Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 23:30
Static task
static1
Behavioral task
behavioral1
Sample
714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe
Resource
win7-20240903-en
General
-
Target
714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe
-
Size
337KB
-
MD5
a3192e9f1b5dd3cfd8cd7255e8b5850a
-
SHA1
07021ab656ef98a8d5d39346050c4b5084d6c217
-
SHA256
714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087
-
SHA512
54ea232b7d04840298af2c5a1543ece6355f905cfc7042d89aaabe7de05bd2f1e2a036dbdf381fbf3008188431f21c7bad8c907cb00be1bc5ed4156ed98cc4f6
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhk:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4028-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2112-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4108-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-907-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-1119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-1205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2400-1341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3768 jjvdj.exe 3020 6082606.exe 1968 860860.exe 3440 082288.exe 3180 820088.exe 5080 jvvjv.exe 4484 hbnbbt.exe 3896 tntnnn.exe 4504 66048.exe 4640 8626662.exe 760 2042604.exe 3300 xxlrrlr.exe 728 08460.exe 4800 htbnht.exe 4952 1vpjp.exe 3088 280822.exe 1756 082826.exe 4876 2446000.exe 3620 pjvjp.exe 1684 vppjd.exe 3700 4822604.exe 1032 lrxlxlf.exe 3748 28426.exe 1640 llllfll.exe 2416 xflrfxr.exe 4108 hhnbtn.exe 3332 ppvpj.exe 2628 ppjpd.exe 4136 jvvpj.exe 4924 424260.exe 1212 i448604.exe 3104 5vvdp.exe 2396 06048.exe 2444 426404.exe 2124 s2828.exe 2476 26884.exe 4832 5lflfff.exe 1744 820882.exe 924 rrxllxx.exe 4112 600048.exe 1696 5tbnbb.exe 2112 m6460.exe 3624 frfflxf.exe 2544 440422.exe 2256 xllrlfr.exe 4752 hbhttt.exe 2672 5bbthb.exe 3020 vpdpv.exe 1892 4266408.exe 548 q40044.exe 2076 228426.exe 5080 3vppd.exe 4944 btnhbb.exe 4988 48482.exe 2884 xrllrrf.exe 2036 fflrffr.exe 3244 hhhbtn.exe 4084 40048.exe 4216 bbnntb.exe 3312 0682604.exe 3300 nttnhb.exe 3064 840428.exe 2948 thhhbn.exe 5064 6060044.exe -
resource yara_rule behavioral2/memory/4028-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-210-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2112-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2416-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-749-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2642264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2266600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2060226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28482.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8442642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6848804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4028 wrote to memory of 3768 4028 714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe 87 PID 4028 wrote to memory of 3768 4028 714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe 87 PID 4028 wrote to memory of 3768 4028 714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe 87 PID 3768 wrote to memory of 3020 3768 jjvdj.exe 135 PID 3768 wrote to memory of 3020 3768 jjvdj.exe 135 PID 3768 wrote to memory of 3020 3768 jjvdj.exe 135 PID 3020 wrote to memory of 1968 3020 6082606.exe 89 PID 3020 wrote to memory of 1968 3020 6082606.exe 89 PID 3020 wrote to memory of 1968 3020 6082606.exe 89 PID 1968 wrote to memory of 3440 1968 860860.exe 90 PID 1968 wrote to memory of 3440 1968 860860.exe 90 PID 1968 wrote to memory of 3440 1968 860860.exe 90 PID 3440 wrote to memory of 3180 3440 082288.exe 91 PID 3440 wrote to memory of 3180 3440 082288.exe 91 PID 3440 wrote to memory of 3180 3440 082288.exe 91 PID 3180 wrote to memory of 5080 3180 820088.exe 139 PID 3180 wrote to memory of 5080 3180 820088.exe 139 PID 3180 wrote to memory of 5080 3180 820088.exe 139 PID 5080 wrote to memory of 4484 5080 jvvjv.exe 93 PID 5080 wrote to memory of 4484 5080 jvvjv.exe 93 PID 5080 wrote to memory of 4484 5080 jvvjv.exe 93 PID 4484 wrote to memory of 3896 4484 hbnbbt.exe 94 PID 4484 wrote to memory of 3896 4484 hbnbbt.exe 94 PID 4484 wrote to memory of 3896 4484 hbnbbt.exe 94 PID 3896 wrote to memory of 4504 3896 tntnnn.exe 95 PID 3896 wrote to memory of 4504 3896 tntnnn.exe 95 PID 3896 wrote to memory of 4504 3896 tntnnn.exe 95 PID 4504 wrote to memory of 4640 4504 66048.exe 96 PID 4504 wrote to memory of 4640 4504 66048.exe 96 PID 4504 wrote to memory of 4640 4504 66048.exe 96 PID 4640 wrote to memory of 760 4640 8626662.exe 97 PID 4640 wrote to memory of 760 4640 8626662.exe 97 PID 4640 wrote to memory of 760 4640 8626662.exe 97 PID 760 wrote to memory of 3300 760 2042604.exe 148 PID 760 wrote to 
memory of 3300 760 2042604.exe 148 PID 760 wrote to memory of 3300 760 2042604.exe 148 PID 3300 wrote to memory of 728 3300 xxlrrlr.exe 99 PID 3300 wrote to memory of 728 3300 xxlrrlr.exe 99 PID 3300 wrote to memory of 728 3300 xxlrrlr.exe 99 PID 728 wrote to memory of 4800 728 08460.exe 100 PID 728 wrote to memory of 4800 728 08460.exe 100 PID 728 wrote to memory of 4800 728 08460.exe 100 PID 4800 wrote to memory of 4952 4800 htbnht.exe 101 PID 4800 wrote to memory of 4952 4800 htbnht.exe 101 PID 4800 wrote to memory of 4952 4800 htbnht.exe 101 PID 4952 wrote to memory of 3088 4952 1vpjp.exe 102 PID 4952 wrote to memory of 3088 4952 1vpjp.exe 102 PID 4952 wrote to memory of 3088 4952 1vpjp.exe 102 PID 3088 wrote to memory of 1756 3088 280822.exe 103 PID 3088 wrote to memory of 1756 3088 280822.exe 103 PID 3088 wrote to memory of 1756 3088 280822.exe 103 PID 1756 wrote to memory of 4876 1756 082826.exe 104 PID 1756 wrote to memory of 4876 1756 082826.exe 104 PID 1756 wrote to memory of 4876 1756 082826.exe 104 PID 4876 wrote to memory of 3620 4876 2446000.exe 105 PID 4876 wrote to memory of 3620 4876 2446000.exe 105 PID 4876 wrote to memory of 3620 4876 2446000.exe 105 PID 3620 wrote to memory of 1684 3620 pjvjp.exe 106 PID 3620 wrote to memory of 1684 3620 pjvjp.exe 106 PID 3620 wrote to memory of 1684 3620 pjvjp.exe 106 PID 1684 wrote to memory of 3700 1684 vppjd.exe 107 PID 1684 wrote to memory of 3700 1684 vppjd.exe 107 PID 1684 wrote to memory of 3700 1684 vppjd.exe 107 PID 3700 wrote to memory of 1032 3700 4822604.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe"C:\Users\Admin\AppData\Local\Temp\714099986857c572809f753782d66cf03cdf374514814c72d297bcd82a360087.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\jjvdj.exec:\jjvdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\6082606.exec:\6082606.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\860860.exec:\860860.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\082288.exec:\082288.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\820088.exec:\820088.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\jvvjv.exec:\jvvjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\hbnbbt.exec:\hbnbbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\tntnnn.exec:\tntnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\66048.exec:\66048.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\8626662.exec:\8626662.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\2042604.exec:\2042604.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\xxlrrlr.exec:\xxlrrlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\08460.exec:\08460.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728 -
\??\c:\htbnht.exec:\htbnht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\1vpjp.exec:\1vpjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\280822.exec:\280822.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\082826.exec:\082826.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\2446000.exec:\2446000.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\pjvjp.exec:\pjvjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\vppjd.exec:\vppjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\4822604.exec:\4822604.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\lrxlxlf.exec:\lrxlxlf.exe23⤵
- Executes dropped EXE
PID:1032 -
\??\c:\28426.exec:\28426.exe24⤵
- Executes dropped EXE
PID:3748 -
\??\c:\llllfll.exec:\llllfll.exe25⤵
- Executes dropped EXE
PID:1640 -
\??\c:\xflrfxr.exec:\xflrfxr.exe26⤵
- Executes dropped EXE
PID:2416 -
\??\c:\hhnbtn.exec:\hhnbtn.exe27⤵
- Executes dropped EXE
PID:4108 -
\??\c:\ppvpj.exec:\ppvpj.exe28⤵
- Executes dropped EXE
PID:3332 -
\??\c:\ppjpd.exec:\ppjpd.exe29⤵
- Executes dropped EXE
PID:2628 -
\??\c:\jvvpj.exec:\jvvpj.exe30⤵
- Executes dropped EXE
PID:4136 -
\??\c:\424260.exec:\424260.exe31⤵
- Executes dropped EXE
PID:4924 -
\??\c:\i448604.exec:\i448604.exe32⤵
- Executes dropped EXE
PID:1212 -
\??\c:\5vvdp.exec:\5vvdp.exe33⤵
- Executes dropped EXE
PID:3104 -
\??\c:\06048.exec:\06048.exe34⤵
- Executes dropped EXE
PID:2396 -
\??\c:\426404.exec:\426404.exe35⤵
- Executes dropped EXE
PID:2444 -
\??\c:\s2828.exec:\s2828.exe36⤵
- Executes dropped EXE
PID:2124 -
\??\c:\26884.exec:\26884.exe37⤵
- Executes dropped EXE
PID:2476 -
\??\c:\5lflfff.exec:\5lflfff.exe38⤵
- Executes dropped EXE
PID:4832 -
\??\c:\820882.exec:\820882.exe39⤵
- Executes dropped EXE
PID:1744 -
\??\c:\rrxllxx.exec:\rrxllxx.exe40⤵
- Executes dropped EXE
PID:924 -
\??\c:\600048.exec:\600048.exe41⤵
- Executes dropped EXE
PID:4112 -
\??\c:\5tbnbb.exec:\5tbnbb.exe42⤵
- Executes dropped EXE
PID:1696 -
\??\c:\m6460.exec:\m6460.exe43⤵
- Executes dropped EXE
PID:2112 -
\??\c:\2480684.exec:\2480684.exe44⤵PID:4336
-
\??\c:\frfflxf.exec:\frfflxf.exe45⤵
- Executes dropped EXE
PID:3624 -
\??\c:\440422.exec:\440422.exe46⤵
- Executes dropped EXE
PID:2544 -
\??\c:\xllrlfr.exec:\xllrlfr.exe47⤵
- Executes dropped EXE
PID:2256 -
\??\c:\hbhttt.exec:\hbhttt.exe48⤵
- Executes dropped EXE
PID:4752 -
\??\c:\5bbthb.exec:\5bbthb.exe49⤵
- Executes dropped EXE
PID:2672 -
\??\c:\vpdpv.exec:\vpdpv.exe50⤵
- Executes dropped EXE
PID:3020 -
\??\c:\4266408.exec:\4266408.exe51⤵
- Executes dropped EXE
PID:1892 -
\??\c:\q40044.exec:\q40044.exe52⤵
- Executes dropped EXE
PID:548 -
\??\c:\228426.exec:\228426.exe53⤵
- Executes dropped EXE
PID:2076 -
\??\c:\3vppd.exec:\3vppd.exe54⤵
- Executes dropped EXE
PID:5080 -
\??\c:\btnhbb.exec:\btnhbb.exe55⤵
- Executes dropped EXE
PID:4944 -
\??\c:\48482.exec:\48482.exe56⤵
- Executes dropped EXE
PID:4988 -
\??\c:\xrllrrf.exec:\xrllrrf.exe57⤵
- Executes dropped EXE
PID:2884 -
\??\c:\fflrffr.exec:\fflrffr.exe58⤵
- Executes dropped EXE
PID:2036 -
\??\c:\hhhbtn.exec:\hhhbtn.exe59⤵
- Executes dropped EXE
PID:3244 -
\??\c:\40048.exec:\40048.exe60⤵
- Executes dropped EXE
PID:4084 -
\??\c:\bbnntb.exec:\bbnntb.exe61⤵
- Executes dropped EXE
PID:4216 -
\??\c:\0682604.exec:\0682604.exe62⤵
- Executes dropped EXE
PID:3312 -
\??\c:\nttnhb.exec:\nttnhb.exe63⤵
- Executes dropped EXE
PID:3300 -
\??\c:\840428.exec:\840428.exe64⤵
- Executes dropped EXE
PID:3064 -
\??\c:\thhhbn.exec:\thhhbn.exe65⤵
- Executes dropped EXE
PID:2948 -
\??\c:\6060044.exec:\6060044.exe66⤵
- Executes dropped EXE
PID:5064 -
\??\c:\vvdvd.exec:\vvdvd.exe67⤵PID:2060
-
\??\c:\64004.exec:\64004.exe68⤵PID:3516
-
\??\c:\426082.exec:\426082.exe69⤵PID:1520
-
\??\c:\s4048.exec:\s4048.exe70⤵PID:4508
-
\??\c:\c064260.exec:\c064260.exe71⤵PID:3916
-
\??\c:\q82402.exec:\q82402.exe72⤵PID:2668
-
\??\c:\frfllff.exec:\frfllff.exe73⤵PID:2464
-
\??\c:\4086420.exec:\4086420.exe74⤵PID:1144
-
\??\c:\2244226.exec:\2244226.exe75⤵PID:2460
-
\??\c:\7bhttn.exec:\7bhttn.exe76⤵PID:2992
-
\??\c:\nhhbnn.exec:\nhhbnn.exe77⤵
- System Location Discovery: System Language Discovery
PID:2752 -
\??\c:\pjvdv.exec:\pjvdv.exe78⤵PID:4300
-
\??\c:\844804.exec:\844804.exe79⤵PID:3748
-
\??\c:\xlflrfl.exec:\xlflrfl.exe80⤵PID:2416
-
\??\c:\lllfxrr.exec:\lllfxrr.exe81⤵PID:2980
-
\??\c:\pvppj.exec:\pvppj.exe82⤵PID:4424
-
\??\c:\vpjjd.exec:\vpjjd.exe83⤵PID:1264
-
\??\c:\jvpdv.exec:\jvpdv.exe84⤵PID:2600
-
\??\c:\82448.exec:\82448.exe85⤵PID:4252
-
\??\c:\0064828.exec:\0064828.exe86⤵PID:3496
-
\??\c:\flrlfxr.exec:\flrlfxr.exe87⤵PID:4924
-
\??\c:\jjpjd.exec:\jjpjd.exe88⤵PID:4276
-
\??\c:\6420826.exec:\6420826.exe89⤵PID:1560
-
\??\c:\206844.exec:\206844.exe90⤵PID:2116
-
\??\c:\pvvjd.exec:\pvvjd.exe91⤵PID:2444
-
\??\c:\7ddvp.exec:\7ddvp.exe92⤵PID:116
-
\??\c:\06226.exec:\06226.exe93⤵PID:1080
-
\??\c:\k40822.exec:\k40822.exe94⤵PID:2232
-
\??\c:\ddvpj.exec:\ddvpj.exe95⤵PID:3800
-
\??\c:\xxllflf.exec:\xxllflf.exe96⤵PID:3184
-
\??\c:\40044.exec:\40044.exe97⤵PID:3856
-
\??\c:\ffxrlxl.exec:\ffxrlxl.exe98⤵PID:2880
-
\??\c:\2206244.exec:\2206244.exe99⤵PID:4468
-
\??\c:\ddjjd.exec:\ddjjd.exe100⤵PID:4452
-
\??\c:\842080.exec:\842080.exe101⤵PID:3952
-
\??\c:\rfrlrrx.exec:\rfrlrrx.exe102⤵PID:4756
-
\??\c:\86844.exec:\86844.exe103⤵PID:3268
-
\??\c:\2626004.exec:\2626004.exe104⤵PID:2544
-
\??\c:\a8482.exec:\a8482.exe105⤵PID:4068
-
\??\c:\4040620.exec:\4040620.exe106⤵PID:1840
-
\??\c:\xfxlxlr.exec:\xfxlxlr.exe107⤵PID:4196
-
\??\c:\ffxfxrf.exec:\ffxfxrf.exe108⤵PID:2488
-
\??\c:\g0000.exec:\g0000.exe109⤵PID:3984
-
\??\c:\066600.exec:\066600.exe110⤵PID:4984
-
\??\c:\hbhtnn.exec:\hbhtnn.exe111⤵PID:2068
-
\??\c:\200404.exec:\200404.exe112⤵PID:4896
-
\??\c:\468448.exec:\468448.exe113⤵PID:1660
-
\??\c:\w64888.exec:\w64888.exe114⤵PID:2172
-
\??\c:\jpvjd.exec:\jpvjd.exe115⤵PID:1956
-
\??\c:\jdpjd.exec:\jdpjd.exe116⤵PID:4240
-
\??\c:\xxxfrlx.exec:\xxxfrlx.exe117⤵PID:4768
-
\??\c:\624242.exec:\624242.exe118⤵PID:2568
-
\??\c:\1lxrrlf.exec:\1lxrrlf.exe119⤵PID:3752
-
\??\c:\m8000.exec:\m8000.exe120⤵PID:2944
-
\??\c:\s2266.exec:\s2266.exe121⤵PID:4184
-
\??\c:\jjpdv.exec:\jjpdv.exe122⤵PID:5052
-