Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 09:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
11a9129695ceaa7e8416397242fd42786f8857cef71cb767976d89ad273a2688.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
11a9129695ceaa7e8416397242fd42786f8857cef71cb767976d89ad273a2688.exe
-
Size
455KB
-
MD5
73840ae348c002e76799d16e9cb1ec38
-
SHA1
1085bb6307d1fc9c075fabfb1b279e1009813be3
-
SHA256
11a9129695ceaa7e8416397242fd42786f8857cef71cb767976d89ad273a2688
-
SHA512
2f0a6ede90d4cba102fb3bac83373c0d671d014ca422559ef2081f81f4a0ee1b35c715425f543190274060787cb965e161bcebffc87a56e3bbae32c87d14018b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2108-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4084-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5048-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-1145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-1584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3556-1780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2108 20082.exe 1356 jvvjd.exe 4212 4800622.exe 64 880600.exe 3176 xxxxrrx.exe 3484 808266.exe 3164 dvvpj.exe 3352 bthbtn.exe 3184 2022262.exe 3548 o284822.exe 3204 vjppj.exe 4564 nbhbtt.exe 1264 04088.exe 5048 680444.exe 2820 484882.exe 876 82222.exe 1708 pvjjd.exe 3016 ppddp.exe 4980 22888.exe 4520 48882.exe 3964 02222.exe 872 tnhbtt.exe 1232 djdvj.exe 3792 tthhhh.exe 4452 vvvpj.exe 3592 82260.exe 2948 llrlfxr.exe 4352 hhthnn.exe 2980 llxxxfx.exe 1800 9flfxxx.exe 2076 fxfrllf.exe 2388 hbhbtt.exe 3336 lflfxff.exe 2792 hhnnnn.exe 2112 rfffxxr.exe 2840 htbtnh.exe 4620 nhntbt.exe 2204 ppdpv.exe 1496 bbbtnn.exe 744 xrrlffx.exe 3476 206226.exe 4428 8620482.exe 3692 rlllfxx.exe 1840 bhhbbb.exe 4488 fllffll.exe 1548 8622260.exe 4652 88822.exe 1428 60fllxl.exe 3040 vddvv.exe 4632 dppjj.exe 4284 628826.exe 212 fxffxxr.exe 2440 w80826.exe 4040 82268.exe 1596 224486.exe 4440 9nhhhh.exe 4808 tnbtbb.exe 64 3tbtnt.exe 4084 hnbtnh.exe 3468 28442.exe 4188 o222660.exe 3292 frxlfxr.exe 3504 pvvpv.exe 3352 bnnhtn.exe -
resource yara_rule behavioral2/memory/2108-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-281-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/64-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-324-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4876-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-664-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0480026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
8028246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8022826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k80660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8226048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 240822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfl42.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8624286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2022262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrrrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4800622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 2108 2220 11a9129695ceaa7e8416397242fd42786f8857cef71cb767976d89ad273a2688.exe 83 PID 2220 wrote to memory of 2108 2220 11a9129695ceaa7e8416397242fd42786f8857cef71cb767976d89ad273a2688.exe 83 PID 2220 wrote to memory of 2108 2220 11a9129695ceaa7e8416397242fd42786f8857cef71cb767976d89ad273a2688.exe 83 PID 2108 wrote to memory of 1356 2108 20082.exe 84 PID 2108 wrote to memory of 1356 2108 20082.exe 84 PID 2108 wrote to memory of 1356 2108 20082.exe 84 PID 1356 wrote to memory of 4212 1356 jvvjd.exe 85 PID 1356 wrote to memory of 4212 1356 jvvjd.exe 85 PID 1356 wrote to memory of 4212 1356 jvvjd.exe 85 PID 4212 wrote to memory of 64 4212 4800622.exe 140 PID 4212 wrote to memory of 64 4212 4800622.exe 140 PID 4212 wrote to memory of 64 4212 4800622.exe 140 PID 64 wrote to memory of 3176 64 880600.exe 87 PID 64 wrote to memory of 3176 64 880600.exe 87 PID 64 wrote to memory of 3176 64 880600.exe 87 PID 3176 wrote to memory of 3484 3176 xxxxrrx.exe 88 PID 3176 wrote to memory of 3484 3176 xxxxrrx.exe 88 PID 3176 wrote to memory of 3484 3176 xxxxrrx.exe 88 PID 3484 wrote to memory of 3164 3484 808266.exe 89 PID 3484 wrote to memory of 3164 3484 808266.exe 89 PID 3484 wrote to memory of 3164 3484 808266.exe 89 PID 3164 wrote to memory of 3352 3164 dvvpj.exe 146 PID 3164 wrote to memory of 3352 3164 dvvpj.exe 146 PID 3164 wrote to memory of 3352 3164 dvvpj.exe 146 PID 3352 wrote to memory of 3184 3352 bthbtn.exe 91 PID 3352 wrote to memory of 3184 3352 bthbtn.exe 91 PID 3352 wrote to memory of 3184 3352 bthbtn.exe 91 PID 3184 wrote to memory of 3548 3184 2022262.exe 92 PID 3184 wrote to memory of 3548 3184 2022262.exe 92 PID 3184 wrote to memory of 3548 3184 2022262.exe 92 PID 3548 wrote to memory of 3204 3548 o284822.exe 93 PID 3548 wrote to memory of 3204 3548 o284822.exe 93 PID 3548 wrote to memory of 3204 3548 o284822.exe 93 PID 3204 wrote to memory of 4564 3204 vjppj.exe 94 PID 3204 wrote to memory of 
4564 3204 vjppj.exe 94 PID 3204 wrote to memory of 4564 3204 vjppj.exe 94 PID 4564 wrote to memory of 1264 4564 nbhbtt.exe 95 PID 4564 wrote to memory of 1264 4564 nbhbtt.exe 95 PID 4564 wrote to memory of 1264 4564 nbhbtt.exe 95 PID 1264 wrote to memory of 5048 1264 04088.exe 96 PID 1264 wrote to memory of 5048 1264 04088.exe 96 PID 1264 wrote to memory of 5048 1264 04088.exe 96 PID 5048 wrote to memory of 2820 5048 680444.exe 97 PID 5048 wrote to memory of 2820 5048 680444.exe 97 PID 5048 wrote to memory of 2820 5048 680444.exe 97 PID 2820 wrote to memory of 876 2820 484882.exe 98 PID 2820 wrote to memory of 876 2820 484882.exe 98 PID 2820 wrote to memory of 876 2820 484882.exe 98 PID 876 wrote to memory of 1708 876 82222.exe 99 PID 876 wrote to memory of 1708 876 82222.exe 99 PID 876 wrote to memory of 1708 876 82222.exe 99 PID 1708 wrote to memory of 3016 1708 pvjjd.exe 100 PID 1708 wrote to memory of 3016 1708 pvjjd.exe 100 PID 1708 wrote to memory of 3016 1708 pvjjd.exe 100 PID 3016 wrote to memory of 4980 3016 ppddp.exe 101 PID 3016 wrote to memory of 4980 3016 ppddp.exe 101 PID 3016 wrote to memory of 4980 3016 ppddp.exe 101 PID 4980 wrote to memory of 4520 4980 22888.exe 102 PID 4980 wrote to memory of 4520 4980 22888.exe 102 PID 4980 wrote to memory of 4520 4980 22888.exe 102 PID 4520 wrote to memory of 3964 4520 48882.exe 103 PID 4520 wrote to memory of 3964 4520 48882.exe 103 PID 4520 wrote to memory of 3964 4520 48882.exe 103 PID 3964 wrote to memory of 872 3964 02222.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\11a9129695ceaa7e8416397242fd42786f8857cef71cb767976d89ad273a2688.exe"C:\Users\Admin\AppData\Local\Temp\11a9129695ceaa7e8416397242fd42786f8857cef71cb767976d89ad273a2688.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\20082.exec:\20082.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\jvvjd.exec:\jvvjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\4800622.exec:\4800622.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\880600.exec:\880600.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\xxxxrrx.exec:\xxxxrrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\808266.exec:\808266.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\dvvpj.exec:\dvvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\bthbtn.exec:\bthbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\2022262.exec:\2022262.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\o284822.exec:\o284822.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\vjppj.exec:\vjppj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\nbhbtt.exec:\nbhbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\04088.exec:\04088.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\680444.exec:\680444.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\484882.exec:\484882.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\82222.exec:\82222.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\pvjjd.exec:\pvjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\ppddp.exec:\ppddp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\22888.exec:\22888.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\48882.exec:\48882.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\02222.exec:\02222.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\tnhbtt.exec:\tnhbtt.exe23⤵
- Executes dropped EXE
PID:872 -
\??\c:\djdvj.exec:\djdvj.exe24⤵
- Executes dropped EXE
PID:1232 -
\??\c:\tthhhh.exec:\tthhhh.exe25⤵
- Executes dropped EXE
PID:3792 -
\??\c:\vvvpj.exec:\vvvpj.exe26⤵
- Executes dropped EXE
PID:4452 -
\??\c:\82260.exec:\82260.exe27⤵
- Executes dropped EXE
PID:3592 -
\??\c:\llrlfxr.exec:\llrlfxr.exe28⤵
- Executes dropped EXE
PID:2948 -
\??\c:\hhthnn.exec:\hhthnn.exe29⤵
- Executes dropped EXE
PID:4352 -
\??\c:\llxxxfx.exec:\llxxxfx.exe30⤵
- Executes dropped EXE
PID:2980 -
\??\c:\9flfxxx.exec:\9flfxxx.exe31⤵
- Executes dropped EXE
PID:1800 -
\??\c:\fxfrllf.exec:\fxfrllf.exe32⤵
- Executes dropped EXE
PID:2076 -
\??\c:\hbhbtt.exec:\hbhbtt.exe33⤵
- Executes dropped EXE
PID:2388 -
\??\c:\lflfxff.exec:\lflfxff.exe34⤵
- Executes dropped EXE
PID:3336 -
\??\c:\hhnnnn.exec:\hhnnnn.exe35⤵
- Executes dropped EXE
PID:2792 -
\??\c:\rfffxxr.exec:\rfffxxr.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2112 -
\??\c:\htbtnh.exec:\htbtnh.exe37⤵
- Executes dropped EXE
PID:2840 -
\??\c:\nhntbt.exec:\nhntbt.exe38⤵
- Executes dropped EXE
PID:4620 -
\??\c:\ppdpv.exec:\ppdpv.exe39⤵
- Executes dropped EXE
PID:2204 -
\??\c:\bbbtnn.exec:\bbbtnn.exe40⤵
- Executes dropped EXE
PID:1496 -
\??\c:\xrrlffx.exec:\xrrlffx.exe41⤵
- Executes dropped EXE
PID:744 -
\??\c:\206226.exec:\206226.exe42⤵
- Executes dropped EXE
PID:3476 -
\??\c:\8620482.exec:\8620482.exe43⤵
- Executes dropped EXE
PID:4428 -
\??\c:\rlllfxx.exec:\rlllfxx.exe44⤵
- Executes dropped EXE
PID:3692 -
\??\c:\bhhbbb.exec:\bhhbbb.exe45⤵
- Executes dropped EXE
PID:1840 -
\??\c:\fllffll.exec:\fllffll.exe46⤵
- Executes dropped EXE
PID:4488 -
\??\c:\8622260.exec:\8622260.exe47⤵
- Executes dropped EXE
PID:1548 -
\??\c:\88822.exec:\88822.exe48⤵
- Executes dropped EXE
PID:4652 -
\??\c:\60fllxl.exec:\60fllxl.exe49⤵
- Executes dropped EXE
PID:1428 -
\??\c:\vddvv.exec:\vddvv.exe50⤵
- Executes dropped EXE
PID:3040 -
\??\c:\dppjj.exec:\dppjj.exe51⤵
- Executes dropped EXE
PID:4632 -
\??\c:\628826.exec:\628826.exe52⤵
- Executes dropped EXE
PID:4284 -
\??\c:\fxffxxr.exec:\fxffxxr.exe53⤵
- Executes dropped EXE
PID:212 -
\??\c:\w80826.exec:\w80826.exe54⤵
- Executes dropped EXE
PID:2440 -
\??\c:\82268.exec:\82268.exe55⤵
- Executes dropped EXE
PID:4040 -
\??\c:\224486.exec:\224486.exe56⤵
- Executes dropped EXE
PID:1596 -
\??\c:\9nhhhh.exec:\9nhhhh.exe57⤵
- Executes dropped EXE
PID:4440 -
\??\c:\tnbtbb.exec:\tnbtbb.exe58⤵
- Executes dropped EXE
PID:4808 -
\??\c:\3tbtnt.exec:\3tbtnt.exe59⤵
- Executes dropped EXE
PID:64 -
\??\c:\hnbtnh.exec:\hnbtnh.exe60⤵
- Executes dropped EXE
PID:4084 -
\??\c:\28442.exec:\28442.exe61⤵
- Executes dropped EXE
PID:3468 -
\??\c:\o222660.exec:\o222660.exe62⤵
- Executes dropped EXE
PID:4188 -
\??\c:\frxlfxr.exec:\frxlfxr.exe63⤵
- Executes dropped EXE
PID:3292 -
\??\c:\pvvpv.exec:\pvvpv.exe64⤵
- Executes dropped EXE
PID:3504 -
\??\c:\bnnhtn.exec:\bnnhtn.exe65⤵
- Executes dropped EXE
PID:3352 -
\??\c:\tnbttn.exec:\tnbttn.exe66⤵PID:3656
-
\??\c:\dpdvp.exec:\dpdvp.exe67⤵PID:3616
-
\??\c:\9xffllr.exec:\9xffllr.exe68⤵PID:2140
-
\??\c:\200868.exec:\200868.exe69⤵PID:3084
-
\??\c:\vjdvd.exec:\vjdvd.exe70⤵PID:2652
-
\??\c:\624808.exec:\624808.exe71⤵PID:2296
-
\??\c:\xllflfx.exec:\xllflfx.exe72⤵PID:3768
-
\??\c:\246404.exec:\246404.exe73⤵PID:2956
-
\??\c:\jvddd.exec:\jvddd.exe74⤵PID:3700
-
\??\c:\pjdvp.exec:\pjdvp.exe75⤵PID:5028
-
\??\c:\42648.exec:\42648.exe76⤵PID:4728
-
\??\c:\2048604.exec:\2048604.exe77⤵PID:1672
-
\??\c:\pdddp.exec:\pdddp.exe78⤵PID:1632
-
\??\c:\k46084.exec:\k46084.exe79⤵PID:1700
-
\??\c:\frffrlx.exec:\frffrlx.exe80⤵PID:4876
-
\??\c:\nbhtth.exec:\nbhtth.exe81⤵PID:3008
-
\??\c:\jvpdp.exec:\jvpdp.exe82⤵PID:3592
-
\??\c:\lffxlrr.exec:\lffxlrr.exe83⤵PID:1688
-
\??\c:\u482648.exec:\u482648.exe84⤵PID:920
-
\??\c:\frxrfxr.exec:\frxrfxr.exe85⤵PID:3320
-
\??\c:\20228.exec:\20228.exe86⤵PID:1480
-
\??\c:\7tnbnh.exec:\7tnbnh.exe87⤵PID:1804
-
\??\c:\u066408.exec:\u066408.exe88⤵PID:1412
-
\??\c:\vpvpj.exec:\vpvpj.exe89⤵PID:3928
-
\??\c:\204828.exec:\204828.exe90⤵PID:1424
-
\??\c:\088260.exec:\088260.exe91⤵PID:4136
-
\??\c:\9vpjd.exec:\9vpjd.exe92⤵PID:4336
-
\??\c:\lfxxxrr.exec:\lfxxxrr.exe93⤵PID:2696
-
\??\c:\864444.exec:\864444.exe94⤵PID:2204
-
\??\c:\7fxlxrl.exec:\7fxlxrl.exe95⤵PID:744
-
\??\c:\442024.exec:\442024.exe96⤵PID:1980
-
\??\c:\nhbnbb.exec:\nhbnbb.exe97⤵PID:1516
-
\??\c:\nhnhnb.exec:\nhnhnb.exe98⤵PID:3124
-
\??\c:\bnnhbt.exec:\bnnhbt.exe99⤵PID:1240
-
\??\c:\rllfrll.exec:\rllfrll.exe100⤵PID:2292
-
\??\c:\8400486.exec:\8400486.exe101⤵PID:1600
-
\??\c:\htbttn.exec:\htbttn.exe102⤵PID:2580
-
\??\c:\jjvpj.exec:\jjvpj.exe103⤵PID:4128
-
\??\c:\rlfrlfx.exec:\rlfrlfx.exe104⤵PID:1608
-
\??\c:\608884.exec:\608884.exe105⤵PID:4020
-
\??\c:\3jvpv.exec:\3jvpv.exe106⤵PID:4904
-
\??\c:\5rfxrxx.exec:\5rfxrxx.exe107⤵PID:636
-
\??\c:\04008.exec:\04008.exe108⤵PID:1704
-
\??\c:\ddjdd.exec:\ddjdd.exe109⤵PID:4292
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe110⤵PID:1520
-
\??\c:\s4404.exec:\s4404.exe111⤵PID:1100
-
\??\c:\rrrfxxx.exec:\rrrfxxx.exe112⤵PID:224
-
\??\c:\dvvpj.exec:\dvvpj.exe113⤵PID:2124
-
\??\c:\u462222.exec:\u462222.exe114⤵PID:4808
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe115⤵PID:524
-
\??\c:\e80260.exec:\e80260.exe116⤵PID:3280
-
\??\c:\20006.exec:\20006.exe117⤵PID:2064
-
\??\c:\828822.exec:\828822.exe118⤵PID:3468
-
\??\c:\466464.exec:\466464.exe119⤵PID:4928
-
\??\c:\nthbbb.exec:\nthbbb.exe120⤵PID:3372
-
\??\c:\nntttt.exec:\nntttt.exe121⤵PID:1032
-
\??\c:\o844444.exec:\o844444.exe122⤵PID:5032