Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 04:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d4adf484f02c6e93bd0759ed341b66fee884f9af9fcd5226ff96a25a1b6421c5.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
d4adf484f02c6e93bd0759ed341b66fee884f9af9fcd5226ff96a25a1b6421c5.exe
-
Size
454KB
-
MD5
bab647ed6b219dc5cf40af47a6f6796a
-
SHA1
215e1c77d9b35bdcaa112de681d81a47f9c56db5
-
SHA256
d4adf484f02c6e93bd0759ed341b66fee884f9af9fcd5226ff96a25a1b6421c5
-
SHA512
17cae0ce2242c1dc5e0cf232e821881cf3cd14defcd09ab6a219696cf0b70132741dd51b2e9cf59df65a2181ae1f546216f2a37aa5cc041d793ef13a827558f3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4208-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2968-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1876-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-958-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-1447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-1744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4356 a8826.exe 3140 vdpjp.exe 1796 1vvpp.exe 3192 2888222.exe 4040 djdvp.exe 768 084822.exe 440 5jppv.exe 1524 8866666.exe 3076 22482.exe 3648 pvvpj.exe 5000 vpppj.exe 3232 2620482.exe 4404 6460626.exe 2348 622602.exe 1764 4440404.exe 2844 88448.exe 1172 60648.exe 548 3vvpp.exe 3980 7pppj.exe 1028 q24222.exe 8 6288282.exe 1260 5tnnhh.exe 4184 nbtnhh.exe 1520 4804860.exe 1208 688260.exe 1588 rffrlxr.exe 4908 bhtntb.exe 2968 rrrrlll.exe 2824 0804282.exe 2612 vvjvv.exe 1440 e88260.exe 4648 5dpdp.exe 1444 7vjvj.exe 3960 282048.exe 5100 i646666.exe 3736 flfxrlf.exe 4428 bnhbtt.exe 1200 80244.exe 1436 2086608.exe 5024 c448660.exe 1008 lfrfrlr.exe 2616 e24260.exe 4156 m8426.exe 800 4042608.exe 4696 06260.exe 3016 thbbbt.exe 3156 6804826.exe 1020 rrxrlll.exe 1596 284448.exe 804 tnhtbn.exe 768 lfffxxx.exe 1852 tthbtn.exe 4380 48000.exe 1880 5lrrrrx.exe 4492 xrrrrrr.exe 1568 40626.exe 4936 6048266.exe 4660 1hhbbb.exe 1560 bbtbnn.exe 1176 5tbtnh.exe 4292 7ttntb.exe 3804 4662062.exe 2904 nhhhhh.exe 3212 jpjjd.exe -
resource yara_rule behavioral2/memory/4208-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-176-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1440-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-374-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/632-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-821-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-958-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8448604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4208 wrote to memory of 4356 4208 d4adf484f02c6e93bd0759ed341b66fee884f9af9fcd5226ff96a25a1b6421c5.exe 83 PID 4208 wrote to memory of 4356 4208 d4adf484f02c6e93bd0759ed341b66fee884f9af9fcd5226ff96a25a1b6421c5.exe 83 PID 4208 wrote to memory of 4356 4208 d4adf484f02c6e93bd0759ed341b66fee884f9af9fcd5226ff96a25a1b6421c5.exe 83 PID 4356 wrote to memory of 3140 4356 a8826.exe 84 PID 4356 wrote to memory of 3140 4356 a8826.exe 84 PID 4356 wrote to memory of 3140 4356 a8826.exe 84 PID 3140 wrote to memory of 1796 3140 vdpjp.exe 85 PID 3140 wrote to memory of 1796 3140 vdpjp.exe 85 PID 3140 wrote to memory of 1796 3140 vdpjp.exe 85 PID 1796 wrote to memory of 3192 1796 1vvpp.exe 86 PID 1796 wrote to memory of 3192 1796 1vvpp.exe 86 PID 1796 wrote to memory of 3192 1796 1vvpp.exe 86 PID 3192 wrote to memory of 4040 3192 2888222.exe 87 PID 3192 wrote to memory of 4040 3192 2888222.exe 87 PID 3192 wrote to memory of 4040 3192 2888222.exe 87 PID 4040 wrote to memory of 768 4040 djdvp.exe 88 PID 4040 wrote to memory of 768 4040 djdvp.exe 88 PID 4040 wrote to memory of 768 4040 djdvp.exe 88 PID 768 wrote to memory of 440 768 084822.exe 89 PID 768 wrote to memory of 440 768 084822.exe 89 PID 768 wrote to memory of 440 768 084822.exe 89 PID 440 wrote to memory of 1524 440 5jppv.exe 90 PID 440 wrote to memory of 1524 440 5jppv.exe 90 PID 440 wrote to memory of 1524 440 5jppv.exe 90 PID 1524 wrote to memory of 3076 1524 8866666.exe 91 PID 1524 wrote to memory of 3076 1524 8866666.exe 91 PID 1524 wrote to memory of 3076 1524 8866666.exe 91 PID 3076 wrote to memory of 3648 3076 22482.exe 92 PID 3076 wrote to memory of 3648 3076 22482.exe 92 PID 3076 wrote to memory of 3648 3076 22482.exe 92 PID 3648 wrote to memory of 5000 3648 pvvpj.exe 93 PID 3648 wrote to memory of 5000 3648 pvvpj.exe 93 PID 3648 wrote to memory of 5000 3648 pvvpj.exe 93 PID 5000 wrote to memory of 3232 5000 vpppj.exe 94 PID 5000 wrote to memory of 3232 5000 vpppj.exe 94 
PID 5000 wrote to memory of 3232 5000 vpppj.exe 94 PID 3232 wrote to memory of 4404 3232 2620482.exe 95 PID 3232 wrote to memory of 4404 3232 2620482.exe 95 PID 3232 wrote to memory of 4404 3232 2620482.exe 95 PID 4404 wrote to memory of 2348 4404 6460626.exe 96 PID 4404 wrote to memory of 2348 4404 6460626.exe 96 PID 4404 wrote to memory of 2348 4404 6460626.exe 96 PID 2348 wrote to memory of 1764 2348 622602.exe 97 PID 2348 wrote to memory of 1764 2348 622602.exe 97 PID 2348 wrote to memory of 1764 2348 622602.exe 97 PID 1764 wrote to memory of 2844 1764 4440404.exe 98 PID 1764 wrote to memory of 2844 1764 4440404.exe 98 PID 1764 wrote to memory of 2844 1764 4440404.exe 98 PID 2844 wrote to memory of 1172 2844 88448.exe 99 PID 2844 wrote to memory of 1172 2844 88448.exe 99 PID 2844 wrote to memory of 1172 2844 88448.exe 99 PID 1172 wrote to memory of 548 1172 60648.exe 100 PID 1172 wrote to memory of 548 1172 60648.exe 100 PID 1172 wrote to memory of 548 1172 60648.exe 100 PID 548 wrote to memory of 3980 548 3vvpp.exe 101 PID 548 wrote to memory of 3980 548 3vvpp.exe 101 PID 548 wrote to memory of 3980 548 3vvpp.exe 101 PID 3980 wrote to memory of 1028 3980 7pppj.exe 102 PID 3980 wrote to memory of 1028 3980 7pppj.exe 102 PID 3980 wrote to memory of 1028 3980 7pppj.exe 102 PID 1028 wrote to memory of 8 1028 q24222.exe 103 PID 1028 wrote to memory of 8 1028 q24222.exe 103 PID 1028 wrote to memory of 8 1028 q24222.exe 103 PID 8 wrote to memory of 1260 8 6288282.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4adf484f02c6e93bd0759ed341b66fee884f9af9fcd5226ff96a25a1b6421c5.exe "C:\Users\Admin\AppData\Local\Temp\d4adf484f02c6e93bd0759ed341b66fee884f9af9fcd5226ff96a25a1b6421c5.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\a8826.exec:\a8826.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\vdpjp.exec:\vdpjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\1vvpp.exec:\1vvpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\2888222.exec:\2888222.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\djdvp.exec:\djdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\084822.exec:\084822.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\5jppv.exec:\5jppv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\8866666.exec:\8866666.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\22482.exec:\22482.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\pvvpj.exec:\pvvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\vpppj.exec:\vpppj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\2620482.exec:\2620482.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\6460626.exec:\6460626.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\622602.exec:\622602.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\4440404.exec:\4440404.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\88448.exec:\88448.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\60648.exec:\60648.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\3vvpp.exec:\3vvpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\7pppj.exec:\7pppj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\q24222.exec:\q24222.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\6288282.exec:\6288282.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\5tnnhh.exec:\5tnnhh.exe23⤵
- Executes dropped EXE
PID:1260 -
\??\c:\nbtnhh.exec:\nbtnhh.exe24⤵
- Executes dropped EXE
PID:4184 -
\??\c:\4804860.exec:\4804860.exe25⤵
- Executes dropped EXE
PID:1520 -
\??\c:\688260.exec:\688260.exe26⤵
- Executes dropped EXE
PID:1208 -
\??\c:\rffrlxr.exec:\rffrlxr.exe27⤵
- Executes dropped EXE
PID:1588 -
\??\c:\bhtntb.exec:\bhtntb.exe28⤵
- Executes dropped EXE
PID:4908 -
\??\c:\rrrrlll.exec:\rrrrlll.exe29⤵
- Executes dropped EXE
PID:2968 -
\??\c:\0804282.exec:\0804282.exe30⤵
- Executes dropped EXE
PID:2824 -
\??\c:\vvjvv.exec:\vvjvv.exe31⤵
- Executes dropped EXE
PID:2612 -
\??\c:\e88260.exec:\e88260.exe32⤵
- Executes dropped EXE
PID:1440 -
\??\c:\5dpdp.exec:\5dpdp.exe33⤵
- Executes dropped EXE
PID:4648 -
\??\c:\7vjvj.exec:\7vjvj.exe34⤵
- Executes dropped EXE
PID:1444 -
\??\c:\282048.exec:\282048.exe35⤵
- Executes dropped EXE
PID:3960 -
\??\c:\i646666.exec:\i646666.exe36⤵
- Executes dropped EXE
PID:5100 -
\??\c:\flfxrlf.exec:\flfxrlf.exe37⤵
- Executes dropped EXE
PID:3736 -
\??\c:\bnhbtt.exec:\bnhbtt.exe38⤵
- Executes dropped EXE
PID:4428 -
\??\c:\80244.exec:\80244.exe39⤵
- Executes dropped EXE
PID:1200 -
\??\c:\2086608.exec:\2086608.exe40⤵
- Executes dropped EXE
PID:1436 -
\??\c:\c448660.exec:\c448660.exe41⤵
- Executes dropped EXE
PID:5024 -
\??\c:\lfrfrlr.exec:\lfrfrlr.exe42⤵
- Executes dropped EXE
PID:1008 -
\??\c:\e24260.exec:\e24260.exe43⤵
- Executes dropped EXE
PID:2616 -
\??\c:\btnbtn.exec:\btnbtn.exe44⤵PID:4312
-
\??\c:\m8426.exec:\m8426.exe45⤵
- Executes dropped EXE
PID:4156 -
\??\c:\4042608.exec:\4042608.exe46⤵
- Executes dropped EXE
PID:800 -
\??\c:\06260.exec:\06260.exe47⤵
- Executes dropped EXE
PID:4696 -
\??\c:\thbbbt.exec:\thbbbt.exe48⤵
- Executes dropped EXE
PID:3016 -
\??\c:\6804826.exec:\6804826.exe49⤵
- Executes dropped EXE
PID:3156 -
\??\c:\rrxrlll.exec:\rrxrlll.exe50⤵
- Executes dropped EXE
PID:1020 -
\??\c:\284448.exec:\284448.exe51⤵
- Executes dropped EXE
PID:1596 -
\??\c:\tnhtbn.exec:\tnhtbn.exe52⤵
- Executes dropped EXE
PID:804 -
\??\c:\lfffxxx.exec:\lfffxxx.exe53⤵
- Executes dropped EXE
PID:768 -
\??\c:\tthbtn.exec:\tthbtn.exe54⤵
- Executes dropped EXE
PID:1852 -
\??\c:\48000.exec:\48000.exe55⤵
- Executes dropped EXE
PID:4380 -
\??\c:\5lrrrrx.exec:\5lrrrrx.exe56⤵
- Executes dropped EXE
PID:1880 -
\??\c:\xrrrrrr.exec:\xrrrrrr.exe57⤵
- Executes dropped EXE
PID:4492 -
\??\c:\40626.exec:\40626.exe58⤵
- Executes dropped EXE
PID:1568 -
\??\c:\6048266.exec:\6048266.exe59⤵
- Executes dropped EXE
PID:4936 -
\??\c:\1hhbbb.exec:\1hhbbb.exe60⤵
- Executes dropped EXE
PID:4660 -
\??\c:\bbtbnn.exec:\bbtbnn.exe61⤵
- Executes dropped EXE
PID:1560 -
\??\c:\5tbtnh.exec:\5tbtnh.exe62⤵
- Executes dropped EXE
PID:1176 -
\??\c:\7ttntb.exec:\7ttntb.exe63⤵
- Executes dropped EXE
PID:4292 -
\??\c:\4662062.exec:\4662062.exe64⤵
- Executes dropped EXE
PID:3804 -
\??\c:\nhhhhh.exec:\nhhhhh.exe65⤵
- Executes dropped EXE
PID:2904 -
\??\c:\jpjjd.exec:\jpjjd.exe66⤵
- Executes dropped EXE
PID:3212 -
\??\c:\466044.exec:\466044.exe67⤵PID:3088
-
\??\c:\8822840.exec:\8822840.exe68⤵PID:1424
-
\??\c:\8880000.exec:\8880000.exe69⤵PID:2400
-
\??\c:\600022.exec:\600022.exe70⤵PID:548
-
\??\c:\m0048.exec:\m0048.exe71⤵PID:5092
-
\??\c:\822600.exec:\822600.exe72⤵PID:5048
-
\??\c:\jpvpj.exec:\jpvpj.exe73⤵PID:824
-
\??\c:\040080.exec:\040080.exe74⤵PID:1272
-
\??\c:\828484.exec:\828484.exe75⤵PID:3940
-
\??\c:\648266.exec:\648266.exe76⤵PID:4248
-
\??\c:\1jpjj.exec:\1jpjj.exe77⤵PID:3904
-
\??\c:\068882.exec:\068882.exe78⤵PID:2044
-
\??\c:\xrxrrrf.exec:\xrxrrrf.exe79⤵PID:3184
-
\??\c:\bthbtt.exec:\bthbtt.exe80⤵PID:3320
-
\??\c:\1bttnn.exec:\1bttnn.exe81⤵PID:2940
-
\??\c:\82226.exec:\82226.exe82⤵PID:4984
-
\??\c:\pddpp.exec:\pddpp.exe83⤵PID:2248
-
\??\c:\2464226.exec:\2464226.exe84⤵PID:1964
-
\??\c:\80240.exec:\80240.exe85⤵PID:1876
-
\??\c:\4804248.exec:\4804248.exe86⤵PID:3644
-
\??\c:\tthhhh.exec:\tthhhh.exe87⤵PID:4560
-
\??\c:\7jdvj.exec:\7jdvj.exe88⤵PID:212
-
\??\c:\64488.exec:\64488.exe89⤵PID:3472
-
\??\c:\260400.exec:\260400.exe90⤵PID:1444
-
\??\c:\ppjdj.exec:\ppjdj.exe91⤵PID:1940
-
\??\c:\2660888.exec:\2660888.exe92⤵PID:4268
-
\??\c:\bbttnn.exec:\bbttnn.exe93⤵PID:5072
-
\??\c:\06208.exec:\06208.exe94⤵PID:4832
-
\??\c:\84000.exec:\84000.exe95⤵PID:1200
-
\??\c:\68482.exec:\68482.exe96⤵PID:4468
-
\??\c:\thhhbb.exec:\thhhbb.exe97⤵PID:5024
-
\??\c:\w66846.exec:\w66846.exe98⤵PID:1008
-
\??\c:\26680.exec:\26680.exe99⤵PID:4452
-
\??\c:\jdvdd.exec:\jdvdd.exe100⤵PID:1652
-
\??\c:\20482.exec:\20482.exe101⤵PID:632
-
\??\c:\o460662.exec:\o460662.exe102⤵PID:456
-
\??\c:\w42288.exec:\w42288.exe103⤵PID:2644
-
\??\c:\824080.exec:\824080.exe104⤵PID:1148
-
\??\c:\nnnhnn.exec:\nnnhnn.exe105⤵PID:4076
-
\??\c:\3bnhbb.exec:\3bnhbb.exe106⤵PID:1924
-
\??\c:\5ffflll.exec:\5ffflll.exe107⤵PID:4744
-
\??\c:\jdjdj.exec:\jdjdj.exe108⤵PID:4040
-
\??\c:\dvvpj.exec:\dvvpj.exe109⤵PID:4572
-
\??\c:\thhhtt.exec:\thhhtt.exe110⤵PID:4128
-
\??\c:\840488.exec:\840488.exe111⤵PID:1728
-
\??\c:\4660040.exec:\4660040.exe112⤵PID:116
-
\??\c:\ddjdj.exec:\ddjdj.exe113⤵PID:1880
-
\??\c:\xlllffl.exec:\xlllffl.exe114⤵PID:4284
-
\??\c:\84604.exec:\84604.exe115⤵PID:1524
-
\??\c:\e20222.exec:\e20222.exe116⤵PID:3844
-
\??\c:\xxrfrlx.exec:\xxrfrlx.exe117⤵PID:2152
-
\??\c:\1jpjj.exec:\1jpjj.exe118⤵PID:3340
-
\??\c:\6082226.exec:\6082226.exe119⤵PID:1388
-
\??\c:\6406026.exec:\6406026.exe120⤵PID:4488
-
\??\c:\1hbthh.exec:\1hbthh.exe121⤵PID:4784
-
\??\c:\840448.exec:\840448.exe122⤵PID:4924
-