Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 04:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe
-
Size
454KB
-
MD5
0162ba193f4475d9b9a1a039efc11ef7
-
SHA1
33f480b203f23096feb996097c1033589ebbf8b7
-
SHA256
d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06
-
SHA512
0a9885636a38f43c5f93935fd18ac6e8a4be1c2f9b100086a269dfbb678effe4b8fa0df4183e0585e52f7325ec293316cf53e5c3551aab749033ab52541ab4c8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4004-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1544-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4852-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-922-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-1022-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-1216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-1253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4428-1648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5116 fllfxxr.exe 2464 dppjv.exe 532 00808.exe 2792 48626.exe 1504 q84242.exe 2552 1frfxfx.exe 1764 4680424.exe 2760 m8042.exe 3540 nhhbbt.exe 5060 826060.exe 3552 u448446.exe 4984 q28604.exe 4276 280006.exe 2292 rflfxfx.exe 2960 rfrxrrl.exe 4640 0442604.exe 3872 5hnnnn.exe 2948 g4606.exe 5000 tntnnn.exe 4304 frlrxlf.exe 3120 nbhbtb.exe 2380 vdvvv.exe 4852 40048.exe 3176 jjpjd.exe 4368 bhhbbb.exe 4580 vppjd.exe 1956 62226.exe 1544 hnnhhh.exe 1480 vvjjd.exe 2284 bttnnh.exe 1108 5vvpj.exe 2992 a6880.exe 1820 2260864.exe 1264 djdpd.exe 2712 lxrlxrf.exe 4716 9djdd.exe 4832 000860.exe 4544 e66482.exe 1960 4004260.exe 3936 44688.exe 3396 xlfrlfx.exe 4644 jjjdp.exe 3532 6420822.exe 3516 04666.exe 1304 20004.exe 3780 5vjvp.exe 5092 rffxlxx.exe 224 9hbnbt.exe 4484 4802082.exe 4004 pjpjv.exe 3848 frxlfrl.exe 3240 40608.exe 3476 jvdvj.exe 3464 rrrfrfx.exe 1696 8260262.exe 532 228648.exe 3884 u442042.exe 3880 dppdp.exe 3692 rxfrrlx.exe 2596 w06408.exe 1764 6808004.exe 3900 40066.exe 1804 8640444.exe 3608 jpjdp.exe -
resource yara_rule behavioral2/memory/4004-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1544-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-361-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4224-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-762-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
vpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4064826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4208422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4004 wrote to memory of 5116 4004 d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe 83 PID 4004 wrote to memory of 5116 4004 d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe 83 PID 4004 wrote to memory of 5116 4004 d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe 83 PID 5116 wrote to memory of 2464 5116 fllfxxr.exe 84 PID 5116 wrote to memory of 2464 5116 fllfxxr.exe 84 PID 5116 wrote to memory of 2464 5116 fllfxxr.exe 84 PID 2464 wrote to memory of 532 2464 dppjv.exe 85 PID 2464 wrote to memory of 532 2464 dppjv.exe 85 PID 2464 wrote to memory of 532 2464 dppjv.exe 85 PID 532 wrote to memory of 2792 532 00808.exe 86 PID 532 wrote to memory of 2792 532 00808.exe 86 PID 532 wrote to memory of 2792 532 00808.exe 86 PID 2792 wrote to memory of 1504 2792 48626.exe 87 PID 2792 wrote to memory of 1504 2792 48626.exe 87 PID 2792 wrote to memory of 1504 2792 48626.exe 87 PID 1504 wrote to memory of 2552 1504 q84242.exe 88 PID 1504 wrote to memory of 2552 1504 q84242.exe 88 PID 1504 wrote to memory of 2552 1504 q84242.exe 88 PID 2552 wrote to memory of 1764 2552 1frfxfx.exe 89 PID 2552 wrote to memory of 1764 2552 1frfxfx.exe 89 PID 2552 wrote to memory of 1764 2552 1frfxfx.exe 89 PID 1764 wrote to memory of 2760 1764 4680424.exe 90 PID 1764 wrote to memory of 2760 1764 4680424.exe 90 PID 1764 wrote to memory of 2760 1764 4680424.exe 90 PID 2760 wrote to memory of 3540 2760 m8042.exe 91 PID 2760 wrote to memory of 3540 2760 m8042.exe 91 PID 2760 wrote to memory of 3540 2760 m8042.exe 91 PID 3540 wrote to memory of 5060 3540 nhhbbt.exe 92 PID 3540 wrote to memory of 5060 3540 nhhbbt.exe 92 PID 3540 wrote to memory of 5060 3540 nhhbbt.exe 92 PID 5060 wrote to memory of 3552 5060 826060.exe 93 PID 5060 wrote to memory of 3552 5060 826060.exe 93 PID 5060 wrote to memory of 3552 5060 826060.exe 93 PID 3552 wrote to memory of 4984 3552 u448446.exe 94 PID 3552 wrote to memory of 
4984 3552 u448446.exe 94 PID 3552 wrote to memory of 4984 3552 u448446.exe 94 PID 4984 wrote to memory of 4276 4984 q28604.exe 95 PID 4984 wrote to memory of 4276 4984 q28604.exe 95 PID 4984 wrote to memory of 4276 4984 q28604.exe 95 PID 4276 wrote to memory of 2292 4276 280006.exe 96 PID 4276 wrote to memory of 2292 4276 280006.exe 96 PID 4276 wrote to memory of 2292 4276 280006.exe 96 PID 2292 wrote to memory of 2960 2292 rflfxfx.exe 97 PID 2292 wrote to memory of 2960 2292 rflfxfx.exe 97 PID 2292 wrote to memory of 2960 2292 rflfxfx.exe 97 PID 2960 wrote to memory of 4640 2960 rfrxrrl.exe 98 PID 2960 wrote to memory of 4640 2960 rfrxrrl.exe 98 PID 2960 wrote to memory of 4640 2960 rfrxrrl.exe 98 PID 4640 wrote to memory of 3872 4640 0442604.exe 99 PID 4640 wrote to memory of 3872 4640 0442604.exe 99 PID 4640 wrote to memory of 3872 4640 0442604.exe 99 PID 3872 wrote to memory of 2948 3872 5hnnnn.exe 100 PID 3872 wrote to memory of 2948 3872 5hnnnn.exe 100 PID 3872 wrote to memory of 2948 3872 5hnnnn.exe 100 PID 2948 wrote to memory of 5000 2948 g4606.exe 101 PID 2948 wrote to memory of 5000 2948 g4606.exe 101 PID 2948 wrote to memory of 5000 2948 g4606.exe 101 PID 5000 wrote to memory of 4304 5000 tntnnn.exe 102 PID 5000 wrote to memory of 4304 5000 tntnnn.exe 102 PID 5000 wrote to memory of 4304 5000 tntnnn.exe 102 PID 4304 wrote to memory of 3120 4304 frlrxlf.exe 103 PID 4304 wrote to memory of 3120 4304 frlrxlf.exe 103 PID 4304 wrote to memory of 3120 4304 frlrxlf.exe 103 PID 3120 wrote to memory of 2380 3120 nbhbtb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe"C:\Users\Admin\AppData\Local\Temp\d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\fllfxxr.exec:\fllfxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\dppjv.exec:\dppjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\00808.exec:\00808.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\48626.exec:\48626.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\q84242.exec:\q84242.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\1frfxfx.exec:\1frfxfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\4680424.exec:\4680424.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\m8042.exec:\m8042.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\nhhbbt.exec:\nhhbbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\826060.exec:\826060.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\u448446.exec:\u448446.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\q28604.exec:\q28604.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\280006.exec:\280006.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\rflfxfx.exec:\rflfxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\rfrxrrl.exec:\rfrxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\0442604.exec:\0442604.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\5hnnnn.exec:\5hnnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\g4606.exec:\g4606.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\tntnnn.exec:\tntnnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\frlrxlf.exec:\frlrxlf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\nbhbtb.exec:\nbhbtb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\vdvvv.exec:\vdvvv.exe23⤵
- Executes dropped EXE
PID:2380 -
\??\c:\40048.exec:\40048.exe24⤵
- Executes dropped EXE
PID:4852 -
\??\c:\jjpjd.exec:\jjpjd.exe25⤵
- Executes dropped EXE
PID:3176 -
\??\c:\bhhbbb.exec:\bhhbbb.exe26⤵
- Executes dropped EXE
PID:4368 -
\??\c:\vppjd.exec:\vppjd.exe27⤵
- Executes dropped EXE
PID:4580 -
\??\c:\62226.exec:\62226.exe28⤵
- Executes dropped EXE
PID:1956 -
\??\c:\hnnhhh.exec:\hnnhhh.exe29⤵
- Executes dropped EXE
PID:1544 -
\??\c:\vvjjd.exec:\vvjjd.exe30⤵
- Executes dropped EXE
PID:1480 -
\??\c:\bttnnh.exec:\bttnnh.exe31⤵
- Executes dropped EXE
PID:2284 -
\??\c:\5vvpj.exec:\5vvpj.exe32⤵
- Executes dropped EXE
PID:1108 -
\??\c:\a6880.exec:\a6880.exe33⤵
- Executes dropped EXE
PID:2992 -
\??\c:\2260864.exec:\2260864.exe34⤵
- Executes dropped EXE
PID:1820 -
\??\c:\djdpd.exec:\djdpd.exe35⤵
- Executes dropped EXE
PID:1264 -
\??\c:\lxrlxrf.exec:\lxrlxrf.exe36⤵
- Executes dropped EXE
PID:2712 -
\??\c:\9djdd.exec:\9djdd.exe37⤵
- Executes dropped EXE
PID:4716 -
\??\c:\000860.exec:\000860.exe38⤵
- Executes dropped EXE
PID:4832 -
\??\c:\e66482.exec:\e66482.exe39⤵
- Executes dropped EXE
PID:4544 -
\??\c:\4004260.exec:\4004260.exe40⤵
- Executes dropped EXE
PID:1960 -
\??\c:\44688.exec:\44688.exe41⤵
- Executes dropped EXE
PID:3936 -
\??\c:\xlfrlfx.exec:\xlfrlfx.exe42⤵
- Executes dropped EXE
PID:3396 -
\??\c:\jjjdp.exec:\jjjdp.exe43⤵
- Executes dropped EXE
PID:4644 -
\??\c:\6420822.exec:\6420822.exe44⤵
- Executes dropped EXE
PID:3532 -
\??\c:\04666.exec:\04666.exe45⤵
- Executes dropped EXE
PID:3516 -
\??\c:\20004.exec:\20004.exe46⤵
- Executes dropped EXE
PID:1304 -
\??\c:\5vjvp.exec:\5vjvp.exe47⤵
- Executes dropped EXE
PID:3780 -
\??\c:\rffxlxx.exec:\rffxlxx.exe48⤵
- Executes dropped EXE
PID:5092 -
\??\c:\9hbnbt.exec:\9hbnbt.exe49⤵
- Executes dropped EXE
PID:224 -
\??\c:\4802082.exec:\4802082.exe50⤵
- Executes dropped EXE
PID:4484 -
\??\c:\pjpjv.exec:\pjpjv.exe51⤵
- Executes dropped EXE
PID:4004 -
\??\c:\frxlfrl.exec:\frxlfrl.exe52⤵
- Executes dropped EXE
PID:3848 -
\??\c:\40608.exec:\40608.exe53⤵
- Executes dropped EXE
PID:3240 -
\??\c:\jvdvj.exec:\jvdvj.exe54⤵
- Executes dropped EXE
PID:3476 -
\??\c:\rrrfrfx.exec:\rrrfrfx.exe55⤵
- Executes dropped EXE
PID:3464 -
\??\c:\8260262.exec:\8260262.exe56⤵
- Executes dropped EXE
PID:1696 -
\??\c:\228648.exec:\228648.exe57⤵
- Executes dropped EXE
PID:532 -
\??\c:\u442042.exec:\u442042.exe58⤵
- Executes dropped EXE
PID:3884 -
\??\c:\dppdp.exec:\dppdp.exe59⤵
- Executes dropped EXE
PID:3880 -
\??\c:\rxfrrlx.exec:\rxfrrlx.exe60⤵
- Executes dropped EXE
PID:3692 -
\??\c:\w06408.exec:\w06408.exe61⤵
- Executes dropped EXE
PID:2596 -
\??\c:\6808004.exec:\6808004.exe62⤵
- Executes dropped EXE
PID:1764 -
\??\c:\40066.exec:\40066.exe63⤵
- Executes dropped EXE
PID:3900 -
\??\c:\8640444.exec:\8640444.exe64⤵
- Executes dropped EXE
PID:1804 -
\??\c:\jpjdp.exec:\jpjdp.exe65⤵
- Executes dropped EXE
PID:3608 -
\??\c:\0882286.exec:\0882286.exe66⤵PID:2976
-
\??\c:\864820.exec:\864820.exe67⤵PID:1384
-
\??\c:\btthtn.exec:\btthtn.exe68⤵PID:2184
-
\??\c:\hhbnht.exec:\hhbnht.exe69⤵PID:4984
-
\??\c:\266648.exec:\266648.exe70⤵PID:1940
-
\??\c:\ddjdj.exec:\ddjdj.exe71⤵PID:2292
-
\??\c:\042288.exec:\042288.exe72⤵PID:5076
-
\??\c:\08002.exec:\08002.exe73⤵PID:2484
-
\??\c:\tnnhhb.exec:\tnnhhb.exe74⤵PID:2876
-
\??\c:\66486.exec:\66486.exe75⤵PID:4020
-
\??\c:\s6020.exec:\s6020.exe76⤵PID:2948
-
\??\c:\xfxxffl.exec:\xfxxffl.exe77⤵PID:2836
-
\??\c:\646604.exec:\646604.exe78⤵PID:2572
-
\??\c:\46226.exec:\46226.exe79⤵PID:2308
-
\??\c:\pjvjv.exec:\pjvjv.exe80⤵PID:4948
-
\??\c:\vdjjj.exec:\vdjjj.exe81⤵PID:3896
-
\??\c:\rllfrll.exec:\rllfrll.exe82⤵PID:1144
-
\??\c:\pdpjj.exec:\pdpjj.exe83⤵
- System Location Discovery: System Language Discovery
PID:4852 -
\??\c:\628204.exec:\628204.exe84⤵PID:3816
-
\??\c:\080400.exec:\080400.exe85⤵PID:2160
-
\??\c:\lrfxlll.exec:\lrfxlll.exe86⤵PID:264
-
\??\c:\6444448.exec:\6444448.exe87⤵PID:4720
-
\??\c:\3lllffx.exec:\3lllffx.exe88⤵PID:4728
-
\??\c:\e24828.exec:\e24828.exe89⤵PID:4224
-
\??\c:\3jdvp.exec:\3jdvp.exe90⤵PID:3324
-
\??\c:\tbbtbt.exec:\tbbtbt.exe91⤵PID:1480
-
\??\c:\djppd.exec:\djppd.exe92⤵PID:2852
-
\??\c:\u684260.exec:\u684260.exe93⤵PID:2956
-
\??\c:\626644.exec:\626644.exe94⤵PID:1620
-
\??\c:\240426.exec:\240426.exe95⤵PID:904
-
\??\c:\9tbntb.exec:\9tbntb.exe96⤵PID:1012
-
\??\c:\6804006.exec:\6804006.exe97⤵PID:4752
-
\??\c:\ppjvj.exec:\ppjvj.exe98⤵PID:2492
-
\??\c:\3bbtnn.exec:\3bbtnn.exe99⤵PID:1088
-
\??\c:\08482.exec:\08482.exe100⤵PID:4364
-
\??\c:\c664264.exec:\c664264.exe101⤵PID:4744
-
\??\c:\xlfrllr.exec:\xlfrllr.exe102⤵PID:4032
-
\??\c:\1jppp.exec:\1jppp.exe103⤵PID:3928
-
\??\c:\7flfrrx.exec:\7flfrrx.exe104⤵PID:3396
-
\??\c:\2204882.exec:\2204882.exe105⤵PID:112
-
\??\c:\1jpdv.exec:\1jpdv.exe106⤵PID:1248
-
\??\c:\jvdjd.exec:\jvdjd.exe107⤵PID:3664
-
\??\c:\4620486.exec:\4620486.exe108⤵PID:4592
-
\??\c:\268406.exec:\268406.exe109⤵PID:1500
-
\??\c:\s8628.exec:\s8628.exe110⤵
- System Location Discovery: System Language Discovery
PID:32 -
\??\c:\fxlflfl.exec:\fxlflfl.exe111⤵PID:436
-
\??\c:\28048.exec:\28048.exe112⤵PID:3352
-
\??\c:\xllfxxr.exec:\xllfxxr.exe113⤵PID:3356
-
\??\c:\nhthnb.exec:\nhthnb.exe114⤵PID:3848
-
\??\c:\42608.exec:\42608.exe115⤵PID:4056
-
\??\c:\20600.exec:\20600.exe116⤵PID:2588
-
\??\c:\0020826.exec:\0020826.exe117⤵PID:2916
-
\??\c:\xflxrll.exec:\xflxrll.exe118⤵PID:1696
-
\??\c:\6620820.exec:\6620820.exe119⤵PID:3000
-
\??\c:\66820.exec:\66820.exe120⤵PID:992
-
\??\c:\3xffffl.exec:\3xffffl.exe121⤵PID:1532
-
\??\c:\dpvjj.exec:\dpvjj.exe122⤵PID:2004