Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4378643caada1b3b62b3c15edf644ff3c8870a2ea0c122caecc639e8553a48e2.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
4378643caada1b3b62b3c15edf644ff3c8870a2ea0c122caecc639e8553a48e2.exe
-
Size
454KB
-
MD5
28721825a0ddc521165ed2c08b3d04d6
-
SHA1
a9aa4493550b4b1dffb483e460621ac4116a9e0d
-
SHA256
4378643caada1b3b62b3c15edf644ff3c8870a2ea0c122caecc639e8553a48e2
-
SHA512
89e6d461b3e2e322f8e002357a7f1b284f8332d1450ee7042d66b88ab348c0247cdaf6a3ecd7017b9d65e689786184c8b99bd120df1be20132e451a841e94640
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1784-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1176-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4916-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-861-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-983-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-1068-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-1201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2864-1202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2148 w62442.exe 2596 622868.exe 2552 08822.exe 4816 c626000.exe 3640 q28660.exe 324 1dvjv.exe 1060 o626048.exe 5084 6044848.exe 1928 jvdvp.exe 4336 vddvp.exe 2160 xxlfxrl.exe 2996 xrlrlrl.exe 5028 rfrlfff.exe 1696 btntnn.exe 4660 8800488.exe 5076 c248864.exe 4572 4602260.exe 3728 ddjvj.exe 3384 g4042.exe 1416 42220.exe 4952 26060.exe 1532 pppjd.exe 3908 xrrlrrr.exe 1176 42828.exe 1712 00604.exe 4820 nbnhbb.exe 4500 200482.exe 2656 ttnhbt.exe 3360 hbbtnn.exe 948 nhhbtt.exe 4508 240826.exe 4656 60068.exe 1580 fxfxfxx.exe 1324 bnthbn.exe 1672 pvdvp.exe 2640 7tbbnn.exe 4404 24000.exe 1480 ffxrlxr.exe 4416 ththhh.exe 1316 402288.exe 3168 hhnhnb.exe 1656 vvvpp.exe 1804 vjppj.exe 32 40648.exe 1572 462008.exe 1836 i044264.exe 920 ppvpv.exe 4368 684822.exe 4288 806600.exe 4188 jvpjd.exe 544 080448.exe 4848 5tbtbb.exe 540 s0204.exe 4232 o286448.exe 1796 u286048.exe 3752 bnnnhb.exe 3640 vpdvv.exe 2008 rxxxrll.exe 3988 dvvpd.exe 4856 6848204.exe 1892 1nnbhb.exe 2608 488200.exe 3532 26620.exe 4336 42660.exe -
resource yara_rule behavioral2/memory/1784-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2656-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-457-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4364-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-861-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 026420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c800680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0686004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8022660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4626040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8606662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8604226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0800448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w6661h.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c060882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1784 wrote to memory of 2148 1784 4378643caada1b3b62b3c15edf644ff3c8870a2ea0c122caecc639e8553a48e2.exe 83 PID 1784 wrote to memory of 2148 1784 4378643caada1b3b62b3c15edf644ff3c8870a2ea0c122caecc639e8553a48e2.exe 83 PID 1784 wrote to memory of 2148 1784 4378643caada1b3b62b3c15edf644ff3c8870a2ea0c122caecc639e8553a48e2.exe 83 PID 2148 wrote to memory of 2596 2148 w62442.exe 84 PID 2148 wrote to memory of 2596 2148 w62442.exe 84 PID 2148 wrote to memory of 2596 2148 w62442.exe 84 PID 2596 wrote to memory of 2552 2596 622868.exe 85 PID 2596 wrote to memory of 2552 2596 622868.exe 85 PID 2596 wrote to memory of 2552 2596 622868.exe 85 PID 2552 wrote to memory of 4816 2552 08822.exe 86 PID 2552 wrote to memory of 4816 2552 08822.exe 86 PID 2552 wrote to memory of 4816 2552 08822.exe 86 PID 4816 wrote to memory of 3640 4816 c626000.exe 87 PID 4816 wrote to memory of 3640 4816 c626000.exe 87 PID 4816 wrote to memory of 3640 4816 c626000.exe 87 PID 3640 wrote to memory of 324 3640 q28660.exe 88 PID 3640 wrote to memory of 324 3640 q28660.exe 88 PID 3640 wrote to memory of 324 3640 q28660.exe 88 PID 324 wrote to memory of 1060 324 1dvjv.exe 89 PID 324 wrote to memory of 1060 324 1dvjv.exe 89 PID 324 wrote to memory of 1060 324 1dvjv.exe 89 PID 1060 wrote to memory of 5084 1060 o626048.exe 90 PID 1060 wrote to memory of 5084 1060 o626048.exe 90 PID 1060 wrote to memory of 5084 1060 o626048.exe 90 PID 5084 wrote to memory of 1928 5084 6044848.exe 91 PID 5084 wrote to memory of 1928 5084 6044848.exe 91 PID 5084 wrote to memory of 1928 5084 6044848.exe 91 PID 1928 wrote to memory of 4336 1928 jvdvp.exe 92 PID 1928 wrote to memory of 4336 1928 jvdvp.exe 92 PID 1928 wrote to memory of 4336 1928 jvdvp.exe 92 PID 4336 wrote to memory of 2160 4336 vddvp.exe 93 PID 4336 wrote to memory of 2160 4336 vddvp.exe 93 PID 4336 wrote to memory of 2160 4336 vddvp.exe 93 PID 2160 wrote to memory of 2996 2160 xxlfxrl.exe 94 PID 2160 wrote to memory of 
2996 2160 xxlfxrl.exe 94 PID 2160 wrote to memory of 2996 2160 xxlfxrl.exe 94 PID 2996 wrote to memory of 5028 2996 xrlrlrl.exe 95 PID 2996 wrote to memory of 5028 2996 xrlrlrl.exe 95 PID 2996 wrote to memory of 5028 2996 xrlrlrl.exe 95 PID 5028 wrote to memory of 1696 5028 rfrlfff.exe 96 PID 5028 wrote to memory of 1696 5028 rfrlfff.exe 96 PID 5028 wrote to memory of 1696 5028 rfrlfff.exe 96 PID 1696 wrote to memory of 4660 1696 btntnn.exe 97 PID 1696 wrote to memory of 4660 1696 btntnn.exe 97 PID 1696 wrote to memory of 4660 1696 btntnn.exe 97 PID 4660 wrote to memory of 5076 4660 8800488.exe 98 PID 4660 wrote to memory of 5076 4660 8800488.exe 98 PID 4660 wrote to memory of 5076 4660 8800488.exe 98 PID 5076 wrote to memory of 4572 5076 c248864.exe 99 PID 5076 wrote to memory of 4572 5076 c248864.exe 99 PID 5076 wrote to memory of 4572 5076 c248864.exe 99 PID 4572 wrote to memory of 3728 4572 4602260.exe 100 PID 4572 wrote to memory of 3728 4572 4602260.exe 100 PID 4572 wrote to memory of 3728 4572 4602260.exe 100 PID 3728 wrote to memory of 3384 3728 ddjvj.exe 101 PID 3728 wrote to memory of 3384 3728 ddjvj.exe 101 PID 3728 wrote to memory of 3384 3728 ddjvj.exe 101 PID 3384 wrote to memory of 1416 3384 g4042.exe 102 PID 3384 wrote to memory of 1416 3384 g4042.exe 102 PID 3384 wrote to memory of 1416 3384 g4042.exe 102 PID 1416 wrote to memory of 4952 1416 42220.exe 103 PID 1416 wrote to memory of 4952 1416 42220.exe 103 PID 1416 wrote to memory of 4952 1416 42220.exe 103 PID 4952 wrote to memory of 1532 4952 26060.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\4378643caada1b3b62b3c15edf644ff3c8870a2ea0c122caecc639e8553a48e2.exe"C:\Users\Admin\AppData\Local\Temp\4378643caada1b3b62b3c15edf644ff3c8870a2ea0c122caecc639e8553a48e2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\w62442.exec:\w62442.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\622868.exec:\622868.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\08822.exec:\08822.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\c626000.exec:\c626000.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\q28660.exec:\q28660.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\1dvjv.exec:\1dvjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\o626048.exec:\o626048.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\6044848.exec:\6044848.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\jvdvp.exec:\jvdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\vddvp.exec:\vddvp.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\xxlfxrl.exec:\xxlfxrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\xrlrlrl.exec:\xrlrlrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\rfrlfff.exec:\rfrlfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\btntnn.exec:\btntnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\8800488.exec:\8800488.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\c248864.exec:\c248864.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\4602260.exec:\4602260.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\ddjvj.exec:\ddjvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\g4042.exec:\g4042.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\42220.exec:\42220.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\26060.exec:\26060.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\pppjd.exec:\pppjd.exe23⤵
- Executes dropped EXE
PID:1532 -
\??\c:\xrrlrrr.exec:\xrrlrrr.exe24⤵
- Executes dropped EXE
PID:3908 -
\??\c:\42828.exec:\42828.exe25⤵
- Executes dropped EXE
PID:1176 -
\??\c:\00604.exec:\00604.exe26⤵
- Executes dropped EXE
PID:1712 -
\??\c:\nbnhbb.exec:\nbnhbb.exe27⤵
- Executes dropped EXE
PID:4820 -
\??\c:\200482.exec:\200482.exe28⤵
- Executes dropped EXE
PID:4500 -
\??\c:\ttnhbt.exec:\ttnhbt.exe29⤵
- Executes dropped EXE
PID:2656 -
\??\c:\hbbtnn.exec:\hbbtnn.exe30⤵
- Executes dropped EXE
PID:3360 -
\??\c:\nhhbtt.exec:\nhhbtt.exe31⤵
- Executes dropped EXE
PID:948 -
\??\c:\240826.exec:\240826.exe32⤵
- Executes dropped EXE
PID:4508 -
\??\c:\60068.exec:\60068.exe33⤵
- Executes dropped EXE
PID:4656 -
\??\c:\fxfxfxx.exec:\fxfxfxx.exe34⤵
- Executes dropped EXE
PID:1580 -
\??\c:\bnthbn.exec:\bnthbn.exe35⤵
- Executes dropped EXE
PID:1324 -
\??\c:\pvdvp.exec:\pvdvp.exe36⤵
- Executes dropped EXE
PID:1672 -
\??\c:\7tbbnn.exec:\7tbbnn.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640 -
\??\c:\24000.exec:\24000.exe38⤵
- Executes dropped EXE
PID:4404 -
\??\c:\ffxrlxr.exec:\ffxrlxr.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1480 -
\??\c:\ththhh.exec:\ththhh.exe40⤵
- Executes dropped EXE
PID:4416 -
\??\c:\402288.exec:\402288.exe41⤵
- Executes dropped EXE
PID:1316 -
\??\c:\hhnhnb.exec:\hhnhnb.exe42⤵
- Executes dropped EXE
PID:3168 -
\??\c:\vvvpp.exec:\vvvpp.exe43⤵
- Executes dropped EXE
PID:1656 -
\??\c:\vjppj.exec:\vjppj.exe44⤵
- Executes dropped EXE
PID:1804 -
\??\c:\40648.exec:\40648.exe45⤵
- Executes dropped EXE
PID:32 -
\??\c:\462008.exec:\462008.exe46⤵
- Executes dropped EXE
PID:1572 -
\??\c:\i044264.exec:\i044264.exe47⤵
- Executes dropped EXE
PID:1836 -
\??\c:\ppvpv.exec:\ppvpv.exe48⤵
- Executes dropped EXE
PID:920 -
\??\c:\684822.exec:\684822.exe49⤵
- Executes dropped EXE
PID:4368 -
\??\c:\806600.exec:\806600.exe50⤵
- Executes dropped EXE
PID:4288 -
\??\c:\jvpjd.exec:\jvpjd.exe51⤵
- Executes dropped EXE
PID:4188 -
\??\c:\080448.exec:\080448.exe52⤵
- Executes dropped EXE
PID:544 -
\??\c:\5tbtbb.exec:\5tbtbb.exe53⤵
- Executes dropped EXE
PID:4848 -
\??\c:\s0204.exec:\s0204.exe54⤵
- Executes dropped EXE
PID:540 -
\??\c:\o286448.exec:\o286448.exe55⤵
- Executes dropped EXE
PID:4232 -
\??\c:\u286048.exec:\u286048.exe56⤵
- Executes dropped EXE
PID:1796 -
\??\c:\bnnnhb.exec:\bnnnhb.exe57⤵
- Executes dropped EXE
PID:3752 -
\??\c:\vpdvv.exec:\vpdvv.exe58⤵
- Executes dropped EXE
PID:3640 -
\??\c:\rxxxrll.exec:\rxxxrll.exe59⤵
- Executes dropped EXE
PID:2008 -
\??\c:\dvvpd.exec:\dvvpd.exe60⤵
- Executes dropped EXE
PID:3988 -
\??\c:\6848204.exec:\6848204.exe61⤵
- Executes dropped EXE
PID:4856 -
\??\c:\1nnbhb.exec:\1nnbhb.exe62⤵
- Executes dropped EXE
PID:1892 -
\??\c:\488200.exec:\488200.exe63⤵
- Executes dropped EXE
PID:2608 -
\??\c:\26620.exec:\26620.exe64⤵
- Executes dropped EXE
PID:3532 -
\??\c:\42660.exec:\42660.exe65⤵
- Executes dropped EXE
PID:4336 -
\??\c:\440488.exec:\440488.exe66⤵PID:796
-
\??\c:\dpvpd.exec:\dpvpd.exe67⤵PID:3476
-
\??\c:\0804884.exec:\0804884.exe68⤵PID:2716
-
\??\c:\llfxllf.exec:\llfxllf.exe69⤵PID:4844
-
\??\c:\rlllflf.exec:\rlllflf.exe70⤵PID:4184
-
\??\c:\fllxrrl.exec:\fllxrrl.exe71⤵PID:220
-
\??\c:\7xxlfxr.exec:\7xxlfxr.exe72⤵PID:4212
-
\??\c:\846244.exec:\846244.exe73⤵PID:3380
-
\??\c:\7djdj.exec:\7djdj.exe74⤵PID:4976
-
\??\c:\k82244.exec:\k82244.exe75⤵PID:1016
-
\??\c:\420004.exec:\420004.exe76⤵PID:5040
-
\??\c:\20206.exec:\20206.exe77⤵PID:1380
-
\??\c:\vjpjv.exec:\vjpjv.exe78⤵PID:1200
-
\??\c:\5ttntt.exec:\5ttntt.exe79⤵PID:3688
-
\??\c:\4448260.exec:\4448260.exe80⤵PID:1236
-
\??\c:\80048.exec:\80048.exe81⤵PID:4952
-
\??\c:\7rfxrrr.exec:\7rfxrrr.exe82⤵PID:780
-
\??\c:\ddpjd.exec:\ddpjd.exe83⤵PID:4468
-
\??\c:\c060882.exec:\c060882.exe84⤵
- System Location Discovery: System Language Discovery
PID:3896 -
\??\c:\nntntt.exec:\nntntt.exe85⤵PID:4020
-
\??\c:\7rlfxrl.exec:\7rlfxrl.exe86⤵PID:5072
-
\??\c:\frrxrrl.exec:\frrxrrl.exe87⤵PID:4440
-
\??\c:\0882600.exec:\0882600.exe88⤵PID:3260
-
\??\c:\xflfxxr.exec:\xflfxxr.exe89⤵PID:4712
-
\??\c:\tbbtnh.exec:\tbbtnh.exe90⤵PID:1560
-
\??\c:\88044.exec:\88044.exe91⤵PID:944
-
\??\c:\840488.exec:\840488.exe92⤵PID:4716
-
\??\c:\7jpvp.exec:\7jpvp.exe93⤵PID:2176
-
\??\c:\nbhbtt.exec:\nbhbtt.exe94⤵PID:3548
-
\??\c:\ntbnhh.exec:\ntbnhh.exe95⤵PID:3316
-
\??\c:\0402266.exec:\0402266.exe96⤵PID:4640
-
\??\c:\nntnbb.exec:\nntnbb.exe97⤵PID:1596
-
\??\c:\nnnttn.exec:\nnnttn.exe98⤵PID:3588
-
\??\c:\84004.exec:\84004.exe99⤵PID:4400
-
\??\c:\8448822.exec:\8448822.exe100⤵PID:4916
-
\??\c:\q68260.exec:\q68260.exe101⤵PID:4480
-
\??\c:\djjdj.exec:\djjdj.exe102⤵
- System Location Discovery: System Language Discovery
PID:4416 -
\??\c:\20004.exec:\20004.exe103⤵PID:1316
-
\??\c:\68882.exec:\68882.exe104⤵PID:3168
-
\??\c:\k60002.exec:\k60002.exe105⤵PID:5000
-
\??\c:\u888262.exec:\u888262.exe106⤵PID:4960
-
\??\c:\jdpdd.exec:\jdpdd.exe107⤵PID:676
-
\??\c:\g4042.exec:\g4042.exe108⤵PID:3100
-
\??\c:\8248226.exec:\8248226.exe109⤵PID:4760
-
\??\c:\4266486.exec:\4266486.exe110⤵PID:2100
-
\??\c:\k84888.exec:\k84888.exe111⤵PID:1272
-
\??\c:\hbtnhb.exec:\hbtnhb.exe112⤵PID:4352
-
\??\c:\620826.exec:\620826.exe113⤵PID:768
-
\??\c:\840044.exec:\840044.exe114⤵PID:736
-
\??\c:\w28266.exec:\w28266.exe115⤵PID:4552
-
\??\c:\24008.exec:\24008.exe116⤵PID:4788
-
\??\c:\pvvdp.exec:\pvvdp.exe117⤵PID:5116
-
\??\c:\086426.exec:\086426.exe118⤵PID:4364
-
\??\c:\08826.exec:\08826.exe119⤵PID:1448
-
\??\c:\3pjdv.exec:\3pjdv.exe120⤵PID:4340
-
\??\c:\lrlxrlf.exec:\lrlxrlf.exe121⤵PID:4736
-
\??\c:\440482.exec:\440482.exe122⤵PID:1056