Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 00:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe
-
Size
456KB
-
MD5
96b5302905713cbc556dba40b2724fd6
-
SHA1
059cb0172902c0c0aa6bd56642b8d1003d36ec46
-
SHA256
ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8
-
SHA512
d6130a9c5496181423b107f6177695ee1fbc0e7625d2c811de46da75f094bec476e14962137240e1e12b4dd010f37f4d8b9bbe1c987b05db2ae6dc3bf89a5403
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRg:q7Tc2NYHUrAwfMp3CDRg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3484-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4440-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1780-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/784-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-1080-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-1252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-1473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-1529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4768 vvpvj.exe 2844 64622.exe 532 2066240.exe 2408 g8644.exe 4560 4844066.exe 1072 lrrrrxx.exe 3092 xxrrrll.exe 4012 602846.exe 4192 2684000.exe 3244 jddvp.exe 4504 64220.exe 116 rlxrxxx.exe 3848 ppdpd.exe 2940 djdpv.exe 5112 tbbthh.exe 4856 jjvpp.exe 1988 40266.exe 4528 4862868.exe 2892 vpdvv.exe 1920 82882.exe 1992 dvjdd.exe 1504 tnhhbt.exe 1244 g4086.exe 2508 1hbttt.exe 4440 0800602.exe 1272 bnnhtt.exe 2332 bbnbhh.exe 3328 lxxrffx.exe 2988 20260.exe 4264 7nthbt.exe 2840 lffrlfx.exe 1544 60264.exe 3860 nthbhb.exe 4984 8266482.exe 2240 4266084.exe 3892 48860.exe 3364 o608608.exe 4484 64282.exe 1904 s2262.exe 3360 0604826.exe 780 xflfxrl.exe 4408 06208.exe 3320 080004.exe 448 22820.exe 1280 lxlfxrf.exe 4016 bnhtnh.exe 2200 88800.exe 4308 204088.exe 4672 nnhthb.exe 5080 628640.exe 4904 426480.exe 4740 hhnhbt.exe 4700 frxlq42.exe 1732 426262.exe 2944 8842642.exe 3904 66866.exe 2740 tntnht.exe 1840 2826482.exe 4772 nnnbnb.exe 2004 vjdpd.exe 3148 bnnbth.exe 4192 2828884.exe 1208 k68860.exe 2236 4862020.exe -
resource yara_rule behavioral2/memory/3484-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-127-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1504-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-322-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1856-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/784-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-617-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 800860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfxrrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0604826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2404482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u208882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3484 wrote to memory of 4768 3484 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 83 PID 3484 wrote to memory of 4768 3484 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 83 PID 3484 wrote to memory of 4768 3484 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 83 PID 4768 wrote to memory of 2844 4768 vvpvj.exe 84 PID 4768 wrote to memory of 2844 4768 vvpvj.exe 84 PID 4768 wrote to memory of 2844 4768 vvpvj.exe 84 PID 2844 wrote to memory of 532 2844 64622.exe 85 PID 2844 wrote to memory of 532 2844 64622.exe 85 PID 2844 wrote to memory of 532 2844 64622.exe 85 PID 532 wrote to memory of 2408 532 2066240.exe 86 PID 532 wrote to memory of 2408 532 2066240.exe 86 PID 532 wrote to memory of 2408 532 2066240.exe 86 PID 2408 wrote to memory of 4560 2408 g8644.exe 87 PID 2408 wrote to memory of 4560 2408 g8644.exe 87 PID 2408 wrote to memory of 4560 2408 g8644.exe 87 PID 4560 wrote to memory of 1072 4560 4844066.exe 88 PID 4560 wrote to memory of 1072 4560 4844066.exe 88 PID 4560 wrote to memory of 1072 4560 4844066.exe 88 PID 1072 wrote to memory of 3092 1072 lrrrrxx.exe 89 PID 1072 wrote to memory of 3092 1072 lrrrrxx.exe 89 PID 1072 wrote to memory of 3092 1072 lrrrrxx.exe 89 PID 3092 wrote to memory of 4012 3092 xxrrrll.exe 90 PID 3092 wrote to memory of 4012 3092 xxrrrll.exe 90 PID 3092 wrote to memory of 4012 3092 xxrrrll.exe 90 PID 4012 wrote to memory of 4192 4012 602846.exe 91 PID 4012 wrote to memory of 4192 4012 602846.exe 91 PID 4012 wrote to memory of 4192 4012 602846.exe 91 PID 4192 wrote to memory of 3244 4192 2684000.exe 92 PID 4192 wrote to memory of 3244 4192 2684000.exe 92 PID 4192 wrote to memory of 3244 4192 2684000.exe 92 PID 3244 wrote to memory of 4504 3244 jddvp.exe 93 PID 3244 wrote to memory of 4504 3244 jddvp.exe 93 PID 3244 wrote to memory of 4504 3244 jddvp.exe 93 PID 4504 wrote to memory of 116 4504 64220.exe 94 PID 4504 wrote to memory of 
116 4504 64220.exe 94 PID 4504 wrote to memory of 116 4504 64220.exe 94 PID 116 wrote to memory of 3848 116 rlxrxxx.exe 95 PID 116 wrote to memory of 3848 116 rlxrxxx.exe 95 PID 116 wrote to memory of 3848 116 rlxrxxx.exe 95 PID 3848 wrote to memory of 2940 3848 ppdpd.exe 96 PID 3848 wrote to memory of 2940 3848 ppdpd.exe 96 PID 3848 wrote to memory of 2940 3848 ppdpd.exe 96 PID 2940 wrote to memory of 5112 2940 djdpv.exe 97 PID 2940 wrote to memory of 5112 2940 djdpv.exe 97 PID 2940 wrote to memory of 5112 2940 djdpv.exe 97 PID 5112 wrote to memory of 4856 5112 tbbthh.exe 98 PID 5112 wrote to memory of 4856 5112 tbbthh.exe 98 PID 5112 wrote to memory of 4856 5112 tbbthh.exe 98 PID 4856 wrote to memory of 1988 4856 jjvpp.exe 99 PID 4856 wrote to memory of 1988 4856 jjvpp.exe 99 PID 4856 wrote to memory of 1988 4856 jjvpp.exe 99 PID 1988 wrote to memory of 4528 1988 40266.exe 100 PID 1988 wrote to memory of 4528 1988 40266.exe 100 PID 1988 wrote to memory of 4528 1988 40266.exe 100 PID 4528 wrote to memory of 2892 4528 4862868.exe 101 PID 4528 wrote to memory of 2892 4528 4862868.exe 101 PID 4528 wrote to memory of 2892 4528 4862868.exe 101 PID 2892 wrote to memory of 1920 2892 vpdvv.exe 102 PID 2892 wrote to memory of 1920 2892 vpdvv.exe 102 PID 2892 wrote to memory of 1920 2892 vpdvv.exe 102 PID 1920 wrote to memory of 1992 1920 82882.exe 103 PID 1920 wrote to memory of 1992 1920 82882.exe 103 PID 1920 wrote to memory of 1992 1920 82882.exe 103 PID 1992 wrote to memory of 1504 1992 dvjdd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe"C:\Users\Admin\AppData\Local\Temp\ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\vvpvj.exec:\vvpvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\64622.exec:\64622.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\2066240.exec:\2066240.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\g8644.exec:\g8644.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\4844066.exec:\4844066.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\lrrrrxx.exec:\lrrrrxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\xxrrrll.exec:\xxrrrll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\602846.exec:\602846.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\2684000.exec:\2684000.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\jddvp.exec:\jddvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\64220.exec:\64220.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\rlxrxxx.exec:\rlxrxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\ppdpd.exec:\ppdpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\djdpv.exec:\djdpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\tbbthh.exec:\tbbthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\jjvpp.exec:\jjvpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\40266.exec:\40266.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\4862868.exec:\4862868.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\vpdvv.exec:\vpdvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\82882.exec:\82882.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\dvjdd.exec:\dvjdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\tnhhbt.exec:\tnhhbt.exe23⤵
- Executes dropped EXE
PID:1504 -
\??\c:\g4086.exec:\g4086.exe24⤵
- Executes dropped EXE
PID:1244 -
\??\c:\1hbttt.exec:\1hbttt.exe25⤵
- Executes dropped EXE
PID:2508 -
\??\c:\0800602.exec:\0800602.exe26⤵
- Executes dropped EXE
PID:4440 -
\??\c:\bnnhtt.exec:\bnnhtt.exe27⤵
- Executes dropped EXE
PID:1272 -
\??\c:\bbnbhh.exec:\bbnbhh.exe28⤵
- Executes dropped EXE
PID:2332 -
\??\c:\lxxrffx.exec:\lxxrffx.exe29⤵
- Executes dropped EXE
PID:3328 -
\??\c:\20260.exec:\20260.exe30⤵
- Executes dropped EXE
PID:2988 -
\??\c:\7nthbt.exec:\7nthbt.exe31⤵
- Executes dropped EXE
PID:4264 -
\??\c:\lffrlfx.exec:\lffrlfx.exe32⤵
- Executes dropped EXE
PID:2840 -
\??\c:\60264.exec:\60264.exe33⤵
- Executes dropped EXE
PID:1544 -
\??\c:\nthbhb.exec:\nthbhb.exe34⤵
- Executes dropped EXE
PID:3860 -
\??\c:\8266482.exec:\8266482.exe35⤵
- Executes dropped EXE
PID:4984 -
\??\c:\4266084.exec:\4266084.exe36⤵
- Executes dropped EXE
PID:2240 -
\??\c:\48860.exec:\48860.exe37⤵
- Executes dropped EXE
PID:3892 -
\??\c:\o608608.exec:\o608608.exe38⤵
- Executes dropped EXE
PID:3364 -
\??\c:\64282.exec:\64282.exe39⤵
- Executes dropped EXE
PID:4484 -
\??\c:\s2262.exec:\s2262.exe40⤵
- Executes dropped EXE
PID:1904 -
\??\c:\0604826.exec:\0604826.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3360 -
\??\c:\xflfxrl.exec:\xflfxrl.exe42⤵
- Executes dropped EXE
PID:780 -
\??\c:\06208.exec:\06208.exe43⤵
- Executes dropped EXE
PID:4408 -
\??\c:\080004.exec:\080004.exe44⤵
- Executes dropped EXE
PID:3320 -
\??\c:\22820.exec:\22820.exe45⤵
- Executes dropped EXE
PID:448 -
\??\c:\lxlfxrf.exec:\lxlfxrf.exe46⤵
- Executes dropped EXE
PID:1280 -
\??\c:\bnhtnh.exec:\bnhtnh.exe47⤵
- Executes dropped EXE
PID:4016 -
\??\c:\88800.exec:\88800.exe48⤵
- Executes dropped EXE
PID:2200 -
\??\c:\204088.exec:\204088.exe49⤵
- Executes dropped EXE
PID:4308 -
\??\c:\nnhthb.exec:\nnhthb.exe50⤵
- Executes dropped EXE
PID:4672 -
\??\c:\628640.exec:\628640.exe51⤵
- Executes dropped EXE
PID:5080 -
\??\c:\426480.exec:\426480.exe52⤵
- Executes dropped EXE
PID:4904 -
\??\c:\hhnhbt.exec:\hhnhbt.exe53⤵
- Executes dropped EXE
PID:4740 -
\??\c:\frxlq42.exec:\frxlq42.exe54⤵
- Executes dropped EXE
PID:4700 -
\??\c:\426262.exec:\426262.exe55⤵
- Executes dropped EXE
PID:1732 -
\??\c:\8842642.exec:\8842642.exe56⤵
- Executes dropped EXE
PID:2944 -
\??\c:\66866.exec:\66866.exe57⤵
- Executes dropped EXE
PID:3904 -
\??\c:\tntnht.exec:\tntnht.exe58⤵
- Executes dropped EXE
PID:2740 -
\??\c:\2826482.exec:\2826482.exe59⤵
- Executes dropped EXE
PID:1840 -
\??\c:\nnnbnb.exec:\nnnbnb.exe60⤵
- Executes dropped EXE
PID:4772 -
\??\c:\vjdpd.exec:\vjdpd.exe61⤵
- Executes dropped EXE
PID:2004 -
\??\c:\bnnbth.exec:\bnnbth.exe62⤵
- Executes dropped EXE
PID:3148 -
\??\c:\2828884.exec:\2828884.exe63⤵
- Executes dropped EXE
PID:4192 -
\??\c:\k68860.exec:\k68860.exe64⤵
- Executes dropped EXE
PID:1208 -
\??\c:\4862020.exec:\4862020.exe65⤵
- Executes dropped EXE
PID:2236 -
\??\c:\nnnhnn.exec:\nnnhnn.exe66⤵PID:3592
-
\??\c:\208220.exec:\208220.exe67⤵PID:116
-
\??\c:\40244.exec:\40244.exe68⤵PID:3996
-
\??\c:\rxfrfxr.exec:\rxfrfxr.exe69⤵PID:1616
-
\??\c:\406420.exec:\406420.exe70⤵PID:4472
-
\??\c:\0226048.exec:\0226048.exe71⤵PID:1780
-
\??\c:\2024422.exec:\2024422.exe72⤵PID:1552
-
\??\c:\rrxflxl.exec:\rrxflxl.exe73⤵PID:1856
-
\??\c:\86644.exec:\86644.exe74⤵PID:4528
-
\??\c:\m2422.exec:\m2422.exe75⤵PID:2892
-
\??\c:\vjdpd.exec:\vjdpd.exe76⤵PID:2960
-
\??\c:\424426.exec:\424426.exe77⤵PID:4684
-
\??\c:\jpvpp.exec:\jpvpp.exe78⤵PID:2468
-
\??\c:\jjppv.exec:\jjppv.exe79⤵PID:1264
-
\??\c:\2888642.exec:\2888642.exe80⤵PID:2460
-
\??\c:\s4486.exec:\s4486.exe81⤵PID:4244
-
\??\c:\86042.exec:\86042.exe82⤵PID:3160
-
\??\c:\9fxrffr.exec:\9fxrffr.exe83⤵PID:4224
-
\??\c:\822644.exec:\822644.exe84⤵PID:784
-
\??\c:\jjpjd.exec:\jjpjd.exe85⤵PID:5048
-
\??\c:\8622086.exec:\8622086.exe86⤵PID:4960
-
\??\c:\8462242.exec:\8462242.exe87⤵PID:4940
-
\??\c:\5lxlxlr.exec:\5lxlxlr.exe88⤵PID:900
-
\??\c:\244860.exec:\244860.exe89⤵PID:1308
-
\??\c:\4244666.exec:\4244666.exe90⤵PID:3656
-
\??\c:\jvvjv.exec:\jvvjv.exe91⤵PID:1232
-
\??\c:\20482.exec:\20482.exe92⤵PID:1620
-
\??\c:\hnthth.exec:\hnthth.exe93⤵PID:4808
-
\??\c:\pddvj.exec:\pddvj.exe94⤵PID:1544
-
\??\c:\ppdpj.exec:\ppdpj.exe95⤵PID:3860
-
\??\c:\tbnbnh.exec:\tbnbnh.exe96⤵PID:2976
-
\??\c:\044860.exec:\044860.exe97⤵PID:1392
-
\??\c:\nbtttb.exec:\nbtttb.exe98⤵PID:2452
-
\??\c:\860860.exec:\860860.exe99⤵PID:5060
-
\??\c:\hbhbnh.exec:\hbhbnh.exe100⤵PID:1788
-
\??\c:\fxrrfll.exec:\fxrrfll.exe101⤵PID:2900
-
\??\c:\pvvjv.exec:\pvvjv.exe102⤵PID:1292
-
\??\c:\6442648.exec:\6442648.exe103⤵PID:1464
-
\??\c:\6446488.exec:\6446488.exe104⤵PID:3432
-
\??\c:\8844226.exec:\8844226.exe105⤵PID:3320
-
\??\c:\jdjpd.exec:\jdjpd.exe106⤵PID:3932
-
\??\c:\24666.exec:\24666.exe107⤵PID:1628
-
\??\c:\pjdvv.exec:\pjdvv.exe108⤵PID:2328
-
\??\c:\66008.exec:\66008.exe109⤵PID:4300
-
\??\c:\42488.exec:\42488.exe110⤵PID:3008
-
\??\c:\42808.exec:\42808.exe111⤵PID:4712
-
\??\c:\e28226.exec:\e28226.exe112⤵PID:2672
-
\??\c:\9nthnh.exec:\9nthnh.exe113⤵PID:4108
-
\??\c:\pjvjj.exec:\pjvjj.exe114⤵PID:4904
-
\??\c:\xrxrxxx.exec:\xrxrxxx.exe115⤵PID:4740
-
\??\c:\1llxrrl.exec:\1llxrrl.exe116⤵PID:4700
-
\??\c:\9rfrfxl.exec:\9rfrfxl.exe117⤵PID:4628
-
\??\c:\vjdvj.exec:\vjdvj.exe118⤵PID:3392
-
\??\c:\42608.exec:\42608.exe119⤵PID:3604
-
\??\c:\02264.exec:\02264.exe120⤵PID:4432
-
\??\c:\bnthbb.exec:\bnthbb.exe121⤵PID:1140
-
\??\c:\3ppdd.exec:\3ppdd.exe122⤵PID:3256