Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
25-12-2024 18:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
84200848d084711eaec802779f6b34e23ebe33e5af548d91c8cbd011ca4e2ad8N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
84200848d084711eaec802779f6b34e23ebe33e5af548d91c8cbd011ca4e2ad8N.exe
-
Size
456KB
-
MD5
c8a114ce78d29dae7100cc6d9215daf0
-
SHA1
9a46d3d6953bf26ef8a3f7557370a51b2dcde14b
-
SHA256
84200848d084711eaec802779f6b34e23ebe33e5af548d91c8cbd011ca4e2ad8
-
SHA512
611b4e45810f85c8ecd258ccd102fefb60198e3f2bd57af76ebb74721f81bbafe3d95974a6fc85f68a4e6cce58b1a7ba3016d11cae8ee7a7a5f0ec3f847a4fe4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRc:q7Tc2NYHUrAwfMp3CDRc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3940-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2200-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/424-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4980-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-898-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-1023-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-1070-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4600 862266.exe 2192 jdjvv.exe 4836 fxlfxxr.exe 1872 jjvpj.exe 3492 0448666.exe 2228 4646200.exe 4000 822040.exe 4696 vpjdv.exe 2580 g6882.exe 3628 482622.exe 964 262222.exe 552 pjvvp.exe 3232 806080.exe 2868 vvvdv.exe 3432 2600488.exe 2928 04086.exe 632 i442662.exe 1744 c626048.exe 3060 vjjdv.exe 1052 hnttnh.exe 3924 pddvp.exe 2656 rllffxx.exe 3208 lrfrllf.exe 3584 5vdvv.exe 444 0026048.exe 2200 6048260.exe 2900 lrxllff.exe 4988 rxfxrlf.exe 344 68024.exe 1696 k24288.exe 792 840040.exe 836 2664600.exe 4276 866204.exe 4692 42288.exe 2488 xllxrrl.exe 5084 e46488.exe 4488 dvppp.exe 4100 42208.exe 2920 w44860.exe 696 jvpjp.exe 4556 a2226.exe 3960 nbhbtt.exe 3192 e62644.exe 1832 7pjjd.exe 424 2848260.exe 4368 xrxrxxr.exe 4820 tnttnh.exe 4968 rfxlfxr.exe 4364 vjvjv.exe 2472 hnbtnh.exe 2728 800040.exe 4808 9lflfff.exe 5040 3ppjj.exe 2888 nbbhhn.exe 5008 xxffffx.exe 3996 vddjd.exe 4504 frrfrxr.exe 3096 3rrlffx.exe 3164 dppjv.exe 4000 pjpdv.exe 3140 42266.exe 3292 pjdpd.exe 2860 k86048.exe 428 w04206.exe -
resource yara_rule behavioral2/memory/3940-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4988-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/424-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3924-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-786-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 800040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c004226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2880428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 662048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68024.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o442086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3940 wrote to memory of 4600 3940 84200848d084711eaec802779f6b34e23ebe33e5af548d91c8cbd011ca4e2ad8N.exe 83 PID 3940 wrote to memory of 4600 3940 84200848d084711eaec802779f6b34e23ebe33e5af548d91c8cbd011ca4e2ad8N.exe 83 PID 3940 wrote to memory of 4600 3940 84200848d084711eaec802779f6b34e23ebe33e5af548d91c8cbd011ca4e2ad8N.exe 83 PID 4600 wrote to memory of 2192 4600 862266.exe 84 PID 4600 wrote to memory of 2192 4600 862266.exe 84 PID 4600 wrote to memory of 2192 4600 862266.exe 84 PID 2192 wrote to memory of 4836 2192 jdjvv.exe 85 PID 2192 wrote to memory of 4836 2192 jdjvv.exe 85 PID 2192 wrote to memory of 4836 2192 jdjvv.exe 85 PID 4836 wrote to memory of 1872 4836 fxlfxxr.exe 86 PID 4836 wrote to memory of 1872 4836 fxlfxxr.exe 86 PID 4836 wrote to memory of 1872 4836 fxlfxxr.exe 86 PID 1872 wrote to memory of 3492 1872 jjvpj.exe 87 PID 1872 wrote to memory of 3492 1872 jjvpj.exe 87 PID 1872 wrote to memory of 3492 1872 jjvpj.exe 87 PID 3492 wrote to memory of 2228 3492 0448666.exe 88 PID 3492 wrote to memory of 2228 3492 0448666.exe 88 PID 3492 wrote to memory of 2228 3492 0448666.exe 88 PID 2228 wrote to memory of 4000 2228 4646200.exe 89 PID 2228 wrote to memory of 4000 2228 4646200.exe 89 PID 2228 wrote to memory of 4000 2228 4646200.exe 89 PID 4000 wrote to memory of 4696 4000 822040.exe 90 PID 4000 wrote to memory of 4696 4000 822040.exe 90 PID 4000 wrote to memory of 4696 4000 822040.exe 90 PID 4696 wrote to memory of 2580 4696 vpjdv.exe 91 PID 4696 wrote to memory of 2580 4696 vpjdv.exe 91 PID 4696 wrote to memory of 2580 4696 vpjdv.exe 91 PID 2580 wrote to memory of 3628 2580 g6882.exe 92 PID 2580 wrote to memory of 3628 2580 g6882.exe 92 PID 2580 wrote to memory of 3628 2580 g6882.exe 92 PID 3628 wrote to memory of 964 3628 482622.exe 93 PID 3628 wrote to memory of 964 3628 482622.exe 93 PID 3628 wrote to memory of 964 3628 482622.exe 93 PID 964 wrote to memory of 552 964 262222.exe 94 PID 964 wrote to memory 
of 552 964 262222.exe 94 PID 964 wrote to memory of 552 964 262222.exe 94 PID 552 wrote to memory of 3232 552 pjvvp.exe 95 PID 552 wrote to memory of 3232 552 pjvvp.exe 95 PID 552 wrote to memory of 3232 552 pjvvp.exe 95 PID 3232 wrote to memory of 2868 3232 806080.exe 96 PID 3232 wrote to memory of 2868 3232 806080.exe 96 PID 3232 wrote to memory of 2868 3232 806080.exe 96 PID 2868 wrote to memory of 3432 2868 vvvdv.exe 97 PID 2868 wrote to memory of 3432 2868 vvvdv.exe 97 PID 2868 wrote to memory of 3432 2868 vvvdv.exe 97 PID 3432 wrote to memory of 2928 3432 2600488.exe 98 PID 3432 wrote to memory of 2928 3432 2600488.exe 98 PID 3432 wrote to memory of 2928 3432 2600488.exe 98 PID 2928 wrote to memory of 632 2928 04086.exe 99 PID 2928 wrote to memory of 632 2928 04086.exe 99 PID 2928 wrote to memory of 632 2928 04086.exe 99 PID 632 wrote to memory of 1744 632 i442662.exe 100 PID 632 wrote to memory of 1744 632 i442662.exe 100 PID 632 wrote to memory of 1744 632 i442662.exe 100 PID 1744 wrote to memory of 3060 1744 c626048.exe 101 PID 1744 wrote to memory of 3060 1744 c626048.exe 101 PID 1744 wrote to memory of 3060 1744 c626048.exe 101 PID 3060 wrote to memory of 1052 3060 vjjdv.exe 102 PID 3060 wrote to memory of 1052 3060 vjjdv.exe 102 PID 3060 wrote to memory of 1052 3060 vjjdv.exe 102 PID 1052 wrote to memory of 3924 1052 hnttnh.exe 103 PID 1052 wrote to memory of 3924 1052 hnttnh.exe 103 PID 1052 wrote to memory of 3924 1052 hnttnh.exe 103 PID 3924 wrote to memory of 2656 3924 pddvp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\84200848d084711eaec802779f6b34e23ebe33e5af548d91c8cbd011ca4e2ad8N.exe"C:\Users\Admin\AppData\Local\Temp\84200848d084711eaec802779f6b34e23ebe33e5af548d91c8cbd011ca4e2ad8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\862266.exec:\862266.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\jdjvv.exec:\jdjvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\fxlfxxr.exec:\fxlfxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\jjvpj.exec:\jjvpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\0448666.exec:\0448666.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\4646200.exec:\4646200.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\822040.exec:\822040.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\vpjdv.exec:\vpjdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\g6882.exec:\g6882.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\482622.exec:\482622.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\262222.exec:\262222.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\pjvvp.exec:\pjvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\806080.exec:\806080.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\vvvdv.exec:\vvvdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\2600488.exec:\2600488.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\04086.exec:\04086.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\i442662.exec:\i442662.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\c626048.exec:\c626048.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\vjjdv.exec:\vjjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\hnttnh.exec:\hnttnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\pddvp.exec:\pddvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\rllffxx.exec:\rllffxx.exe23⤵
- Executes dropped EXE
PID:2656 -
\??\c:\lrfrllf.exec:\lrfrllf.exe24⤵
- Executes dropped EXE
PID:3208 -
\??\c:\5vdvv.exec:\5vdvv.exe25⤵
- Executes dropped EXE
PID:3584 -
\??\c:\0026048.exec:\0026048.exe26⤵
- Executes dropped EXE
PID:444 -
\??\c:\6048260.exec:\6048260.exe27⤵
- Executes dropped EXE
PID:2200 -
\??\c:\lrxllff.exec:\lrxllff.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2900 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe29⤵
- Executes dropped EXE
PID:4988 -
\??\c:\68024.exec:\68024.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:344 -
\??\c:\k24288.exec:\k24288.exe31⤵
- Executes dropped EXE
PID:1696 -
\??\c:\840040.exec:\840040.exe32⤵
- Executes dropped EXE
PID:792 -
\??\c:\2664600.exec:\2664600.exe33⤵
- Executes dropped EXE
PID:836 -
\??\c:\866204.exec:\866204.exe34⤵
- Executes dropped EXE
PID:4276 -
\??\c:\42288.exec:\42288.exe35⤵
- Executes dropped EXE
PID:4692 -
\??\c:\xllxrrl.exec:\xllxrrl.exe36⤵
- Executes dropped EXE
PID:2488 -
\??\c:\e46488.exec:\e46488.exe37⤵
- Executes dropped EXE
PID:5084 -
\??\c:\dvppp.exec:\dvppp.exe38⤵
- Executes dropped EXE
PID:4488 -
\??\c:\42208.exec:\42208.exe39⤵
- Executes dropped EXE
PID:4100 -
\??\c:\w44860.exec:\w44860.exe40⤵
- Executes dropped EXE
PID:2920 -
\??\c:\jvpjp.exec:\jvpjp.exe41⤵
- Executes dropped EXE
PID:696 -
\??\c:\a2226.exec:\a2226.exe42⤵
- Executes dropped EXE
PID:4556 -
\??\c:\nbhbtt.exec:\nbhbtt.exe43⤵
- Executes dropped EXE
PID:3960 -
\??\c:\e62644.exec:\e62644.exe44⤵
- Executes dropped EXE
PID:3192 -
\??\c:\7pjjd.exec:\7pjjd.exe45⤵
- Executes dropped EXE
PID:1832 -
\??\c:\2848260.exec:\2848260.exe46⤵
- Executes dropped EXE
PID:424 -
\??\c:\xrxrxxr.exec:\xrxrxxr.exe47⤵
- Executes dropped EXE
PID:4368 -
\??\c:\tnttnh.exec:\tnttnh.exe48⤵
- Executes dropped EXE
PID:4820 -
\??\c:\rfxlfxr.exec:\rfxlfxr.exe49⤵
- Executes dropped EXE
PID:4968 -
\??\c:\vjvjv.exec:\vjvjv.exe50⤵
- Executes dropped EXE
PID:4364 -
\??\c:\hnbtnh.exec:\hnbtnh.exe51⤵
- Executes dropped EXE
PID:2472 -
\??\c:\800040.exec:\800040.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2728 -
\??\c:\9lflfff.exec:\9lflfff.exe53⤵
- Executes dropped EXE
PID:4808 -
\??\c:\3ppjj.exec:\3ppjj.exe54⤵
- Executes dropped EXE
PID:5040 -
\??\c:\nbbhhn.exec:\nbbhhn.exe55⤵
- Executes dropped EXE
PID:2888 -
\??\c:\xxffffx.exec:\xxffffx.exe56⤵
- Executes dropped EXE
PID:5008 -
\??\c:\vddjd.exec:\vddjd.exe57⤵
- Executes dropped EXE
PID:3996 -
\??\c:\frrfrxr.exec:\frrfrxr.exe58⤵
- Executes dropped EXE
PID:4504 -
\??\c:\3rrlffx.exec:\3rrlffx.exe59⤵
- Executes dropped EXE
PID:3096 -
\??\c:\dppjv.exec:\dppjv.exe60⤵
- Executes dropped EXE
PID:3164 -
\??\c:\pjpdv.exec:\pjpdv.exe61⤵
- Executes dropped EXE
PID:4000 -
\??\c:\42266.exec:\42266.exe62⤵
- Executes dropped EXE
PID:3140 -
\??\c:\pjdpd.exec:\pjdpd.exe63⤵
- Executes dropped EXE
PID:3292 -
\??\c:\k86048.exec:\k86048.exe64⤵
- Executes dropped EXE
PID:2860 -
\??\c:\w04206.exec:\w04206.exe65⤵
- Executes dropped EXE
PID:428 -
\??\c:\8620004.exec:\8620004.exe66⤵PID:4980
-
\??\c:\9jdvj.exec:\9jdvj.exe67⤵PID:4892
-
\??\c:\frrffxx.exec:\frrffxx.exe68⤵PID:3504
-
\??\c:\xlfrfxf.exec:\xlfrfxf.exe69⤵PID:3636
-
\??\c:\6464000.exec:\6464000.exe70⤵PID:4204
-
\??\c:\fxfrxrf.exec:\fxfrxrf.exe71⤵PID:3180
-
\??\c:\006082.exec:\006082.exe72⤵PID:5104
-
\??\c:\s0026.exec:\s0026.exe73⤵PID:4280
-
\??\c:\pdjdv.exec:\pdjdv.exe74⤵PID:2024
-
\??\c:\284860.exec:\284860.exe75⤵PID:632
-
\??\c:\u446486.exec:\u446486.exe76⤵PID:1744
-
\??\c:\200204.exec:\200204.exe77⤵PID:4144
-
\??\c:\u008640.exec:\u008640.exe78⤵PID:3760
-
\??\c:\20086.exec:\20086.exe79⤵PID:1792
-
\??\c:\60486.exec:\60486.exe80⤵PID:3924
-
\??\c:\884860.exec:\884860.exe81⤵PID:2620
-
\??\c:\hbthnh.exec:\hbthnh.exe82⤵PID:2648
-
\??\c:\vjjvp.exec:\vjjvp.exe83⤵PID:3208
-
\??\c:\64820.exec:\64820.exe84⤵PID:1268
-
\??\c:\424828.exec:\424828.exe85⤵PID:5100
-
\??\c:\8442824.exec:\8442824.exe86⤵PID:4588
-
\??\c:\7bhhnt.exec:\7bhhnt.exe87⤵PID:844
-
\??\c:\q82644.exec:\q82644.exe88⤵PID:1976
-
\??\c:\q06044.exec:\q06044.exe89⤵PID:4856
-
\??\c:\jjjvd.exec:\jjjvd.exe90⤵PID:1520
-
\??\c:\hbbtbb.exec:\hbbtbb.exe91⤵PID:948
-
\??\c:\ffrxlfx.exec:\ffrxlfx.exe92⤵PID:700
-
\??\c:\jvpdp.exec:\jvpdp.exe93⤵PID:3632
-
\??\c:\8848608.exec:\8848608.exe94⤵PID:1568
-
\??\c:\602086.exec:\602086.exe95⤵PID:5064
-
\??\c:\822466.exec:\822466.exe96⤵PID:3520
-
\??\c:\406004.exec:\406004.exe97⤵PID:1232
-
\??\c:\7nhbtt.exec:\7nhbtt.exe98⤵PID:1180
-
\??\c:\9lfrxrf.exec:\9lfrxrf.exe99⤵PID:2676
-
\??\c:\dvpdv.exec:\dvpdv.exe100⤵PID:4488
-
\??\c:\tttnbt.exec:\tttnbt.exe101⤵PID:4592
-
\??\c:\rrfxrrr.exec:\rrfxrrr.exe102⤵PID:2784
-
\??\c:\280486.exec:\280486.exe103⤵PID:1436
-
\??\c:\5rfrxrf.exec:\5rfrxrf.exe104⤵PID:4564
-
\??\c:\00086.exec:\00086.exe105⤵PID:3508
-
\??\c:\jjpdp.exec:\jjpdp.exe106⤵PID:5000
-
\??\c:\s4482.exec:\s4482.exe107⤵PID:5072
-
\??\c:\rxxfxlf.exec:\rxxfxlf.exe108⤵PID:4380
-
\??\c:\bttnhh.exec:\bttnhh.exe109⤵PID:4560
-
\??\c:\g6242.exec:\g6242.exe110⤵PID:4180
-
\??\c:\3vpjv.exec:\3vpjv.exe111⤵PID:4820
-
\??\c:\6064826.exec:\6064826.exe112⤵PID:1636
-
\??\c:\c260864.exec:\c260864.exe113⤵PID:4364
-
\??\c:\3fxlrlr.exec:\3fxlrlr.exe114⤵PID:4508
-
\??\c:\hbtthb.exec:\hbtthb.exe115⤵PID:4648
-
\??\c:\rlxfflr.exec:\rlxfflr.exe116⤵PID:2060
-
\??\c:\4064886.exec:\4064886.exe117⤵PID:368
-
\??\c:\1ththb.exec:\1ththb.exe118⤵PID:1028
-
\??\c:\262460.exec:\262460.exe119⤵PID:4744
-
\??\c:\c268042.exec:\c268042.exe120⤵PID:2888
-
\??\c:\hhhthb.exec:\hhhthb.exe121⤵PID:5112
-
\??\c:\vjvvd.exec:\vjvvd.exe122⤵PID:3468