Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8d0f96ceddd83aa15ce76fe63c4905bb9fd2382089c3764539a136fe56a3d051.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
8d0f96ceddd83aa15ce76fe63c4905bb9fd2382089c3764539a136fe56a3d051.exe
-
Size
453KB
-
MD5
5371c3a06b6d83729c37424b9e530779
-
SHA1
20437b26ae33536fa4a6ed40a3fde9daedf11d4a
-
SHA256
8d0f96ceddd83aa15ce76fe63c4905bb9fd2382089c3764539a136fe56a3d051
-
SHA512
9ce002f23ee512d45eac1003c9fddffef9cf1471771985248d9bc88556099de427362e4e23bbe0d358624570d438384e85229f42bc82417dc86516a4a4b08972
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1876-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5104-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2568-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/564-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-980-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-1222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-1268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2212-1275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4604 2026268.exe 1316 2406442.exe 528 jjdpj.exe 2424 xflxlfx.exe 2132 6660886.exe 4160 5pvvp.exe 4964 08046.exe 3252 hbhhnh.exe 1844 lxfxlfr.exe 4540 lffrlll.exe 2392 tbtnbt.exe 1392 5tthtn.exe 3272 84082.exe 4364 fxrlfxx.exe 2708 m4048.exe 32 8400482.exe 4036 0882600.exe 3832 bnnhbb.exe 1752 0082604.exe 2868 62602.exe 3084 rrflrlr.exe 5068 60866.exe 1148 tnbbbb.exe 5104 4000448.exe 2880 20604.exe 4816 lxxrlll.exe 4136 c026004.exe 4804 thhhhh.exe 3592 pvdvv.exe 2320 c808602.exe 4680 lfxlrfr.exe 1424 u286660.exe 1040 1dvvp.exe 5080 28482.exe 1824 vvjjp.exe 1764 3xlrlxl.exe 3896 9dpjp.exe 4588 m4420.exe 4512 3bbnbt.exe 2912 0064826.exe 2024 4264226.exe 2692 q68080.exe 4976 xllfxxx.exe 2328 64226.exe 2660 ppvvp.exe 4596 bhhtht.exe 3120 fffxrrl.exe 5016 82260.exe 1340 428248.exe 3800 066688.exe 4988 fllfrlx.exe 5032 4442648.exe 4516 420426.exe 1828 460442.exe 412 hbbbnh.exe 756 4404204.exe 3192 hhhbth.exe 3040 020624.exe 2132 bnthtn.exe 2572 2642424.exe 1028 ppvjd.exe 1084 862004.exe 4692 62864.exe 1588 hbtnbt.exe -
resource yara_rule behavioral2/memory/1876-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4816-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-397-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4384-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/564-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-849-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-942-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-980-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0408468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4080062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2660448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0404440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 020468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1876 wrote to memory of 4604 1876 8d0f96ceddd83aa15ce76fe63c4905bb9fd2382089c3764539a136fe56a3d051.exe 83 PID 1876 wrote to memory of 4604 1876 8d0f96ceddd83aa15ce76fe63c4905bb9fd2382089c3764539a136fe56a3d051.exe 83 PID 1876 wrote to memory of 4604 1876 8d0f96ceddd83aa15ce76fe63c4905bb9fd2382089c3764539a136fe56a3d051.exe 83 PID 4604 wrote to memory of 1316 4604 2026268.exe 84 PID 4604 wrote to memory of 1316 4604 2026268.exe 84 PID 4604 wrote to memory of 1316 4604 2026268.exe 84 PID 1316 wrote to memory of 528 1316 2406442.exe 85 PID 1316 wrote to memory of 528 1316 2406442.exe 85 PID 1316 wrote to memory of 528 1316 2406442.exe 85 PID 528 wrote to memory of 2424 528 jjdpj.exe 86 PID 528 wrote to memory of 2424 528 jjdpj.exe 86 PID 528 wrote to memory of 2424 528 jjdpj.exe 86 PID 2424 wrote to memory of 2132 2424 xflxlfx.exe 87 PID 2424 wrote to memory of 2132 2424 xflxlfx.exe 87 PID 2424 wrote to memory of 2132 2424 xflxlfx.exe 87 PID 2132 wrote to memory of 4160 2132 6660886.exe 88 PID 2132 wrote to memory of 4160 2132 6660886.exe 88 PID 2132 wrote to memory of 4160 2132 6660886.exe 88 PID 4160 wrote to memory of 4964 4160 5pvvp.exe 89 PID 4160 wrote to memory of 4964 4160 5pvvp.exe 89 PID 4160 wrote to memory of 4964 4160 5pvvp.exe 89 PID 4964 wrote to memory of 3252 4964 08046.exe 90 PID 4964 wrote to memory of 3252 4964 08046.exe 90 PID 4964 wrote to memory of 3252 4964 08046.exe 90 PID 3252 wrote to memory of 1844 3252 hbhhnh.exe 91 PID 3252 wrote to memory of 1844 3252 hbhhnh.exe 91 PID 3252 wrote to memory of 1844 3252 hbhhnh.exe 91 PID 1844 wrote to memory of 4540 1844 lxfxlfr.exe 92 PID 1844 wrote to memory of 4540 1844 lxfxlfr.exe 92 PID 1844 wrote to memory of 4540 1844 lxfxlfr.exe 92 PID 4540 wrote to memory of 2392 4540 lffrlll.exe 93 PID 4540 wrote to memory of 2392 4540 lffrlll.exe 93 PID 4540 wrote to memory of 2392 4540 lffrlll.exe 93 PID 2392 wrote to memory of 1392 2392 tbtnbt.exe 94 PID 2392 wrote to 
memory of 1392 2392 tbtnbt.exe 94 PID 2392 wrote to memory of 1392 2392 tbtnbt.exe 94 PID 1392 wrote to memory of 3272 1392 5tthtn.exe 95 PID 1392 wrote to memory of 3272 1392 5tthtn.exe 95 PID 1392 wrote to memory of 3272 1392 5tthtn.exe 95 PID 3272 wrote to memory of 4364 3272 84082.exe 96 PID 3272 wrote to memory of 4364 3272 84082.exe 96 PID 3272 wrote to memory of 4364 3272 84082.exe 96 PID 4364 wrote to memory of 2708 4364 fxrlfxx.exe 97 PID 4364 wrote to memory of 2708 4364 fxrlfxx.exe 97 PID 4364 wrote to memory of 2708 4364 fxrlfxx.exe 97 PID 2708 wrote to memory of 32 2708 m4048.exe 98 PID 2708 wrote to memory of 32 2708 m4048.exe 98 PID 2708 wrote to memory of 32 2708 m4048.exe 98 PID 32 wrote to memory of 4036 32 8400482.exe 99 PID 32 wrote to memory of 4036 32 8400482.exe 99 PID 32 wrote to memory of 4036 32 8400482.exe 99 PID 4036 wrote to memory of 3832 4036 0882600.exe 100 PID 4036 wrote to memory of 3832 4036 0882600.exe 100 PID 4036 wrote to memory of 3832 4036 0882600.exe 100 PID 3832 wrote to memory of 1752 3832 bnnhbb.exe 101 PID 3832 wrote to memory of 1752 3832 bnnhbb.exe 101 PID 3832 wrote to memory of 1752 3832 bnnhbb.exe 101 PID 1752 wrote to memory of 2868 1752 0082604.exe 102 PID 1752 wrote to memory of 2868 1752 0082604.exe 102 PID 1752 wrote to memory of 2868 1752 0082604.exe 102 PID 2868 wrote to memory of 3084 2868 62602.exe 103 PID 2868 wrote to memory of 3084 2868 62602.exe 103 PID 2868 wrote to memory of 3084 2868 62602.exe 103 PID 3084 wrote to memory of 5068 3084 rrflrlr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d0f96ceddd83aa15ce76fe63c4905bb9fd2382089c3764539a136fe56a3d051.exe"C:\Users\Admin\AppData\Local\Temp\8d0f96ceddd83aa15ce76fe63c4905bb9fd2382089c3764539a136fe56a3d051.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\2026268.exec:\2026268.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\2406442.exec:\2406442.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\jjdpj.exec:\jjdpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\xflxlfx.exec:\xflxlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\6660886.exec:\6660886.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\5pvvp.exec:\5pvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\08046.exec:\08046.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\hbhhnh.exec:\hbhhnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\lxfxlfr.exec:\lxfxlfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\lffrlll.exec:\lffrlll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\tbtnbt.exec:\tbtnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\5tthtn.exec:\5tthtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\84082.exec:\84082.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\fxrlfxx.exec:\fxrlfxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\m4048.exec:\m4048.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\8400482.exec:\8400482.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\0882600.exec:\0882600.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\bnnhbb.exec:\bnnhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\0082604.exec:\0082604.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\62602.exec:\62602.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\rrflrlr.exec:\rrflrlr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\60866.exec:\60866.exe23⤵
- Executes dropped EXE
PID:5068 -
\??\c:\tnbbbb.exec:\tnbbbb.exe24⤵
- Executes dropped EXE
PID:1148 -
\??\c:\4000448.exec:\4000448.exe25⤵
- Executes dropped EXE
PID:5104 -
\??\c:\20604.exec:\20604.exe26⤵
- Executes dropped EXE
PID:2880 -
\??\c:\lxxrlll.exec:\lxxrlll.exe27⤵
- Executes dropped EXE
PID:4816 -
\??\c:\c026004.exec:\c026004.exe28⤵
- Executes dropped EXE
PID:4136 -
\??\c:\thhhhh.exec:\thhhhh.exe29⤵
- Executes dropped EXE
PID:4804 -
\??\c:\pvdvv.exec:\pvdvv.exe30⤵
- Executes dropped EXE
PID:3592 -
\??\c:\c808602.exec:\c808602.exe31⤵
- Executes dropped EXE
PID:2320 -
\??\c:\lfxlrfr.exec:\lfxlrfr.exe32⤵
- Executes dropped EXE
PID:4680 -
\??\c:\u286660.exec:\u286660.exe33⤵
- Executes dropped EXE
PID:1424 -
\??\c:\1dvvp.exec:\1dvvp.exe34⤵
- Executes dropped EXE
PID:1040 -
\??\c:\28482.exec:\28482.exe35⤵
- Executes dropped EXE
PID:5080 -
\??\c:\vvjjp.exec:\vvjjp.exe36⤵
- Executes dropped EXE
PID:1824 -
\??\c:\3xlrlxl.exec:\3xlrlxl.exe37⤵
- Executes dropped EXE
PID:1764 -
\??\c:\9dpjp.exec:\9dpjp.exe38⤵
- Executes dropped EXE
PID:3896 -
\??\c:\m4420.exec:\m4420.exe39⤵
- Executes dropped EXE
PID:4588 -
\??\c:\3bbnbt.exec:\3bbnbt.exe40⤵
- Executes dropped EXE
PID:4512 -
\??\c:\0064826.exec:\0064826.exe41⤵
- Executes dropped EXE
PID:2912 -
\??\c:\4264226.exec:\4264226.exe42⤵
- Executes dropped EXE
PID:2024 -
\??\c:\q68080.exec:\q68080.exe43⤵
- Executes dropped EXE
PID:2692 -
\??\c:\xllfxxx.exec:\xllfxxx.exe44⤵
- Executes dropped EXE
PID:4976 -
\??\c:\64226.exec:\64226.exe45⤵
- Executes dropped EXE
PID:2328 -
\??\c:\ppvvp.exec:\ppvvp.exe46⤵
- Executes dropped EXE
PID:2660 -
\??\c:\bhhtht.exec:\bhhtht.exe47⤵
- Executes dropped EXE
PID:4596 -
\??\c:\fffxrrl.exec:\fffxrrl.exe48⤵
- Executes dropped EXE
PID:3120 -
\??\c:\82260.exec:\82260.exe49⤵
- Executes dropped EXE
PID:5016 -
\??\c:\428248.exec:\428248.exe50⤵
- Executes dropped EXE
PID:1340 -
\??\c:\066688.exec:\066688.exe51⤵
- Executes dropped EXE
PID:3800 -
\??\c:\fllfrlx.exec:\fllfrlx.exe52⤵
- Executes dropped EXE
PID:4988 -
\??\c:\4442648.exec:\4442648.exe53⤵
- Executes dropped EXE
PID:5032 -
\??\c:\420426.exec:\420426.exe54⤵
- Executes dropped EXE
PID:4516 -
\??\c:\460442.exec:\460442.exe55⤵
- Executes dropped EXE
PID:1828 -
\??\c:\hbbbnh.exec:\hbbbnh.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:412 -
\??\c:\4404204.exec:\4404204.exe57⤵
- Executes dropped EXE
PID:756 -
\??\c:\hhhbth.exec:\hhhbth.exe58⤵
- Executes dropped EXE
PID:3192 -
\??\c:\020624.exec:\020624.exe59⤵
- Executes dropped EXE
PID:3040 -
\??\c:\bnthtn.exec:\bnthtn.exe60⤵
- Executes dropped EXE
PID:2132 -
\??\c:\2642424.exec:\2642424.exe61⤵
- Executes dropped EXE
PID:2572 -
\??\c:\ppvjd.exec:\ppvjd.exe62⤵
- Executes dropped EXE
PID:1028 -
\??\c:\862004.exec:\862004.exe63⤵
- Executes dropped EXE
PID:1084 -
\??\c:\62864.exec:\62864.exe64⤵
- Executes dropped EXE
PID:4692 -
\??\c:\hbtnbt.exec:\hbtnbt.exe65⤵
- Executes dropped EXE
PID:1588 -
\??\c:\9llxlff.exec:\9llxlff.exe66⤵PID:4292
-
\??\c:\0408468.exec:\0408468.exe67⤵
- System Location Discovery: System Language Discovery
PID:1020 -
\??\c:\s6086.exec:\s6086.exe68⤵PID:1392
-
\??\c:\u028488.exec:\u028488.exe69⤵PID:2392
-
\??\c:\5xfxxlx.exec:\5xfxxlx.exe70⤵PID:3276
-
\??\c:\jdpjp.exec:\jdpjp.exe71⤵PID:2600
-
\??\c:\pvdpd.exec:\pvdpd.exe72⤵
- System Location Discovery: System Language Discovery
PID:3608 -
\??\c:\862644.exec:\862644.exe73⤵PID:2748
-
\??\c:\xrxlxfx.exec:\xrxlxfx.exe74⤵PID:1960
-
\??\c:\q46066.exec:\q46066.exe75⤵PID:2568
-
\??\c:\5vvpj.exec:\5vvpj.exe76⤵PID:4652
-
\??\c:\4006882.exec:\4006882.exe77⤵PID:3724
-
\??\c:\202064.exec:\202064.exe78⤵PID:4616
-
\??\c:\xllxrlx.exec:\xllxrlx.exe79⤵PID:1552
-
\??\c:\bhntnh.exec:\bhntnh.exe80⤵PID:4404
-
\??\c:\nbhbbb.exec:\nbhbbb.exe81⤵PID:1712
-
\??\c:\8882048.exec:\8882048.exe82⤵PID:1884
-
\??\c:\7hthtt.exec:\7hthtt.exe83⤵
- System Location Discovery: System Language Discovery
PID:4856 -
\??\c:\406082.exec:\406082.exe84⤵PID:2804
-
\??\c:\6482042.exec:\6482042.exe85⤵PID:1128
-
\??\c:\2848642.exec:\2848642.exe86⤵PID:468
-
\??\c:\o886482.exec:\o886482.exe87⤵PID:5104
-
\??\c:\dvvpp.exec:\dvvpp.exe88⤵PID:2880
-
\??\c:\pddpd.exec:\pddpd.exe89⤵PID:1608
-
\??\c:\622422.exec:\622422.exe90⤵PID:4816
-
\??\c:\thhbnt.exec:\thhbnt.exe91⤵PID:4060
-
\??\c:\600808.exec:\600808.exe92⤵PID:3576
-
\??\c:\lxllffx.exec:\lxllffx.exe93⤵PID:900
-
\??\c:\8422082.exec:\8422082.exe94⤵PID:5100
-
\??\c:\60446.exec:\60446.exe95⤵PID:3224
-
\??\c:\vpvvp.exec:\vpvvp.exe96⤵PID:4384
-
\??\c:\5rrlffx.exec:\5rrlffx.exe97⤵PID:2988
-
\??\c:\442600.exec:\442600.exe98⤵PID:4880
-
\??\c:\rlxrxff.exec:\rlxrxff.exe99⤵PID:2736
-
\??\c:\bbnhtb.exec:\bbnhtb.exe100⤵PID:2348
-
\??\c:\jdjjd.exec:\jdjjd.exe101⤵PID:2992
-
\??\c:\s6886.exec:\s6886.exe102⤵PID:3428
-
\??\c:\m2006.exec:\m2006.exe103⤵PID:4592
-
\??\c:\284444.exec:\284444.exe104⤵PID:4248
-
\??\c:\848600.exec:\848600.exe105⤵PID:1760
-
\??\c:\88040.exec:\88040.exe106⤵PID:2280
-
\??\c:\rllfffr.exec:\rllfffr.exe107⤵PID:1548
-
\??\c:\hnttnt.exec:\hnttnt.exe108⤵PID:1352
-
\??\c:\nhhnnn.exec:\nhhnnn.exe109⤵PID:4660
-
\??\c:\48662.exec:\48662.exe110⤵PID:1132
-
\??\c:\3djdj.exec:\3djdj.exe111⤵PID:4932
-
\??\c:\bhtttt.exec:\bhtttt.exe112⤵PID:2004
-
\??\c:\jvvjv.exec:\jvvjv.exe113⤵PID:4944
-
\??\c:\pdpjd.exec:\pdpjd.exe114⤵PID:2148
-
\??\c:\000486.exec:\000486.exe115⤵PID:4340
-
\??\c:\ddvpd.exec:\ddvpd.exe116⤵PID:4356
-
\??\c:\846848.exec:\846848.exe117⤵PID:1876
-
\??\c:\044822.exec:\044822.exe118⤵PID:1508
-
\??\c:\ttttht.exec:\ttttht.exe119⤵PID:2956
-
\??\c:\pdddv.exec:\pdddv.exe120⤵PID:3920
-
\??\c:\i848226.exec:\i848226.exe121⤵PID:760
-
\??\c:\262622.exec:\262622.exe122⤵PID:3432