Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-12-2024 00:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe
-
Size
456KB
-
MD5
dbe348da744b30037024dd7262361b8e
-
SHA1
5e7852ab769e3bce8cd22044f22c25000fea1399
-
SHA256
a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2
-
SHA512
98d00dfa5284a8488aa8c25cb634546ed03e8e5734e99d5bfa809c7b301c99917c589d41495168ddfc1a226fb145e0d73790d1e3ee76a664a1ebf272228c7e8e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4300-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1084-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1684-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-819-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1464-1391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2016 824822.exe 848 vjjjd.exe 3868 648826.exe 2376 4606222.exe 5008 pddvp.exe 2976 xxlfxxr.exe 2860 tbhbtt.exe 2316 7vdjd.exe 3884 20286.exe 1272 3nnhnh.exe 4272 u806048.exe 3400 nbnhtt.exe 4076 xflfrfl.exe 3524 rxflxrf.exe 4608 44262.exe 5040 86440.exe 1060 a8422.exe 4876 fxrlxrf.exe 3068 w00660.exe 3380 20082.exe 2496 9jjdp.exe 4524 a6820.exe 3500 nbhbnn.exe 4796 0860260.exe 1084 dvvjv.exe 3136 26828.exe 2776 fxffffx.exe 2744 28662.exe 3948 dvjpd.exe 1920 jvvpd.exe 4844 nbbtnh.exe 800 2282260.exe 4364 428286.exe 5108 082084.exe 912 0842048.exe 4868 1ntntt.exe 2900 06466.exe 4472 dvdvj.exe 3336 28482.exe 2104 vvpjd.exe 540 u686262.exe 536 608606.exe 4336 4840882.exe 4580 062664.exe 3512 862866.exe 1388 k46466.exe 2568 lxxrlll.exe 4112 jjvpp.exe 5112 5jpjj.exe 1496 ffrrlfx.exe 4308 1lfrlrl.exe 2928 jvjdv.exe 1944 06482.exe 1728 26004.exe 872 680062.exe 4896 1ffxrlf.exe 2272 8804882.exe 4600 lfxrlfx.exe 2620 hnnbtn.exe 4272 ppvvv.exe 4932 8842640.exe 60 622044.exe 1576 2808442.exe 2920 e86480.exe -
resource yara_rule behavioral2/memory/2016-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4796-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-321-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1216-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-586-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6448266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4300 wrote to memory of 2016 4300 a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe 83 PID 4300 wrote to memory of 2016 4300 a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe 83 PID 4300 wrote to memory of 2016 4300 a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe 83 PID 2016 wrote to memory of 848 2016 824822.exe 84 PID 2016 wrote to memory of 848 2016 824822.exe 84 PID 2016 wrote to memory of 848 2016 824822.exe 84 PID 848 wrote to memory of 3868 848 vjjjd.exe 85 PID 848 wrote to memory of 3868 848 vjjjd.exe 85 PID 848 wrote to memory of 3868 848 vjjjd.exe 85 PID 3868 wrote to memory of 2376 3868 648826.exe 86 PID 3868 wrote to memory of 2376 3868 648826.exe 86 PID 3868 wrote to memory of 2376 3868 648826.exe 86 PID 2376 wrote to memory of 5008 2376 4606222.exe 87 PID 2376 wrote to memory of 5008 2376 4606222.exe 87 PID 2376 wrote to memory of 5008 2376 4606222.exe 87 PID 5008 wrote to memory of 2976 5008 pddvp.exe 88 PID 5008 wrote to memory of 2976 5008 pddvp.exe 88 PID 5008 wrote to memory of 2976 5008 pddvp.exe 88 PID 2976 wrote to memory of 2860 2976 xxlfxxr.exe 89 PID 2976 wrote to memory of 2860 2976 xxlfxxr.exe 89 PID 2976 wrote to memory of 2860 2976 xxlfxxr.exe 89 PID 2860 wrote to memory of 2316 2860 tbhbtt.exe 90 PID 2860 wrote to memory of 2316 2860 tbhbtt.exe 90 PID 2860 wrote to memory of 2316 2860 tbhbtt.exe 90 PID 2316 wrote to memory of 3884 2316 7vdjd.exe 91 PID 2316 wrote to memory of 3884 2316 7vdjd.exe 91 PID 2316 wrote to memory of 3884 2316 7vdjd.exe 91 PID 3884 wrote to memory of 1272 3884 20286.exe 92 PID 3884 wrote to memory of 1272 3884 20286.exe 92 PID 3884 wrote to memory of 1272 3884 20286.exe 92 PID 1272 wrote to memory of 4272 1272 3nnhnh.exe 93 PID 1272 wrote to memory of 4272 1272 3nnhnh.exe 93 PID 1272 wrote to memory of 4272 1272 3nnhnh.exe 93 PID 4272 wrote to memory of 3400 4272 u806048.exe 94 PID 4272 wrote to memory of 3400 
4272 u806048.exe 94 PID 4272 wrote to memory of 3400 4272 u806048.exe 94 PID 3400 wrote to memory of 4076 3400 nbnhtt.exe 95 PID 3400 wrote to memory of 4076 3400 nbnhtt.exe 95 PID 3400 wrote to memory of 4076 3400 nbnhtt.exe 95 PID 4076 wrote to memory of 3524 4076 xflfrfl.exe 96 PID 4076 wrote to memory of 3524 4076 xflfrfl.exe 96 PID 4076 wrote to memory of 3524 4076 xflfrfl.exe 96 PID 3524 wrote to memory of 4608 3524 rxflxrf.exe 97 PID 3524 wrote to memory of 4608 3524 rxflxrf.exe 97 PID 3524 wrote to memory of 4608 3524 rxflxrf.exe 97 PID 4608 wrote to memory of 5040 4608 44262.exe 98 PID 4608 wrote to memory of 5040 4608 44262.exe 98 PID 4608 wrote to memory of 5040 4608 44262.exe 98 PID 5040 wrote to memory of 1060 5040 86440.exe 99 PID 5040 wrote to memory of 1060 5040 86440.exe 99 PID 5040 wrote to memory of 1060 5040 86440.exe 99 PID 1060 wrote to memory of 4876 1060 a8422.exe 100 PID 1060 wrote to memory of 4876 1060 a8422.exe 100 PID 1060 wrote to memory of 4876 1060 a8422.exe 100 PID 4876 wrote to memory of 3068 4876 fxrlxrf.exe 101 PID 4876 wrote to memory of 3068 4876 fxrlxrf.exe 101 PID 4876 wrote to memory of 3068 4876 fxrlxrf.exe 101 PID 3068 wrote to memory of 3380 3068 w00660.exe 102 PID 3068 wrote to memory of 3380 3068 w00660.exe 102 PID 3068 wrote to memory of 3380 3068 w00660.exe 102 PID 3380 wrote to memory of 2496 3380 20082.exe 103 PID 3380 wrote to memory of 2496 3380 20082.exe 103 PID 3380 wrote to memory of 2496 3380 20082.exe 103 PID 2496 wrote to memory of 4524 2496 9jjdp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe"C:\Users\Admin\AppData\Local\Temp\a27e4fb4a4b822d163b2771b12c1411d7c82adbdb860b45b6c5965dceff0aeb2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\824822.exec:\824822.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\vjjjd.exec:\vjjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
\??\c:\648826.exec:\648826.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\4606222.exec:\4606222.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\pddvp.exec:\pddvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\xxlfxxr.exec:\xxlfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\tbhbtt.exec:\tbhbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\7vdjd.exec:\7vdjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\20286.exec:\20286.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\3nnhnh.exec:\3nnhnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\u806048.exec:\u806048.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\nbnhtt.exec:\nbnhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\xflfrfl.exec:\xflfrfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\rxflxrf.exec:\rxflxrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\44262.exec:\44262.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\86440.exec:\86440.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\a8422.exec:\a8422.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\fxrlxrf.exec:\fxrlxrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\w00660.exec:\w00660.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\20082.exec:\20082.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\9jjdp.exec:\9jjdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\a6820.exec:\a6820.exe23⤵
- Executes dropped EXE
PID:4524 -
\??\c:\nbhbnn.exec:\nbhbnn.exe24⤵
- Executes dropped EXE
PID:3500 -
\??\c:\0860260.exec:\0860260.exe25⤵
- Executes dropped EXE
PID:4796 -
\??\c:\dvvjv.exec:\dvvjv.exe26⤵
- Executes dropped EXE
PID:1084 -
\??\c:\26828.exec:\26828.exe27⤵
- Executes dropped EXE
PID:3136 -
\??\c:\fxffffx.exec:\fxffffx.exe28⤵
- Executes dropped EXE
PID:2776 -
\??\c:\28662.exec:\28662.exe29⤵
- Executes dropped EXE
PID:2744 -
\??\c:\dvjpd.exec:\dvjpd.exe30⤵
- Executes dropped EXE
PID:3948 -
\??\c:\jvvpd.exec:\jvvpd.exe31⤵
- Executes dropped EXE
PID:1920 -
\??\c:\nbbtnh.exec:\nbbtnh.exe32⤵
- Executes dropped EXE
PID:4844 -
\??\c:\2282260.exec:\2282260.exe33⤵
- Executes dropped EXE
PID:800 -
\??\c:\428286.exec:\428286.exe34⤵
- Executes dropped EXE
PID:4364 -
\??\c:\082084.exec:\082084.exe35⤵
- Executes dropped EXE
PID:5108 -
\??\c:\0842048.exec:\0842048.exe36⤵
- Executes dropped EXE
PID:912 -
\??\c:\1ntntt.exec:\1ntntt.exe37⤵
- Executes dropped EXE
PID:4868 -
\??\c:\06466.exec:\06466.exe38⤵
- Executes dropped EXE
PID:2900 -
\??\c:\dvdvj.exec:\dvdvj.exe39⤵
- Executes dropped EXE
PID:4472 -
\??\c:\28482.exec:\28482.exe40⤵
- Executes dropped EXE
PID:3336 -
\??\c:\vvpjd.exec:\vvpjd.exe41⤵
- Executes dropped EXE
PID:2104 -
\??\c:\u686262.exec:\u686262.exe42⤵
- Executes dropped EXE
PID:540 -
\??\c:\608606.exec:\608606.exe43⤵
- Executes dropped EXE
PID:536 -
\??\c:\4840882.exec:\4840882.exe44⤵
- Executes dropped EXE
PID:4336 -
\??\c:\062664.exec:\062664.exe45⤵
- Executes dropped EXE
PID:4580 -
\??\c:\862866.exec:\862866.exe46⤵
- Executes dropped EXE
PID:3512 -
\??\c:\k46466.exec:\k46466.exe47⤵
- Executes dropped EXE
PID:1388 -
\??\c:\lxxrlll.exec:\lxxrlll.exe48⤵
- Executes dropped EXE
PID:2568 -
\??\c:\jjvpp.exec:\jjvpp.exe49⤵
- Executes dropped EXE
PID:4112 -
\??\c:\5jpjj.exec:\5jpjj.exe50⤵
- Executes dropped EXE
PID:5112 -
\??\c:\ffrrlfx.exec:\ffrrlfx.exe51⤵
- Executes dropped EXE
PID:1496 -
\??\c:\1lfrlrl.exec:\1lfrlrl.exe52⤵
- Executes dropped EXE
PID:4308 -
\??\c:\jvjdv.exec:\jvjdv.exe53⤵
- Executes dropped EXE
PID:2928 -
\??\c:\06482.exec:\06482.exe54⤵
- Executes dropped EXE
PID:1944 -
\??\c:\26004.exec:\26004.exe55⤵
- Executes dropped EXE
PID:1728 -
\??\c:\680062.exec:\680062.exe56⤵
- Executes dropped EXE
PID:872 -
\??\c:\1ffxrlf.exec:\1ffxrlf.exe57⤵
- Executes dropped EXE
PID:4896 -
\??\c:\8804882.exec:\8804882.exe58⤵
- Executes dropped EXE
PID:2272 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe59⤵
- Executes dropped EXE
PID:4600 -
\??\c:\hnnbtn.exec:\hnnbtn.exe60⤵
- Executes dropped EXE
PID:2620 -
\??\c:\ppvvv.exec:\ppvvv.exe61⤵
- Executes dropped EXE
PID:4272 -
\??\c:\8842640.exec:\8842640.exe62⤵
- Executes dropped EXE
PID:4932 -
\??\c:\622044.exec:\622044.exe63⤵
- Executes dropped EXE
PID:60 -
\??\c:\2808442.exec:\2808442.exe64⤵
- Executes dropped EXE
PID:1576 -
\??\c:\e86480.exec:\e86480.exe65⤵
- Executes dropped EXE
PID:2920 -
\??\c:\ddppj.exec:\ddppj.exe66⤵PID:5036
-
\??\c:\rlrlxrx.exec:\rlrlxrx.exe67⤵PID:1684
-
\??\c:\662600.exec:\662600.exe68⤵PID:4960
-
\??\c:\6626482.exec:\6626482.exe69⤵PID:1476
-
\??\c:\nthbtt.exec:\nthbtt.exe70⤵PID:2044
-
\??\c:\600060.exec:\600060.exe71⤵PID:1852
-
\??\c:\u408822.exec:\u408822.exe72⤵PID:2412
-
\??\c:\2842608.exec:\2842608.exe73⤵PID:1216
-
\??\c:\m8044.exec:\m8044.exe74⤵PID:2000
-
\??\c:\lxlllfl.exec:\lxlllfl.exe75⤵PID:2780
-
\??\c:\24604.exec:\24604.exe76⤵PID:1860
-
\??\c:\868660.exec:\868660.exe77⤵PID:1720
-
\??\c:\9nbbhh.exec:\9nbbhh.exe78⤵PID:624
-
\??\c:\6662004.exec:\6662004.exe79⤵PID:3012
-
\??\c:\vjjdv.exec:\vjjdv.exe80⤵PID:1696
-
\??\c:\2086262.exec:\2086262.exe81⤵PID:932
-
\??\c:\3nbbtn.exec:\3nbbtn.exe82⤵PID:2092
-
\??\c:\8204006.exec:\8204006.exe83⤵PID:2776
-
\??\c:\rllxxrl.exec:\rllxxrl.exe84⤵PID:2052
-
\??\c:\062260.exec:\062260.exe85⤵PID:5092
-
\??\c:\dvjvj.exec:\dvjvj.exe86⤵PID:4912
-
\??\c:\486482.exec:\486482.exe87⤵PID:1920
-
\??\c:\3nntnh.exec:\3nntnh.exe88⤵PID:3164
-
\??\c:\240488.exec:\240488.exe89⤵PID:2180
-
\??\c:\pdpjj.exec:\pdpjj.exe90⤵PID:1772
-
\??\c:\86204.exec:\86204.exe91⤵
- System Location Discovery: System Language Discovery
PID:5080 -
\??\c:\hhhbbt.exec:\hhhbbt.exe92⤵PID:5064
-
\??\c:\nbbbtn.exec:\nbbbtn.exe93⤵PID:4236
-
\??\c:\04206.exec:\04206.exe94⤵PID:3492
-
\??\c:\44044.exec:\44044.exe95⤵PID:3588
-
\??\c:\i804480.exec:\i804480.exe96⤵PID:2208
-
\??\c:\lfxxrxr.exec:\lfxxrxr.exe97⤵PID:1200
-
\??\c:\6086262.exec:\6086262.exe98⤵PID:3436
-
\??\c:\6642228.exec:\6642228.exe99⤵PID:4376
-
\??\c:\0022226.exec:\0022226.exe100⤵PID:4372
-
\??\c:\rlrxrfx.exec:\rlrxrfx.exe101⤵PID:2156
-
\??\c:\66826.exec:\66826.exe102⤵PID:2820
-
\??\c:\ntnhtt.exec:\ntnhtt.exe103⤵PID:4784
-
\??\c:\8840802.exec:\8840802.exe104⤵PID:4592
-
\??\c:\0462884.exec:\0462884.exe105⤵PID:4008
-
\??\c:\7ppdp.exec:\7ppdp.exe106⤵PID:4872
-
\??\c:\xffrfxr.exec:\xffrfxr.exe107⤵PID:4392
-
\??\c:\g8608.exec:\g8608.exe108⤵PID:2116
-
\??\c:\244448.exec:\244448.exe109⤵PID:4016
-
\??\c:\8428600.exec:\8428600.exe110⤵PID:3000
-
\??\c:\1hbthb.exec:\1hbthb.exe111⤵PID:3288
-
\??\c:\rfrlrrx.exec:\rfrlrrx.exe112⤵PID:2848
-
\??\c:\nhnhbb.exec:\nhnhbb.exe113⤵PID:4676
-
\??\c:\w66082.exec:\w66082.exe114⤵PID:3028
-
\??\c:\5llxllx.exec:\5llxllx.exe115⤵PID:2896
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe116⤵PID:2740
-
\??\c:\bttnhh.exec:\bttnhh.exe117⤵PID:3100
-
\??\c:\g6486.exec:\g6486.exe118⤵PID:4140
-
\??\c:\xrxrrrr.exec:\xrxrrrr.exe119⤵PID:4444
-
\??\c:\nbhbhb.exec:\nbhbhb.exe120⤵PID:936
-
\??\c:\86008.exec:\86008.exe121⤵PID:2472
-
\??\c:\22826.exec:\22826.exe122⤵PID:4932
-