Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 00:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe
-
Size
454KB
-
MD5
1390d192e4d3caaf5d1e113cbe77b659
-
SHA1
ae2efe64d9791170c790fb700a14ed4999ec667b
-
SHA256
91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051
-
SHA512
5698693d36b45f5a5b5cf591bc7b3eb702ac960f9cd00482d7f8c42abcc95310eb0030188ecad03319173d4f8516b1bd0ef4108a260e0cce849890b4d241b630
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1344-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3964-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4464-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-1078-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-1277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-1955-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 884 06602.exe 3612 0244264.exe 3876 rffrlfx.exe 1968 200860.exe 1688 84648.exe 2184 642282.exe 3748 04240.exe 5092 2648002.exe 972 jvdvd.exe 396 vvpjj.exe 2288 68822.exe 3472 26888.exe 3236 7xrlxfl.exe 3116 jdpjp.exe 4044 hnnhbb.exe 1536 xfllffx.exe 2916 80604.exe 3244 flxflxl.exe 3428 thbbhh.exe 4716 xflfxxr.exe 2476 frxrrlf.exe 3644 vdjjd.exe 5012 0822600.exe 4232 0804040.exe 3964 djjdd.exe 1820 bntnnn.exe 184 6448268.exe 4256 02862.exe 3592 jdjvj.exe 4932 rxxrlfx.exe 3732 48266.exe 372 pvddv.exe 456 jdjdv.exe 2324 488888.exe 3728 nthbbb.exe 2604 60882.exe 2708 202622.exe 3772 xrfxffl.exe 2636 24082.exe 612 828266.exe 5112 04042.exe 2440 nhbbhh.exe 220 4066482.exe 4996 6064226.exe 4768 nbnhbt.exe 4576 hntntt.exe 4412 djvvp.exe 1584 hbbnnh.exe 4228 a8486.exe 1668 i684826.exe 4800 7dddv.exe 1380 rflffxx.exe 592 3rrlllf.exe 4384 lxxlxrl.exe 2676 884648.exe 1644 hbhhbb.exe 1412 q40800.exe 5096 66602.exe 2244 bhnbbt.exe 2816 xxfxllr.exe 4416 86866.exe 4128 800444.exe 1524 8808200.exe 2308 88442.exe -
resource yara_rule behavioral2/memory/1344-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1820-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1484-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-650-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that opening the NLS\Language key is also routine for benign runtime and locale initialisation, so this indicator is weak on its own; in the list below most hits are attributed to "Process not Found" (the sandbox could not map the handle to a live process), and only a few are tied to named dropped executables.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0406048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 066486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0804040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rfrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8808200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1344 wrote to memory of 884 1344 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 83 PID 1344 wrote to memory of 884 1344 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 83 PID 1344 wrote to memory of 884 1344 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 83 PID 884 wrote to memory of 3612 884 06602.exe 84 PID 884 wrote to memory of 3612 884 06602.exe 84 PID 884 wrote to memory of 3612 884 06602.exe 84 PID 3612 wrote to memory of 3876 3612 0244264.exe 85 PID 3612 wrote to memory of 3876 3612 0244264.exe 85 PID 3612 wrote to memory of 3876 3612 0244264.exe 85 PID 3876 wrote to memory of 1968 3876 rffrlfx.exe 86 PID 3876 wrote to memory of 1968 3876 rffrlfx.exe 86 PID 3876 wrote to memory of 1968 3876 rffrlfx.exe 86 PID 1968 wrote to memory of 1688 1968 200860.exe 87 PID 1968 wrote to memory of 1688 1968 200860.exe 87 PID 1968 wrote to memory of 1688 1968 200860.exe 87 PID 1688 wrote to memory of 2184 1688 84648.exe 88 PID 1688 wrote to memory of 2184 1688 84648.exe 88 PID 1688 wrote to memory of 2184 1688 84648.exe 88 PID 2184 wrote to memory of 3748 2184 642282.exe 89 PID 2184 wrote to memory of 3748 2184 642282.exe 89 PID 2184 wrote to memory of 3748 2184 642282.exe 89 PID 3748 wrote to memory of 5092 3748 04240.exe 90 PID 3748 wrote to memory of 5092 3748 04240.exe 90 PID 3748 wrote to memory of 5092 3748 04240.exe 90 PID 5092 wrote to memory of 972 5092 2648002.exe 91 PID 5092 wrote to memory of 972 5092 2648002.exe 91 PID 5092 wrote to memory of 972 5092 2648002.exe 91 PID 972 wrote to memory of 396 972 jvdvd.exe 92 PID 972 wrote to memory of 396 972 jvdvd.exe 92 PID 972 wrote to memory of 396 972 jvdvd.exe 92 PID 396 wrote to memory of 2288 396 vvpjj.exe 93 PID 396 wrote to memory of 2288 396 vvpjj.exe 93 PID 396 wrote to memory of 2288 396 vvpjj.exe 93 PID 2288 wrote to memory of 3472 2288 68822.exe 94 PID 2288 wrote to memory of 3472 2288 68822.exe 94 
PID 2288 wrote to memory of 3472 2288 68822.exe 94 PID 3472 wrote to memory of 3236 3472 26888.exe 95 PID 3472 wrote to memory of 3236 3472 26888.exe 95 PID 3472 wrote to memory of 3236 3472 26888.exe 95 PID 3236 wrote to memory of 3116 3236 7xrlxfl.exe 96 PID 3236 wrote to memory of 3116 3236 7xrlxfl.exe 96 PID 3236 wrote to memory of 3116 3236 7xrlxfl.exe 96 PID 3116 wrote to memory of 4044 3116 jdpjp.exe 97 PID 3116 wrote to memory of 4044 3116 jdpjp.exe 97 PID 3116 wrote to memory of 4044 3116 jdpjp.exe 97 PID 4044 wrote to memory of 1536 4044 hnnhbb.exe 98 PID 4044 wrote to memory of 1536 4044 hnnhbb.exe 98 PID 4044 wrote to memory of 1536 4044 hnnhbb.exe 98 PID 1536 wrote to memory of 2916 1536 xfllffx.exe 99 PID 1536 wrote to memory of 2916 1536 xfllffx.exe 99 PID 1536 wrote to memory of 2916 1536 xfllffx.exe 99 PID 2916 wrote to memory of 3244 2916 80604.exe 100 PID 2916 wrote to memory of 3244 2916 80604.exe 100 PID 2916 wrote to memory of 3244 2916 80604.exe 100 PID 3244 wrote to memory of 3428 3244 flxflxl.exe 101 PID 3244 wrote to memory of 3428 3244 flxflxl.exe 101 PID 3244 wrote to memory of 3428 3244 flxflxl.exe 101 PID 3428 wrote to memory of 4716 3428 thbbhh.exe 102 PID 3428 wrote to memory of 4716 3428 thbbhh.exe 102 PID 3428 wrote to memory of 4716 3428 thbbhh.exe 102 PID 4716 wrote to memory of 2476 4716 xflfxxr.exe 103 PID 4716 wrote to memory of 2476 4716 xflfxxr.exe 103 PID 4716 wrote to memory of 2476 4716 xflfxxr.exe 103 PID 2476 wrote to memory of 3644 2476 frxrrlf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe"C:\Users\Admin\AppData\Local\Temp\91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\06602.exec:\06602.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\0244264.exec:\0244264.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\rffrlfx.exec:\rffrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\200860.exec:\200860.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\84648.exec:\84648.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\642282.exec:\642282.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\04240.exec:\04240.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\2648002.exec:\2648002.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\jvdvd.exec:\jvdvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\vvpjj.exec:\vvpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\68822.exec:\68822.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\26888.exec:\26888.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\7xrlxfl.exec:\7xrlxfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\jdpjp.exec:\jdpjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\hnnhbb.exec:\hnnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\xfllffx.exec:\xfllffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\80604.exec:\80604.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\flxflxl.exec:\flxflxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\thbbhh.exec:\thbbhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\xflfxxr.exec:\xflfxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\frxrrlf.exec:\frxrrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\vdjjd.exec:\vdjjd.exe23⤵
- Executes dropped EXE
PID:3644 -
\??\c:\0822600.exec:\0822600.exe24⤵
- Executes dropped EXE
PID:5012 -
\??\c:\0804040.exec:\0804040.exe25⤵
- Executes dropped EXE
PID:4232 -
\??\c:\djjdd.exec:\djjdd.exe26⤵
- Executes dropped EXE
PID:3964 -
\??\c:\bntnnn.exec:\bntnnn.exe27⤵
- Executes dropped EXE
PID:1820 -
\??\c:\6448268.exec:\6448268.exe28⤵
- Executes dropped EXE
PID:184 -
\??\c:\02862.exec:\02862.exe29⤵
- Executes dropped EXE
PID:4256 -
\??\c:\jdjvj.exec:\jdjvj.exe30⤵
- Executes dropped EXE
PID:3592 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe31⤵
- Executes dropped EXE
PID:4932 -
\??\c:\48266.exec:\48266.exe32⤵
- Executes dropped EXE
PID:3732 -
\??\c:\pvddv.exec:\pvddv.exe33⤵
- Executes dropped EXE
PID:372 -
\??\c:\jdjdv.exec:\jdjdv.exe34⤵
- Executes dropped EXE
PID:456 -
\??\c:\488888.exec:\488888.exe35⤵
- Executes dropped EXE
PID:2324 -
\??\c:\nthbbb.exec:\nthbbb.exe36⤵
- Executes dropped EXE
PID:3728 -
\??\c:\60882.exec:\60882.exe37⤵
- Executes dropped EXE
PID:2604 -
\??\c:\202622.exec:\202622.exe38⤵
- Executes dropped EXE
PID:2708 -
\??\c:\xrfxffl.exec:\xrfxffl.exe39⤵
- Executes dropped EXE
PID:3772 -
\??\c:\24082.exec:\24082.exe40⤵
- Executes dropped EXE
PID:2636 -
\??\c:\828266.exec:\828266.exe41⤵
- Executes dropped EXE
PID:612 -
\??\c:\04042.exec:\04042.exe42⤵
- Executes dropped EXE
PID:5112 -
\??\c:\nhbbhh.exec:\nhbbhh.exe43⤵
- Executes dropped EXE
PID:2440 -
\??\c:\4066482.exec:\4066482.exe44⤵
- Executes dropped EXE
PID:220 -
\??\c:\6064226.exec:\6064226.exe45⤵
- Executes dropped EXE
PID:4996 -
\??\c:\nbnhbt.exec:\nbnhbt.exe46⤵
- Executes dropped EXE
PID:4768 -
\??\c:\hntntt.exec:\hntntt.exe47⤵
- Executes dropped EXE
PID:4576 -
\??\c:\djvvp.exec:\djvvp.exe48⤵
- Executes dropped EXE
PID:4412 -
\??\c:\hbbnnh.exec:\hbbnnh.exe49⤵
- Executes dropped EXE
PID:1584 -
\??\c:\a8486.exec:\a8486.exe50⤵
- Executes dropped EXE
PID:4228 -
\??\c:\i684826.exec:\i684826.exe51⤵
- Executes dropped EXE
PID:1668 -
\??\c:\7dddv.exec:\7dddv.exe52⤵
- Executes dropped EXE
PID:4800 -
\??\c:\rflffxx.exec:\rflffxx.exe53⤵
- Executes dropped EXE
PID:1380 -
\??\c:\3rrlllf.exec:\3rrlllf.exe54⤵
- Executes dropped EXE
PID:592 -
\??\c:\lxxlxrl.exec:\lxxlxrl.exe55⤵
- Executes dropped EXE
PID:4384 -
\??\c:\884648.exec:\884648.exe56⤵
- Executes dropped EXE
PID:2676 -
\??\c:\hbhhbb.exec:\hbhhbb.exe57⤵
- Executes dropped EXE
PID:1644 -
\??\c:\q40800.exec:\q40800.exe58⤵
- Executes dropped EXE
PID:1412 -
\??\c:\66602.exec:\66602.exe59⤵
- Executes dropped EXE
PID:5096 -
\??\c:\bhnbbt.exec:\bhnbbt.exe60⤵
- Executes dropped EXE
PID:2244 -
\??\c:\xxfxllr.exec:\xxfxllr.exe61⤵
- Executes dropped EXE
PID:2816 -
\??\c:\86866.exec:\86866.exe62⤵
- Executes dropped EXE
PID:4416 -
\??\c:\800444.exec:\800444.exe63⤵
- Executes dropped EXE
PID:4128 -
\??\c:\8808200.exec:\8808200.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1524 -
\??\c:\88442.exec:\88442.exe65⤵
- Executes dropped EXE
PID:2308 -
\??\c:\lfrlfxl.exec:\lfrlfxl.exe66⤵PID:2288
-
\??\c:\66826.exec:\66826.exe67⤵PID:624
-
\??\c:\666026.exec:\666026.exe68⤵PID:4824
-
\??\c:\06286.exec:\06286.exe69⤵PID:2168
-
\??\c:\nhbtnn.exec:\nhbtnn.exe70⤵PID:4436
-
\??\c:\426422.exec:\426422.exe71⤵PID:3920
-
\??\c:\nnhbnb.exec:\nnhbnb.exe72⤵PID:4060
-
\??\c:\0080200.exec:\0080200.exe73⤵PID:4712
-
\??\c:\hhhnnb.exec:\hhhnnb.exe74⤵PID:4464
-
\??\c:\xxrflfr.exec:\xxrflfr.exe75⤵PID:3468
-
\??\c:\86484.exec:\86484.exe76⤵PID:1744
-
\??\c:\88480.exec:\88480.exe77⤵PID:3392
-
\??\c:\jdjvd.exec:\jdjvd.exe78⤵PID:2800
-
\??\c:\k64604.exec:\k64604.exe79⤵PID:1484
-
\??\c:\8842064.exec:\8842064.exe80⤵PID:2476
-
\??\c:\jjddv.exec:\jjddv.exe81⤵PID:1080
-
\??\c:\440828.exec:\440828.exe82⤵PID:4592
-
\??\c:\fxlxlfx.exec:\fxlxlfx.exe83⤵PID:3604
-
\??\c:\dppjv.exec:\dppjv.exe84⤵PID:2132
-
\??\c:\c404822.exec:\c404822.exe85⤵PID:3408
-
\??\c:\lxxrlff.exec:\lxxrlff.exe86⤵PID:2196
-
\??\c:\406648.exec:\406648.exe87⤵PID:4648
-
\??\c:\5pjdp.exec:\5pjdp.exe88⤵PID:3200
-
\??\c:\6882604.exec:\6882604.exe89⤵PID:1200
-
\??\c:\8606066.exec:\8606066.exe90⤵PID:1520
-
\??\c:\9xfxrrr.exec:\9xfxrrr.exe91⤵PID:1792
-
\??\c:\hhhbtb.exec:\hhhbtb.exe92⤵PID:4408
-
\??\c:\7ppdv.exec:\7ppdv.exe93⤵PID:640
-
\??\c:\fxxrrrl.exec:\fxxrrrl.exe94⤵PID:2608
-
\??\c:\rxxrllf.exec:\rxxrllf.exe95⤵PID:5080
-
\??\c:\ddvvp.exec:\ddvvp.exe96⤵PID:3432
-
\??\c:\60828.exec:\60828.exe97⤵PID:3204
-
\??\c:\lfllxxf.exec:\lfllxxf.exe98⤵PID:4796
-
\??\c:\htbtnn.exec:\htbtnn.exe99⤵PID:3648
-
\??\c:\86222.exec:\86222.exe100⤵PID:4088
-
\??\c:\jjjdd.exec:\jjjdd.exe101⤵PID:4268
-
\??\c:\bnttth.exec:\bnttth.exe102⤵PID:1436
-
\??\c:\rfllfff.exec:\rfllfff.exe103⤵PID:4504
-
\??\c:\6604882.exec:\6604882.exe104⤵PID:1336
-
\??\c:\hbhtth.exec:\hbhtth.exe105⤵PID:1072
-
\??\c:\vpvpj.exec:\vpvpj.exe106⤵PID:3264
-
\??\c:\jjjjd.exec:\jjjjd.exe107⤵PID:3584
-
\??\c:\5fffxfl.exec:\5fffxfl.exe108⤵PID:1392
-
\??\c:\0626604.exec:\0626604.exe109⤵PID:2460
-
\??\c:\1nnnhh.exec:\1nnnhh.exe110⤵PID:3156
-
\??\c:\4844604.exec:\4844604.exe111⤵PID:2508
-
\??\c:\ddpvp.exec:\ddpvp.exe112⤵PID:4080
-
\??\c:\rllxxrl.exec:\rllxxrl.exe113⤵PID:1668
-
\??\c:\4860662.exec:\4860662.exe114⤵PID:4800
-
\??\c:\66060.exec:\66060.exe115⤵PID:1380
-
\??\c:\i848266.exec:\i848266.exe116⤵PID:824
-
\??\c:\ttbttn.exec:\ttbttn.exe117⤵PID:4220
-
\??\c:\400044.exec:\400044.exe118⤵PID:4536
-
\??\c:\ttbnnn.exec:\ttbnnn.exe119⤵PID:1644
-
\??\c:\vjjdp.exec:\vjjdp.exe120⤵PID:1412
-
\??\c:\0066804.exec:\0066804.exe121⤵PID:3272
-
\??\c:\9btnnn.exec:\9btnnn.exe122⤵PID:4252