Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 03:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe
-
Size
453KB
-
MD5
26cf3cda4e28c363c1baea91fa96e3d6
-
SHA1
9b5965b7c46f4554757716f97a3cac6398f2833c
-
SHA256
dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97
-
SHA512
139098b143df2ffa28ba482168b5f8ee03fe351b1b75fe0da95ef8433bb6db9d849ba37e090accd1fcd40fb800a1571b4782b1ac346f45fda5b2918d8b3f5186
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeh:q7Tc2NYHUrAwfMp3CDh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2032-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2624-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2772-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-845-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-1126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-1148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2780-1219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3008 ffllllf.exe 4912 1ddvp.exe 4644 028266.exe 2168 vdpvp.exe 2092 26266.exe 452 o602006.exe 2084 6062222.exe 3540 tnnnhh.exe 620 o686066.exe 4148 frlxfxr.exe 2776 rxflxff.exe 4284 tbhbbb.exe 5056 60262.exe 4544 88444.exe 3152 rfxxfff.exe 828 0264608.exe 2296 bbnhtn.exe 4924 pjppp.exe 1960 dvvjv.exe 4580 480064.exe 956 3tbnhb.exe 3052 68484.exe 3724 xfllfff.exe 2308 pppjd.exe 2328 4442604.exe 960 dvjvj.exe 1252 4848888.exe 4800 08242.exe 1088 rrfrxxx.exe 4104 g4662.exe 2724 5tnbbt.exe 4732 xxxlxrf.exe 2460 rlfrffr.exe 700 k00406.exe 2340 jvdpj.exe 384 00642.exe 3140 llrlxrl.exe 1284 hbbtht.exe 2852 0882660.exe 1472 42400.exe 2172 bnhbnh.exe 4136 xxxlxrl.exe 1900 1hbbnh.exe 4032 u224826.exe 3784 w82446.exe 3308 pjvjd.exe 676 q62606.exe 2848 682228.exe 3664 22640.exe 368 xfrrfll.exe 1624 jpdpp.exe 3676 rxfrlfr.exe 2624 nnthhb.exe 2828 662082.exe 4816 5tthhb.exe 2472 00486.exe 3844 ddvjp.exe 4392 nbthtn.exe 1456 tttnhb.exe 4644 dppdp.exe 4012 3jvpd.exe 2092 6608260.exe 3416 4448604.exe 184 28848.exe -
resource yara_rule behavioral2/memory/2032-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-253-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3664-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-352-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/636-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-845-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-1104-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2848204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 248664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c848264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2032 wrote to memory of 3008 2032 dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe 83 PID 2032 wrote to memory of 3008 2032 dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe 83 PID 2032 wrote to memory of 3008 2032 dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe 83 PID 3008 wrote to memory of 4912 3008 ffllllf.exe 84 PID 3008 wrote to memory of 4912 3008 ffllllf.exe 84 PID 3008 wrote to memory of 4912 3008 ffllllf.exe 84 PID 4912 wrote to memory of 4644 4912 1ddvp.exe 85 PID 4912 wrote to memory of 4644 4912 1ddvp.exe 85 PID 4912 wrote to memory of 4644 4912 1ddvp.exe 85 PID 4644 wrote to memory of 2168 4644 028266.exe 86 PID 4644 wrote to memory of 2168 4644 028266.exe 86 PID 4644 wrote to memory of 2168 4644 028266.exe 86 PID 2168 wrote to memory of 2092 2168 vdpvp.exe 87 PID 2168 wrote to memory of 2092 2168 vdpvp.exe 87 PID 2168 wrote to memory of 2092 2168 vdpvp.exe 87 PID 2092 wrote to memory of 452 2092 26266.exe 88 PID 2092 wrote to memory of 452 2092 26266.exe 88 PID 2092 wrote to memory of 452 2092 26266.exe 88 PID 452 wrote to memory of 2084 452 o602006.exe 89 PID 452 wrote to memory of 2084 452 o602006.exe 89 PID 452 wrote to memory of 2084 452 o602006.exe 89 PID 2084 wrote to memory of 3540 2084 6062222.exe 90 PID 2084 wrote to memory of 3540 2084 6062222.exe 90 PID 2084 wrote to memory of 3540 2084 6062222.exe 90 PID 3540 wrote to memory of 620 3540 tnnnhh.exe 91 PID 3540 wrote to memory of 620 3540 tnnnhh.exe 91 PID 3540 wrote to memory of 620 3540 tnnnhh.exe 91 PID 620 wrote to memory of 4148 620 o686066.exe 92 PID 620 wrote to memory of 4148 620 o686066.exe 92 PID 620 wrote to memory of 4148 620 o686066.exe 92 PID 4148 wrote to memory of 2776 4148 frlxfxr.exe 93 PID 4148 wrote to memory of 2776 4148 frlxfxr.exe 93 PID 4148 wrote to memory of 2776 4148 frlxfxr.exe 93 PID 2776 wrote to memory of 4284 2776 rxflxff.exe 94 PID 2776 wrote to memory of 
4284 2776 rxflxff.exe 94 PID 2776 wrote to memory of 4284 2776 rxflxff.exe 94 PID 4284 wrote to memory of 5056 4284 tbhbbb.exe 95 PID 4284 wrote to memory of 5056 4284 tbhbbb.exe 95 PID 4284 wrote to memory of 5056 4284 tbhbbb.exe 95 PID 5056 wrote to memory of 4544 5056 60262.exe 96 PID 5056 wrote to memory of 4544 5056 60262.exe 96 PID 5056 wrote to memory of 4544 5056 60262.exe 96 PID 4544 wrote to memory of 3152 4544 88444.exe 97 PID 4544 wrote to memory of 3152 4544 88444.exe 97 PID 4544 wrote to memory of 3152 4544 88444.exe 97 PID 3152 wrote to memory of 828 3152 rfxxfff.exe 98 PID 3152 wrote to memory of 828 3152 rfxxfff.exe 98 PID 3152 wrote to memory of 828 3152 rfxxfff.exe 98 PID 828 wrote to memory of 2296 828 0264608.exe 99 PID 828 wrote to memory of 2296 828 0264608.exe 99 PID 828 wrote to memory of 2296 828 0264608.exe 99 PID 2296 wrote to memory of 4924 2296 bbnhtn.exe 100 PID 2296 wrote to memory of 4924 2296 bbnhtn.exe 100 PID 2296 wrote to memory of 4924 2296 bbnhtn.exe 100 PID 4924 wrote to memory of 1960 4924 pjppp.exe 101 PID 4924 wrote to memory of 1960 4924 pjppp.exe 101 PID 4924 wrote to memory of 1960 4924 pjppp.exe 101 PID 1960 wrote to memory of 4580 1960 dvvjv.exe 102 PID 1960 wrote to memory of 4580 1960 dvvjv.exe 102 PID 1960 wrote to memory of 4580 1960 dvvjv.exe 102 PID 4580 wrote to memory of 956 4580 480064.exe 103 PID 4580 wrote to memory of 956 4580 480064.exe 103 PID 4580 wrote to memory of 956 4580 480064.exe 103 PID 956 wrote to memory of 3052 956 3tbnhb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe"C:\Users\Admin\AppData\Local\Temp\dbf59bee28522b6b8b4a70f6604b0e5663151d4c07141f38f881cf251e66fe97.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\ffllllf.exec:\ffllllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\1ddvp.exec:\1ddvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\028266.exec:\028266.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\vdpvp.exec:\vdpvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\26266.exec:\26266.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\o602006.exec:\o602006.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\6062222.exec:\6062222.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\tnnnhh.exec:\tnnnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\o686066.exec:\o686066.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\frlxfxr.exec:\frlxfxr.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\rxflxff.exec:\rxflxff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\tbhbbb.exec:\tbhbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\60262.exec:\60262.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\88444.exec:\88444.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\rfxxfff.exec:\rfxxfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\0264608.exec:\0264608.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\bbnhtn.exec:\bbnhtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\pjppp.exec:\pjppp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\dvvjv.exec:\dvvjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\480064.exec:\480064.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\3tbnhb.exec:\3tbnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
\??\c:\68484.exec:\68484.exe23⤵
- Executes dropped EXE
PID:3052 -
\??\c:\xfllfff.exec:\xfllfff.exe24⤵
- Executes dropped EXE
PID:3724 -
\??\c:\pppjd.exec:\pppjd.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2308 -
\??\c:\4442604.exec:\4442604.exe26⤵
- Executes dropped EXE
PID:2328 -
\??\c:\dvjvj.exec:\dvjvj.exe27⤵
- Executes dropped EXE
PID:960 -
\??\c:\4848888.exec:\4848888.exe28⤵
- Executes dropped EXE
PID:1252 -
\??\c:\08242.exec:\08242.exe29⤵
- Executes dropped EXE
PID:4800 -
\??\c:\rrfrxxx.exec:\rrfrxxx.exe30⤵
- Executes dropped EXE
PID:1088 -
\??\c:\g4662.exec:\g4662.exe31⤵
- Executes dropped EXE
PID:4104 -
\??\c:\5tnbbt.exec:\5tnbbt.exe32⤵
- Executes dropped EXE
PID:2724 -
\??\c:\xxxlxrf.exec:\xxxlxrf.exe33⤵
- Executes dropped EXE
PID:4732 -
\??\c:\rlfrffr.exec:\rlfrffr.exe34⤵
- Executes dropped EXE
PID:2460 -
\??\c:\k00406.exec:\k00406.exe35⤵
- Executes dropped EXE
PID:700 -
\??\c:\jvdpj.exec:\jvdpj.exe36⤵
- Executes dropped EXE
PID:2340 -
\??\c:\00642.exec:\00642.exe37⤵
- Executes dropped EXE
PID:384 -
\??\c:\llrlxrl.exec:\llrlxrl.exe38⤵
- Executes dropped EXE
PID:3140 -
\??\c:\hbbtht.exec:\hbbtht.exe39⤵
- Executes dropped EXE
PID:1284 -
\??\c:\0882660.exec:\0882660.exe40⤵
- Executes dropped EXE
PID:2852 -
\??\c:\42400.exec:\42400.exe41⤵
- Executes dropped EXE
PID:1472 -
\??\c:\bnhbnh.exec:\bnhbnh.exe42⤵
- Executes dropped EXE
PID:2172 -
\??\c:\xxxlxrl.exec:\xxxlxrl.exe43⤵
- Executes dropped EXE
PID:4136 -
\??\c:\1hbbnh.exec:\1hbbnh.exe44⤵
- Executes dropped EXE
PID:1900 -
\??\c:\u224826.exec:\u224826.exe45⤵
- Executes dropped EXE
PID:4032 -
\??\c:\w82446.exec:\w82446.exe46⤵
- Executes dropped EXE
PID:3784 -
\??\c:\pjvjd.exec:\pjvjd.exe47⤵
- Executes dropped EXE
PID:3308 -
\??\c:\q62606.exec:\q62606.exe48⤵
- Executes dropped EXE
PID:676 -
\??\c:\682228.exec:\682228.exe49⤵
- Executes dropped EXE
PID:2848 -
\??\c:\22640.exec:\22640.exe50⤵
- Executes dropped EXE
PID:3664 -
\??\c:\xfrrfll.exec:\xfrrfll.exe51⤵
- Executes dropped EXE
PID:368 -
\??\c:\jpdpp.exec:\jpdpp.exe52⤵
- Executes dropped EXE
PID:1624 -
\??\c:\rxfrlfr.exec:\rxfrlfr.exe53⤵
- Executes dropped EXE
PID:3676 -
\??\c:\nnthhb.exec:\nnthhb.exe54⤵
- Executes dropped EXE
PID:2624 -
\??\c:\662082.exec:\662082.exe55⤵
- Executes dropped EXE
PID:2828 -
\??\c:\s2648.exec:\s2648.exe56⤵PID:4460
-
\??\c:\5tthhb.exec:\5tthhb.exe57⤵
- Executes dropped EXE
PID:4816 -
\??\c:\00486.exec:\00486.exe58⤵
- Executes dropped EXE
PID:2472 -
\??\c:\ddvjp.exec:\ddvjp.exe59⤵
- Executes dropped EXE
PID:3844 -
\??\c:\nbthtn.exec:\nbthtn.exe60⤵
- Executes dropped EXE
PID:4392 -
\??\c:\tttnhb.exec:\tttnhb.exe61⤵
- Executes dropped EXE
PID:1456 -
\??\c:\dppdp.exec:\dppdp.exe62⤵
- Executes dropped EXE
PID:4644 -
\??\c:\3jvpd.exec:\3jvpd.exe63⤵
- Executes dropped EXE
PID:4012 -
\??\c:\6608260.exec:\6608260.exe64⤵
- Executes dropped EXE
PID:2092 -
\??\c:\4448604.exec:\4448604.exe65⤵
- Executes dropped EXE
PID:3416 -
\??\c:\28848.exec:\28848.exe66⤵
- Executes dropped EXE
PID:184 -
\??\c:\pjjvv.exec:\pjjvv.exe67⤵PID:3556
-
\??\c:\dvdvp.exec:\dvdvp.exe68⤵PID:1820
-
\??\c:\vjpjd.exec:\vjpjd.exe69⤵PID:4400
-
\??\c:\xffxlfl.exec:\xffxlfl.exe70⤵PID:1488
-
\??\c:\vdvvp.exec:\vdvvp.exe71⤵PID:620
-
\??\c:\jdppv.exec:\jdppv.exe72⤵PID:1908
-
\??\c:\u826246.exec:\u826246.exe73⤵PID:2772
-
\??\c:\c408482.exec:\c408482.exe74⤵PID:748
-
\??\c:\e62426.exec:\e62426.exe75⤵PID:1968
-
\??\c:\vjpdp.exec:\vjpdp.exe76⤵PID:2220
-
\??\c:\9jjjv.exec:\9jjjv.exe77⤵PID:3088
-
\??\c:\hhbbnn.exec:\hhbbnn.exe78⤵PID:4932
-
\??\c:\648260.exec:\648260.exe79⤵PID:3652
-
\??\c:\s8826.exec:\s8826.exe80⤵PID:2012
-
\??\c:\k02004.exec:\k02004.exe81⤵PID:2516
-
\??\c:\5ffxrrl.exec:\5ffxrrl.exe82⤵PID:4220
-
\??\c:\i842242.exec:\i842242.exe83⤵PID:3184
-
\??\c:\q44260.exec:\q44260.exe84⤵PID:1164
-
\??\c:\9rlfrrf.exec:\9rlfrrf.exe85⤵PID:2300
-
\??\c:\pjjvj.exec:\pjjvj.exe86⤵PID:4708
-
\??\c:\006082.exec:\006082.exe87⤵PID:4512
-
\??\c:\282242.exec:\282242.exe88⤵PID:2824
-
\??\c:\648208.exec:\648208.exe89⤵PID:1988
-
\??\c:\g4442.exec:\g4442.exe90⤵PID:5052
-
\??\c:\w84866.exec:\w84866.exe91⤵PID:1088
-
\??\c:\42266.exec:\42266.exe92⤵PID:4872
-
\??\c:\jpvjd.exec:\jpvjd.exe93⤵PID:636
-
\??\c:\vdjvp.exec:\vdjvp.exe94⤵PID:4040
-
\??\c:\rlffrfr.exec:\rlffrfr.exe95⤵PID:1236
-
\??\c:\1fxrfxr.exec:\1fxrfxr.exe96⤵PID:2812
-
\??\c:\dpvpd.exec:\dpvpd.exe97⤵PID:1096
-
\??\c:\o060606.exec:\o060606.exe98⤵PID:1284
-
\??\c:\666286.exec:\666286.exe99⤵PID:1580
-
\??\c:\6282048.exec:\6282048.exe100⤵PID:1800
-
\??\c:\60648.exec:\60648.exe101⤵PID:2172
-
\??\c:\7lxxrrf.exec:\7lxxrrf.exe102⤵PID:1900
-
\??\c:\c848264.exec:\c848264.exe103⤵
- System Location Discovery: System Language Discovery
PID:3528 -
\??\c:\028222.exec:\028222.exe104⤵PID:4032
-
\??\c:\hntnnt.exec:\hntnnt.exe105⤵PID:4600
-
\??\c:\djvpd.exec:\djvpd.exe106⤵PID:4092
-
\??\c:\frlfrxr.exec:\frlfrxr.exe107⤵PID:2780
-
\??\c:\jpvpd.exec:\jpvpd.exe108⤵PID:2492
-
\??\c:\26648.exec:\26648.exe109⤵PID:3872
-
\??\c:\6484826.exec:\6484826.exe110⤵PID:3288
-
\??\c:\nhbbbb.exec:\nhbbbb.exe111⤵PID:716
-
\??\c:\nnnbnh.exec:\nnnbnh.exe112⤵PID:4744
-
\??\c:\0406048.exec:\0406048.exe113⤵PID:736
-
\??\c:\i660442.exec:\i660442.exe114⤵PID:4156
-
\??\c:\28482.exec:\28482.exe115⤵PID:4548
-
\??\c:\84486.exec:\84486.exe116⤵PID:4816
-
\??\c:\0004826.exec:\0004826.exe117⤵PID:4448
-
\??\c:\xllrfxl.exec:\xllrfxl.exe118⤵PID:2032
-
\??\c:\htthbb.exec:\htthbb.exe119⤵PID:2764
-
\??\c:\nbnbbt.exec:\nbnbbt.exe120⤵PID:832
-
\??\c:\848202.exec:\848202.exe121⤵PID:4376
-
\??\c:\6660486.exec:\6660486.exe122⤵PID:3296