Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 20:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1f6f8881fac661eca6bc2fb68f7cf598683201aa25a986390a59fe83eddf74b7.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
1f6f8881fac661eca6bc2fb68f7cf598683201aa25a986390a59fe83eddf74b7.exe
-
Size
454KB
-
MD5
2b4faf2f3c904584a30d9b1b1069068d
-
SHA1
54dd12feffc7d07b934cf2c0fd75814d6ec24cd1
-
SHA256
1f6f8881fac661eca6bc2fb68f7cf598683201aa25a986390a59fe83eddf74b7
-
SHA512
6e97618c78254dd78b65a4294959db31b622c8b6655b56fbe10535f62da7b27a6a7a7a2b3457810977ceccef2e445fc5844a4e26e4990bdcb9d4c0ab78221d78
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7I:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4716-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2708-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4512-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-864-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-992-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-1077-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-1154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4716 8648260.exe 4604 nbhtnh.exe 4168 2606082.exe 760 jppdv.exe 4336 c842660.exe 1820 hnhhht.exe 2384 djdjd.exe 768 tthbnn.exe 4032 4400044.exe 1472 flfrlfr.exe 2472 m2686.exe 1348 jvddp.exe 2436 3pjvd.exe 2720 s8486.exe 2864 s2426.exe 4056 5djdv.exe 1512 8626600.exe 1536 bnhtnh.exe 3120 lfxrfxl.exe 2156 644642.exe 2688 64262.exe 4164 1ppdv.exe 4860 xrrlfff.exe 1460 httnhb.exe 3188 m0004.exe 2496 9lxlrll.exe 3296 k02044.exe 2732 i248662.exe 4092 bnnbhb.exe 2020 2044264.exe 4060 xrrfrlx.exe 4996 9xrfxrf.exe 5068 00606.exe 4664 djvjv.exe 436 4682000.exe 4516 8408664.exe 4416 66642.exe 996 3tnhbt.exe 2088 00608.exe 1636 bnnhbb.exe 2360 rxlfxfx.exe 1128 xxlxllf.exe 1600 6442604.exe 720 0464044.exe 1704 28860.exe 2108 4426048.exe 2448 k44822.exe 4488 fxxrlfx.exe 3556 1lfrrll.exe 2792 tbnbnh.exe 3512 o886048.exe 2652 8620848.exe 3304 6064826.exe 5064 pddpd.exe 2708 6444044.exe 4584 862048.exe 4296 dpvjj.exe 5084 frxrrlx.exe 3436 86008.exe 4440 284204.exe 2388 44660.exe 1892 vjpjv.exe 4056 40266.exe 4512 pjdvp.exe -
resource yara_rule behavioral2/memory/4716-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-271-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3512-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-349-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4496-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-864-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-992-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-1077-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-1093-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4060482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0842480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 602488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k88828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2806242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 622248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6464826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxffff.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3412 wrote to memory of 4716 3412 1f6f8881fac661eca6bc2fb68f7cf598683201aa25a986390a59fe83eddf74b7.exe 85 PID 3412 wrote to memory of 4716 3412 1f6f8881fac661eca6bc2fb68f7cf598683201aa25a986390a59fe83eddf74b7.exe 85 PID 3412 wrote to memory of 4716 3412 1f6f8881fac661eca6bc2fb68f7cf598683201aa25a986390a59fe83eddf74b7.exe 85 PID 4716 wrote to memory of 4604 4716 8648260.exe 86 PID 4716 wrote to memory of 4604 4716 8648260.exe 86 PID 4716 wrote to memory of 4604 4716 8648260.exe 86 PID 4604 wrote to memory of 4168 4604 nbhtnh.exe 87 PID 4604 wrote to memory of 4168 4604 nbhtnh.exe 87 PID 4604 wrote to memory of 4168 4604 nbhtnh.exe 87 PID 4168 wrote to memory of 760 4168 2606082.exe 88 PID 4168 wrote to memory of 760 4168 2606082.exe 88 PID 4168 wrote to memory of 760 4168 2606082.exe 88 PID 760 wrote to memory of 4336 760 jppdv.exe 89 PID 760 wrote to memory of 4336 760 jppdv.exe 89 PID 760 wrote to memory of 4336 760 jppdv.exe 89 PID 4336 wrote to memory of 1820 4336 c842660.exe 90 PID 4336 wrote to memory of 1820 4336 c842660.exe 90 PID 4336 wrote to memory of 1820 4336 c842660.exe 90 PID 1820 wrote to memory of 2384 1820 hnhhht.exe 91 PID 1820 wrote to memory of 2384 1820 hnhhht.exe 91 PID 1820 wrote to memory of 2384 1820 hnhhht.exe 91 PID 2384 wrote to memory of 768 2384 djdjd.exe 92 PID 2384 wrote to memory of 768 2384 djdjd.exe 92 PID 2384 wrote to memory of 768 2384 djdjd.exe 92 PID 768 wrote to memory of 4032 768 tthbnn.exe 93 PID 768 wrote to memory of 4032 768 tthbnn.exe 93 PID 768 wrote to memory of 4032 768 tthbnn.exe 93 PID 4032 wrote to memory of 1472 4032 4400044.exe 94 PID 4032 wrote to memory of 1472 4032 4400044.exe 94 PID 4032 wrote to memory of 1472 4032 4400044.exe 94 PID 1472 wrote to memory of 2472 1472 flfrlfr.exe 95 PID 1472 wrote to memory of 2472 1472 flfrlfr.exe 95 PID 1472 wrote to memory of 2472 1472 flfrlfr.exe 95 PID 2472 wrote to memory of 1348 2472 m2686.exe 96 PID 2472 wrote to memory of 
1348 2472 m2686.exe 96 PID 2472 wrote to memory of 1348 2472 m2686.exe 96 PID 1348 wrote to memory of 2436 1348 jvddp.exe 97 PID 1348 wrote to memory of 2436 1348 jvddp.exe 97 PID 1348 wrote to memory of 2436 1348 jvddp.exe 97 PID 2436 wrote to memory of 2720 2436 3pjvd.exe 98 PID 2436 wrote to memory of 2720 2436 3pjvd.exe 98 PID 2436 wrote to memory of 2720 2436 3pjvd.exe 98 PID 2720 wrote to memory of 2864 2720 s8486.exe 99 PID 2720 wrote to memory of 2864 2720 s8486.exe 99 PID 2720 wrote to memory of 2864 2720 s8486.exe 99 PID 2864 wrote to memory of 4056 2864 s2426.exe 100 PID 2864 wrote to memory of 4056 2864 s2426.exe 100 PID 2864 wrote to memory of 4056 2864 s2426.exe 100 PID 4056 wrote to memory of 1512 4056 5djdv.exe 101 PID 4056 wrote to memory of 1512 4056 5djdv.exe 101 PID 4056 wrote to memory of 1512 4056 5djdv.exe 101 PID 1512 wrote to memory of 1536 1512 8626600.exe 102 PID 1512 wrote to memory of 1536 1512 8626600.exe 102 PID 1512 wrote to memory of 1536 1512 8626600.exe 102 PID 1536 wrote to memory of 3120 1536 bnhtnh.exe 103 PID 1536 wrote to memory of 3120 1536 bnhtnh.exe 103 PID 1536 wrote to memory of 3120 1536 bnhtnh.exe 103 PID 3120 wrote to memory of 2156 3120 lfxrfxl.exe 104 PID 3120 wrote to memory of 2156 3120 lfxrfxl.exe 104 PID 3120 wrote to memory of 2156 3120 lfxrfxl.exe 104 PID 2156 wrote to memory of 2688 2156 644642.exe 105 PID 2156 wrote to memory of 2688 2156 644642.exe 105 PID 2156 wrote to memory of 2688 2156 644642.exe 105 PID 2688 wrote to memory of 4164 2688 64262.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f6f8881fac661eca6bc2fb68f7cf598683201aa25a986390a59fe83eddf74b7.exe"C:\Users\Admin\AppData\Local\Temp\1f6f8881fac661eca6bc2fb68f7cf598683201aa25a986390a59fe83eddf74b7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\8648260.exec:\8648260.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\nbhtnh.exec:\nbhtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\2606082.exec:\2606082.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\jppdv.exec:\jppdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\c842660.exec:\c842660.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\hnhhht.exec:\hnhhht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\djdjd.exec:\djdjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\tthbnn.exec:\tthbnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\4400044.exec:\4400044.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\flfrlfr.exec:\flfrlfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\m2686.exec:\m2686.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\jvddp.exec:\jvddp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\3pjvd.exec:\3pjvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\s8486.exec:\s8486.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\s2426.exec:\s2426.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\5djdv.exec:\5djdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\8626600.exec:\8626600.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\bnhtnh.exec:\bnhtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\lfxrfxl.exec:\lfxrfxl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\644642.exec:\644642.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\64262.exec:\64262.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\1ppdv.exec:\1ppdv.exe23⤵
- Executes dropped EXE
PID:4164 -
\??\c:\xrrlfff.exec:\xrrlfff.exe24⤵
- Executes dropped EXE
PID:4860 -
\??\c:\httnhb.exec:\httnhb.exe25⤵
- Executes dropped EXE
PID:1460 -
\??\c:\m0004.exec:\m0004.exe26⤵
- Executes dropped EXE
PID:3188 -
\??\c:\9lxlrll.exec:\9lxlrll.exe27⤵
- Executes dropped EXE
PID:2496 -
\??\c:\k02044.exec:\k02044.exe28⤵
- Executes dropped EXE
PID:3296 -
\??\c:\i248662.exec:\i248662.exe29⤵
- Executes dropped EXE
PID:2732 -
\??\c:\bnnbhb.exec:\bnnbhb.exe30⤵
- Executes dropped EXE
PID:4092 -
\??\c:\2044264.exec:\2044264.exe31⤵
- Executes dropped EXE
PID:2020 -
\??\c:\xrrfrlx.exec:\xrrfrlx.exe32⤵
- Executes dropped EXE
PID:4060 -
\??\c:\9xrfxrf.exec:\9xrfxrf.exe33⤵
- Executes dropped EXE
PID:4996 -
\??\c:\00606.exec:\00606.exe34⤵
- Executes dropped EXE
PID:5068 -
\??\c:\djvjv.exec:\djvjv.exe35⤵
- Executes dropped EXE
PID:4664 -
\??\c:\4682000.exec:\4682000.exe36⤵
- Executes dropped EXE
PID:436 -
\??\c:\8408664.exec:\8408664.exe37⤵
- Executes dropped EXE
PID:4516 -
\??\c:\66642.exec:\66642.exe38⤵
- Executes dropped EXE
PID:4416 -
\??\c:\3tnhbt.exec:\3tnhbt.exe39⤵
- Executes dropped EXE
PID:996 -
\??\c:\00608.exec:\00608.exe40⤵
- Executes dropped EXE
PID:2088 -
\??\c:\bnnhbb.exec:\bnnhbb.exe41⤵
- Executes dropped EXE
PID:1636 -
\??\c:\rxlfxfx.exec:\rxlfxfx.exe42⤵
- Executes dropped EXE
PID:2360 -
\??\c:\xxlxllf.exec:\xxlxllf.exe43⤵
- Executes dropped EXE
PID:1128 -
\??\c:\6442604.exec:\6442604.exe44⤵
- Executes dropped EXE
PID:1600 -
\??\c:\0464044.exec:\0464044.exe45⤵
- Executes dropped EXE
PID:720 -
\??\c:\28860.exec:\28860.exe46⤵
- Executes dropped EXE
PID:1704 -
\??\c:\4426048.exec:\4426048.exe47⤵
- Executes dropped EXE
PID:2108 -
\??\c:\k44822.exec:\k44822.exe48⤵
- Executes dropped EXE
PID:2448 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe49⤵
- Executes dropped EXE
PID:4488 -
\??\c:\1lfrrll.exec:\1lfrrll.exe50⤵
- Executes dropped EXE
PID:3556 -
\??\c:\tbnbnh.exec:\tbnbnh.exe51⤵
- Executes dropped EXE
PID:2792 -
\??\c:\o886048.exec:\o886048.exe52⤵
- Executes dropped EXE
PID:3512 -
\??\c:\8620848.exec:\8620848.exe53⤵
- Executes dropped EXE
PID:2652 -
\??\c:\6064826.exec:\6064826.exe54⤵
- Executes dropped EXE
PID:3304 -
\??\c:\pddpd.exec:\pddpd.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5064 -
\??\c:\6444044.exec:\6444044.exe56⤵
- Executes dropped EXE
PID:2708 -
\??\c:\862048.exec:\862048.exe57⤵
- Executes dropped EXE
PID:4584 -
\??\c:\dpvjj.exec:\dpvjj.exe58⤵
- Executes dropped EXE
PID:4296 -
\??\c:\frxrrlx.exec:\frxrrlx.exe59⤵
- Executes dropped EXE
PID:5084 -
\??\c:\86008.exec:\86008.exe60⤵
- Executes dropped EXE
PID:3436 -
\??\c:\284204.exec:\284204.exe61⤵
- Executes dropped EXE
PID:4440 -
\??\c:\44660.exec:\44660.exe62⤵
- Executes dropped EXE
PID:2388 -
\??\c:\vjpjv.exec:\vjpjv.exe63⤵
- Executes dropped EXE
PID:1892 -
\??\c:\40266.exec:\40266.exe64⤵
- Executes dropped EXE
PID:4056 -
\??\c:\pjdvp.exec:\pjdvp.exe65⤵
- Executes dropped EXE
PID:4512 -
\??\c:\06822.exec:\06822.exe66⤵PID:1536
-
\??\c:\8620882.exec:\8620882.exe67⤵PID:3120
-
\??\c:\860488.exec:\860488.exe68⤵PID:2156
-
\??\c:\6204006.exec:\6204006.exe69⤵PID:1000
-
\??\c:\04604.exec:\04604.exe70⤵PID:3416
-
\??\c:\jpdjv.exec:\jpdjv.exe71⤵PID:4860
-
\??\c:\2848448.exec:\2848448.exe72⤵PID:4980
-
\??\c:\jjvjd.exec:\jjvjd.exe73⤵PID:4984
-
\??\c:\462282.exec:\462282.exe74⤵PID:3896
-
\??\c:\8060488.exec:\8060488.exe75⤵PID:2296
-
\??\c:\rlxxrrl.exec:\rlxxrrl.exe76⤵PID:4104
-
\??\c:\086426.exec:\086426.exe77⤵PID:1216
-
\??\c:\2682088.exec:\2682088.exe78⤵PID:4912
-
\??\c:\446484.exec:\446484.exe79⤵PID:744
-
\??\c:\7bbttt.exec:\7bbttt.exe80⤵PID:4496
-
\??\c:\lflffxx.exec:\lflffxx.exe81⤵PID:1104
-
\??\c:\tthbbt.exec:\tthbbt.exe82⤵PID:3940
-
\??\c:\xlxfxrl.exec:\xlxfxrl.exe83⤵PID:2100
-
\??\c:\hbnhbt.exec:\hbnhbt.exe84⤵PID:4616
-
\??\c:\84404.exec:\84404.exe85⤵PID:4416
-
\??\c:\g6460.exec:\g6460.exe86⤵PID:1976
-
\??\c:\3nnhbb.exec:\3nnhbb.exe87⤵PID:2304
-
\??\c:\w82648.exec:\w82648.exe88⤵PID:4412
-
\??\c:\fxrrrrx.exec:\fxrrrrx.exe89⤵PID:3988
-
\??\c:\k00842.exec:\k00842.exe90⤵PID:4004
-
\??\c:\5rlfrfr.exec:\5rlfrfr.exe91⤵PID:1212
-
\??\c:\hbnhbt.exec:\hbnhbt.exe92⤵PID:1600
-
\??\c:\5bhtbt.exec:\5bhtbt.exe93⤵PID:4168
-
\??\c:\m0042.exec:\m0042.exe94⤵PID:1704
-
\??\c:\vjvvp.exec:\vjvvp.exe95⤵PID:1620
-
\??\c:\jddvj.exec:\jddvj.exe96⤵PID:3196
-
\??\c:\08004.exec:\08004.exe97⤵PID:1684
-
\??\c:\82402.exec:\82402.exe98⤵PID:1444
-
\??\c:\frxxlfr.exec:\frxxlfr.exe99⤵PID:632
-
\??\c:\lflxffl.exec:\lflxffl.exe100⤵PID:3512
-
\??\c:\c804264.exec:\c804264.exe101⤵PID:3192
-
\??\c:\24420.exec:\24420.exe102⤵PID:3348
-
\??\c:\3xrxfxr.exec:\3xrxfxr.exe103⤵PID:4940
-
\??\c:\66820.exec:\66820.exe104⤵PID:5064
-
\??\c:\5rrllfl.exec:\5rrllfl.exe105⤵PID:3560
-
\??\c:\vpjpd.exec:\vpjpd.exe106⤵PID:3000
-
\??\c:\k44864.exec:\k44864.exe107⤵PID:3152
-
\??\c:\7jddp.exec:\7jddp.exe108⤵PID:2172
-
\??\c:\o282048.exec:\o282048.exe109⤵PID:2164
-
\??\c:\5ddpp.exec:\5ddpp.exe110⤵PID:60
-
\??\c:\82264.exec:\82264.exe111⤵PID:4372
-
\??\c:\0026826.exec:\0026826.exe112⤵PID:2776
-
\??\c:\vvdjd.exec:\vvdjd.exe113⤵PID:4016
-
\??\c:\42086.exec:\42086.exe114⤵PID:3036
-
\??\c:\xflxrlf.exec:\xflxrlf.exe115⤵PID:4440
-
\??\c:\djjvp.exec:\djjvp.exe116⤵PID:2540
-
\??\c:\lflrrlr.exec:\lflrrlr.exe117⤵PID:1696
-
\??\c:\pdjdd.exec:\pdjdd.exe118⤵PID:2948
-
\??\c:\9nbhtn.exec:\9nbhtn.exe119⤵PID:4952
-
\??\c:\dvdjd.exec:\dvdjd.exe120⤵PID:3220
-
\??\c:\5rxllfx.exec:\5rxllfx.exe121⤵PID:3120
-
\??\c:\vddpd.exec:\vddpd.exe122⤵PID:2272