Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
25-12-2024 15:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe
-
Size
454KB
-
MD5
36422be938201fae0145f111592856c8
-
SHA1
742820e2b3a82262d4056ee19e53353191c3e31f
-
SHA256
8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8
-
SHA512
8138cc495f1dcb3baffd9013544d029857ddc5686950c2ca83918f86ab3d7a4a0e0238f2138b89df7e35f641d663728667b4ffb2bb3676dbed57fc330055086d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3708-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4864-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1664-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-838-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-1179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4292 jvdpd.exe 4952 80820.exe 1512 lfxlxrf.exe 2516 6044264.exe 5072 vpjvv.exe 3000 88806.exe 372 e04820.exe 860 bbthth.exe 4132 64002.exe 1860 62086.exe 3108 vdvdp.exe 3040 ppdvj.exe 2212 20086.exe 2812 0204208.exe 1364 2260264.exe 4640 vdvjv.exe 3872 486420.exe 4020 088264.exe 2424 djdpd.exe 1452 rrrxrlr.exe 4968 428648.exe 2668 o660860.exe 1988 ntthtn.exe 1488 484826.exe 4188 vvpjd.exe 1924 6664826.exe 4792 q82082.exe 4864 nnnbnb.exe 456 ffxrfxl.exe 1160 fxlxffr.exe 3676 40086.exe 744 3frrfxf.exe 3956 pdvjp.exe 812 88400.exe 4924 4462468.exe 1676 jvvvj.exe 1072 jvpjv.exe 1088 ddjvv.exe 1744 844866.exe 640 bnnntn.exe 1184 444220.exe 3660 jvvjv.exe 208 lrxlxrf.exe 3652 64464.exe 3156 u442826.exe 3452 lfflfrl.exe 3780 rffrlxr.exe 3200 jvdvv.exe 4768 22644.exe 4484 64648.exe 1624 nnhhbn.exe 2332 pppjv.exe 3848 frrflxl.exe 1916 flfxllx.exe 5096 202086.exe 2916 6860482.exe 992 420000.exe 3692 tbnhbt.exe 2920 ntbbnn.exe 3880 640422.exe 1224 vdvpd.exe 2888 xfxlxrr.exe 2872 jjpdv.exe 2184 tbtnhh.exe -
resource yara_rule behavioral2/memory/3708-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4864-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-383-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3340-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-729-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8648660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8266004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3708 wrote to memory of 4292 3708 8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe 83 PID 3708 wrote to memory of 4292 3708 8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe 83 PID 3708 wrote to memory of 4292 3708 8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe 83 PID 4292 wrote to memory of 4952 4292 jvdpd.exe 84 PID 4292 wrote to memory of 4952 4292 jvdpd.exe 84 PID 4292 wrote to memory of 4952 4292 jvdpd.exe 84 PID 4952 wrote to memory of 1512 4952 80820.exe 85 PID 4952 wrote to memory of 1512 4952 80820.exe 85 PID 4952 wrote to memory of 1512 4952 80820.exe 85 PID 1512 wrote to memory of 2516 1512 lfxlxrf.exe 86 PID 1512 wrote to memory of 2516 1512 lfxlxrf.exe 86 PID 1512 wrote to memory of 2516 1512 lfxlxrf.exe 86 PID 2516 wrote to memory of 5072 2516 6044264.exe 87 PID 2516 wrote to memory of 5072 2516 6044264.exe 87 PID 2516 wrote to memory of 5072 2516 6044264.exe 87 PID 5072 wrote to memory of 3000 5072 vpjvv.exe 88 PID 5072 wrote to memory of 3000 5072 vpjvv.exe 88 PID 5072 wrote to memory of 3000 5072 vpjvv.exe 88 PID 3000 wrote to memory of 372 3000 88806.exe 89 PID 3000 wrote to memory of 372 3000 88806.exe 89 PID 3000 wrote to memory of 372 3000 88806.exe 89 PID 372 wrote to memory of 860 372 e04820.exe 90 PID 372 wrote to memory of 860 372 e04820.exe 90 PID 372 wrote to memory of 860 372 e04820.exe 90 PID 860 wrote to memory of 4132 860 bbthth.exe 91 PID 860 wrote to memory of 4132 860 bbthth.exe 91 PID 860 wrote to memory of 4132 860 bbthth.exe 91 PID 4132 wrote to memory of 1860 4132 64002.exe 92 PID 4132 wrote to memory of 1860 4132 64002.exe 92 PID 4132 wrote to memory of 1860 4132 64002.exe 92 PID 1860 wrote to memory of 3108 1860 62086.exe 93 PID 1860 wrote to memory of 3108 1860 62086.exe 93 PID 1860 wrote to memory of 3108 1860 62086.exe 93 PID 3108 wrote to memory of 3040 3108 vdvdp.exe 94 PID 3108 wrote to memory of 3040 3108 vdvdp.exe 94 
PID 3108 wrote to memory of 3040 3108 vdvdp.exe 94 PID 3040 wrote to memory of 2212 3040 ppdvj.exe 95 PID 3040 wrote to memory of 2212 3040 ppdvj.exe 95 PID 3040 wrote to memory of 2212 3040 ppdvj.exe 95 PID 2212 wrote to memory of 2812 2212 20086.exe 96 PID 2212 wrote to memory of 2812 2212 20086.exe 96 PID 2212 wrote to memory of 2812 2212 20086.exe 96 PID 2812 wrote to memory of 1364 2812 0204208.exe 97 PID 2812 wrote to memory of 1364 2812 0204208.exe 97 PID 2812 wrote to memory of 1364 2812 0204208.exe 97 PID 1364 wrote to memory of 4640 1364 2260264.exe 98 PID 1364 wrote to memory of 4640 1364 2260264.exe 98 PID 1364 wrote to memory of 4640 1364 2260264.exe 98 PID 4640 wrote to memory of 3872 4640 vdvjv.exe 99 PID 4640 wrote to memory of 3872 4640 vdvjv.exe 99 PID 4640 wrote to memory of 3872 4640 vdvjv.exe 99 PID 3872 wrote to memory of 4020 3872 486420.exe 100 PID 3872 wrote to memory of 4020 3872 486420.exe 100 PID 3872 wrote to memory of 4020 3872 486420.exe 100 PID 4020 wrote to memory of 2424 4020 088264.exe 101 PID 4020 wrote to memory of 2424 4020 088264.exe 101 PID 4020 wrote to memory of 2424 4020 088264.exe 101 PID 2424 wrote to memory of 1452 2424 djdpd.exe 102 PID 2424 wrote to memory of 1452 2424 djdpd.exe 102 PID 2424 wrote to memory of 1452 2424 djdpd.exe 102 PID 1452 wrote to memory of 4968 1452 rrrxrlr.exe 103 PID 1452 wrote to memory of 4968 1452 rrrxrlr.exe 103 PID 1452 wrote to memory of 4968 1452 rrrxrlr.exe 103 PID 4968 wrote to memory of 2668 4968 428648.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe"C:\Users\Admin\AppData\Local\Temp\8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\jvdpd.exec:\jvdpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\80820.exec:\80820.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\lfxlxrf.exec:\lfxlxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\6044264.exec:\6044264.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\vpjvv.exec:\vpjvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\88806.exec:\88806.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\e04820.exec:\e04820.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\bbthth.exec:\bbthth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\64002.exec:\64002.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\62086.exec:\62086.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\vdvdp.exec:\vdvdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\ppdvj.exec:\ppdvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\20086.exec:\20086.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\0204208.exec:\0204208.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\2260264.exec:\2260264.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\vdvjv.exec:\vdvjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\486420.exec:\486420.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\088264.exec:\088264.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\djdpd.exec:\djdpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\rrrxrlr.exec:\rrrxrlr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\428648.exec:\428648.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\o660860.exec:\o660860.exe23⤵
- Executes dropped EXE
PID:2668 -
\??\c:\ntthtn.exec:\ntthtn.exe24⤵
- Executes dropped EXE
PID:1988 -
\??\c:\484826.exec:\484826.exe25⤵
- Executes dropped EXE
PID:1488 -
\??\c:\vvpjd.exec:\vvpjd.exe26⤵
- Executes dropped EXE
PID:4188 -
\??\c:\6664826.exec:\6664826.exe27⤵
- Executes dropped EXE
PID:1924 -
\??\c:\q82082.exec:\q82082.exe28⤵
- Executes dropped EXE
PID:4792 -
\??\c:\nnnbnb.exec:\nnnbnb.exe29⤵
- Executes dropped EXE
PID:4864 -
\??\c:\ffxrfxl.exec:\ffxrfxl.exe30⤵
- Executes dropped EXE
PID:456 -
\??\c:\fxlxffr.exec:\fxlxffr.exe31⤵
- Executes dropped EXE
PID:1160 -
\??\c:\40086.exec:\40086.exe32⤵
- Executes dropped EXE
PID:3676 -
\??\c:\3frrfxf.exec:\3frrfxf.exe33⤵
- Executes dropped EXE
PID:744 -
\??\c:\pdvjp.exec:\pdvjp.exe34⤵
- Executes dropped EXE
PID:3956 -
\??\c:\88400.exec:\88400.exe35⤵
- Executes dropped EXE
PID:812 -
\??\c:\4462468.exec:\4462468.exe36⤵
- Executes dropped EXE
PID:4924 -
\??\c:\jvvvj.exec:\jvvvj.exe37⤵
- Executes dropped EXE
PID:1676 -
\??\c:\jvpjv.exec:\jvpjv.exe38⤵
- Executes dropped EXE
PID:1072 -
\??\c:\ddjvv.exec:\ddjvv.exe39⤵
- Executes dropped EXE
PID:1088 -
\??\c:\844866.exec:\844866.exe40⤵
- Executes dropped EXE
PID:1744 -
\??\c:\bnnntn.exec:\bnnntn.exe41⤵
- Executes dropped EXE
PID:640 -
\??\c:\444220.exec:\444220.exe42⤵
- Executes dropped EXE
PID:1184 -
\??\c:\jvvjv.exec:\jvvjv.exe43⤵
- Executes dropped EXE
PID:3660 -
\??\c:\lrxlxrf.exec:\lrxlxrf.exe44⤵
- Executes dropped EXE
PID:208 -
\??\c:\64464.exec:\64464.exe45⤵
- Executes dropped EXE
PID:3652 -
\??\c:\u442826.exec:\u442826.exe46⤵
- Executes dropped EXE
PID:3156 -
\??\c:\lfflfrl.exec:\lfflfrl.exe47⤵
- Executes dropped EXE
PID:3452 -
\??\c:\rffrlxr.exec:\rffrlxr.exe48⤵
- Executes dropped EXE
PID:3780 -
\??\c:\jvdvv.exec:\jvdvv.exe49⤵
- Executes dropped EXE
PID:3200 -
\??\c:\22644.exec:\22644.exe50⤵
- Executes dropped EXE
PID:4768 -
\??\c:\64648.exec:\64648.exe51⤵
- Executes dropped EXE
PID:4484 -
\??\c:\nnhhbn.exec:\nnhhbn.exe52⤵
- Executes dropped EXE
PID:1624 -
\??\c:\pppjv.exec:\pppjv.exe53⤵
- Executes dropped EXE
PID:2332 -
\??\c:\frrflxl.exec:\frrflxl.exe54⤵
- Executes dropped EXE
PID:3848 -
\??\c:\flfxllx.exec:\flfxllx.exe55⤵
- Executes dropped EXE
PID:1916 -
\??\c:\202086.exec:\202086.exe56⤵
- Executes dropped EXE
PID:5096 -
\??\c:\6860482.exec:\6860482.exe57⤵
- Executes dropped EXE
PID:2916 -
\??\c:\420000.exec:\420000.exe58⤵
- Executes dropped EXE
PID:992 -
\??\c:\tbnhbt.exec:\tbnhbt.exe59⤵
- Executes dropped EXE
PID:3692 -
\??\c:\ntbbnn.exec:\ntbbnn.exe60⤵
- Executes dropped EXE
PID:2920 -
\??\c:\640422.exec:\640422.exe61⤵
- Executes dropped EXE
PID:3880 -
\??\c:\vdvpd.exec:\vdvpd.exe62⤵
- Executes dropped EXE
PID:1224 -
\??\c:\xfxlxrr.exec:\xfxlxrr.exe63⤵
- Executes dropped EXE
PID:2888 -
\??\c:\jjpdv.exec:\jjpdv.exe64⤵
- Executes dropped EXE
PID:2872 -
\??\c:\tbtnhh.exec:\tbtnhh.exe65⤵
- Executes dropped EXE
PID:2184 -
\??\c:\lrxlxrf.exec:\lrxlxrf.exe66⤵PID:4972
-
\??\c:\ntbbbb.exec:\ntbbbb.exe67⤵PID:3468
-
\??\c:\w28664.exec:\w28664.exe68⤵PID:1844
-
\??\c:\20206.exec:\20206.exe69⤵PID:3040
-
\??\c:\xrlxlfx.exec:\xrlxlfx.exe70⤵PID:3556
-
\??\c:\64060.exec:\64060.exe71⤵PID:2212
-
\??\c:\fllxlfr.exec:\fllxlfr.exe72⤵PID:2496
-
\??\c:\jvpjj.exec:\jvpjj.exe73⤵PID:4624
-
\??\c:\jddvj.exec:\jddvj.exe74⤵PID:3276
-
\??\c:\60642.exec:\60642.exe75⤵PID:5076
-
\??\c:\rlrffrx.exec:\rlrffrx.exe76⤵PID:3872
-
\??\c:\jjjvj.exec:\jjjvj.exe77⤵PID:1876
-
\??\c:\6464422.exec:\6464422.exe78⤵PID:1684
-
\??\c:\0888264.exec:\0888264.exe79⤵PID:1656
-
\??\c:\llxfrxf.exec:\llxfrxf.exe80⤵PID:3316
-
\??\c:\htnbbt.exec:\htnbbt.exe81⤵PID:4176
-
\??\c:\46082.exec:\46082.exe82⤵PID:1280
-
\??\c:\bhntht.exec:\bhntht.exe83⤵PID:1760
-
\??\c:\9nhbnh.exec:\9nhbnh.exe84⤵PID:2380
-
\??\c:\08268.exec:\08268.exe85⤵PID:1664
-
\??\c:\64486.exec:\64486.exe86⤵PID:4356
-
\??\c:\5nnbnh.exec:\5nnbnh.exe87⤵PID:728
-
\??\c:\44464.exec:\44464.exe88⤵PID:4208
-
\??\c:\64066.exec:\64066.exe89⤵PID:4720
-
\??\c:\lfrfrrl.exec:\lfrfrrl.exe90⤵PID:1956
-
\??\c:\lfrlxrr.exec:\lfrlxrr.exe91⤵PID:4728
-
\??\c:\pddvp.exec:\pddvp.exe92⤵PID:2808
-
\??\c:\8482486.exec:\8482486.exe93⤵PID:1132
-
\??\c:\frlxlxl.exec:\frlxlxl.exe94⤵PID:3340
-
\??\c:\8846042.exec:\8846042.exe95⤵PID:3628
-
\??\c:\pddjv.exec:\pddjv.exe96⤵PID:3528
-
\??\c:\8860482.exec:\8860482.exe97⤵PID:744
-
\??\c:\040448.exec:\040448.exe98⤵PID:2488
-
\??\c:\jvddv.exec:\jvddv.exe99⤵PID:812
-
\??\c:\808642.exec:\808642.exe100⤵PID:1668
-
\??\c:\nbtbnb.exec:\nbtbnb.exe101⤵PID:3432
-
\??\c:\ntnbbt.exec:\ntnbbt.exe102⤵PID:2436
-
\??\c:\4442042.exec:\4442042.exe103⤵PID:1080
-
\??\c:\i208888.exec:\i208888.exe104⤵PID:1744
-
\??\c:\tnbttn.exec:\tnbttn.exe105⤵PID:640
-
\??\c:\dpvjv.exec:\dpvjv.exe106⤵PID:1184
-
\??\c:\7vvjd.exec:\7vvjd.exe107⤵PID:4520
-
\??\c:\vvjdj.exec:\vvjdj.exe108⤵PID:4608
-
\??\c:\vvvjd.exec:\vvvjd.exe109⤵PID:3968
-
\??\c:\lxlfrlf.exec:\lxlfrlf.exe110⤵PID:3156
-
\??\c:\pvddp.exec:\pvddp.exe111⤵PID:4216
-
\??\c:\i004264.exec:\i004264.exe112⤵PID:3572
-
\??\c:\flrlfff.exec:\flrlfff.exe113⤵PID:4244
-
\??\c:\bbtnbt.exec:\bbtnbt.exe114⤵PID:1852
-
\??\c:\3tbhtb.exec:\3tbhtb.exe115⤵PID:2252
-
\??\c:\dvdjv.exec:\dvdjv.exe116⤵PID:1616
-
\??\c:\fxxrfrl.exec:\fxxrfrl.exe117⤵PID:3240
-
\??\c:\bnbnbt.exec:\bnbnbt.exe118⤵PID:3356
-
\??\c:\tnnhbb.exec:\tnnhbb.exe119⤵PID:532
-
\??\c:\bnhtbn.exec:\bnhtbn.exe120⤵PID:1504
-
\??\c:\3nnbhn.exec:\3nnbhn.exe121⤵PID:1680
-
\??\c:\c060442.exec:\c060442.exe122⤵PID:1412