHA512
9bbbd816bad0466e4f294a3546d5298551600f89329ebe1279739a69c75b959953858b8205ca1d281c5ec2b0dc23fcde9b394e68a61e0f8cd9c57b68f8207d75
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRr:q7Tc2NYHUrAwfMp3CDRr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (YARA rule family_blackmoon matched on process memory dumps; every hit covers the same 0x0000000000400000-0x000000000042A000 image range in a different dropped process, consistent with each stage re-dropping a copy of the same payload)
resource yara_rule behavioral2/memory/2752-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2572-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2500-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-831-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-940-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-1165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1876-1193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the unlabelled yara list that follows the process table consists of `upx` rule hits on the same 0x0000000000400000-0x000000000042A000 memory regions, i.e. a UPX-packer indicator for the dropped payload)
pid Process 228 42048.exe 1500 0428400.exe 1980 dvdvp.exe 3928 4084000.exe 3528 rlrlffx.exe 2580 80866.exe 4292 lffxrxl.exe 4760 02408.exe 1924 6844888.exe 1572 4804062.exe 1876 xlfxxxx.exe 1192 6648006.exe 4524 lrxrxxx.exe 1408 8882220.exe 4472 628222.exe 4652 024400.exe 4772 8264228.exe 948 hnnhtt.exe 1300 4060442.exe 1808 xxxxxff.exe 4348 rlrrrxx.exe 3560 84482.exe 2196 jvvpp.exe 4684 dvddv.exe 2596 40804.exe 2572 8668080.exe 4224 1ffxrlx.exe 3744 lllfxrx.exe 4324 djppd.exe 2324 3ttnhb.exe 3436 rllllfx.exe 4980 9bnnhb.exe 4568 bhbnhb.exe 1540 s0886.exe 2336 7pdvd.exe 972 nttbtt.exe 2288 xffxlll.exe 4144 bnbtht.exe 2032 nhnhbb.exe 2796 5tnhtt.exe 2864 4648022.exe 1388 xrxrllf.exe 3080 640822.exe 2236 hnbhbh.exe 4088 lxffffx.exe 2984 5flfxxr.exe 3600 000826.exe 720 w80406.exe 3592 44082.exe 4240 o404488.exe 3204 htbnbt.exe 4592 djvjd.exe 2280 xrxrfxr.exe 1204 82484.exe 3384 rlrflfx.exe 2156 440482.exe 3812 jvdvj.exe 3872 4226600.exe 1480 8686266.exe 5116 pvjjd.exe 1392 2604660.exe 1720 ddjjv.exe 1088 hhthnh.exe 4992 frlfxxx.exe -
resource yara_rule behavioral2/memory/2752-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-181-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4324-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-397-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3208-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-754-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The sandbox ran with locale en-us; if the sample gates behaviour on the language value it reads here, a run under a different locale may behave differently.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0068004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e66488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 024660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 028822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264444.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0004264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes three times to the child it spawns next in the process tree; this pattern is also recorded for ordinary process creation, so on its own it does not prove code injection into an unrelated process)
description pid Process procid_target PID 2752 wrote to memory of 228 2752 9f48fa7bc50559c6ab05957248fe59794c67b4711a55b6d0a24ba2699a5fc275.exe 83 PID 2752 wrote to memory of 228 2752 9f48fa7bc50559c6ab05957248fe59794c67b4711a55b6d0a24ba2699a5fc275.exe 83 PID 2752 wrote to memory of 228 2752 9f48fa7bc50559c6ab05957248fe59794c67b4711a55b6d0a24ba2699a5fc275.exe 83 PID 228 wrote to memory of 1500 228 42048.exe 84 PID 228 wrote to memory of 1500 228 42048.exe 84 PID 228 wrote to memory of 1500 228 42048.exe 84 PID 1500 wrote to memory of 1980 1500 0428400.exe 85 PID 1500 wrote to memory of 1980 1500 0428400.exe 85 PID 1500 wrote to memory of 1980 1500 0428400.exe 85 PID 1980 wrote to memory of 3928 1980 dvdvp.exe 86 PID 1980 wrote to memory of 3928 1980 dvdvp.exe 86 PID 1980 wrote to memory of 3928 1980 dvdvp.exe 86 PID 3928 wrote to memory of 3528 3928 4084000.exe 87 PID 3928 wrote to memory of 3528 3928 4084000.exe 87 PID 3928 wrote to memory of 3528 3928 4084000.exe 87 PID 3528 wrote to memory of 2580 3528 rlrlffx.exe 88 PID 3528 wrote to memory of 2580 3528 rlrlffx.exe 88 PID 3528 wrote to memory of 2580 3528 rlrlffx.exe 88 PID 2580 wrote to memory of 4292 2580 80866.exe 89 PID 2580 wrote to memory of 4292 2580 80866.exe 89 PID 2580 wrote to memory of 4292 2580 80866.exe 89 PID 4292 wrote to memory of 4760 4292 lffxrxl.exe 90 PID 4292 wrote to memory of 4760 4292 lffxrxl.exe 90 PID 4292 wrote to memory of 4760 4292 lffxrxl.exe 90 PID 4760 wrote to memory of 1924 4760 02408.exe 91 PID 4760 wrote to memory of 1924 4760 02408.exe 91 PID 4760 wrote to memory of 1924 4760 02408.exe 91 PID 1924 wrote to memory of 1572 1924 6844888.exe 92 PID 1924 wrote to memory of 1572 1924 6844888.exe 92 PID 1924 wrote to memory of 1572 1924 6844888.exe 92 PID 1572 wrote to memory of 1876 1572 4804062.exe 93 PID 1572 wrote to memory of 1876 1572 4804062.exe 93 PID 1572 wrote to memory of 1876 1572 4804062.exe 93 PID 1876 wrote to memory of 1192 1876 xlfxxxx.exe 94 PID 1876 wrote to 
memory of 1192 1876 xlfxxxx.exe 94 PID 1876 wrote to memory of 1192 1876 xlfxxxx.exe 94 PID 1192 wrote to memory of 4524 1192 6648006.exe 95 PID 1192 wrote to memory of 4524 1192 6648006.exe 95 PID 1192 wrote to memory of 4524 1192 6648006.exe 95 PID 4524 wrote to memory of 1408 4524 lrxrxxx.exe 96 PID 4524 wrote to memory of 1408 4524 lrxrxxx.exe 96 PID 4524 wrote to memory of 1408 4524 lrxrxxx.exe 96 PID 1408 wrote to memory of 4472 1408 8882220.exe 97 PID 1408 wrote to memory of 4472 1408 8882220.exe 97 PID 1408 wrote to memory of 4472 1408 8882220.exe 97 PID 4472 wrote to memory of 4652 4472 628222.exe 98 PID 4472 wrote to memory of 4652 4472 628222.exe 98 PID 4472 wrote to memory of 4652 4472 628222.exe 98 PID 4652 wrote to memory of 4772 4652 024400.exe 99 PID 4652 wrote to memory of 4772 4652 024400.exe 99 PID 4652 wrote to memory of 4772 4652 024400.exe 99 PID 4772 wrote to memory of 948 4772 8264228.exe 100 PID 4772 wrote to memory of 948 4772 8264228.exe 100 PID 4772 wrote to memory of 948 4772 8264228.exe 100 PID 948 wrote to memory of 1300 948 hnnhtt.exe 101 PID 948 wrote to memory of 1300 948 hnnhtt.exe 101 PID 948 wrote to memory of 1300 948 hnnhtt.exe 101 PID 1300 wrote to memory of 1808 1300 4060442.exe 102 PID 1300 wrote to memory of 1808 1300 4060442.exe 102 PID 1300 wrote to memory of 1808 1300 4060442.exe 102 PID 1808 wrote to memory of 4348 1808 xxxxxff.exe 103 PID 1808 wrote to memory of 4348 1808 xxxxxff.exe 103 PID 1808 wrote to memory of 4348 1808 xxxxxff.exe 103 PID 4348 wrote to memory of 3560 4348 rlrrrxx.exe 104
Processes (parent→child chain as recorded by the sandbox: each dropped executable is written to the root of C:\ and launches the next one, 122 levels deep within the 150-second run)
-
C:\Users\Admin\AppData\Local\Temp\9f48fa7bc50559c6ab05957248fe59794c67b4711a55b6d0a24ba2699a5fc275.exe"C:\Users\Admin\AppData\Local\Temp\9f48fa7bc50559c6ab05957248fe59794c67b4711a55b6d0a24ba2699a5fc275.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\42048.exec:\42048.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\0428400.exec:\0428400.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\dvdvp.exec:\dvdvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\4084000.exec:\4084000.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\rlrlffx.exec:\rlrlffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\80866.exec:\80866.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\lffxrxl.exec:\lffxrxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\02408.exec:\02408.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\6844888.exec:\6844888.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\4804062.exec:\4804062.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\xlfxxxx.exec:\xlfxxxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\6648006.exec:\6648006.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\lrxrxxx.exec:\lrxrxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\8882220.exec:\8882220.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\628222.exec:\628222.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\024400.exec:\024400.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\8264228.exec:\8264228.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\hnnhtt.exec:\hnnhtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\4060442.exec:\4060442.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\xxxxxff.exec:\xxxxxff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\rlrrrxx.exec:\rlrrrxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\84482.exec:\84482.exe23⤵
- Executes dropped EXE
PID:3560 -
\??\c:\jvvpp.exec:\jvvpp.exe24⤵
- Executes dropped EXE
PID:2196 -
\??\c:\dvddv.exec:\dvddv.exe25⤵
- Executes dropped EXE
PID:4684 -
\??\c:\40804.exec:\40804.exe26⤵
- Executes dropped EXE
PID:2596 -
\??\c:\8668080.exec:\8668080.exe27⤵
- Executes dropped EXE
PID:2572 -
\??\c:\1ffxrlx.exec:\1ffxrlx.exe28⤵
- Executes dropped EXE
PID:4224 -
\??\c:\lllfxrx.exec:\lllfxrx.exe29⤵
- Executes dropped EXE
PID:3744 -
\??\c:\djppd.exec:\djppd.exe30⤵
- Executes dropped EXE
PID:4324 -
\??\c:\3ttnhb.exec:\3ttnhb.exe31⤵
- Executes dropped EXE
PID:2324 -
\??\c:\rllllfx.exec:\rllllfx.exe32⤵
- Executes dropped EXE
PID:3436 -
\??\c:\9bnnhb.exec:\9bnnhb.exe33⤵
- Executes dropped EXE
PID:4980 -
\??\c:\bhbnhb.exec:\bhbnhb.exe34⤵
- Executes dropped EXE
PID:4568 -
\??\c:\s0886.exec:\s0886.exe35⤵
- Executes dropped EXE
PID:1540 -
\??\c:\7pdvd.exec:\7pdvd.exe36⤵
- Executes dropped EXE
PID:2336 -
\??\c:\nttbtt.exec:\nttbtt.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:972 -
\??\c:\xffxlll.exec:\xffxlll.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2288 -
\??\c:\bnbtht.exec:\bnbtht.exe39⤵
- Executes dropped EXE
PID:4144 -
\??\c:\nhnhbb.exec:\nhnhbb.exe40⤵
- Executes dropped EXE
PID:2032 -
\??\c:\5tnhtt.exec:\5tnhtt.exe41⤵
- Executes dropped EXE
PID:2796 -
\??\c:\4648022.exec:\4648022.exe42⤵
- Executes dropped EXE
PID:2864 -
\??\c:\xrxrllf.exec:\xrxrllf.exe43⤵
- Executes dropped EXE
PID:1388 -
\??\c:\640822.exec:\640822.exe44⤵
- Executes dropped EXE
PID:3080 -
\??\c:\hnbhbh.exec:\hnbhbh.exe45⤵
- Executes dropped EXE
PID:2236 -
\??\c:\lxffffx.exec:\lxffffx.exe46⤵
- Executes dropped EXE
PID:4088 -
\??\c:\5flfxxr.exec:\5flfxxr.exe47⤵
- Executes dropped EXE
PID:2984 -
\??\c:\000826.exec:\000826.exe48⤵
- Executes dropped EXE
PID:3600 -
\??\c:\w80406.exec:\w80406.exe49⤵
- Executes dropped EXE
PID:720 -
\??\c:\44082.exec:\44082.exe50⤵
- Executes dropped EXE
PID:3592 -
\??\c:\o404488.exec:\o404488.exe51⤵
- Executes dropped EXE
PID:4240 -
\??\c:\htbnbt.exec:\htbnbt.exe52⤵
- Executes dropped EXE
PID:3204 -
\??\c:\djvjd.exec:\djvjd.exe53⤵
- Executes dropped EXE
PID:4592 -
\??\c:\xrxrfxr.exec:\xrxrfxr.exe54⤵
- Executes dropped EXE
PID:2280 -
\??\c:\82484.exec:\82484.exe55⤵
- Executes dropped EXE
PID:1204 -
\??\c:\rlrflfx.exec:\rlrflfx.exe56⤵
- Executes dropped EXE
PID:3384 -
\??\c:\440482.exec:\440482.exe57⤵
- Executes dropped EXE
PID:2156 -
\??\c:\jvdvj.exec:\jvdvj.exe58⤵
- Executes dropped EXE
PID:3812 -
\??\c:\4226600.exec:\4226600.exe59⤵
- Executes dropped EXE
PID:3872 -
\??\c:\8686266.exec:\8686266.exe60⤵
- Executes dropped EXE
PID:1480 -
\??\c:\pvjjd.exec:\pvjjd.exe61⤵
- Executes dropped EXE
PID:5116 -
\??\c:\2604660.exec:\2604660.exe62⤵
- Executes dropped EXE
PID:1392 -
\??\c:\ddjjv.exec:\ddjjv.exe63⤵
- Executes dropped EXE
PID:1720 -
\??\c:\hhthnh.exec:\hhthnh.exe64⤵
- Executes dropped EXE
PID:1088 -
\??\c:\frlfxxx.exec:\frlfxxx.exe65⤵
- Executes dropped EXE
PID:4992 -
\??\c:\bhnhtt.exec:\bhnhtt.exe66⤵PID:4636
-
\??\c:\i448604.exec:\i448604.exe67⤵PID:2500
-
\??\c:\224040.exec:\224040.exe68⤵PID:4584
-
\??\c:\lrlffxx.exec:\lrlffxx.exe69⤵PID:1180
-
\??\c:\hhhhbb.exec:\hhhhbb.exe70⤵PID:1816
-
\??\c:\m4486.exec:\m4486.exe71⤵PID:3624
-
\??\c:\fflfllr.exec:\fflfllr.exe72⤵PID:3756
-
\??\c:\9ppdv.exec:\9ppdv.exe73⤵PID:4828
-
\??\c:\660800.exec:\660800.exe74⤵PID:2384
-
\??\c:\7rrlfff.exec:\7rrlfff.exe75⤵PID:2476
-
\??\c:\ttttnn.exec:\ttttnn.exe76⤵PID:1896
-
\??\c:\6060600.exec:\6060600.exe77⤵PID:4348
-
\??\c:\4844888.exec:\4844888.exe78⤵PID:1932
-
\??\c:\8282880.exec:\8282880.exe79⤵PID:624
-
\??\c:\9bhbbb.exec:\9bhbbb.exe80⤵PID:3000
-
\??\c:\rfrllff.exec:\rfrllff.exe81⤵PID:1920
-
\??\c:\88482.exec:\88482.exe82⤵PID:4052
-
\??\c:\686244.exec:\686244.exe83⤵PID:4364
-
\??\c:\bbhnnt.exec:\bbhnnt.exe84⤵PID:3908
-
\??\c:\rrrrlll.exec:\rrrrlll.exe85⤵PID:1964
-
\??\c:\862488.exec:\862488.exe86⤵PID:3744
-
\??\c:\nbnbhh.exec:\nbnbhh.exe87⤵
- System Location Discovery: System Language Discovery
PID:1320 -
\??\c:\pvjdd.exec:\pvjdd.exe88⤵PID:2488
-
\??\c:\g8422.exec:\g8422.exe89⤵PID:2260
-
\??\c:\dppdd.exec:\dppdd.exe90⤵PID:1004
-
\??\c:\nbbtbt.exec:\nbbtbt.exe91⤵PID:1276
-
\??\c:\80204.exec:\80204.exe92⤵PID:404
-
\??\c:\60600.exec:\60600.exe93⤵PID:4988
-
\??\c:\82226.exec:\82226.exe94⤵PID:2012
-
\??\c:\s4606.exec:\s4606.exe95⤵PID:1892
-
\??\c:\rrrrlrl.exec:\rrrrlrl.exe96⤵PID:3316
-
\??\c:\o848226.exec:\o848226.exe97⤵PID:3208
-
\??\c:\lrxlffl.exec:\lrxlffl.exe98⤵PID:2104
-
\??\c:\222682.exec:\222682.exe99⤵PID:2644
-
\??\c:\bhnntb.exec:\bhnntb.exe100⤵PID:4060
-
\??\c:\622626.exec:\622626.exe101⤵PID:4188
-
\??\c:\jjpdj.exec:\jjpdj.exe102⤵PID:3884
-
\??\c:\5bthbb.exec:\5bthbb.exe103⤵PID:3184
-
\??\c:\8480842.exec:\8480842.exe104⤵PID:4432
-
\??\c:\rxllfff.exec:\rxllfff.exe105⤵PID:860
-
\??\c:\002222.exec:\002222.exe106⤵PID:4340
-
\??\c:\088664.exec:\088664.exe107⤵PID:3796
-
\??\c:\6086600.exec:\6086600.exe108⤵PID:3600
-
\??\c:\40644.exec:\40644.exe109⤵PID:2480
-
\??\c:\46266.exec:\46266.exe110⤵PID:1500
-
\??\c:\24406.exec:\24406.exe111⤵PID:2024
-
\??\c:\82604.exec:\82604.exe112⤵PID:1980
-
\??\c:\6282000.exec:\6282000.exe113⤵PID:964
-
\??\c:\2420026.exec:\2420026.exe114⤵PID:3720
-
\??\c:\86604.exec:\86604.exe115⤵PID:844
-
\??\c:\m6264.exec:\m6264.exe116⤵PID:4764
-
\??\c:\tntnht.exec:\tntnht.exe117⤵PID:3824
-
\??\c:\1tnnhb.exec:\1tnnhb.exe118⤵PID:2264
-
\??\c:\bbttnn.exec:\bbttnn.exe119⤵PID:3872
-
\??\c:\nhhbtb.exec:\nhhbtb.exe120⤵PID:2880
-
\??\c:\3jdvp.exec:\3jdvp.exe121⤵PID:3840
-
\??\c:\vpddd.exec:\vpddd.exe122⤵PID:2556