Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe
-
Size
456KB
-
MD5
a6e086eeea2c5c8625757c4ec7f5b755
-
SHA1
8de4d498e1bd91331ce320c31821191dae114b8f
-
SHA256
8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea
-
SHA512
625313061f18eac70ccd0b4cef9e98e92a21740c3b3919f83e6df7215cb1c380a18ee40a70cff5a985ae0a35b8fb7560b38ad163411aacf1d11daa0c8d4a4aa0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR2:q7Tc2NYHUrAwfMp3CDR2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs. Every hit below is on a memory dump (the 0x400000-0x42A000 image range of a dropped process), not on the file on disk, and the same regions also match the generic upx rule further down; the family rule is therefore matching what the sample looks like once running in memory, while the hashes in the General section identify only the outer, packed file.
resource yara_rule behavioral2/memory/2556-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/324-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4492-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5004-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/352-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-1007-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs. Each dropped binary is written to the root of C:\ under a short random-looking name (see the process tree below) and launches the next one, forming a chain more than 100 processes deep. Note that PID values recur in this list (e.g. 2912, 5108 and 4572 each appear for more than one image name) because Windows reuses PIDs after earlier processes exit, so a PID alone is not a stable key for correlating these events.
pid Process 4572 006864.exe 2912 dppjj.exe 4688 e46060.exe 5108 0286488.exe 4960 2608262.exe 64 06860.exe 2024 606204.exe 5048 4804264.exe 536 00088.exe 3212 vjpjv.exe 3840 26664.exe 4980 6060488.exe 3756 628642.exe 2188 62604.exe 1948 rlxrxlr.exe 3932 xlrfxrl.exe 2496 04880.exe 5004 nhhtnn.exe 756 vjjvp.exe 3204 026420.exe 1172 u480866.exe 1532 xfxrxxf.exe 3772 7jppd.exe 4896 frrrfrl.exe 324 080604.exe 1392 9tntht.exe 4492 60262.exe 4976 48602.exe 1820 1vpjv.exe 3688 rrrllfx.exe 2368 88626.exe 3276 rxfxxrl.exe 4556 ntttnn.exe 1824 frllfff.exe 1016 rlrlxrl.exe 2384 9lrlllf.exe 3096 i406060.exe 3496 64206.exe 908 vppjp.exe 4628 jjpjd.exe 1612 2808260.exe 1360 26604.exe 3712 88442.exe 1272 tbhbtb.exe 3980 7dpjd.exe 4452 dpdvv.exe 2452 nhbttt.exe 3232 6448260.exe 4832 0064826.exe 4316 dvpjv.exe 540 0486820.exe 2592 9dvdp.exe 2912 5ffxrlr.exe 2028 g2422.exe 5108 llrlllf.exe 2136 2660404.exe 2624 fxfrllx.exe 2428 4888266.exe 2788 8248222.exe 4676 7nttnh.exe 1420 00008.exe 2448 20008.exe 4084 xlrflff.exe 1472 llrrrxx.exe -
resource yara_rule behavioral2/memory/2556-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/324-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4492-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/352-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2132-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-791-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001, System Language Discovery). Two caveats for triage: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by ordinary locale-related Windows API calls, so this key read is a weak indicator on its own; and most rows below are attributed to "Process not Found", which usually means the short-lived dropped process had already exited before the sandbox could tie the registry read to it, so the per-process attribution here is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e84260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8666486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0684226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4060448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e46060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o820826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs. Each parent in the chain is logged writing three times into the child it has just spawned, and no unrelated target process appears; this pattern is consistent with a parent preparing its own freshly created child rather than injecting into a third-party process, although the report does not show what was written or whether the child's image was replaced.
description pid Process procid_target PID 2556 wrote to memory of 4572 2556 8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe 83 PID 2556 wrote to memory of 4572 2556 8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe 83 PID 2556 wrote to memory of 4572 2556 8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe 83 PID 4572 wrote to memory of 2912 4572 006864.exe 84 PID 4572 wrote to memory of 2912 4572 006864.exe 84 PID 4572 wrote to memory of 2912 4572 006864.exe 84 PID 2912 wrote to memory of 4688 2912 dppjj.exe 85 PID 2912 wrote to memory of 4688 2912 dppjj.exe 85 PID 2912 wrote to memory of 4688 2912 dppjj.exe 85 PID 4688 wrote to memory of 5108 4688 e46060.exe 86 PID 4688 wrote to memory of 5108 4688 e46060.exe 86 PID 4688 wrote to memory of 5108 4688 e46060.exe 86 PID 5108 wrote to memory of 4960 5108 0286488.exe 87 PID 5108 wrote to memory of 4960 5108 0286488.exe 87 PID 5108 wrote to memory of 4960 5108 0286488.exe 87 PID 4960 wrote to memory of 64 4960 2608262.exe 88 PID 4960 wrote to memory of 64 4960 2608262.exe 88 PID 4960 wrote to memory of 64 4960 2608262.exe 88 PID 64 wrote to memory of 2024 64 06860.exe 89 PID 64 wrote to memory of 2024 64 06860.exe 89 PID 64 wrote to memory of 2024 64 06860.exe 89 PID 2024 wrote to memory of 5048 2024 606204.exe 90 PID 2024 wrote to memory of 5048 2024 606204.exe 90 PID 2024 wrote to memory of 5048 2024 606204.exe 90 PID 5048 wrote to memory of 536 5048 4804264.exe 91 PID 5048 wrote to memory of 536 5048 4804264.exe 91 PID 5048 wrote to memory of 536 5048 4804264.exe 91 PID 536 wrote to memory of 3212 536 00088.exe 92 PID 536 wrote to memory of 3212 536 00088.exe 92 PID 536 wrote to memory of 3212 536 00088.exe 92 PID 3212 wrote to memory of 3840 3212 vjpjv.exe 93 PID 3212 wrote to memory of 3840 3212 vjpjv.exe 93 PID 3212 wrote to memory of 3840 3212 vjpjv.exe 93 PID 3840 wrote to memory of 4980 3840 26664.exe 94 PID 3840 wrote to memory of 4980 3840 26664.exe 94 
PID 3840 wrote to memory of 4980 3840 26664.exe 94 PID 4980 wrote to memory of 3756 4980 6060488.exe 95 PID 4980 wrote to memory of 3756 4980 6060488.exe 95 PID 4980 wrote to memory of 3756 4980 6060488.exe 95 PID 3756 wrote to memory of 2188 3756 628642.exe 96 PID 3756 wrote to memory of 2188 3756 628642.exe 96 PID 3756 wrote to memory of 2188 3756 628642.exe 96 PID 2188 wrote to memory of 1948 2188 62604.exe 97 PID 2188 wrote to memory of 1948 2188 62604.exe 97 PID 2188 wrote to memory of 1948 2188 62604.exe 97 PID 1948 wrote to memory of 3932 1948 rlxrxlr.exe 98 PID 1948 wrote to memory of 3932 1948 rlxrxlr.exe 98 PID 1948 wrote to memory of 3932 1948 rlxrxlr.exe 98 PID 3932 wrote to memory of 2496 3932 xlrfxrl.exe 99 PID 3932 wrote to memory of 2496 3932 xlrfxrl.exe 99 PID 3932 wrote to memory of 2496 3932 xlrfxrl.exe 99 PID 2496 wrote to memory of 5004 2496 04880.exe 100 PID 2496 wrote to memory of 5004 2496 04880.exe 100 PID 2496 wrote to memory of 5004 2496 04880.exe 100 PID 5004 wrote to memory of 756 5004 nhhtnn.exe 101 PID 5004 wrote to memory of 756 5004 nhhtnn.exe 101 PID 5004 wrote to memory of 756 5004 nhhtnn.exe 101 PID 756 wrote to memory of 3204 756 vjjvp.exe 102 PID 756 wrote to memory of 3204 756 vjjvp.exe 102 PID 756 wrote to memory of 3204 756 vjjvp.exe 102 PID 3204 wrote to memory of 1172 3204 026420.exe 103 PID 3204 wrote to memory of 1172 3204 026420.exe 103 PID 3204 wrote to memory of 1172 3204 026420.exe 103 PID 1172 wrote to memory of 1532 1172 u480866.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe"C:\Users\Admin\AppData\Local\Temp\8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\006864.exec:\006864.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\dppjj.exec:\dppjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\e46060.exec:\e46060.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\0286488.exec:\0286488.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\2608262.exec:\2608262.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\06860.exec:\06860.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\606204.exec:\606204.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\4804264.exec:\4804264.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\00088.exec:\00088.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\vjpjv.exec:\vjpjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\26664.exec:\26664.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\6060488.exec:\6060488.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\628642.exec:\628642.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\62604.exec:\62604.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\rlxrxlr.exec:\rlxrxlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\xlrfxrl.exec:\xlrfxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\04880.exec:\04880.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\nhhtnn.exec:\nhhtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\vjjvp.exec:\vjjvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\026420.exec:\026420.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\u480866.exec:\u480866.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\xfxrxxf.exec:\xfxrxxf.exe23⤵
- Executes dropped EXE
PID:1532 -
\??\c:\7jppd.exec:\7jppd.exe24⤵
- Executes dropped EXE
PID:3772 -
\??\c:\frrrfrl.exec:\frrrfrl.exe25⤵
- Executes dropped EXE
PID:4896 -
\??\c:\080604.exec:\080604.exe26⤵
- Executes dropped EXE
PID:324 -
\??\c:\9tntht.exec:\9tntht.exe27⤵
- Executes dropped EXE
PID:1392 -
\??\c:\60262.exec:\60262.exe28⤵
- Executes dropped EXE
PID:4492 -
\??\c:\48602.exec:\48602.exe29⤵
- Executes dropped EXE
PID:4976 -
\??\c:\1vpjv.exec:\1vpjv.exe30⤵
- Executes dropped EXE
PID:1820 -
\??\c:\rrrllfx.exec:\rrrllfx.exe31⤵
- Executes dropped EXE
PID:3688 -
\??\c:\88626.exec:\88626.exe32⤵
- Executes dropped EXE
PID:2368 -
\??\c:\rxfxxrl.exec:\rxfxxrl.exe33⤵
- Executes dropped EXE
PID:3276 -
\??\c:\ntttnn.exec:\ntttnn.exe34⤵
- Executes dropped EXE
PID:4556 -
\??\c:\frllfff.exec:\frllfff.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1824 -
\??\c:\rlrlxrl.exec:\rlrlxrl.exe36⤵
- Executes dropped EXE
PID:1016 -
\??\c:\9lrlllf.exec:\9lrlllf.exe37⤵
- Executes dropped EXE
PID:2384 -
\??\c:\i406060.exec:\i406060.exe38⤵
- Executes dropped EXE
PID:3096 -
\??\c:\64206.exec:\64206.exe39⤵
- Executes dropped EXE
PID:3496 -
\??\c:\vppjp.exec:\vppjp.exe40⤵
- Executes dropped EXE
PID:908 -
\??\c:\jjpjd.exec:\jjpjd.exe41⤵
- Executes dropped EXE
PID:4628 -
\??\c:\2808260.exec:\2808260.exe42⤵
- Executes dropped EXE
PID:1612 -
\??\c:\26604.exec:\26604.exe43⤵
- Executes dropped EXE
PID:1360 -
\??\c:\88442.exec:\88442.exe44⤵
- Executes dropped EXE
PID:3712 -
\??\c:\tbhbtb.exec:\tbhbtb.exe45⤵
- Executes dropped EXE
PID:1272 -
\??\c:\7dpjd.exec:\7dpjd.exe46⤵
- Executes dropped EXE
PID:3980 -
\??\c:\dpdvv.exec:\dpdvv.exe47⤵
- Executes dropped EXE
PID:4452 -
\??\c:\nhbttt.exec:\nhbttt.exe48⤵
- Executes dropped EXE
PID:2452 -
\??\c:\6448260.exec:\6448260.exe49⤵
- Executes dropped EXE
PID:3232 -
\??\c:\0064826.exec:\0064826.exe50⤵
- Executes dropped EXE
PID:4832 -
\??\c:\dvpjv.exec:\dvpjv.exe51⤵
- Executes dropped EXE
PID:4316 -
\??\c:\0486820.exec:\0486820.exe52⤵
- Executes dropped EXE
PID:540 -
\??\c:\9dvdp.exec:\9dvdp.exe53⤵
- Executes dropped EXE
PID:2592 -
\??\c:\5ffxrlr.exec:\5ffxrlr.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912 -
\??\c:\g2422.exec:\g2422.exe55⤵
- Executes dropped EXE
PID:2028 -
\??\c:\llrlllf.exec:\llrlllf.exe56⤵
- Executes dropped EXE
PID:5108 -
\??\c:\2660404.exec:\2660404.exe57⤵
- Executes dropped EXE
PID:2136 -
\??\c:\fxfrllx.exec:\fxfrllx.exe58⤵
- Executes dropped EXE
PID:2624 -
\??\c:\4888266.exec:\4888266.exe59⤵
- Executes dropped EXE
PID:2428 -
\??\c:\8248222.exec:\8248222.exe60⤵
- Executes dropped EXE
PID:2788 -
\??\c:\7nttnh.exec:\7nttnh.exe61⤵
- Executes dropped EXE
PID:4676 -
\??\c:\00008.exec:\00008.exe62⤵
- Executes dropped EXE
PID:1420 -
\??\c:\20008.exec:\20008.exe63⤵
- Executes dropped EXE
PID:2448 -
\??\c:\xlrflff.exec:\xlrflff.exe64⤵
- Executes dropped EXE
PID:4084 -
\??\c:\llrrrxx.exec:\llrrrxx.exe65⤵
- Executes dropped EXE
PID:1472 -
\??\c:\dvppj.exec:\dvppj.exe66⤵PID:4956
-
\??\c:\bnnhbt.exec:\bnnhbt.exe67⤵PID:4928
-
\??\c:\nhnhbb.exec:\nhnhbb.exe68⤵PID:1344
-
\??\c:\5hhbnt.exec:\5hhbnt.exe69⤵PID:4020
-
\??\c:\rrxrlfx.exec:\rrxrlfx.exe70⤵PID:2756
-
\??\c:\468888.exec:\468888.exe71⤵PID:3996
-
\??\c:\1tbnnn.exec:\1tbnnn.exe72⤵PID:1948
-
\??\c:\2282666.exec:\2282666.exe73⤵PID:2920
-
\??\c:\pdddv.exec:\pdddv.exe74⤵PID:2284
-
\??\c:\i020882.exec:\i020882.exe75⤵PID:5004
-
\??\c:\1rxlffx.exec:\1rxlffx.exe76⤵PID:3192
-
\??\c:\864264.exec:\864264.exe77⤵PID:4800
-
\??\c:\xllxffl.exec:\xllxffl.exe78⤵PID:1944
-
\??\c:\o064888.exec:\o064888.exe79⤵PID:2972
-
\??\c:\hbtnbb.exec:\hbtnbb.exe80⤵PID:688
-
\??\c:\8666006.exec:\8666006.exe81⤵PID:1976
-
\??\c:\846048.exec:\846048.exe82⤵PID:352
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe83⤵PID:232
-
\??\c:\828260.exec:\828260.exe84⤵PID:3796
-
\??\c:\rflrlfl.exec:\rflrlfl.exe85⤵PID:4664
-
\??\c:\g4206.exec:\g4206.exe86⤵PID:1064
-
\??\c:\8666440.exec:\8666440.exe87⤵PID:4036
-
\??\c:\vjdvp.exec:\vjdvp.exe88⤵PID:2984
-
\??\c:\rrxlrlf.exec:\rrxlrlf.exe89⤵PID:3960
-
\??\c:\5xrlfxx.exec:\5xrlfxx.exe90⤵PID:2812
-
\??\c:\28040.exec:\28040.exe91⤵PID:5084
-
\??\c:\60488.exec:\60488.exe92⤵PID:2132
-
\??\c:\9ttnnn.exec:\9ttnnn.exe93⤵PID:2208
-
\??\c:\vvpjp.exec:\vvpjp.exe94⤵PID:4308
-
\??\c:\tnnhbt.exec:\tnnhbt.exe95⤵PID:2560
-
\??\c:\flrlfxr.exec:\flrlfxr.exe96⤵PID:1824
-
\??\c:\40082.exec:\40082.exe97⤵PID:1016
-
\??\c:\1flfrfr.exec:\1flfrfr.exe98⤵PID:400
-
\??\c:\6060484.exec:\6060484.exe99⤵PID:4748
-
\??\c:\tnnnhn.exec:\tnnnhn.exe100⤵PID:2440
-
\??\c:\606226.exec:\606226.exe101⤵PID:2460
-
\??\c:\ttnhtt.exec:\ttnhtt.exe102⤵PID:2748
-
\??\c:\866040.exec:\866040.exe103⤵PID:864
-
\??\c:\480664.exec:\480664.exe104⤵PID:3732
-
\??\c:\6028040.exec:\6028040.exe105⤵PID:4364
-
\??\c:\jvjpd.exec:\jvjpd.exe106⤵PID:4572
-
\??\c:\nbhbtt.exec:\nbhbtt.exe107⤵PID:4808
-
\??\c:\g2482.exec:\g2482.exe108⤵PID:2592
-
\??\c:\a4048.exec:\a4048.exe109⤵PID:2912
-
\??\c:\dvvdj.exec:\dvvdj.exe110⤵PID:4564
-
\??\c:\thnnhh.exec:\thnnhh.exe111⤵PID:4196
-
\??\c:\btnnbb.exec:\btnnbb.exe112⤵PID:5052
-
\??\c:\884826.exec:\884826.exe113⤵
- System Location Discovery: System Language Discovery
PID:2136 -
\??\c:\s2862.exec:\s2862.exe114⤵PID:2624
-
\??\c:\nbhhbh.exec:\nbhhbh.exe115⤵PID:4136
-
\??\c:\204826.exec:\204826.exe116⤵PID:2024
-
\??\c:\684226.exec:\684226.exe117⤵PID:4280
-
\??\c:\08040.exec:\08040.exe118⤵PID:1420
-
\??\c:\5tbttt.exec:\5tbttt.exe119⤵PID:2588
-
\??\c:\68482.exec:\68482.exe120⤵PID:4084
-
\??\c:\5frlxxf.exec:\5frlxxf.exe121⤵PID:2960
-
\??\c:\lrllxrr.exec:\lrllxrr.exe122⤵PID:4956