Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
22-12-2024 22:28
Behavioral task
behavioral1
Sample
544ba5a2f797db1cc789edd052ed251d29b692f19b85ec0d97fd2047411ffdbc.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
Note: this tab describes the separate Windows 7 run (behavioral1). The YARA hits listed below are all tagged behavioral2, and the process-tree PIDs match those behavioral2 memory dumps, so the evidence on this page comes from the Windows 10 2004 x64 run named in the Analysis header; do not attribute it to the Windows 7 environment.
General
-
Target
544ba5a2f797db1cc789edd052ed251d29b692f19b85ec0d97fd2047411ffdbc.exe
-
Size
335KB
-
MD5
882320eab3b10774600369841adc47f5
-
SHA1
5d4e8913529b8f2bb1c732d6632daf502b3f1867
-
SHA256
544ba5a2f797db1cc789edd052ed251d29b692f19b85ec0d97fd2047411ffdbc
-
SHA512
0f5914751aa1b19904cd6892387c2f67b7c5b0087b2f4410b42c3d24d48dbb74326db1b10e6329a5bdc73eac8f585b6391d43e7fec70e71b5f21ac20e7da52a7
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeR1:R4wFHoSHYHUrAwfMp3CDR1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs — all 62 matches are the YARA rule family_blackmoon firing on process-memory dumps of the 0x00400000–0x00427000 image range, one or more per process in the chain below. None of the matches in this list is an on-disk file, so the family attribution rests on the in-memory image rather than on the packed file that was submitted.
resource yara_rule behavioral2/memory/1936-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3356-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2356-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1680-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4108-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1484-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3292-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3760-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1940-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3868-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1656-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/760-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3184-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2308-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2352-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1488-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3816-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4612-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2524-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4032-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1548-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1628-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3660-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3476-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1708-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/756-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1856-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2072-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4492-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1108-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1548-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4424-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-380-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2496-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2808-485-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1284-502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3296-509-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-536-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-579-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-630-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4888-691-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — the list stops at lrrlllf.exe (PID 1216), which appears to be a display cap of 64 entries; the process tree below continues well past that point with entries that carry no signature tag, so the actual number of dropped executables run is higher than 64.
pid Process 2332 flfxfll.exe 3356 006082.exe 4996 224866.exe 2356 ntnbtn.exe 2920 6608204.exe 1680 4006600.exe 3692 jvdvj.exe 5064 06826.exe 1484 2220426.exe 4108 868248.exe 1348 dpdpv.exe 2184 204042.exe 3292 xxfxxff.exe 4984 g8226.exe 3760 4264842.exe 2228 rfrxrlf.exe 1940 vjpjj.exe 4588 dpdvj.exe 3864 vvvdp.exe 3868 vdppv.exe 1656 pjjdp.exe 3184 rxxlfrl.exe 760 tbthbt.exe 3120 jvvdp.exe 2308 nhthbt.exe 2352 088644.exe 1488 4880826.exe 4188 dpjvj.exe 3816 fxlffxx.exe 3636 lfllrrx.exe 2028 22826.exe 2540 pdjdv.exe 4612 vpdvp.exe 1160 246662.exe 3056 pdjjd.exe 1108 pjjjj.exe 744 e40488.exe 2524 42886.exe 2280 1xfxllx.exe 1264 jjjdv.exe 1456 28060.exe 3856 26204.exe 4832 0864022.exe 1088 4628288.exe 3236 26266.exe 3524 frxrffx.exe 4032 rxfxfff.exe 3396 vjvvv.exe 3660 lrxxxxx.exe 3416 2800444.exe 1548 jvpdj.exe 2040 i060466.exe 3200 lrffxxx.exe 1628 u228266.exe 4244 66888.exe 4416 484866.exe 2460 vvdvd.exe 4936 rlffxxr.exe 1616 48820.exe 2164 2848266.exe 4656 2640482.exe 3476 20626.exe 2952 2660004.exe 1216 lrrlllf.exe -
resource yara_rule behavioral2/memory/1936-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c49-3.dat upx behavioral2/memory/1936-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca1-8.dat upx behavioral2/memory/2332-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-11.dat upx behavioral2/memory/3356-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4996-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca6-20.dat upx behavioral2/files/0x0007000000023ca8-24.dat upx behavioral2/memory/2356-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-28.dat upx behavioral2/memory/2920-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-33.dat upx behavioral2/memory/1680-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3692-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-38.dat upx behavioral2/files/0x0007000000023cac-43.dat upx behavioral2/memory/5064-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-48.dat upx behavioral2/memory/4108-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1484-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-54.dat upx behavioral2/files/0x0008000000023ca2-59.dat upx behavioral2/memory/1348-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-63.dat upx behavioral2/memory/2184-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3292-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-69.dat upx behavioral2/files/0x0007000000023cb1-74.dat upx 
behavioral2/memory/3760-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4984-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-79.dat upx behavioral2/files/0x0007000000023cb3-84.dat upx behavioral2/memory/1940-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-88.dat upx behavioral2/files/0x0007000000023cb5-92.dat upx behavioral2/files/0x0007000000023cb6-96.dat upx behavioral2/memory/3864-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-102.dat upx behavioral2/memory/3868-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1656-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-107.dat upx behavioral2/files/0x0007000000023cb9-111.dat upx behavioral2/memory/760-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3184-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-117.dat upx behavioral2/memory/3120-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-122.dat upx behavioral2/memory/2308-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-129.dat upx behavioral2/memory/2352-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-133.dat upx behavioral2/memory/3120-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-137.dat upx behavioral2/memory/1488-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-142.dat upx behavioral2/files/0x0007000000023cc1-148.dat upx behavioral2/memory/3816-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3636-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-157.dat upx 
behavioral2/files/0x0007000000023cc2-152.dat upx behavioral2/memory/4612-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3056-167-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The evidence here is each process opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language; the Windows locale APIs read the same key on behalf of benign software, so treat this as corroborating context rather than a standalone detection. Entries attributed to "Process not Found" are key opens whose owning process most likely exited before the sandbox could resolve its name, which fits the short-lived chain of processes listed below.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6426044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6048000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 624222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c660448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 442606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — every record shows a parent writing into the process it has just spawned (three writes per child, target process IDs 85–106 in creation order), never into an unrelated or pre-existing process. That pattern is consistent with a parent setting up its direct child at launch rather than with classic cross-process injection; it could also be the parent patching the child before it runs, but the write sizes and addresses needed to tell the two apart are not shown on this page. Read this signature as a tag on the drop-and-execute chain, not as proof of injection by itself.
description pid Process procid_target PID 1936 wrote to memory of 2332 1936 544ba5a2f797db1cc789edd052ed251d29b692f19b85ec0d97fd2047411ffdbc.exe 85 PID 1936 wrote to memory of 2332 1936 544ba5a2f797db1cc789edd052ed251d29b692f19b85ec0d97fd2047411ffdbc.exe 85 PID 1936 wrote to memory of 2332 1936 544ba5a2f797db1cc789edd052ed251d29b692f19b85ec0d97fd2047411ffdbc.exe 85 PID 2332 wrote to memory of 3356 2332 flfxfll.exe 86 PID 2332 wrote to memory of 3356 2332 flfxfll.exe 86 PID 2332 wrote to memory of 3356 2332 flfxfll.exe 86 PID 3356 wrote to memory of 4996 3356 006082.exe 87 PID 3356 wrote to memory of 4996 3356 006082.exe 87 PID 3356 wrote to memory of 4996 3356 006082.exe 87 PID 4996 wrote to memory of 2356 4996 224866.exe 88 PID 4996 wrote to memory of 2356 4996 224866.exe 88 PID 4996 wrote to memory of 2356 4996 224866.exe 88 PID 2356 wrote to memory of 2920 2356 ntnbtn.exe 89 PID 2356 wrote to memory of 2920 2356 ntnbtn.exe 89 PID 2356 wrote to memory of 2920 2356 ntnbtn.exe 89 PID 2920 wrote to memory of 1680 2920 6608204.exe 90 PID 2920 wrote to memory of 1680 2920 6608204.exe 90 PID 2920 wrote to memory of 1680 2920 6608204.exe 90 PID 1680 wrote to memory of 3692 1680 4006600.exe 91 PID 1680 wrote to memory of 3692 1680 4006600.exe 91 PID 1680 wrote to memory of 3692 1680 4006600.exe 91 PID 3692 wrote to memory of 5064 3692 jvdvj.exe 92 PID 3692 wrote to memory of 5064 3692 jvdvj.exe 92 PID 3692 wrote to memory of 5064 3692 jvdvj.exe 92 PID 5064 wrote to memory of 1484 5064 06826.exe 93 PID 5064 wrote to memory of 1484 5064 06826.exe 93 PID 5064 wrote to memory of 1484 5064 06826.exe 93 PID 1484 wrote to memory of 4108 1484 2220426.exe 94 PID 1484 wrote to memory of 4108 1484 2220426.exe 94 PID 1484 wrote to memory of 4108 1484 2220426.exe 94 PID 4108 wrote to memory of 1348 4108 868248.exe 95 PID 4108 wrote to memory of 1348 4108 868248.exe 95 PID 4108 wrote to memory of 1348 4108 868248.exe 95 PID 1348 wrote to memory of 2184 1348 dpdpv.exe 96 PID 1348 wrote 
to memory of 2184 1348 dpdpv.exe 96 PID 1348 wrote to memory of 2184 1348 dpdpv.exe 96 PID 2184 wrote to memory of 3292 2184 204042.exe 97 PID 2184 wrote to memory of 3292 2184 204042.exe 97 PID 2184 wrote to memory of 3292 2184 204042.exe 97 PID 3292 wrote to memory of 4984 3292 xxfxxff.exe 98 PID 3292 wrote to memory of 4984 3292 xxfxxff.exe 98 PID 3292 wrote to memory of 4984 3292 xxfxxff.exe 98 PID 4984 wrote to memory of 3760 4984 g8226.exe 99 PID 4984 wrote to memory of 3760 4984 g8226.exe 99 PID 4984 wrote to memory of 3760 4984 g8226.exe 99 PID 3760 wrote to memory of 2228 3760 4264842.exe 100 PID 3760 wrote to memory of 2228 3760 4264842.exe 100 PID 3760 wrote to memory of 2228 3760 4264842.exe 100 PID 2228 wrote to memory of 1940 2228 rfrxrlf.exe 101 PID 2228 wrote to memory of 1940 2228 rfrxrlf.exe 101 PID 2228 wrote to memory of 1940 2228 rfrxrlf.exe 101 PID 1940 wrote to memory of 4588 1940 vjpjj.exe 102 PID 1940 wrote to memory of 4588 1940 vjpjj.exe 102 PID 1940 wrote to memory of 4588 1940 vjpjj.exe 102 PID 4588 wrote to memory of 3864 4588 dpdvj.exe 103 PID 4588 wrote to memory of 3864 4588 dpdvj.exe 103 PID 4588 wrote to memory of 3864 4588 dpdvj.exe 103 PID 3864 wrote to memory of 3868 3864 vvvdp.exe 104 PID 3864 wrote to memory of 3868 3864 vvvdp.exe 104 PID 3864 wrote to memory of 3868 3864 vvvdp.exe 104 PID 3868 wrote to memory of 1656 3868 vdppv.exe 105 PID 3868 wrote to memory of 1656 3868 vdppv.exe 105 PID 3868 wrote to memory of 1656 3868 vdppv.exe 105 PID 1656 wrote to memory of 3184 1656 pjjdp.exe 106
Processes
Each dropped executable is written to the root of the C: drive (NT path \??\c:\<name>.exe) and launches the next one, producing a chain at least 122 levels deep in the visible portion. PIDs are recycled within the run: jvdvj.exe is PID 3692 at depth 8 and bhbthh.exe is PID 3692 at depth 68; dpdpv.exe is PID 1348 at depth 12 and a0620.exe is PID 1348 at depth 75; the same happens for PIDs 744, 760, 1108, 1264, 1488, 2280 and 3120. Correlate IoCs by PID together with their sequence number (for example the memory dumps 3692-39 and 3692-242 above belong to different processes), never by PID alone.
-
C:\Users\Admin\AppData\Local\Temp\544ba5a2f797db1cc789edd052ed251d29b692f19b85ec0d97fd2047411ffdbc.exe"C:\Users\Admin\AppData\Local\Temp\544ba5a2f797db1cc789edd052ed251d29b692f19b85ec0d97fd2047411ffdbc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\flfxfll.exec:\flfxfll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\006082.exec:\006082.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\224866.exec:\224866.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\ntnbtn.exec:\ntnbtn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\6608204.exec:\6608204.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\4006600.exec:\4006600.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\jvdvj.exec:\jvdvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\06826.exec:\06826.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\2220426.exec:\2220426.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\868248.exec:\868248.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\dpdpv.exec:\dpdpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\204042.exec:\204042.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\xxfxxff.exec:\xxfxxff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\g8226.exec:\g8226.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\4264842.exec:\4264842.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\rfrxrlf.exec:\rfrxrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\vjpjj.exec:\vjpjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\dpdvj.exec:\dpdvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\vvvdp.exec:\vvvdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\vdppv.exec:\vdppv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\pjjdp.exec:\pjjdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\rxxlfrl.exec:\rxxlfrl.exe23⤵
- Executes dropped EXE
PID:3184 -
\??\c:\tbthbt.exec:\tbthbt.exe24⤵
- Executes dropped EXE
PID:760 -
\??\c:\jvvdp.exec:\jvvdp.exe25⤵
- Executes dropped EXE
PID:3120 -
\??\c:\nhthbt.exec:\nhthbt.exe26⤵
- Executes dropped EXE
PID:2308 -
\??\c:\088644.exec:\088644.exe27⤵
- Executes dropped EXE
PID:2352 -
\??\c:\4880826.exec:\4880826.exe28⤵
- Executes dropped EXE
PID:1488 -
\??\c:\dpjvj.exec:\dpjvj.exe29⤵
- Executes dropped EXE
PID:4188 -
\??\c:\fxlffxx.exec:\fxlffxx.exe30⤵
- Executes dropped EXE
PID:3816 -
\??\c:\lfllrrx.exec:\lfllrrx.exe31⤵
- Executes dropped EXE
PID:3636 -
\??\c:\22826.exec:\22826.exe32⤵
- Executes dropped EXE
PID:2028 -
\??\c:\pdjdv.exec:\pdjdv.exe33⤵
- Executes dropped EXE
PID:2540 -
\??\c:\vpdvp.exec:\vpdvp.exe34⤵
- Executes dropped EXE
PID:4612 -
\??\c:\246662.exec:\246662.exe35⤵
- Executes dropped EXE
PID:1160 -
\??\c:\pdjjd.exec:\pdjjd.exe36⤵
- Executes dropped EXE
PID:3056 -
\??\c:\pjjjj.exec:\pjjjj.exe37⤵
- Executes dropped EXE
PID:1108 -
\??\c:\e40488.exec:\e40488.exe38⤵
- Executes dropped EXE
PID:744 -
\??\c:\42886.exec:\42886.exe39⤵
- Executes dropped EXE
PID:2524 -
\??\c:\1xfxllx.exec:\1xfxllx.exe40⤵
- Executes dropped EXE
PID:2280 -
\??\c:\jjjdv.exec:\jjjdv.exe41⤵
- Executes dropped EXE
PID:1264 -
\??\c:\28060.exec:\28060.exe42⤵
- Executes dropped EXE
PID:1456 -
\??\c:\26204.exec:\26204.exe43⤵
- Executes dropped EXE
PID:3856 -
\??\c:\0864022.exec:\0864022.exe44⤵
- Executes dropped EXE
PID:4832 -
\??\c:\4628288.exec:\4628288.exe45⤵
- Executes dropped EXE
PID:1088 -
\??\c:\26266.exec:\26266.exe46⤵
- Executes dropped EXE
PID:3236 -
\??\c:\frxrffx.exec:\frxrffx.exe47⤵
- Executes dropped EXE
PID:3524 -
\??\c:\rxfxfff.exec:\rxfxfff.exe48⤵
- Executes dropped EXE
PID:4032 -
\??\c:\vjvvv.exec:\vjvvv.exe49⤵
- Executes dropped EXE
PID:3396 -
\??\c:\lrxxxxx.exec:\lrxxxxx.exe50⤵
- Executes dropped EXE
PID:3660 -
\??\c:\2800444.exec:\2800444.exe51⤵
- Executes dropped EXE
PID:3416 -
\??\c:\jvpdj.exec:\jvpdj.exe52⤵
- Executes dropped EXE
PID:1548 -
\??\c:\i060466.exec:\i060466.exe53⤵
- Executes dropped EXE
PID:2040 -
\??\c:\lrffxxx.exec:\lrffxxx.exe54⤵
- Executes dropped EXE
PID:3200 -
\??\c:\u228266.exec:\u228266.exe55⤵
- Executes dropped EXE
PID:1628 -
\??\c:\66888.exec:\66888.exe56⤵
- Executes dropped EXE
PID:4244 -
\??\c:\484866.exec:\484866.exe57⤵
- Executes dropped EXE
PID:4416 -
\??\c:\vvdvd.exec:\vvdvd.exe58⤵
- Executes dropped EXE
PID:2460 -
\??\c:\rlffxxr.exec:\rlffxxr.exe59⤵
- Executes dropped EXE
PID:4936 -
\??\c:\48820.exec:\48820.exe60⤵
- Executes dropped EXE
PID:1616 -
\??\c:\2848266.exec:\2848266.exe61⤵
- Executes dropped EXE
PID:2164 -
\??\c:\2640482.exec:\2640482.exe62⤵
- Executes dropped EXE
PID:4656 -
\??\c:\20626.exec:\20626.exe63⤵
- Executes dropped EXE
PID:3476 -
\??\c:\2660004.exec:\2660004.exe64⤵
- Executes dropped EXE
PID:2952 -
\??\c:\lrrlllf.exec:\lrrlllf.exe65⤵
- Executes dropped EXE
PID:1216 -
\??\c:\622268.exec:\622268.exe66⤵PID:2596
-
\??\c:\1dddp.exec:\1dddp.exe67⤵PID:1224
-
\??\c:\bhbthh.exec:\bhbthh.exe68⤵PID:3692
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe69⤵PID:2056
-
\??\c:\80266.exec:\80266.exe70⤵PID:3900
-
\??\c:\4020804.exec:\4020804.exe71⤵PID:1260
-
\??\c:\c244006.exec:\c244006.exe72⤵PID:1388
-
\??\c:\c426662.exec:\c426662.exe73⤵PID:2888
-
\??\c:\httnbb.exec:\httnbb.exe74⤵PID:1860
-
\??\c:\a0620.exec:\a0620.exe75⤵PID:1348
-
\??\c:\802422.exec:\802422.exe76⤵PID:1708
-
\??\c:\btnnhh.exec:\btnnhh.exe77⤵PID:4788
-
\??\c:\pdjdv.exec:\pdjdv.exe78⤵PID:4276
-
\??\c:\7rrrrrl.exec:\7rrrrrl.exe79⤵PID:4428
-
\??\c:\84048.exec:\84048.exe80⤵PID:4740
-
\??\c:\1bhbhh.exec:\1bhbhh.exe81⤵PID:756
-
\??\c:\48268.exec:\48268.exe82⤵PID:2496
-
\??\c:\608406.exec:\608406.exe83⤵PID:2772
-
\??\c:\xxlfxrl.exec:\xxlfxrl.exe84⤵PID:5076
-
\??\c:\nbhbtn.exec:\nbhbtn.exe85⤵PID:2344
-
\??\c:\rrlfffx.exec:\rrlfffx.exe86⤵PID:2804
-
\??\c:\1nhnhh.exec:\1nhnhh.exe87⤵PID:1856
-
\??\c:\0842206.exec:\0842206.exe88⤵PID:768
-
\??\c:\802224.exec:\802224.exe89⤵PID:4504
-
\??\c:\262268.exec:\262268.exe90⤵PID:3316
-
\??\c:\68006.exec:\68006.exe91⤵PID:4492
-
\??\c:\886082.exec:\886082.exe92⤵PID:760
-
\??\c:\vvddv.exec:\vvddv.exe93⤵PID:2288
-
\??\c:\5flfrrl.exec:\5flfrrl.exe94⤵PID:3120
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe95⤵PID:2668
-
\??\c:\vvjdj.exec:\vvjdj.exe96⤵PID:2072
-
\??\c:\pjjdv.exec:\pjjdv.exe97⤵PID:3656
-
\??\c:\60886.exec:\60886.exe98⤵PID:1488
-
\??\c:\0444048.exec:\0444048.exe99⤵PID:3176
-
\??\c:\24604.exec:\24604.exe100⤵PID:3136
-
\??\c:\g4266.exec:\g4266.exe101⤵PID:2232
-
\??\c:\9tbthb.exec:\9tbthb.exe102⤵PID:1956
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe103⤵PID:4368
-
\??\c:\c660448.exec:\c660448.exe104⤵
- System Location Discovery: System Language Discovery
PID:2248 -
\??\c:\8466666.exec:\8466666.exe105⤵PID:3520
-
\??\c:\dvjdd.exec:\dvjdd.exe106⤵PID:3892
-
\??\c:\1fffrrf.exec:\1fffrrf.exe107⤵PID:3248
-
\??\c:\8244440.exec:\8244440.exe108⤵PID:3340
-
\??\c:\604844.exec:\604844.exe109⤵PID:3600
-
\??\c:\28066.exec:\28066.exe110⤵PID:1108
-
\??\c:\642288.exec:\642288.exe111⤵PID:744
-
\??\c:\2464046.exec:\2464046.exe112⤵PID:4012
-
\??\c:\bthbbb.exec:\bthbbb.exe113⤵PID:2280
-
\??\c:\rxflrfl.exec:\rxflrfl.exe114⤵PID:1264
-
\??\c:\vjppj.exec:\vjppj.exe115⤵PID:1048
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe116⤵PID:3824
-
\??\c:\dpddj.exec:\dpddj.exe117⤵PID:2436
-
\??\c:\k44266.exec:\k44266.exe118⤵PID:4364
-
\??\c:\tntnbt.exec:\tntnbt.exe119⤵PID:1636
-
\??\c:\3tthbh.exec:\3tthbh.exe120⤵PID:840
-
\??\c:\06482.exec:\06482.exe121⤵PID:3928
-
\??\c:\008268.exec:\008268.exe122⤵PID:4644
-