Analysis
-
max time kernel
120s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
19-12-2024 01:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0f34f40599eb2f2414e6561e5c20289d5211435281ed1d4281276e699de45495.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
0f34f40599eb2f2414e6561e5c20289d5211435281ed1d4281276e699de45495.exe
-
Size
453KB
-
MD5
fad318d505929d97baf0f6bd0d0e2967
-
SHA1
41290d12401f6c05b5f097131b358751ac0b452b
-
SHA256
0f34f40599eb2f2414e6561e5c20289d5211435281ed1d4281276e699de45495
-
SHA512
3f4c768b86a83985a010d9080f1799480e52de6d81b7d19ea8f51d96ec8d7c7e137e59b8ebd49a509eadc8a3334f09a9098bf030a2f904d497b9514164b25ee3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1700-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4052-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3436-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-793-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-1067-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-1300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-1331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-1426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-1520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4976 6482266.exe 4420 thtnnh.exe 2168 462608.exe 3432 vvjvj.exe 3864 xfxrlfx.exe 4832 pppvp.exe 4492 86604.exe 2736 vjvvv.exe 2496 000600.exe 3436 k28262.exe 2652 3bhbbb.exe 2416 2800422.exe 4000 lxfxfrl.exe 3804 lxxxrrr.exe 528 7xxxxlf.exe 5040 vvppj.exe 4516 dvvpp.exe 2016 jpvjd.exe 3284 06882.exe 1848 86220.exe 5080 0002666.exe 1612 620044.exe 3244 5hhbnn.exe 536 dpvpj.exe 4052 dvpjj.exe 3732 vpvpp.exe 5024 6048882.exe 1396 8444888.exe 2860 6660826.exe 3836 lrlfrlf.exe 916 08266.exe 3140 vjdvd.exe 4380 2442042.exe 3032 6008262.exe 1656 5hnhhb.exe 2880 bttbnb.exe 4788 htnbnh.exe 2768 lfrlfll.exe 4148 rffrlxl.exe 3192 3tnbht.exe 2664 1flfxxr.exe 8 862222.exe 2784 jpvjp.exe 808 4844884.exe 3224 2660448.exe 3676 vvvvp.exe 3656 w84608.exe 4104 48606.exe 952 frxrfxr.exe 232 thntnn.exe 4084 i626000.exe 4896 rflrxlx.exe 1836 280448.exe 3268 4888440.exe 2908 086420.exe 2168 5nhthb.exe 1248 vpvpj.exe 348 1nbtnt.exe 1568 2066004.exe 3936 62260.exe 968 6448204.exe 880 rxfxxfx.exe 3132 hnnhbb.exe 2004 226026.exe -
resource yara_rule behavioral2/memory/1700-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3732-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-338-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3664-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-793-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fffrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 244424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o666266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e28824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rllffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1700 wrote to memory of 4976 1700 0f34f40599eb2f2414e6561e5c20289d5211435281ed1d4281276e699de45495.exe 83 PID 1700 wrote to memory of 4976 1700 0f34f40599eb2f2414e6561e5c20289d5211435281ed1d4281276e699de45495.exe 83 PID 1700 wrote to memory of 4976 1700 0f34f40599eb2f2414e6561e5c20289d5211435281ed1d4281276e699de45495.exe 83 PID 4976 wrote to memory of 4420 4976 6482266.exe 84 PID 4976 wrote to memory of 4420 4976 6482266.exe 84 PID 4976 wrote to memory of 4420 4976 6482266.exe 84 PID 4420 wrote to memory of 2168 4420 thtnnh.exe 85 PID 4420 wrote to memory of 2168 4420 thtnnh.exe 85 PID 4420 wrote to memory of 2168 4420 thtnnh.exe 85 PID 2168 wrote to memory of 3432 2168 462608.exe 86 PID 2168 wrote to memory of 3432 2168 462608.exe 86 PID 2168 wrote to memory of 3432 2168 462608.exe 86 PID 3432 wrote to memory of 3864 3432 vvjvj.exe 87 PID 3432 wrote to memory of 3864 3432 vvjvj.exe 87 PID 3432 wrote to memory of 3864 3432 vvjvj.exe 87 PID 3864 wrote to memory of 4832 3864 xfxrlfx.exe 88 PID 3864 wrote to memory of 4832 3864 xfxrlfx.exe 88 PID 3864 wrote to memory of 4832 3864 xfxrlfx.exe 88 PID 4832 wrote to memory of 4492 4832 pppvp.exe 89 PID 4832 wrote to memory of 4492 4832 pppvp.exe 89 PID 4832 wrote to memory of 4492 4832 pppvp.exe 89 PID 4492 wrote to memory of 2736 4492 86604.exe 90 PID 4492 wrote to memory of 2736 4492 86604.exe 90 PID 4492 wrote to memory of 2736 4492 86604.exe 90 PID 2736 wrote to memory of 2496 2736 vjvvv.exe 91 PID 2736 wrote to memory of 2496 2736 vjvvv.exe 91 PID 2736 wrote to memory of 2496 2736 vjvvv.exe 91 PID 2496 wrote to memory of 3436 2496 000600.exe 92 PID 2496 wrote to memory of 3436 2496 000600.exe 92 PID 2496 wrote to memory of 3436 2496 000600.exe 92 PID 3436 wrote to memory of 2652 3436 k28262.exe 93 PID 3436 wrote to memory of 2652 3436 k28262.exe 93 PID 3436 wrote to memory of 2652 3436 k28262.exe 93 PID 2652 wrote to memory of 2416 2652 3bhbbb.exe 94 PID 2652 wrote to memory 
of 2416 2652 3bhbbb.exe 94 PID 2652 wrote to memory of 2416 2652 3bhbbb.exe 94 PID 2416 wrote to memory of 4000 2416 2800422.exe 95 PID 2416 wrote to memory of 4000 2416 2800422.exe 95 PID 2416 wrote to memory of 4000 2416 2800422.exe 95 PID 4000 wrote to memory of 3804 4000 lxfxfrl.exe 96 PID 4000 wrote to memory of 3804 4000 lxfxfrl.exe 96 PID 4000 wrote to memory of 3804 4000 lxfxfrl.exe 96 PID 3804 wrote to memory of 528 3804 lxxxrrr.exe 97 PID 3804 wrote to memory of 528 3804 lxxxrrr.exe 97 PID 3804 wrote to memory of 528 3804 lxxxrrr.exe 97 PID 528 wrote to memory of 5040 528 7xxxxlf.exe 98 PID 528 wrote to memory of 5040 528 7xxxxlf.exe 98 PID 528 wrote to memory of 5040 528 7xxxxlf.exe 98 PID 5040 wrote to memory of 4516 5040 vvppj.exe 99 PID 5040 wrote to memory of 4516 5040 vvppj.exe 99 PID 5040 wrote to memory of 4516 5040 vvppj.exe 99 PID 4516 wrote to memory of 2016 4516 dvvpp.exe 100 PID 4516 wrote to memory of 2016 4516 dvvpp.exe 100 PID 4516 wrote to memory of 2016 4516 dvvpp.exe 100 PID 2016 wrote to memory of 3284 2016 jpvjd.exe 101 PID 2016 wrote to memory of 3284 2016 jpvjd.exe 101 PID 2016 wrote to memory of 3284 2016 jpvjd.exe 101 PID 3284 wrote to memory of 1848 3284 06882.exe 102 PID 3284 wrote to memory of 1848 3284 06882.exe 102 PID 3284 wrote to memory of 1848 3284 06882.exe 102 PID 1848 wrote to memory of 5080 1848 86220.exe 103 PID 1848 wrote to memory of 5080 1848 86220.exe 103 PID 1848 wrote to memory of 5080 1848 86220.exe 103 PID 5080 wrote to memory of 1612 5080 0002666.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f34f40599eb2f2414e6561e5c20289d5211435281ed1d4281276e699de45495.exe"C:\Users\Admin\AppData\Local\Temp\0f34f40599eb2f2414e6561e5c20289d5211435281ed1d4281276e699de45495.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\6482266.exec:\6482266.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\thtnnh.exec:\thtnnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\462608.exec:\462608.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\vvjvj.exec:\vvjvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\xfxrlfx.exec:\xfxrlfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\pppvp.exec:\pppvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\86604.exec:\86604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\vjvvv.exec:\vjvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\000600.exec:\000600.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\k28262.exec:\k28262.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\3bhbbb.exec:\3bhbbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\2800422.exec:\2800422.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\lxfxfrl.exec:\lxfxfrl.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\7xxxxlf.exec:\7xxxxlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\vvppj.exec:\vvppj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\dvvpp.exec:\dvvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\jpvjd.exec:\jpvjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\06882.exec:\06882.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\86220.exec:\86220.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\0002666.exec:\0002666.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\620044.exec:\620044.exe23⤵
- Executes dropped EXE
PID:1612 -
\??\c:\5hhbnn.exec:\5hhbnn.exe24⤵
- Executes dropped EXE
PID:3244 -
\??\c:\dpvpj.exec:\dpvpj.exe25⤵
- Executes dropped EXE
PID:536 -
\??\c:\dvpjj.exec:\dvpjj.exe26⤵
- Executes dropped EXE
PID:4052 -
\??\c:\vpvpp.exec:\vpvpp.exe27⤵
- Executes dropped EXE
PID:3732 -
\??\c:\6048882.exec:\6048882.exe28⤵
- Executes dropped EXE
PID:5024 -
\??\c:\8444888.exec:\8444888.exe29⤵
- Executes dropped EXE
PID:1396 -
\??\c:\6660826.exec:\6660826.exe30⤵
- Executes dropped EXE
PID:2860 -
\??\c:\lrlfrlf.exec:\lrlfrlf.exe31⤵
- Executes dropped EXE
PID:3836 -
\??\c:\08266.exec:\08266.exe32⤵
- Executes dropped EXE
PID:916 -
\??\c:\vjdvd.exec:\vjdvd.exe33⤵
- Executes dropped EXE
PID:3140 -
\??\c:\2442042.exec:\2442042.exe34⤵
- Executes dropped EXE
PID:4380 -
\??\c:\6008262.exec:\6008262.exe35⤵
- Executes dropped EXE
PID:3032 -
\??\c:\5hnhhb.exec:\5hnhhb.exe36⤵
- Executes dropped EXE
PID:1656 -
\??\c:\bttbnb.exec:\bttbnb.exe37⤵
- Executes dropped EXE
PID:2880 -
\??\c:\htnbnh.exec:\htnbnh.exe38⤵
- Executes dropped EXE
PID:4788 -
\??\c:\lfrlfll.exec:\lfrlfll.exe39⤵
- Executes dropped EXE
PID:2768 -
\??\c:\rffrlxl.exec:\rffrlxl.exe40⤵
- Executes dropped EXE
PID:4148 -
\??\c:\3tnbht.exec:\3tnbht.exe41⤵
- Executes dropped EXE
PID:3192 -
\??\c:\1flfxxr.exec:\1flfxxr.exe42⤵
- Executes dropped EXE
PID:2664 -
\??\c:\862222.exec:\862222.exe43⤵
- Executes dropped EXE
PID:8 -
\??\c:\jpvjp.exec:\jpvjp.exe44⤵
- Executes dropped EXE
PID:2784 -
\??\c:\4844884.exec:\4844884.exe45⤵
- Executes dropped EXE
PID:808 -
\??\c:\2660448.exec:\2660448.exe46⤵
- Executes dropped EXE
PID:3224 -
\??\c:\vvvvp.exec:\vvvvp.exe47⤵
- Executes dropped EXE
PID:3676 -
\??\c:\w84608.exec:\w84608.exe48⤵
- Executes dropped EXE
PID:3656 -
\??\c:\48606.exec:\48606.exe49⤵
- Executes dropped EXE
PID:4104 -
\??\c:\frxrfxr.exec:\frxrfxr.exe50⤵
- Executes dropped EXE
PID:952 -
\??\c:\thntnn.exec:\thntnn.exe51⤵
- Executes dropped EXE
PID:232 -
\??\c:\84004.exec:\84004.exe52⤵PID:4968
-
\??\c:\i626000.exec:\i626000.exe53⤵
- Executes dropped EXE
PID:4084 -
\??\c:\rflrxlx.exec:\rflrxlx.exe54⤵
- Executes dropped EXE
PID:4896 -
\??\c:\280448.exec:\280448.exe55⤵
- Executes dropped EXE
PID:1836 -
\??\c:\4888440.exec:\4888440.exe56⤵
- Executes dropped EXE
PID:3268 -
\??\c:\086420.exec:\086420.exe57⤵
- Executes dropped EXE
PID:2908 -
\??\c:\5nhthb.exec:\5nhthb.exe58⤵
- Executes dropped EXE
PID:2168 -
\??\c:\vpvpj.exec:\vpvpj.exe59⤵
- Executes dropped EXE
PID:1248 -
\??\c:\1nbtnt.exec:\1nbtnt.exe60⤵
- Executes dropped EXE
PID:348 -
\??\c:\2066004.exec:\2066004.exe61⤵
- Executes dropped EXE
PID:1568 -
\??\c:\62260.exec:\62260.exe62⤵
- Executes dropped EXE
PID:3936 -
\??\c:\6448204.exec:\6448204.exe63⤵
- Executes dropped EXE
PID:968 -
\??\c:\rxfxxfx.exec:\rxfxxfx.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:880 -
\??\c:\hnnhbb.exec:\hnnhbb.exe65⤵
- Executes dropped EXE
PID:3132 -
\??\c:\226026.exec:\226026.exe66⤵
- Executes dropped EXE
PID:2004 -
\??\c:\o664260.exec:\o664260.exe67⤵PID:4032
-
\??\c:\pjjjd.exec:\pjjjd.exe68⤵PID:1512
-
\??\c:\4446820.exec:\4446820.exe69⤵PID:3436
-
\??\c:\vvpjp.exec:\vvpjp.exe70⤵PID:448
-
\??\c:\xfrllxr.exec:\xfrllxr.exe71⤵PID:4300
-
\??\c:\8004884.exec:\8004884.exe72⤵PID:208
-
\??\c:\9bbtnh.exec:\9bbtnh.exe73⤵PID:4000
-
\??\c:\hthbbb.exec:\hthbbb.exe74⤵PID:3852
-
\??\c:\tbhbtn.exec:\tbhbtn.exe75⤵PID:3644
-
\??\c:\2004820.exec:\2004820.exe76⤵PID:4692
-
\??\c:\lfxrflx.exec:\lfxrflx.exe77⤵PID:4496
-
\??\c:\dvdpd.exec:\dvdpd.exe78⤵PID:2068
-
\??\c:\s4488.exec:\s4488.exe79⤵PID:388
-
\??\c:\djpdp.exec:\djpdp.exe80⤵PID:2016
-
\??\c:\4264608.exec:\4264608.exe81⤵PID:3252
-
\??\c:\bhthhb.exec:\bhthhb.exe82⤵PID:2388
-
\??\c:\vjvpj.exec:\vjvpj.exe83⤵
- System Location Discovery: System Language Discovery
PID:4560 -
\??\c:\llfrfxl.exec:\llfrfxl.exe84⤵PID:3376
-
\??\c:\8026004.exec:\8026004.exe85⤵PID:3680
-
\??\c:\g4046.exec:\g4046.exe86⤵PID:3664
-
\??\c:\06882.exec:\06882.exe87⤵PID:2232
-
\??\c:\026822.exec:\026822.exe88⤵PID:2960
-
\??\c:\pddvj.exec:\pddvj.exe89⤵PID:4768
-
\??\c:\fxlflfl.exec:\fxlflfl.exe90⤵PID:4196
-
\??\c:\48860.exec:\48860.exe91⤵PID:3732
-
\??\c:\0444440.exec:\0444440.exe92⤵PID:4064
-
\??\c:\m6642.exec:\m6642.exe93⤵PID:4972
-
\??\c:\thnbbt.exec:\thnbbt.exe94⤵PID:4716
-
\??\c:\rfxlfxl.exec:\rfxlfxl.exe95⤵
- System Location Discovery: System Language Discovery
PID:2860 -
\??\c:\20822.exec:\20822.exe96⤵PID:3388
-
\??\c:\i220820.exec:\i220820.exe97⤵PID:3428
-
\??\c:\lxllffx.exec:\lxllffx.exe98⤵PID:2428
-
\??\c:\vpjdp.exec:\vpjdp.exe99⤵PID:1176
-
\??\c:\8860006.exec:\8860006.exe100⤵PID:4088
-
\??\c:\frffxxf.exec:\frffxxf.exe101⤵PID:2988
-
\??\c:\2664860.exec:\2664860.exe102⤵PID:4232
-
\??\c:\4408866.exec:\4408866.exe103⤵PID:1908
-
\??\c:\bbbttb.exec:\bbbttb.exe104⤵PID:440
-
\??\c:\xxrlffx.exec:\xxrlffx.exe105⤵PID:2696
-
\??\c:\lrrlffx.exec:\lrrlffx.exe106⤵PID:2728
-
\??\c:\w00080.exec:\w00080.exe107⤵PID:5100
-
\??\c:\jjjdd.exec:\jjjdd.exe108⤵PID:2612
-
\??\c:\btttnn.exec:\btttnn.exe109⤵PID:3812
-
\??\c:\486468.exec:\486468.exe110⤵PID:1856
-
\??\c:\2260482.exec:\2260482.exe111⤵PID:4244
-
\??\c:\k66448.exec:\k66448.exe112⤵PID:2668
-
\??\c:\w28604.exec:\w28604.exe113⤵PID:1556
-
\??\c:\08660.exec:\08660.exe114⤵PID:4848
-
\??\c:\602884.exec:\602884.exe115⤵PID:4104
-
\??\c:\9fxxxlf.exec:\9fxxxlf.exe116⤵PID:4880
-
\??\c:\4022266.exec:\4022266.exe117⤵PID:4424
-
\??\c:\u444488.exec:\u444488.exe118⤵PID:1996
-
\??\c:\jvdvv.exec:\jvdvv.exe119⤵PID:1736
-
\??\c:\262044.exec:\262044.exe120⤵PID:4136
-
\??\c:\jjvpv.exec:\jjvpv.exe121⤵PID:2252
-
\??\c:\9vvjd.exec:\9vvjd.exe122⤵PID:4224