Analysis
-
max time kernel
79s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-12-2024 20:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dbe561b54572231af5d4ca23ae2d2e3be4725a9afd4186805294fe8eaa7c3ce7.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
dbe561b54572231af5d4ca23ae2d2e3be4725a9afd4186805294fe8eaa7c3ce7.exe
-
Size
454KB
-
MD5
ac1031712657a0225e4cb99309b544e8
-
SHA1
e5a6beff96707e423ae76434bbc348663a91ad1c
-
SHA256
dbe561b54572231af5d4ca23ae2d2e3be4725a9afd4186805294fe8eaa7c3ce7
-
SHA512
26b05f3db7a48e93d8020985704434a80f8a257176631ca1989573c8c882828c2a19213698fc23b7c6c269030418938253c1eb997dc3da8561304a07ad0950b8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 63 IoCs. Every hit is the YARA rule `family_blackmoon` matching a memory dump of the range 0x00400000–0x0042A000 in one of the spawned processes (0x00400000 is the default x86 PE image base, so these are most likely the loaded module itself — confirm against the PE headers). The same regions also match the `upx` rule listed further down, so the family detection is made on the in-memory image rather than on the packed file on disk.
resource yara_rule behavioral2/memory/4932-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2076-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4076-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-807-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-1016-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-1068-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-1539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs. Each dropped binary is written to the root of C:\ (e.g. c:\240884.exe, see Processes) and is started by the binary dropped before it, forming one linear parent→child chain. Note that PIDs are reused within this run (3828 appears as both 240884.exe and jvvpj.exe, 4764 as both vddvj.exe and 20082.exe), so pivot on process name and timestamp rather than PID alone.
pid Process 3828 240884.exe 1856 2220808.exe 3204 jvdvj.exe 1212 btnbtn.exe 4764 vddvj.exe 2580 5hntnt.exe 2156 482244.exe 1340 46200.exe 2300 86680.exe 4748 pvvjv.exe 1876 jjvpj.exe 680 rlflllr.exe 3304 c004260.exe 1408 2408604.exe 3644 hthbbt.exe 4596 vpppj.exe 1492 s8486.exe 2052 1hbnhh.exe 4828 2848660.exe 852 bbbhbb.exe 1784 xlrllll.exe 3560 6026080.exe 1712 8022660.exe 4684 nhntnt.exe 1360 lxxlfxr.exe 3784 bnbbbh.exe 4004 406608.exe 936 flxlffx.exe 2648 hnthbb.exe 1092 bhnbtb.exe 4284 w60448.exe 688 606000.exe 3436 dddvp.exe 3060 ddjvp.exe 1864 00604.exe 4744 3djdv.exe 2800 3nnhbt.exe 960 4262266.exe 2020 9tnnbh.exe 972 jpvjd.exe 908 2044404.exe 3904 c626664.exe 3108 lrfxrlf.exe 4924 dvvpj.exe 3404 882644.exe 4188 xrfrlfx.exe 2788 68444.exe 2988 28680.exe 4840 djdvj.exe 4228 nbhbbt.exe 1180 djpjd.exe 4232 flrllff.exe 4380 04060.exe 720 206488.exe 220 204800.exe 3828 jvvpj.exe 2436 6600448.exe 2084 xrflxlx.exe 3876 pjjjj.exe 2076 9ffxlll.exe 2888 7hbtnn.exe 2472 s2260.exe 4764 20082.exe 844 4222660.exe -
resource yara_rule behavioral2/memory/4932-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-275-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/720-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-379-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2260-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-1016-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-1068-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) — 1 TTP, 64 IoCs
Attempts to gather information about the victim system's language in order to infer the geographical location of the host; here every hit is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Entries whose process column reads "Process not Found" could not be attributed to a named process by the sandbox (most likely because the short-lived process had already exited); treat them as unattributed, not as absent.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6266622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6026602.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w62626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q48604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 628604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k04822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640000.exe -
Suspicious use of WriteProcessMemory — 64 IoCs. In every entry the target PID is the child that the writing process itself spawned (the pid → procid_target pairs match the parent/child chain under Processes), which is consistent with writes made during process creation rather than injection into an unrelated process; confirm against the full API log before treating this as process hollowing or remote injection.
description pid Process procid_target PID 4932 wrote to memory of 3828 4932 dbe561b54572231af5d4ca23ae2d2e3be4725a9afd4186805294fe8eaa7c3ce7.exe 83 PID 4932 wrote to memory of 3828 4932 dbe561b54572231af5d4ca23ae2d2e3be4725a9afd4186805294fe8eaa7c3ce7.exe 83 PID 4932 wrote to memory of 3828 4932 dbe561b54572231af5d4ca23ae2d2e3be4725a9afd4186805294fe8eaa7c3ce7.exe 83 PID 3828 wrote to memory of 1856 3828 240884.exe 84 PID 3828 wrote to memory of 1856 3828 240884.exe 84 PID 3828 wrote to memory of 1856 3828 240884.exe 84 PID 1856 wrote to memory of 3204 1856 2220808.exe 85 PID 1856 wrote to memory of 3204 1856 2220808.exe 85 PID 1856 wrote to memory of 3204 1856 2220808.exe 85 PID 3204 wrote to memory of 1212 3204 jvdvj.exe 86 PID 3204 wrote to memory of 1212 3204 jvdvj.exe 86 PID 3204 wrote to memory of 1212 3204 jvdvj.exe 86 PID 1212 wrote to memory of 4764 1212 btnbtn.exe 87 PID 1212 wrote to memory of 4764 1212 btnbtn.exe 87 PID 1212 wrote to memory of 4764 1212 btnbtn.exe 87 PID 4764 wrote to memory of 2580 4764 vddvj.exe 88 PID 4764 wrote to memory of 2580 4764 vddvj.exe 88 PID 4764 wrote to memory of 2580 4764 vddvj.exe 88 PID 2580 wrote to memory of 2156 2580 5hntnt.exe 89 PID 2580 wrote to memory of 2156 2580 5hntnt.exe 89 PID 2580 wrote to memory of 2156 2580 5hntnt.exe 89 PID 2156 wrote to memory of 1340 2156 482244.exe 90 PID 2156 wrote to memory of 1340 2156 482244.exe 90 PID 2156 wrote to memory of 1340 2156 482244.exe 90 PID 1340 wrote to memory of 2300 1340 46200.exe 91 PID 1340 wrote to memory of 2300 1340 46200.exe 91 PID 1340 wrote to memory of 2300 1340 46200.exe 91 PID 2300 wrote to memory of 4748 2300 86680.exe 92 PID 2300 wrote to memory of 4748 2300 86680.exe 92 PID 2300 wrote to memory of 4748 2300 86680.exe 92 PID 4748 wrote to memory of 1876 4748 pvvjv.exe 93 PID 4748 wrote to memory of 1876 4748 pvvjv.exe 93 PID 4748 wrote to memory of 1876 4748 pvvjv.exe 93 PID 1876 wrote to memory of 680 1876 jjvpj.exe 94 PID 1876 wrote to memory of 680 
1876 jjvpj.exe 94 PID 1876 wrote to memory of 680 1876 jjvpj.exe 94 PID 680 wrote to memory of 3304 680 rlflllr.exe 95 PID 680 wrote to memory of 3304 680 rlflllr.exe 95 PID 680 wrote to memory of 3304 680 rlflllr.exe 95 PID 3304 wrote to memory of 1408 3304 c004260.exe 96 PID 3304 wrote to memory of 1408 3304 c004260.exe 96 PID 3304 wrote to memory of 1408 3304 c004260.exe 96 PID 1408 wrote to memory of 3644 1408 2408604.exe 97 PID 1408 wrote to memory of 3644 1408 2408604.exe 97 PID 1408 wrote to memory of 3644 1408 2408604.exe 97 PID 3644 wrote to memory of 4596 3644 hthbbt.exe 98 PID 3644 wrote to memory of 4596 3644 hthbbt.exe 98 PID 3644 wrote to memory of 4596 3644 hthbbt.exe 98 PID 4596 wrote to memory of 1492 4596 vpppj.exe 99 PID 4596 wrote to memory of 1492 4596 vpppj.exe 99 PID 4596 wrote to memory of 1492 4596 vpppj.exe 99 PID 1492 wrote to memory of 2052 1492 s8486.exe 100 PID 1492 wrote to memory of 2052 1492 s8486.exe 100 PID 1492 wrote to memory of 2052 1492 s8486.exe 100 PID 2052 wrote to memory of 4828 2052 1hbnhh.exe 101 PID 2052 wrote to memory of 4828 2052 1hbnhh.exe 101 PID 2052 wrote to memory of 4828 2052 1hbnhh.exe 101 PID 4828 wrote to memory of 852 4828 2848660.exe 102 PID 4828 wrote to memory of 852 4828 2848660.exe 102 PID 4828 wrote to memory of 852 4828 2848660.exe 102 PID 852 wrote to memory of 1784 852 bbbhbb.exe 103 PID 852 wrote to memory of 1784 852 bbbhbb.exe 103 PID 852 wrote to memory of 1784 852 bbbhbb.exe 103 PID 1784 wrote to memory of 3560 1784 xlrllll.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\dbe561b54572231af5d4ca23ae2d2e3be4725a9afd4186805294fe8eaa7c3ce7.exe — command line: "C:\Users\Admin\AppData\Local\Temp\dbe561b54572231af5d4ca23ae2d2e3be4725a9afd4186805294fe8eaa7c3ce7.exe" (tree depth 1)
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\240884.exec:\240884.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\2220808.exec:\2220808.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\jvdvj.exec:\jvdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\btnbtn.exec:\btnbtn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\vddvj.exec:\vddvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\5hntnt.exec:\5hntnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\482244.exec:\482244.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\46200.exec:\46200.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\86680.exec:\86680.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\pvvjv.exec:\pvvjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\jjvpj.exec:\jjvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\rlflllr.exec:\rlflllr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
\??\c:\c004260.exec:\c004260.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\2408604.exec:\2408604.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\hthbbt.exec:\hthbbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\vpppj.exec:\vpppj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\s8486.exec:\s8486.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\1hbnhh.exec:\1hbnhh.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\2848660.exec:\2848660.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\bbbhbb.exec:\bbbhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\xlrllll.exec:\xlrllll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\6026080.exec:\6026080.exe23⤵
- Executes dropped EXE
PID:3560 -
\??\c:\8022660.exec:\8022660.exe24⤵
- Executes dropped EXE
PID:1712 -
\??\c:\nhntnt.exec:\nhntnt.exe25⤵
- Executes dropped EXE
PID:4684 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe26⤵
- Executes dropped EXE
PID:1360 -
\??\c:\bnbbbh.exec:\bnbbbh.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3784 -
\??\c:\406608.exec:\406608.exe28⤵
- Executes dropped EXE
PID:4004 -
\??\c:\flxlffx.exec:\flxlffx.exe29⤵
- Executes dropped EXE
PID:936 -
\??\c:\hnthbb.exec:\hnthbb.exe30⤵
- Executes dropped EXE
PID:2648 -
\??\c:\bhnbtb.exec:\bhnbtb.exe31⤵
- Executes dropped EXE
PID:1092 -
\??\c:\w60448.exec:\w60448.exe32⤵
- Executes dropped EXE
PID:4284 -
\??\c:\606000.exec:\606000.exe33⤵
- Executes dropped EXE
PID:688 -
\??\c:\dddvp.exec:\dddvp.exe34⤵
- Executes dropped EXE
PID:3436 -
\??\c:\ddjvp.exec:\ddjvp.exe35⤵
- Executes dropped EXE
PID:3060 -
\??\c:\00604.exec:\00604.exe36⤵
- Executes dropped EXE
PID:1864 -
\??\c:\3djdv.exec:\3djdv.exe37⤵
- Executes dropped EXE
PID:4744 -
\??\c:\3nnhbt.exec:\3nnhbt.exe38⤵
- Executes dropped EXE
PID:2800 -
\??\c:\4262266.exec:\4262266.exe39⤵
- Executes dropped EXE
PID:960 -
\??\c:\9tnnbh.exec:\9tnnbh.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020 -
\??\c:\jpvjd.exec:\jpvjd.exe41⤵
- Executes dropped EXE
PID:972 -
\??\c:\2044404.exec:\2044404.exe42⤵
- Executes dropped EXE
PID:908 -
\??\c:\c626664.exec:\c626664.exe43⤵
- Executes dropped EXE
PID:3904 -
\??\c:\lrfxrlf.exec:\lrfxrlf.exe44⤵
- Executes dropped EXE
PID:3108 -
\??\c:\dvvpj.exec:\dvvpj.exe45⤵
- Executes dropped EXE
PID:4924 -
\??\c:\882644.exec:\882644.exe46⤵
- Executes dropped EXE
PID:3404 -
\??\c:\xrfrlfx.exec:\xrfrlfx.exe47⤵
- Executes dropped EXE
PID:4188 -
\??\c:\68444.exec:\68444.exe48⤵
- Executes dropped EXE
PID:2788 -
\??\c:\28680.exec:\28680.exe49⤵
- Executes dropped EXE
PID:2988 -
\??\c:\djdvj.exec:\djdvj.exe50⤵
- Executes dropped EXE
PID:4840 -
\??\c:\nbhbbt.exec:\nbhbbt.exe51⤵
- Executes dropped EXE
PID:4228 -
\??\c:\djpjd.exec:\djpjd.exe52⤵
- Executes dropped EXE
PID:1180 -
\??\c:\flrllff.exec:\flrllff.exe53⤵
- Executes dropped EXE
PID:4232 -
\??\c:\04060.exec:\04060.exe54⤵
- Executes dropped EXE
PID:4380 -
\??\c:\206488.exec:\206488.exe55⤵
- Executes dropped EXE
PID:720 -
\??\c:\204800.exec:\204800.exe56⤵
- Executes dropped EXE
PID:220 -
\??\c:\jvvpj.exec:\jvvpj.exe57⤵
- Executes dropped EXE
PID:3828 -
\??\c:\6600448.exec:\6600448.exe58⤵
- Executes dropped EXE
PID:2436 -
\??\c:\xrflxlx.exec:\xrflxlx.exe59⤵
- Executes dropped EXE
PID:2084 -
\??\c:\pjjjj.exec:\pjjjj.exe60⤵
- Executes dropped EXE
PID:3876 -
\??\c:\9ffxlll.exec:\9ffxlll.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2076 -
\??\c:\7hbtnn.exec:\7hbtnn.exe62⤵
- Executes dropped EXE
PID:2888 -
\??\c:\s2260.exec:\s2260.exe63⤵
- Executes dropped EXE
PID:2472 -
\??\c:\20082.exec:\20082.exe64⤵
- Executes dropped EXE
PID:4764 -
\??\c:\4222660.exec:\4222660.exe65⤵
- Executes dropped EXE
PID:844 -
\??\c:\1xxrllf.exec:\1xxrllf.exe66⤵PID:2468
-
\??\c:\u026228.exec:\u026228.exe67⤵PID:1908
-
\??\c:\468004.exec:\468004.exe68⤵PID:632
-
\??\c:\htnhbb.exec:\htnhbb.exe69⤵PID:5116
-
\??\c:\hbtbtb.exec:\hbtbtb.exe70⤵PID:1364
-
\??\c:\thhbnn.exec:\thhbnn.exe71⤵PID:4748
-
\??\c:\248860.exec:\248860.exe72⤵PID:3408
-
\??\c:\7vdpd.exec:\7vdpd.exe73⤵PID:740
-
\??\c:\lxxlxrl.exec:\lxxlxrl.exe74⤵PID:1792
-
\??\c:\08040.exec:\08040.exe75⤵PID:4484
-
\??\c:\9pjvp.exec:\9pjvp.exe76⤵PID:4884
-
\??\c:\2664826.exec:\2664826.exe77⤵PID:1076
-
\??\c:\vvvjd.exec:\vvvjd.exe78⤵PID:4076
-
\??\c:\82484.exec:\82484.exe79⤵PID:876
-
\??\c:\28048.exec:\28048.exe80⤵PID:2768
-
\??\c:\7djpj.exec:\7djpj.exe81⤵PID:3556
-
\??\c:\jvpjd.exec:\jvpjd.exe82⤵PID:2384
-
\??\c:\dvvpp.exec:\dvvpp.exe83⤵PID:1052
-
\??\c:\88482.exec:\88482.exe84⤵PID:2196
-
\??\c:\frxxllx.exec:\frxxllx.exe85⤵PID:1608
-
\??\c:\lrlfxrl.exec:\lrlfxrl.exe86⤵PID:1368
-
\??\c:\1vvvp.exec:\1vvvp.exe87⤵PID:4004
-
\??\c:\9dvpj.exec:\9dvpj.exe88⤵PID:2928
-
\??\c:\pdvdp.exec:\pdvdp.exe89⤵PID:996
-
\??\c:\nnnbtt.exec:\nnnbtt.exe90⤵PID:2260
-
\??\c:\1dvjd.exec:\1dvjd.exe91⤵PID:3908
-
\??\c:\4684624.exec:\4684624.exe92⤵PID:4324
-
\??\c:\dvpdp.exec:\dvpdp.exe93⤵PID:1744
-
\??\c:\00642.exec:\00642.exe94⤵PID:4744
-
\??\c:\c002086.exec:\c002086.exe95⤵PID:1264
-
\??\c:\c024860.exec:\c024860.exe96⤵PID:872
-
\??\c:\nthbnh.exec:\nthbnh.exe97⤵PID:3316
-
\??\c:\tththt.exec:\tththt.exe98⤵PID:1700
-
\??\c:\jvpjv.exec:\jvpjv.exe99⤵PID:4320
-
\??\c:\284262.exec:\284262.exe100⤵PID:3108
-
\??\c:\5hhtnn.exec:\5hhtnn.exe101⤵PID:2332
-
\??\c:\vpdpv.exec:\vpdpv.exe102⤵PID:1072
-
\??\c:\ddjvj.exec:\ddjvj.exe103⤵PID:1616
-
\??\c:\pddjv.exec:\pddjv.exe104⤵PID:2104
-
\??\c:\648826.exec:\648826.exe105⤵PID:2788
-
\??\c:\084442.exec:\084442.exe106⤵PID:2464
-
\??\c:\60426.exec:\60426.exe107⤵PID:4840
-
\??\c:\c886820.exec:\c886820.exe108⤵PID:3600
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe109⤵PID:2268
-
\??\c:\04264.exec:\04264.exe110⤵PID:3592
-
\??\c:\xxfrlrf.exec:\xxfrlrf.exe111⤵PID:1580
-
\??\c:\6444882.exec:\6444882.exe112⤵PID:1488
-
\??\c:\8802686.exec:\8802686.exe113⤵PID:2436
-
\??\c:\lxrfrfr.exec:\lxrfrfr.exe114⤵PID:2316
-
\??\c:\6064208.exec:\6064208.exe115⤵PID:1856
-
\??\c:\802660.exec:\802660.exe116⤵PID:1056
-
\??\c:\nbhtbt.exec:\nbhtbt.exe117⤵PID:4416
-
\??\c:\3hthth.exec:\3hthth.exe118⤵PID:2060
-
\??\c:\a0644.exec:\a0644.exe119⤵PID:5108
-
\??\c:\rrrflfx.exec:\rrrflfx.exe120⤵PID:1204
-
\??\c:\w88642.exec:\w88642.exe121⤵PID:964
-
\??\c:\xxxlxrf.exec:\xxxlxrf.exe122⤵PID:1080