Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 02:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9ca9f427289dc9b355b7a4f1d2a0edaf344bfc2fd4b6140fbed5c3b480aee017N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9ca9f427289dc9b355b7a4f1d2a0edaf344bfc2fd4b6140fbed5c3b480aee017N.exe
-
Size
453KB
-
MD5
4461cbcec22a2b5dc3a8c7715e8f3100
-
SHA1
63701a5c48c341a922e6c10a0527f06c291d52bd
-
SHA256
9ca9f427289dc9b355b7a4f1d2a0edaf344bfc2fd4b6140fbed5c3b480aee017
-
SHA512
d54e9f1600e3e8dbf99dad2829372341ad71def4045fd3476d2ad8abf2470aefa97aeaa9e58955ddb9e04986771f7273cf3beddb6c2456f0f90de8d3a86ad1e6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2456-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/560-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4004-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1692-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-905-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-951-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4312-1064-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4748 42024.exe 4852 jvjvj.exe 3968 2486048.exe 4896 xrxrrxx.exe 3284 0480280.exe 840 i666006.exe 3172 3jjjv.exe 4492 60482.exe 4192 60822.exe 3244 rfllllf.exe 2956 20048.exe 1332 lxlxrrl.exe 4844 nhnhhh.exe 3996 60860.exe 2068 dddjj.exe 4312 0440426.exe 4920 dvpvd.exe 1552 0484888.exe 1816 c282660.exe 1284 nhnnnh.exe 4900 hbhnhh.exe 2468 64044.exe 664 828846.exe 1264 xffxxxx.exe 4244 rfxxrxl.exe 2188 ddjdv.exe 3548 s6482.exe 2676 xlxrrxr.exe 560 62482.exe 1028 004426.exe 1276 ffffxll.exe 2712 64206.exe 5076 dvvpd.exe 4808 82482.exe 4436 dvppj.exe 4804 jdjdd.exe 2976 82660.exe 1228 i662266.exe 3424 044882.exe 652 nttnnt.exe 4836 7dppp.exe 3360 dvjjp.exe 2312 lflflfx.exe 4408 i882048.exe 3320 266082.exe 2716 lrxlfxr.exe 1152 pppdp.exe 1184 nnhhhh.exe 1120 flrxlrx.exe 4004 8064420.exe 4380 88424.exe 3100 rrxrlfl.exe 4748 bttntt.exe 5040 684866.exe 3812 djdpj.exe 4896 dvdvp.exe 2076 440822.exe 4916 nhhbbb.exe 648 nhbhhb.exe 2740 00608.exe 1412 88222.exe 1420 0482604.exe 3896 60002.exe 5052 thhhhn.exe -
resource yara_rule behavioral2/memory/2456-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/560-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-232-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3320-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-656-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4748-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-119-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0444822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k62628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o282048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6626488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i882048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 440446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2456 wrote to memory of 4748 2456 9ca9f427289dc9b355b7a4f1d2a0edaf344bfc2fd4b6140fbed5c3b480aee017N.exe 83 PID 2456 wrote to memory of 4748 2456 9ca9f427289dc9b355b7a4f1d2a0edaf344bfc2fd4b6140fbed5c3b480aee017N.exe 83 PID 2456 wrote to memory of 4748 2456 9ca9f427289dc9b355b7a4f1d2a0edaf344bfc2fd4b6140fbed5c3b480aee017N.exe 83 PID 4748 wrote to memory of 4852 4748 42024.exe 265 PID 4748 wrote to memory of 4852 4748 42024.exe 265 PID 4748 wrote to memory of 4852 4748 42024.exe 265 PID 4852 wrote to memory of 3968 4852 jvjvj.exe 199 PID 4852 wrote to memory of 3968 4852 jvjvj.exe 199 PID 4852 wrote to memory of 3968 4852 jvjvj.exe 199 PID 3968 wrote to memory of 4896 3968 2486048.exe 138 PID 3968 wrote to memory of 4896 3968 2486048.exe 138 PID 3968 wrote to memory of 4896 3968 2486048.exe 138 PID 4896 wrote to memory of 3284 4896 xrxrrxx.exe 87 PID 4896 wrote to memory of 3284 4896 xrxrrxx.exe 87 PID 4896 wrote to memory of 3284 4896 xrxrrxx.exe 87 PID 3284 wrote to memory of 840 3284 0480280.exe 88 PID 3284 wrote to memory of 840 3284 0480280.exe 88 PID 3284 wrote to memory of 840 3284 0480280.exe 88 PID 840 wrote to memory of 3172 840 i666006.exe 206 PID 840 wrote to memory of 3172 840 i666006.exe 206 PID 840 wrote to memory of 3172 840 i666006.exe 206 PID 3172 wrote to memory of 4492 3172 3jjjv.exe 90 PID 3172 wrote to memory of 4492 3172 3jjjv.exe 90 PID 3172 wrote to memory of 4492 3172 3jjjv.exe 90 PID 4492 wrote to memory of 4192 4492 60482.exe 91 PID 4492 wrote to memory of 4192 4492 60482.exe 91 PID 4492 wrote to memory of 4192 4492 60482.exe 91 PID 4192 wrote to memory of 3244 4192 60822.exe 92 PID 4192 wrote to memory of 3244 4192 60822.exe 92 PID 4192 wrote to memory of 3244 4192 60822.exe 92 PID 3244 wrote to memory of 2956 3244 rfllllf.exe 93 PID 3244 wrote to memory of 2956 3244 rfllllf.exe 93 PID 3244 wrote to memory of 2956 3244 rfllllf.exe 93 PID 2956 wrote to memory of 1332 2956 20048.exe 94 PID 2956 wrote 
to memory of 1332 2956 20048.exe 94 PID 2956 wrote to memory of 1332 2956 20048.exe 94 PID 1332 wrote to memory of 4844 1332 lxlxrrl.exe 95 PID 1332 wrote to memory of 4844 1332 lxlxrrl.exe 95 PID 1332 wrote to memory of 4844 1332 lxlxrrl.exe 95 PID 4844 wrote to memory of 3996 4844 nhnhhh.exe 96 PID 4844 wrote to memory of 3996 4844 nhnhhh.exe 96 PID 4844 wrote to memory of 3996 4844 nhnhhh.exe 96 PID 3996 wrote to memory of 2068 3996 60860.exe 97 PID 3996 wrote to memory of 2068 3996 60860.exe 97 PID 3996 wrote to memory of 2068 3996 60860.exe 97 PID 2068 wrote to memory of 4312 2068 dddjj.exe 98 PID 2068 wrote to memory of 4312 2068 dddjj.exe 98 PID 2068 wrote to memory of 4312 2068 dddjj.exe 98 PID 4312 wrote to memory of 4920 4312 0440426.exe 99 PID 4312 wrote to memory of 4920 4312 0440426.exe 99 PID 4312 wrote to memory of 4920 4312 0440426.exe 99 PID 4920 wrote to memory of 1552 4920 dvpvd.exe 100 PID 4920 wrote to memory of 1552 4920 dvpvd.exe 100 PID 4920 wrote to memory of 1552 4920 dvpvd.exe 100 PID 1552 wrote to memory of 1816 1552 0484888.exe 290 PID 1552 wrote to memory of 1816 1552 0484888.exe 290 PID 1552 wrote to memory of 1816 1552 0484888.exe 290 PID 1816 wrote to memory of 1284 1816 c282660.exe 102 PID 1816 wrote to memory of 1284 1816 c282660.exe 102 PID 1816 wrote to memory of 1284 1816 c282660.exe 102 PID 1284 wrote to memory of 4900 1284 nhnnnh.exe 103 PID 1284 wrote to memory of 4900 1284 nhnnnh.exe 103 PID 1284 wrote to memory of 4900 1284 nhnnnh.exe 103 PID 4900 wrote to memory of 2468 4900 hbhnhh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ca9f427289dc9b355b7a4f1d2a0edaf344bfc2fd4b6140fbed5c3b480aee017N.exe"C:\Users\Admin\AppData\Local\Temp\9ca9f427289dc9b355b7a4f1d2a0edaf344bfc2fd4b6140fbed5c3b480aee017N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\42024.exec:\42024.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\jvjvj.exec:\jvjvj.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\2486048.exec:\2486048.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\xrxrrxx.exec:\xrxrrxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\0480280.exec:\0480280.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\i666006.exec:\i666006.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\3jjjv.exec:\3jjjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\60482.exec:\60482.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\60822.exec:\60822.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\rfllllf.exec:\rfllllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\20048.exec:\20048.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\lxlxrrl.exec:\lxlxrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\nhnhhh.exec:\nhnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\60860.exec:\60860.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\dddjj.exec:\dddjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\0440426.exec:\0440426.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\dvpvd.exec:\dvpvd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\0484888.exec:\0484888.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\c282660.exec:\c282660.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\nhnnnh.exec:\nhnnnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\hbhnhh.exec:\hbhnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\64044.exec:\64044.exe23⤵
- Executes dropped EXE
PID:2468 -
\??\c:\828846.exec:\828846.exe24⤵
- Executes dropped EXE
PID:664 -
\??\c:\xffxxxx.exec:\xffxxxx.exe25⤵
- Executes dropped EXE
PID:1264 -
\??\c:\rfxxrxl.exec:\rfxxrxl.exe26⤵
- Executes dropped EXE
PID:4244 -
\??\c:\ddjdv.exec:\ddjdv.exe27⤵
- Executes dropped EXE
PID:2188 -
\??\c:\s6482.exec:\s6482.exe28⤵
- Executes dropped EXE
PID:3548 -
\??\c:\xlxrrxr.exec:\xlxrrxr.exe29⤵
- Executes dropped EXE
PID:2676 -
\??\c:\62482.exec:\62482.exe30⤵
- Executes dropped EXE
PID:560 -
\??\c:\004426.exec:\004426.exe31⤵
- Executes dropped EXE
PID:1028 -
\??\c:\ffffxll.exec:\ffffxll.exe32⤵
- Executes dropped EXE
PID:1276 -
\??\c:\64206.exec:\64206.exe33⤵
- Executes dropped EXE
PID:2712 -
\??\c:\dvvpd.exec:\dvvpd.exe34⤵
- Executes dropped EXE
PID:5076 -
\??\c:\82482.exec:\82482.exe35⤵
- Executes dropped EXE
PID:4808 -
\??\c:\dvppj.exec:\dvppj.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4436 -
\??\c:\jdjdd.exec:\jdjdd.exe37⤵
- Executes dropped EXE
PID:4804 -
\??\c:\82660.exec:\82660.exe38⤵
- Executes dropped EXE
PID:2976 -
\??\c:\i662266.exec:\i662266.exe39⤵
- Executes dropped EXE
PID:1228 -
\??\c:\044882.exec:\044882.exe40⤵
- Executes dropped EXE
PID:3424 -
\??\c:\nttnnt.exec:\nttnnt.exe41⤵
- Executes dropped EXE
PID:652 -
\??\c:\7dppp.exec:\7dppp.exe42⤵
- Executes dropped EXE
PID:4836 -
\??\c:\dvjjp.exec:\dvjjp.exe43⤵
- Executes dropped EXE
PID:3360 -
\??\c:\lflflfx.exec:\lflflfx.exe44⤵
- Executes dropped EXE
PID:2312 -
\??\c:\i882048.exec:\i882048.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408 -
\??\c:\266082.exec:\266082.exe46⤵
- Executes dropped EXE
PID:3320 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe47⤵
- Executes dropped EXE
PID:2716 -
\??\c:\pppdp.exec:\pppdp.exe48⤵
- Executes dropped EXE
PID:1152 -
\??\c:\nnhhhh.exec:\nnhhhh.exe49⤵
- Executes dropped EXE
PID:1184 -
\??\c:\flrxlrx.exec:\flrxlrx.exe50⤵
- Executes dropped EXE
PID:1120 -
\??\c:\8064420.exec:\8064420.exe51⤵
- Executes dropped EXE
PID:4004 -
\??\c:\88424.exec:\88424.exe52⤵
- Executes dropped EXE
PID:4380 -
\??\c:\rrxrlfl.exec:\rrxrlfl.exe53⤵
- Executes dropped EXE
PID:3100 -
\??\c:\bttntt.exec:\bttntt.exe54⤵
- Executes dropped EXE
PID:4748 -
\??\c:\684866.exec:\684866.exe55⤵
- Executes dropped EXE
PID:5040 -
\??\c:\djdpj.exec:\djdpj.exe56⤵
- Executes dropped EXE
PID:3812 -
\??\c:\dvdvp.exec:\dvdvp.exe57⤵
- Executes dropped EXE
PID:4896 -
\??\c:\440822.exec:\440822.exe58⤵
- Executes dropped EXE
PID:2076 -
\??\c:\nhhbbb.exec:\nhhbbb.exe59⤵
- Executes dropped EXE
PID:4916 -
\??\c:\nhbhhb.exec:\nhbhhb.exe60⤵
- Executes dropped EXE
PID:648 -
\??\c:\00608.exec:\00608.exe61⤵
- Executes dropped EXE
PID:2740 -
\??\c:\88222.exec:\88222.exe62⤵
- Executes dropped EXE
PID:1412 -
\??\c:\0482604.exec:\0482604.exe63⤵
- Executes dropped EXE
PID:1420 -
\??\c:\60002.exec:\60002.exe64⤵
- Executes dropped EXE
PID:3896 -
\??\c:\thhhhn.exec:\thhhhn.exe65⤵
- Executes dropped EXE
PID:5052 -
\??\c:\82004.exec:\82004.exe66⤵PID:116
-
\??\c:\fxffllr.exec:\fxffllr.exe67⤵PID:2304
-
\??\c:\6000000.exec:\6000000.exe68⤵PID:2848
-
\??\c:\06682.exec:\06682.exe69⤵PID:1416
-
\??\c:\084822.exec:\084822.exe70⤵PID:4672
-
\??\c:\00208.exec:\00208.exe71⤵PID:1836
-
\??\c:\a2822.exec:\a2822.exe72⤵PID:4136
-
\??\c:\bhbnhh.exec:\bhbnhh.exe73⤵PID:4060
-
\??\c:\frfxxxf.exec:\frfxxxf.exe74⤵PID:100
-
\??\c:\jjddv.exec:\jjddv.exe75⤵PID:2960
-
\??\c:\248462.exec:\248462.exe76⤵PID:488
-
\??\c:\60604.exec:\60604.exe77⤵PID:5028
-
\??\c:\8264846.exec:\8264846.exe78⤵PID:1920
-
\??\c:\202266.exec:\202266.exe79⤵PID:4664
-
\??\c:\0260468.exec:\0260468.exe80⤵PID:4900
-
\??\c:\8882048.exec:\8882048.exe81⤵PID:5104
-
\??\c:\q22604.exec:\q22604.exe82⤵PID:2820
-
\??\c:\pdpdd.exec:\pdpdd.exe83⤵PID:664
-
\??\c:\nbthtt.exec:\nbthtt.exe84⤵PID:1044
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe85⤵PID:1992
-
\??\c:\688226.exec:\688226.exe86⤵PID:220
-
\??\c:\2008608.exec:\2008608.exe87⤵PID:2188
-
\??\c:\8822400.exec:\8822400.exe88⤵PID:2364
-
\??\c:\4060082.exec:\4060082.exe89⤵PID:3328
-
\??\c:\60608.exec:\60608.exe90⤵PID:2988
-
\??\c:\tnbtnh.exec:\tnbtnh.exe91⤵PID:900
-
\??\c:\46422.exec:\46422.exe92⤵PID:1640
-
\??\c:\88602.exec:\88602.exe93⤵PID:2840
-
\??\c:\xrlffxr.exec:\xrlffxr.exe94⤵PID:2712
-
\??\c:\26822.exec:\26822.exe95⤵PID:1040
-
\??\c:\0688244.exec:\0688244.exe96⤵PID:2180
-
\??\c:\2000888.exec:\2000888.exe97⤵PID:4788
-
\??\c:\flffxlf.exec:\flffxlf.exe98⤵PID:2100
-
\??\c:\6222042.exec:\6222042.exe99⤵PID:3760
-
\??\c:\48060.exec:\48060.exe100⤵PID:464
-
\??\c:\4008260.exec:\4008260.exe101⤵PID:2264
-
\??\c:\ddvjv.exec:\ddvjv.exe102⤵PID:1844
-
\??\c:\i444448.exec:\i444448.exe103⤵PID:4812
-
\??\c:\nnhhhh.exec:\nnhhhh.exe104⤵PID:4444
-
\??\c:\tnthth.exec:\tnthth.exe105⤵PID:2736
-
\??\c:\dvvvv.exec:\dvvvv.exe106⤵PID:4268
-
\??\c:\e00868.exec:\e00868.exe107⤵PID:1624
-
\??\c:\2082826.exec:\2082826.exe108⤵PID:2396
-
\??\c:\9jjdd.exec:\9jjdd.exe109⤵PID:3644
-
\??\c:\42822.exec:\42822.exe110⤵PID:2764
-
\??\c:\w46448.exec:\w46448.exe111⤵PID:1100
-
\??\c:\jdvdj.exec:\jdvdj.exe112⤵PID:4924
-
\??\c:\9bbtnt.exec:\9bbtnt.exe113⤵PID:4796
-
\??\c:\bntnnn.exec:\bntnnn.exe114⤵PID:4308
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe115⤵PID:3676
-
\??\c:\062240.exec:\062240.exe116⤵
- System Location Discovery: System Language Discovery
PID:4032 -
\??\c:\lfrrlxx.exec:\lfrrlxx.exe117⤵PID:1060
-
\??\c:\2004260.exec:\2004260.exe118⤵PID:3968
-
\??\c:\642248.exec:\642248.exe119⤵PID:2372
-
\??\c:\8604882.exec:\8604882.exe120⤵PID:5088
-
\??\c:\hthbbh.exec:\hthbbh.exe121⤵PID:1072
-
\??\c:\hhnnth.exec:\hhnnth.exe122⤵PID:548