Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 11:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0267679d201c437d001b1bea688c5642dadde324f4617e80cf16b8834da8198a.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
0267679d201c437d001b1bea688c5642dadde324f4617e80cf16b8834da8198a.exe
-
Size
454KB
-
MD5
52628940128b7538e06e15f537615f90
-
SHA1
3894297d789357897fe5128c1c2c06f43735a9bb
-
SHA256
0267679d201c437d001b1bea688c5642dadde324f4617e80cf16b8834da8198a
-
SHA512
2504a886bf8806f48d2b6c72ce8079b8aa16c46706ded2e9bd085a6f5b06bd70329d2ab7eb4c304194d6e7081b3ec81950113ce524c51b6690648d47faf36514
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2120-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3452-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3536-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-1264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3204 0206880.exe 4284 264848.exe 2912 824266.exe 3324 7vddj.exe 1380 0828260.exe 4392 208024.exe 1272 s0828.exe 3704 606622.exe 1440 66888.exe 2476 084260.exe 1364 rxxllff.exe 940 28268.exe 4676 88826.exe 2604 2082082.exe 4040 ppdvp.exe 1452 vvvvv.exe 1384 846844.exe 3516 084868.exe 4328 0804848.exe 4920 pvjdv.exe 1456 08244.exe 3536 a6666.exe 4208 6486668.exe 1420 nhhhnt.exe 924 vpjdv.exe 4048 hbhbtb.exe 3624 6204888.exe 4868 rlfxrfr.exe 3572 48268.exe 1880 22248.exe 3152 08482.exe 1988 5tbbbn.exe 232 ttbtnb.exe 3452 lrrfrfx.exe 3484 24688.exe 2852 m0824.exe 2800 xxlfrxl.exe 2876 62666.exe 3504 nntnnn.exe 4136 w80466.exe 3204 26260.exe 4456 4627thh.exe 3764 nhbttn.exe 1648 bttnhb.exe 208 pvddd.exe 3628 c886048.exe 3324 808624.exe 1096 068262.exe 3472 rflffxf.exe 3524 8448660.exe 2424 vvpjp.exe 3004 646826.exe 1980 pjppp.exe 2904 bhnnhh.exe 4444 q00662.exe 4760 nhnhnb.exe 3476 llrfxxr.exe 2496 q24462.exe 3816 i626000.exe 3616 2284888.exe 2676 hhnnhh.exe 3720 a8000.exe 5020 jjvvv.exe 3868 rflffff.exe -
resource yara_rule behavioral2/memory/2120-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-194-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3452-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-128-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4920-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-686-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4082666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 024884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 064826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8448660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 680606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2120 wrote to memory of 3204 2120 0267679d201c437d001b1bea688c5642dadde324f4617e80cf16b8834da8198a.exe 85 PID 2120 wrote to memory of 3204 2120 0267679d201c437d001b1bea688c5642dadde324f4617e80cf16b8834da8198a.exe 85 PID 2120 wrote to memory of 3204 2120 0267679d201c437d001b1bea688c5642dadde324f4617e80cf16b8834da8198a.exe 85 PID 3204 wrote to memory of 4284 3204 0206880.exe 86 PID 3204 wrote to memory of 4284 3204 0206880.exe 86 PID 3204 wrote to memory of 4284 3204 0206880.exe 86 PID 4284 wrote to memory of 2912 4284 264848.exe 87 PID 4284 wrote to memory of 2912 4284 264848.exe 87 PID 4284 wrote to memory of 2912 4284 264848.exe 87 PID 2912 wrote to memory of 3324 2912 824266.exe 131 PID 2912 wrote to memory of 3324 2912 824266.exe 131 PID 2912 wrote to memory of 3324 2912 824266.exe 131 PID 3324 wrote to memory of 1380 3324 7vddj.exe 89 PID 3324 wrote to memory of 1380 3324 7vddj.exe 89 PID 3324 wrote to memory of 1380 3324 7vddj.exe 89 PID 1380 wrote to memory of 4392 1380 0828260.exe 90 PID 1380 wrote to memory of 4392 1380 0828260.exe 90 PID 1380 wrote to memory of 4392 1380 0828260.exe 90 PID 4392 wrote to memory of 1272 4392 208024.exe 91 PID 4392 wrote to memory of 1272 4392 208024.exe 91 PID 4392 wrote to memory of 1272 4392 208024.exe 91 PID 1272 wrote to memory of 3704 1272 s0828.exe 92 PID 1272 wrote to memory of 3704 1272 s0828.exe 92 PID 1272 wrote to memory of 3704 1272 s0828.exe 92 PID 3704 wrote to memory of 1440 3704 606622.exe 93 PID 3704 wrote to memory of 1440 3704 606622.exe 93 PID 3704 wrote to memory of 1440 3704 606622.exe 93 PID 1440 wrote to memory of 2476 1440 66888.exe 94 PID 1440 wrote to memory of 2476 1440 66888.exe 94 PID 1440 wrote to memory of 2476 1440 66888.exe 94 PID 2476 wrote to memory of 1364 2476 084260.exe 95 PID 2476 wrote to memory of 1364 2476 084260.exe 95 PID 2476 wrote to memory of 1364 2476 084260.exe 95 PID 1364 wrote to memory of 940 1364 rxxllff.exe 96 PID 1364 wrote to 
memory of 940 1364 rxxllff.exe 96 PID 1364 wrote to memory of 940 1364 rxxllff.exe 96 PID 940 wrote to memory of 4676 940 28268.exe 97 PID 940 wrote to memory of 4676 940 28268.exe 97 PID 940 wrote to memory of 4676 940 28268.exe 97 PID 4676 wrote to memory of 2604 4676 88826.exe 98 PID 4676 wrote to memory of 2604 4676 88826.exe 98 PID 4676 wrote to memory of 2604 4676 88826.exe 98 PID 2604 wrote to memory of 4040 2604 2082082.exe 99 PID 2604 wrote to memory of 4040 2604 2082082.exe 99 PID 2604 wrote to memory of 4040 2604 2082082.exe 99 PID 4040 wrote to memory of 1452 4040 ppdvp.exe 100 PID 4040 wrote to memory of 1452 4040 ppdvp.exe 100 PID 4040 wrote to memory of 1452 4040 ppdvp.exe 100 PID 1452 wrote to memory of 1384 1452 vvvvv.exe 101 PID 1452 wrote to memory of 1384 1452 vvvvv.exe 101 PID 1452 wrote to memory of 1384 1452 vvvvv.exe 101 PID 1384 wrote to memory of 3516 1384 846844.exe 102 PID 1384 wrote to memory of 3516 1384 846844.exe 102 PID 1384 wrote to memory of 3516 1384 846844.exe 102 PID 3516 wrote to memory of 4328 3516 084868.exe 156 PID 3516 wrote to memory of 4328 3516 084868.exe 156 PID 3516 wrote to memory of 4328 3516 084868.exe 156 PID 4328 wrote to memory of 4920 4328 0804848.exe 104 PID 4328 wrote to memory of 4920 4328 0804848.exe 104 PID 4328 wrote to memory of 4920 4328 0804848.exe 104 PID 4920 wrote to memory of 1456 4920 pvjdv.exe 105 PID 4920 wrote to memory of 1456 4920 pvjdv.exe 105 PID 4920 wrote to memory of 1456 4920 pvjdv.exe 105 PID 1456 wrote to memory of 3536 1456 08244.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\0267679d201c437d001b1bea688c5642dadde324f4617e80cf16b8834da8198a.exe"C:\Users\Admin\AppData\Local\Temp\0267679d201c437d001b1bea688c5642dadde324f4617e80cf16b8834da8198a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\0206880.exec:\0206880.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\264848.exec:\264848.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\824266.exec:\824266.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\7vddj.exec:\7vddj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\0828260.exec:\0828260.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\208024.exec:\208024.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\s0828.exec:\s0828.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\606622.exec:\606622.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\66888.exec:\66888.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\084260.exec:\084260.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\rxxllff.exec:\rxxllff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\28268.exec:\28268.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\88826.exec:\88826.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\2082082.exec:\2082082.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\ppdvp.exec:\ppdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\vvvvv.exec:\vvvvv.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\846844.exec:\846844.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\084868.exec:\084868.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\0804848.exec:\0804848.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\pvjdv.exec:\pvjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\08244.exec:\08244.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\a6666.exec:\a6666.exe23⤵
- Executes dropped EXE
PID:3536 -
\??\c:\6486668.exec:\6486668.exe24⤵
- Executes dropped EXE
PID:4208 -
\??\c:\nhhhnt.exec:\nhhhnt.exe25⤵
- Executes dropped EXE
PID:1420 -
\??\c:\vpjdv.exec:\vpjdv.exe26⤵
- Executes dropped EXE
PID:924 -
\??\c:\hbhbtb.exec:\hbhbtb.exe27⤵
- Executes dropped EXE
PID:4048 -
\??\c:\6204888.exec:\6204888.exe28⤵
- Executes dropped EXE
PID:3624 -
\??\c:\rlfxrfr.exec:\rlfxrfr.exe29⤵
- Executes dropped EXE
PID:4868 -
\??\c:\48268.exec:\48268.exe30⤵
- Executes dropped EXE
PID:3572 -
\??\c:\22248.exec:\22248.exe31⤵
- Executes dropped EXE
PID:1880 -
\??\c:\08482.exec:\08482.exe32⤵
- Executes dropped EXE
PID:3152 -
\??\c:\5tbbbn.exec:\5tbbbn.exe33⤵
- Executes dropped EXE
PID:1988 -
\??\c:\ttbtnb.exec:\ttbtnb.exe34⤵
- Executes dropped EXE
PID:232 -
\??\c:\lrrfrfx.exec:\lrrfrfx.exe35⤵
- Executes dropped EXE
PID:3452 -
\??\c:\24688.exec:\24688.exe36⤵
- Executes dropped EXE
PID:3484 -
\??\c:\m0824.exec:\m0824.exe37⤵
- Executes dropped EXE
PID:2852 -
\??\c:\xxlfrxl.exec:\xxlfrxl.exe38⤵
- Executes dropped EXE
PID:2800 -
\??\c:\62666.exec:\62666.exe39⤵
- Executes dropped EXE
PID:2876 -
\??\c:\nntnnn.exec:\nntnnn.exe40⤵
- Executes dropped EXE
PID:3504 -
\??\c:\w80466.exec:\w80466.exe41⤵
- Executes dropped EXE
PID:4136 -
\??\c:\26260.exec:\26260.exe42⤵
- Executes dropped EXE
PID:3204 -
\??\c:\4627thh.exec:\4627thh.exe43⤵
- Executes dropped EXE
PID:4456 -
\??\c:\nhbttn.exec:\nhbttn.exe44⤵
- Executes dropped EXE
PID:3764 -
\??\c:\bttnhb.exec:\bttnhb.exe45⤵
- Executes dropped EXE
PID:1648 -
\??\c:\pvddd.exec:\pvddd.exe46⤵
- Executes dropped EXE
PID:208 -
\??\c:\c886048.exec:\c886048.exe47⤵
- Executes dropped EXE
PID:3628 -
\??\c:\808624.exec:\808624.exe48⤵
- Executes dropped EXE
PID:3324 -
\??\c:\068262.exec:\068262.exe49⤵
- Executes dropped EXE
PID:1096 -
\??\c:\rflffxf.exec:\rflffxf.exe50⤵
- Executes dropped EXE
PID:3472 -
\??\c:\8448660.exec:\8448660.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3524 -
\??\c:\vvpjp.exec:\vvpjp.exe52⤵
- Executes dropped EXE
PID:2424 -
\??\c:\646826.exec:\646826.exe53⤵
- Executes dropped EXE
PID:3004 -
\??\c:\pjppp.exec:\pjppp.exe54⤵
- Executes dropped EXE
PID:1980 -
\??\c:\bhnnhh.exec:\bhnnhh.exe55⤵
- Executes dropped EXE
PID:2904 -
\??\c:\q00662.exec:\q00662.exe56⤵
- Executes dropped EXE
PID:4444 -
\??\c:\nhnhnb.exec:\nhnhnb.exe57⤵
- Executes dropped EXE
PID:4760 -
\??\c:\llrfxxr.exec:\llrfxxr.exe58⤵
- Executes dropped EXE
PID:3476 -
\??\c:\q24462.exec:\q24462.exe59⤵
- Executes dropped EXE
PID:2496 -
\??\c:\i626000.exec:\i626000.exe60⤵
- Executes dropped EXE
PID:3816 -
\??\c:\2284888.exec:\2284888.exe61⤵
- Executes dropped EXE
PID:3616 -
\??\c:\hhnnhh.exec:\hhnnhh.exe62⤵
- Executes dropped EXE
PID:2676 -
\??\c:\a8000.exec:\a8000.exe63⤵
- Executes dropped EXE
PID:3720 -
\??\c:\jjvvv.exec:\jjvvv.exe64⤵
- Executes dropped EXE
PID:5020 -
\??\c:\rflffff.exec:\rflffff.exe65⤵
- Executes dropped EXE
PID:3868 -
\??\c:\jpdpd.exec:\jpdpd.exe66⤵PID:2892
-
\??\c:\5tbhhb.exec:\5tbhhb.exe67⤵PID:216
-
\??\c:\40886.exec:\40886.exe68⤵PID:3468
-
\??\c:\jdjdv.exec:\jdjdv.exe69⤵PID:4828
-
\??\c:\444844.exec:\444844.exe70⤵PID:3180
-
\??\c:\xxrxrrr.exec:\xxrxrrr.exe71⤵PID:4744
-
\??\c:\2626622.exec:\2626622.exe72⤵PID:3600
-
\??\c:\nbhnnt.exec:\nbhnnt.exe73⤵PID:4328
-
\??\c:\ppdvp.exec:\ppdvp.exe74⤵PID:4808
-
\??\c:\k80048.exec:\k80048.exe75⤵PID:3060
-
\??\c:\20806.exec:\20806.exe76⤵PID:3172
-
\??\c:\bntbtb.exec:\bntbtb.exe77⤵PID:2672
-
\??\c:\tbbbbt.exec:\tbbbbt.exe78⤵PID:4564
-
\??\c:\0684666.exec:\0684666.exe79⤵PID:2712
-
\??\c:\i626604.exec:\i626604.exe80⤵PID:880
-
\??\c:\llrrlfr.exec:\llrrlfr.exe81⤵PID:5024
-
\??\c:\nbtnhn.exec:\nbtnhn.exe82⤵PID:4984
-
\??\c:\s4228.exec:\s4228.exe83⤵PID:5056
-
\??\c:\vvvvp.exec:\vvvvp.exe84⤵PID:3624
-
\??\c:\dddjv.exec:\dddjv.exe85⤵PID:396
-
\??\c:\dpdvp.exec:\dpdvp.exe86⤵PID:5004
-
\??\c:\xllfrxl.exec:\xllfrxl.exe87⤵PID:2948
-
\??\c:\60228.exec:\60228.exe88⤵PID:4068
-
\??\c:\024884.exec:\024884.exe89⤵
- System Location Discovery: System Language Discovery
PID:5080 -
\??\c:\9vpdv.exec:\9vpdv.exe90⤵PID:348
-
\??\c:\9hnhbt.exec:\9hnhbt.exe91⤵PID:1104
-
\??\c:\pjvpj.exec:\pjvpj.exe92⤵PID:1988
-
\??\c:\680088.exec:\680088.exe93⤵PID:400
-
\??\c:\lfxlffx.exec:\lfxlffx.exe94⤵PID:852
-
\??\c:\dvddv.exec:\dvddv.exe95⤵PID:4192
-
\??\c:\o464648.exec:\o464648.exe96⤵PID:4404
-
\??\c:\w02222.exec:\w02222.exe97⤵PID:4484
-
\??\c:\8626082.exec:\8626082.exe98⤵PID:2876
-
\??\c:\24484.exec:\24484.exe99⤵PID:1612
-
\??\c:\rrffxfl.exec:\rrffxfl.exe100⤵PID:4672
-
\??\c:\btnhbb.exec:\btnhbb.exe101⤵PID:3532
-
\??\c:\20222.exec:\20222.exe102⤵PID:2832
-
\??\c:\44882.exec:\44882.exe103⤵PID:3000
-
\??\c:\462600.exec:\462600.exe104⤵PID:4284
-
\??\c:\o248488.exec:\o248488.exe105⤵PID:2336
-
\??\c:\vjjvp.exec:\vjjvp.exe106⤵PID:4100
-
\??\c:\6066060.exec:\6066060.exe107⤵PID:2632
-
\??\c:\pjjdv.exec:\pjjdv.exe108⤵PID:2420
-
\??\c:\lxlxrrr.exec:\lxlxrrr.exe109⤵PID:772
-
\??\c:\40204.exec:\40204.exe110⤵PID:3672
-
\??\c:\i408260.exec:\i408260.exe111⤵PID:3196
-
\??\c:\806868.exec:\806868.exe112⤵PID:2428
-
\??\c:\vdvpj.exec:\vdvpj.exe113⤵PID:3952
-
\??\c:\i282600.exec:\i282600.exe114⤵PID:3004
-
\??\c:\844822.exec:\844822.exe115⤵PID:3704
-
\??\c:\pdvdd.exec:\pdvdd.exe116⤵PID:4628
-
\??\c:\680282.exec:\680282.exe117⤵PID:4444
-
\??\c:\a0044.exec:\a0044.exe118⤵PID:4476
-
\??\c:\9jdvj.exec:\9jdvj.exe119⤵PID:1816
-
\??\c:\pvddj.exec:\pvddj.exe120⤵PID:4352
-
\??\c:\866428.exec:\866428.exe121⤵PID:2796
-
\??\c:\hnbthh.exec:\hnbthh.exe122⤵PID:1160