Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
25/12/2024, 22:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe
-
Size
456KB
-
MD5
2f5a81ff4be3901a96c9ee57ca57ee1f
-
SHA1
98edefc1d7ec94393f4e4427f9396ce7d50261f5
-
SHA256
104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca
-
SHA512
4229b7fb9e0c9469bcb75dbafaa2fd5dbd7ef0df69ea774fdb60cfbedb15b1afa2a66cd3bd52a41f6e8df0aba641281497c66a939c328a231488cdd02eec095f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR2:q7Tc2NYHUrAwfMp3CDR2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4552-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4364-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2648-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-950-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-1357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-1690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-1897-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 556 0626600.exe 4356 xfllffx.exe 4272 vpdvd.exe 4580 thnhbb.exe 1560 rrflxrf.exe 3620 vjvvp.exe 4940 8248480.exe 4684 82008.exe 4412 jvdvd.exe 2248 3ffxrrl.exe 2952 4626448.exe 4076 xxrrxxl.exe 4048 bbnnnt.exe 2272 pvdjd.exe 5096 fllxllf.exe 4532 hnnnhh.exe 4180 nbhnnh.exe 4836 c886044.exe 5056 bhhhbb.exe 2368 hhhbbh.exe 2388 bnbtnt.exe 4964 htnbht.exe 5112 4044422.exe 4908 bbtntt.exe 4012 jdvpj.exe 920 c682000.exe 2844 2626622.exe 1768 frfxxrr.exe 3148 hnbnbn.exe 3728 2600044.exe 4832 0622642.exe 1120 tnttnn.exe 3116 btbbhb.exe 4588 0626622.exe 916 64848.exe 1348 vdvdd.exe 3000 vpdpj.exe 2876 pppjv.exe 4364 o008866.exe 4472 3nnbtb.exe 4432 28688.exe 1408 28208.exe 1952 6266482.exe 4356 4204208.exe 1724 k40604.exe 2576 222642.exe 2928 c286082.exe 3692 ffxxxxr.exe 4852 086482.exe 3676 k40404.exe 3492 2226048.exe 3996 8640000.exe 3548 6448882.exe 440 fxxfxrl.exe 4412 2882048.exe 3476 4226482.exe 2812 640482.exe 2952 bnnbhb.exe 2372 ddjjd.exe 2648 424644.exe 3276 rffrfxr.exe 2272 xflfxfr.exe 732 fflxrlf.exe 5012 jdvpd.exe -
resource yara_rule behavioral2/memory/4552-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-211-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2876-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-287-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2648-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-718-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e60428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8220820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 808048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2060604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2084222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 848260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i620042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4428462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c246266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u064606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6482026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0220820.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4552 wrote to memory of 556 4552 104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe 83 PID 4552 wrote to memory of 556 4552 104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe 83 PID 4552 wrote to memory of 556 4552 104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe 83 PID 556 wrote to memory of 4356 556 0626600.exe 126 PID 556 wrote to memory of 4356 556 0626600.exe 126 PID 556 wrote to memory of 4356 556 0626600.exe 126 PID 4356 wrote to memory of 4272 4356 xfllffx.exe 85 PID 4356 wrote to memory of 4272 4356 xfllffx.exe 85 PID 4356 wrote to memory of 4272 4356 xfllffx.exe 85 PID 4272 wrote to memory of 4580 4272 vpdvd.exe 86 PID 4272 wrote to memory of 4580 4272 vpdvd.exe 86 PID 4272 wrote to memory of 4580 4272 vpdvd.exe 86 PID 4580 wrote to memory of 1560 4580 thnhbb.exe 87 PID 4580 wrote to memory of 1560 4580 thnhbb.exe 87 PID 4580 wrote to memory of 1560 4580 thnhbb.exe 87 PID 1560 wrote to memory of 3620 1560 rrflxrf.exe 88 PID 1560 wrote to memory of 3620 1560 rrflxrf.exe 88 PID 1560 wrote to memory of 3620 1560 rrflxrf.exe 88 PID 3620 wrote to memory of 4940 3620 vjvvp.exe 89 PID 3620 wrote to memory of 4940 3620 vjvvp.exe 89 PID 3620 wrote to memory of 4940 3620 vjvvp.exe 89 PID 4940 wrote to memory of 4684 4940 8248480.exe 90 PID 4940 wrote to memory of 4684 4940 8248480.exe 90 PID 4940 wrote to memory of 4684 4940 8248480.exe 90 PID 4684 wrote to memory of 4412 4684 82008.exe 320 PID 4684 wrote to memory of 4412 4684 82008.exe 320 PID 4684 wrote to memory of 4412 4684 82008.exe 320 PID 4412 wrote to memory of 2248 4412 jvdvd.exe 92 PID 4412 wrote to memory of 2248 4412 jvdvd.exe 92 PID 4412 wrote to memory of 2248 4412 jvdvd.exe 92 PID 2248 wrote to memory of 2952 2248 3ffxrrl.exe 140 PID 2248 wrote to memory of 2952 2248 3ffxrrl.exe 140 PID 2248 wrote to memory of 2952 2248 3ffxrrl.exe 140 PID 2952 wrote to memory of 4076 2952 4626448.exe 259 PID 2952 wrote 
to memory of 4076 2952 4626448.exe 259 PID 2952 wrote to memory of 4076 2952 4626448.exe 259 PID 4076 wrote to memory of 4048 4076 xxrrxxl.exe 95 PID 4076 wrote to memory of 4048 4076 xxrrxxl.exe 95 PID 4076 wrote to memory of 4048 4076 xxrrxxl.exe 95 PID 4048 wrote to memory of 2272 4048 bbnnnt.exe 263 PID 4048 wrote to memory of 2272 4048 bbnnnt.exe 263 PID 4048 wrote to memory of 2272 4048 bbnnnt.exe 263 PID 2272 wrote to memory of 5096 2272 pvdjd.exe 262 PID 2272 wrote to memory of 5096 2272 pvdjd.exe 262 PID 2272 wrote to memory of 5096 2272 pvdjd.exe 262 PID 5096 wrote to memory of 4532 5096 fllxllf.exe 98 PID 5096 wrote to memory of 4532 5096 fllxllf.exe 98 PID 5096 wrote to memory of 4532 5096 fllxllf.exe 98 PID 4532 wrote to memory of 4180 4532 hnnnhh.exe 99 PID 4532 wrote to memory of 4180 4532 hnnnhh.exe 99 PID 4532 wrote to memory of 4180 4532 hnnnhh.exe 99 PID 4180 wrote to memory of 4836 4180 nbhnnh.exe 100 PID 4180 wrote to memory of 4836 4180 nbhnnh.exe 100 PID 4180 wrote to memory of 4836 4180 nbhnnh.exe 100 PID 4836 wrote to memory of 5056 4836 c886044.exe 332 PID 4836 wrote to memory of 5056 4836 c886044.exe 332 PID 4836 wrote to memory of 5056 4836 c886044.exe 332 PID 5056 wrote to memory of 2368 5056 bhhhbb.exe 102 PID 5056 wrote to memory of 2368 5056 bhhhbb.exe 102 PID 5056 wrote to memory of 2368 5056 bhhhbb.exe 102 PID 2368 wrote to memory of 2388 2368 hhhbbh.exe 336 PID 2368 wrote to memory of 2388 2368 hhhbbh.exe 336 PID 2368 wrote to memory of 2388 2368 hhhbbh.exe 336 PID 2388 wrote to memory of 4964 2388 bnbtnt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe"C:\Users\Admin\AppData\Local\Temp\104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\0626600.exec:\0626600.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\xfllffx.exec:\xfllffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\vpdvd.exec:\vpdvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\thnhbb.exec:\thnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\rrflxrf.exec:\rrflxrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\vjvvp.exec:\vjvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\8248480.exec:\8248480.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\82008.exec:\82008.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\jvdvd.exec:\jvdvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\3ffxrrl.exec:\3ffxrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\4626448.exec:\4626448.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\xxrrxxl.exec:\xxrrxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\bbnnnt.exec:\bbnnnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\pvdjd.exec:\pvdjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\fllxllf.exec:\fllxllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\hnnnhh.exec:\hnnnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\nbhnnh.exec:\nbhnnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\c886044.exec:\c886044.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\bhhhbb.exec:\bhhhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\hhhbbh.exec:\hhhbbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\bnbtnt.exec:\bnbtnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\htnbht.exec:\htnbht.exe23⤵
- Executes dropped EXE
PID:4964 -
\??\c:\4044422.exec:\4044422.exe24⤵
- Executes dropped EXE
PID:5112 -
\??\c:\bbtntt.exec:\bbtntt.exe25⤵
- Executes dropped EXE
PID:4908 -
\??\c:\jdvpj.exec:\jdvpj.exe26⤵
- Executes dropped EXE
PID:4012 -
\??\c:\c682000.exec:\c682000.exe27⤵
- Executes dropped EXE
PID:920 -
\??\c:\2626622.exec:\2626622.exe28⤵
- Executes dropped EXE
PID:2844 -
\??\c:\frfxxrr.exec:\frfxxrr.exe29⤵
- Executes dropped EXE
PID:1768 -
\??\c:\hnbnbn.exec:\hnbnbn.exe30⤵
- Executes dropped EXE
PID:3148 -
\??\c:\2600044.exec:\2600044.exe31⤵
- Executes dropped EXE
PID:3728 -
\??\c:\0622642.exec:\0622642.exe32⤵
- Executes dropped EXE
PID:4832 -
\??\c:\tnttnn.exec:\tnttnn.exe33⤵
- Executes dropped EXE
PID:1120 -
\??\c:\btbbhb.exec:\btbbhb.exe34⤵
- Executes dropped EXE
PID:3116 -
\??\c:\0626622.exec:\0626622.exe35⤵
- Executes dropped EXE
PID:4588 -
\??\c:\64848.exec:\64848.exe36⤵
- Executes dropped EXE
PID:916 -
\??\c:\vdvdd.exec:\vdvdd.exe37⤵
- Executes dropped EXE
PID:1348 -
\??\c:\vpdpj.exec:\vpdpj.exe38⤵
- Executes dropped EXE
PID:3000 -
\??\c:\pppjv.exec:\pppjv.exe39⤵
- Executes dropped EXE
PID:2876 -
\??\c:\o008866.exec:\o008866.exe40⤵
- Executes dropped EXE
PID:4364 -
\??\c:\3nnbtb.exec:\3nnbtb.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4472 -
\??\c:\28688.exec:\28688.exe42⤵
- Executes dropped EXE
PID:4432 -
\??\c:\28208.exec:\28208.exe43⤵
- Executes dropped EXE
PID:1408 -
\??\c:\6266482.exec:\6266482.exe44⤵
- Executes dropped EXE
PID:1952 -
\??\c:\4204208.exec:\4204208.exe45⤵
- Executes dropped EXE
PID:4356 -
\??\c:\k40604.exec:\k40604.exe46⤵
- Executes dropped EXE
PID:1724 -
\??\c:\222642.exec:\222642.exe47⤵
- Executes dropped EXE
PID:2576 -
\??\c:\c286082.exec:\c286082.exe48⤵
- Executes dropped EXE
PID:2928 -
\??\c:\ffxxxxr.exec:\ffxxxxr.exe49⤵
- Executes dropped EXE
PID:3692 -
\??\c:\086482.exec:\086482.exe50⤵
- Executes dropped EXE
PID:4852 -
\??\c:\k40404.exec:\k40404.exe51⤵
- Executes dropped EXE
PID:3676 -
\??\c:\2226048.exec:\2226048.exe52⤵
- Executes dropped EXE
PID:3492 -
\??\c:\8640000.exec:\8640000.exe53⤵
- Executes dropped EXE
PID:3996 -
\??\c:\6448882.exec:\6448882.exe54⤵
- Executes dropped EXE
PID:3548 -
\??\c:\fxxfxrl.exec:\fxxfxrl.exe55⤵
- Executes dropped EXE
PID:440 -
\??\c:\2882048.exec:\2882048.exe56⤵
- Executes dropped EXE
PID:4412 -
\??\c:\4226482.exec:\4226482.exe57⤵
- Executes dropped EXE
PID:3476 -
\??\c:\640482.exec:\640482.exe58⤵
- Executes dropped EXE
PID:2812 -
\??\c:\bnnbhb.exec:\bnnbhb.exe59⤵
- Executes dropped EXE
PID:2952 -
\??\c:\ddjjd.exec:\ddjjd.exe60⤵
- Executes dropped EXE
PID:2372 -
\??\c:\424644.exec:\424644.exe61⤵
- Executes dropped EXE
PID:2648 -
\??\c:\rffrfxr.exec:\rffrfxr.exe62⤵
- Executes dropped EXE
PID:3276 -
\??\c:\xflfxfr.exec:\xflfxfr.exe63⤵
- Executes dropped EXE
PID:2272 -
\??\c:\fflxrlf.exec:\fflxrlf.exe64⤵
- Executes dropped EXE
PID:732 -
\??\c:\jdvpd.exec:\jdvpd.exe65⤵
- Executes dropped EXE
PID:5012 -
\??\c:\dpjdp.exec:\dpjdp.exe66⤵PID:1344
-
\??\c:\08826.exec:\08826.exe67⤵PID:4116
-
\??\c:\rrffxxr.exec:\rrffxxr.exe68⤵PID:4512
-
\??\c:\42604.exec:\42604.exe69⤵PID:2940
-
\??\c:\1nnnhh.exec:\1nnnhh.exe70⤵PID:964
-
\??\c:\i442608.exec:\i442608.exe71⤵PID:3048
-
\??\c:\hbhthb.exec:\hbhthb.exe72⤵PID:4800
-
\??\c:\htnhtn.exec:\htnhtn.exe73⤵PID:2204
-
\??\c:\rfxlrlf.exec:\rfxlrlf.exe74⤵PID:4088
-
\??\c:\66260.exec:\66260.exe75⤵PID:1956
-
\??\c:\2064264.exec:\2064264.exe76⤵PID:940
-
\??\c:\m6208.exec:\m6208.exe77⤵PID:4904
-
\??\c:\8848080.exec:\8848080.exe78⤵PID:3256
-
\??\c:\lxxrlxr.exec:\lxxrlxr.exe79⤵PID:4496
-
\??\c:\ffffxxx.exec:\ffffxxx.exe80⤵PID:4832
-
\??\c:\80000.exec:\80000.exe81⤵PID:1120
-
\??\c:\48226.exec:\48226.exe82⤵PID:4920
-
\??\c:\6888222.exec:\6888222.exe83⤵PID:3868
-
\??\c:\vvdvv.exec:\vvdvv.exe84⤵PID:5052
-
\??\c:\60086.exec:\60086.exe85⤵PID:412
-
\??\c:\084882.exec:\084882.exe86⤵PID:3932
-
\??\c:\hbhbhh.exec:\hbhbhh.exe87⤵PID:1712
-
\??\c:\hhtntt.exec:\hhtntt.exe88⤵PID:4236
-
\??\c:\2888888.exec:\2888888.exe89⤵PID:800
-
\??\c:\lrxxffx.exec:\lrxxffx.exe90⤵PID:3172
-
\??\c:\thhnhb.exec:\thhnhb.exe91⤵PID:1464
-
\??\c:\bbbbtt.exec:\bbbbtt.exe92⤵PID:4436
-
\??\c:\06864.exec:\06864.exe93⤵PID:2208
-
\??\c:\lfxxrrr.exec:\lfxxrrr.exe94⤵PID:4432
-
\??\c:\20604.exec:\20604.exe95⤵PID:864
-
\??\c:\fxlfxfr.exec:\fxlfxfr.exe96⤵PID:556
-
\??\c:\8026422.exec:\8026422.exe97⤵PID:4332
-
\??\c:\bhtnbt.exec:\bhtnbt.exe98⤵PID:4348
-
\??\c:\vdvvj.exec:\vdvvj.exe99⤵PID:3976
-
\??\c:\4662622.exec:\4662622.exe100⤵PID:4912
-
\??\c:\ttnbhh.exec:\ttnbhh.exe101⤵PID:2928
-
\??\c:\48620.exec:\48620.exe102⤵PID:3580
-
\??\c:\9rlfxxr.exec:\9rlfxxr.exe103⤵
- System Location Discovery: System Language Discovery
PID:380 -
\??\c:\02822.exec:\02822.exe104⤵PID:2880
-
\??\c:\xrfrffx.exec:\xrfrffx.exe105⤵PID:2076
-
\??\c:\llxxrff.exec:\llxxrff.exe106⤵PID:3828
-
\??\c:\rxxrfxl.exec:\rxxrfxl.exe107⤵PID:3964
-
\??\c:\02888.exec:\02888.exe108⤵PID:1836
-
\??\c:\60642.exec:\60642.exe109⤵PID:3928
-
\??\c:\40048.exec:\40048.exe110⤵PID:404
-
\??\c:\nhttnn.exec:\nhttnn.exe111⤵PID:3476
-
\??\c:\2848822.exec:\2848822.exe112⤵PID:4976
-
\??\c:\48444.exec:\48444.exe113⤵PID:3780
-
\??\c:\pvpjv.exec:\pvpjv.exe114⤵PID:4048
-
\??\c:\i620820.exec:\i620820.exe115⤵PID:2004
-
\??\c:\jdvvp.exec:\jdvvp.exe116⤵PID:3276
-
\??\c:\rrxlxfx.exec:\rrxlxfx.exe117⤵PID:4612
-
\??\c:\7nnhbb.exec:\7nnhbb.exe118⤵PID:2644
-
\??\c:\8244006.exec:\8244006.exe119⤵PID:452
-
\??\c:\0626466.exec:\0626466.exe120⤵PID:2620
-
\??\c:\btbtnt.exec:\btbtnt.exe121⤵PID:2432
-
\??\c:\48260.exec:\48260.exe122⤵PID:4192