Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
25-12-2024 19:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9621967e88f22f0e5995c8b05017479c5d62b1777a13bae78e9eedf39f7ae4f2N.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9621967e88f22f0e5995c8b05017479c5d62b1777a13bae78e9eedf39f7ae4f2N.exe
-
Size
454KB
-
MD5
d7dd789d286593186c5c95703b026a90
-
SHA1
0fb0d076b4711a9a2beda85a118fb7771de1e4ec
-
SHA256
9621967e88f22f0e5995c8b05017479c5d62b1777a13bae78e9eedf39f7ae4f2
-
SHA512
b27eb294d7ce18a7d1c02e441a2b8f6585720b202abf6fdb232cb9155a5fe46c57c29b4982cb95227efc956549015ce5a161602025c17f16b749e07909f37eff
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3868-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/532-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1104-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-855-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-890-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-1000-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-1031-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-1035-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-1201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4924-1408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3840 lllrlrl.exe 64 8482004.exe 2520 vjpdv.exe 1408 06826.exe 2396 8286064.exe 4756 28448.exe 1580 pdpdd.exe 1448 m0204.exe 3160 884860.exe 3028 hhnhbt.exe 1872 004820.exe 436 dpjdv.exe 4972 tthnhb.exe 1584 hbhtnn.exe 228 bhttnh.exe 4508 frffrrl.exe 4520 402004.exe 1016 1fxrlfx.exe 768 o408600.exe 5100 hnnbtn.exe 1564 pjjvp.exe 2312 ttnbtn.exe 2440 k06262.exe 1368 jdvpj.exe 2536 062088.exe 5056 w84826.exe 516 2400002.exe 4428 xrxrrll.exe 532 w66060.exe 3320 o060820.exe 1172 nhbthn.exe 1528 fxxrffx.exe 3808 046444.exe 2376 nhnbtn.exe 2404 48448.exe 3236 4404826.exe 3560 djpdv.exe 3448 64864.exe 2680 vddpd.exe 4956 xffrfxl.exe 3984 6486048.exe 620 44642.exe 1340 s6208.exe 2184 08048.exe 3580 vjjvp.exe 3552 xfflxrf.exe 2320 200880.exe 1796 8442608.exe 2408 26204.exe 5024 frxllrl.exe 4472 k66842.exe 4412 6064241.exe 4540 5rrfflf.exe 4844 7xlxlfr.exe 1892 jjpjd.exe 2924 020886.exe 216 86642.exe 3712 o660448.exe 3152 646442.exe 3216 8666004.exe 3096 rxfxxrr.exe 1552 xxxrxxr.exe 3300 xxlfxxx.exe 2456 3ttnbb.exe -
resource yara_rule behavioral2/memory/3868-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-183-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1528-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-409-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4768-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-855-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-890-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-1000-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2206684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3btnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4226664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 808242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0846448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3868 wrote to memory of 3840 3868 9621967e88f22f0e5995c8b05017479c5d62b1777a13bae78e9eedf39f7ae4f2N.exe 83 PID 3868 wrote to memory of 3840 3868 9621967e88f22f0e5995c8b05017479c5d62b1777a13bae78e9eedf39f7ae4f2N.exe 83 PID 3868 wrote to memory of 3840 3868 9621967e88f22f0e5995c8b05017479c5d62b1777a13bae78e9eedf39f7ae4f2N.exe 83 PID 3840 wrote to memory of 64 3840 lllrlrl.exe 84 PID 3840 wrote to memory of 64 3840 lllrlrl.exe 84 PID 3840 wrote to memory of 64 3840 lllrlrl.exe 84 PID 64 wrote to memory of 2520 64 8482004.exe 85 PID 64 wrote to memory of 2520 64 8482004.exe 85 PID 64 wrote to memory of 2520 64 8482004.exe 85 PID 2520 wrote to memory of 1408 2520 vjpdv.exe 86 PID 2520 wrote to memory of 1408 2520 vjpdv.exe 86 PID 2520 wrote to memory of 1408 2520 vjpdv.exe 86 PID 1408 wrote to memory of 2396 1408 06826.exe 87 PID 1408 wrote to memory of 2396 1408 06826.exe 87 PID 1408 wrote to memory of 2396 1408 06826.exe 87 PID 2396 wrote to memory of 4756 2396 8286064.exe 88 PID 2396 wrote to memory of 4756 2396 8286064.exe 88 PID 2396 wrote to memory of 4756 2396 8286064.exe 88 PID 4756 wrote to memory of 1580 4756 28448.exe 89 PID 4756 wrote to memory of 1580 4756 28448.exe 89 PID 4756 wrote to memory of 1580 4756 28448.exe 89 PID 1580 wrote to memory of 1448 1580 pdpdd.exe 90 PID 1580 wrote to memory of 1448 1580 pdpdd.exe 90 PID 1580 wrote to memory of 1448 1580 pdpdd.exe 90 PID 1448 wrote to memory of 3160 1448 m0204.exe 91 PID 1448 wrote to memory of 3160 1448 m0204.exe 91 PID 1448 wrote to memory of 3160 1448 m0204.exe 91 PID 3160 wrote to memory of 3028 3160 884860.exe 92 PID 3160 wrote to memory of 3028 3160 884860.exe 92 PID 3160 wrote to memory of 3028 3160 884860.exe 92 PID 3028 wrote to memory of 1872 3028 hhnhbt.exe 93 PID 3028 wrote to memory of 1872 3028 hhnhbt.exe 93 PID 3028 wrote to memory of 1872 3028 hhnhbt.exe 93 PID 1872 wrote to memory of 436 1872 004820.exe 94 PID 1872 wrote to memory of 436 1872 
004820.exe 94 PID 1872 wrote to memory of 436 1872 004820.exe 94 PID 436 wrote to memory of 4972 436 dpjdv.exe 95 PID 436 wrote to memory of 4972 436 dpjdv.exe 95 PID 436 wrote to memory of 4972 436 dpjdv.exe 95 PID 4972 wrote to memory of 1584 4972 tthnhb.exe 96 PID 4972 wrote to memory of 1584 4972 tthnhb.exe 96 PID 4972 wrote to memory of 1584 4972 tthnhb.exe 96 PID 1584 wrote to memory of 228 1584 hbhtnn.exe 97 PID 1584 wrote to memory of 228 1584 hbhtnn.exe 97 PID 1584 wrote to memory of 228 1584 hbhtnn.exe 97 PID 228 wrote to memory of 4508 228 bhttnh.exe 98 PID 228 wrote to memory of 4508 228 bhttnh.exe 98 PID 228 wrote to memory of 4508 228 bhttnh.exe 98 PID 4508 wrote to memory of 4520 4508 frffrrl.exe 99 PID 4508 wrote to memory of 4520 4508 frffrrl.exe 99 PID 4508 wrote to memory of 4520 4508 frffrrl.exe 99 PID 4520 wrote to memory of 1016 4520 402004.exe 100 PID 4520 wrote to memory of 1016 4520 402004.exe 100 PID 4520 wrote to memory of 1016 4520 402004.exe 100 PID 1016 wrote to memory of 768 1016 1fxrlfx.exe 101 PID 1016 wrote to memory of 768 1016 1fxrlfx.exe 101 PID 1016 wrote to memory of 768 1016 1fxrlfx.exe 101 PID 768 wrote to memory of 5100 768 o408600.exe 102 PID 768 wrote to memory of 5100 768 o408600.exe 102 PID 768 wrote to memory of 5100 768 o408600.exe 102 PID 5100 wrote to memory of 1564 5100 hnnbtn.exe 103 PID 5100 wrote to memory of 1564 5100 hnnbtn.exe 103 PID 5100 wrote to memory of 1564 5100 hnnbtn.exe 103 PID 1564 wrote to memory of 2312 1564 pjjvp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9621967e88f22f0e5995c8b05017479c5d62b1777a13bae78e9eedf39f7ae4f2N.exe"C:\Users\Admin\AppData\Local\Temp\9621967e88f22f0e5995c8b05017479c5d62b1777a13bae78e9eedf39f7ae4f2N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\lllrlrl.exec:\lllrlrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\8482004.exec:\8482004.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\vjpdv.exec:\vjpdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\06826.exec:\06826.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\8286064.exec:\8286064.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\28448.exec:\28448.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\pdpdd.exec:\pdpdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\m0204.exec:\m0204.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\884860.exec:\884860.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
\??\c:\hhnhbt.exec:\hhnhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\004820.exec:\004820.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\dpjdv.exec:\dpjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\tthnhb.exec:\tthnhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\hbhtnn.exec:\hbhtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\bhttnh.exec:\bhttnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\frffrrl.exec:\frffrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\402004.exec:\402004.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\1fxrlfx.exec:\1fxrlfx.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\o408600.exec:\o408600.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\hnnbtn.exec:\hnnbtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\pjjvp.exec:\pjjvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\ttnbtn.exec:\ttnbtn.exe23⤵
- Executes dropped EXE
PID:2312 -
\??\c:\k06262.exec:\k06262.exe24⤵
- Executes dropped EXE
PID:2440 -
\??\c:\jdvpj.exec:\jdvpj.exe25⤵
- Executes dropped EXE
PID:1368 -
\??\c:\062088.exec:\062088.exe26⤵
- Executes dropped EXE
PID:2536 -
\??\c:\w84826.exec:\w84826.exe27⤵
- Executes dropped EXE
PID:5056 -
\??\c:\2400002.exec:\2400002.exe28⤵
- Executes dropped EXE
PID:516 -
\??\c:\xrxrrll.exec:\xrxrrll.exe29⤵
- Executes dropped EXE
PID:4428 -
\??\c:\w66060.exec:\w66060.exe30⤵
- Executes dropped EXE
PID:532 -
\??\c:\o060820.exec:\o060820.exe31⤵
- Executes dropped EXE
PID:3320 -
\??\c:\nhbthn.exec:\nhbthn.exe32⤵
- Executes dropped EXE
PID:1172 -
\??\c:\fxxrffx.exec:\fxxrffx.exe33⤵
- Executes dropped EXE
PID:1528 -
\??\c:\046444.exec:\046444.exe34⤵
- Executes dropped EXE
PID:3808 -
\??\c:\nhnbtn.exec:\nhnbtn.exe35⤵
- Executes dropped EXE
PID:2376 -
\??\c:\48448.exec:\48448.exe36⤵
- Executes dropped EXE
PID:2404 -
\??\c:\4404826.exec:\4404826.exe37⤵
- Executes dropped EXE
PID:3236 -
\??\c:\djpdv.exec:\djpdv.exe38⤵
- Executes dropped EXE
PID:3560 -
\??\c:\64864.exec:\64864.exe39⤵
- Executes dropped EXE
PID:3448 -
\??\c:\vddpd.exec:\vddpd.exe40⤵
- Executes dropped EXE
PID:2680 -
\??\c:\xffrfxl.exec:\xffrfxl.exe41⤵
- Executes dropped EXE
PID:4956 -
\??\c:\6486048.exec:\6486048.exe42⤵
- Executes dropped EXE
PID:3984 -
\??\c:\44642.exec:\44642.exe43⤵
- Executes dropped EXE
PID:620 -
\??\c:\s6208.exec:\s6208.exe44⤵
- Executes dropped EXE
PID:1340 -
\??\c:\08048.exec:\08048.exe45⤵
- Executes dropped EXE
PID:2184 -
\??\c:\vjjvp.exec:\vjjvp.exe46⤵
- Executes dropped EXE
PID:3580 -
\??\c:\xfflxrf.exec:\xfflxrf.exe47⤵
- Executes dropped EXE
PID:3552 -
\??\c:\200880.exec:\200880.exe48⤵
- Executes dropped EXE
PID:2320 -
\??\c:\8442608.exec:\8442608.exe49⤵
- Executes dropped EXE
PID:1796 -
\??\c:\26204.exec:\26204.exe50⤵
- Executes dropped EXE
PID:2408 -
\??\c:\frxllrl.exec:\frxllrl.exe51⤵
- Executes dropped EXE
PID:5024 -
\??\c:\k66842.exec:\k66842.exe52⤵
- Executes dropped EXE
PID:4472 -
\??\c:\6064241.exec:\6064241.exe53⤵
- Executes dropped EXE
PID:4412 -
\??\c:\5rrfflf.exec:\5rrfflf.exe54⤵
- Executes dropped EXE
PID:4540 -
\??\c:\7xlxlfr.exec:\7xlxlfr.exe55⤵
- Executes dropped EXE
PID:4844 -
\??\c:\jjpjd.exec:\jjpjd.exe56⤵
- Executes dropped EXE
PID:1892 -
\??\c:\020886.exec:\020886.exe57⤵
- Executes dropped EXE
PID:2924 -
\??\c:\86642.exec:\86642.exe58⤵
- Executes dropped EXE
PID:216 -
\??\c:\o660448.exec:\o660448.exe59⤵
- Executes dropped EXE
PID:3712 -
\??\c:\646442.exec:\646442.exe60⤵
- Executes dropped EXE
PID:3152 -
\??\c:\8666004.exec:\8666004.exe61⤵
- Executes dropped EXE
PID:3216 -
\??\c:\rxfxxrr.exec:\rxfxxrr.exe62⤵
- Executes dropped EXE
PID:3096 -
\??\c:\xxxrxxr.exec:\xxxrxxr.exe63⤵
- Executes dropped EXE
PID:1552 -
\??\c:\xxlfxxx.exec:\xxlfxxx.exe64⤵
- Executes dropped EXE
PID:3300 -
\??\c:\3ttnbb.exec:\3ttnbb.exe65⤵
- Executes dropped EXE
PID:2456 -
\??\c:\xrfrxrx.exec:\xrfrxrx.exe66⤵PID:1900
-
\??\c:\9vvpd.exec:\9vvpd.exe67⤵PID:1720
-
\??\c:\g4404.exec:\g4404.exe68⤵PID:4112
-
\??\c:\jddvj.exec:\jddvj.exe69⤵PID:436
-
\??\c:\3rffrrl.exec:\3rffrrl.exe70⤵PID:2936
-
\??\c:\xflllff.exec:\xflllff.exe71⤵PID:536
-
\??\c:\e28600.exec:\e28600.exe72⤵PID:2176
-
\??\c:\1vdvd.exec:\1vdvd.exe73⤵PID:5060
-
\??\c:\202044.exec:\202044.exe74⤵PID:4860
-
\??\c:\484822.exec:\484822.exe75⤵PID:3636
-
\??\c:\1xfrflf.exec:\1xfrflf.exe76⤵PID:640
-
\??\c:\hbtnbn.exec:\hbtnbn.exe77⤵PID:3020
-
\??\c:\vvdvv.exec:\vvdvv.exe78⤵PID:2384
-
\??\c:\dpdvp.exec:\dpdvp.exe79⤵PID:4932
-
\??\c:\xfrxfxx.exec:\xfrxfxx.exe80⤵PID:2996
-
\??\c:\lrfxrrl.exec:\lrfxrrl.exe81⤵PID:3068
-
\??\c:\22488.exec:\22488.exe82⤵PID:2312
-
\??\c:\tnnhbb.exec:\tnnhbb.exe83⤵PID:2472
-
\??\c:\lrxrllf.exec:\lrxrllf.exe84⤵PID:1104
-
\??\c:\jpvpj.exec:\jpvpj.exe85⤵PID:2700
-
\??\c:\m4004.exec:\m4004.exe86⤵PID:2420
-
\??\c:\bbbthb.exec:\bbbthb.exe87⤵PID:688
-
\??\c:\4226664.exec:\4226664.exe88⤵
- System Location Discovery: System Language Discovery
PID:3872 -
\??\c:\pvdpj.exec:\pvdpj.exe89⤵
- System Location Discovery: System Language Discovery
PID:516 -
\??\c:\8260882.exec:\8260882.exe90⤵PID:1992
-
\??\c:\866004.exec:\866004.exe91⤵PID:2300
-
\??\c:\40644.exec:\40644.exe92⤵PID:936
-
\??\c:\s4486.exec:\s4486.exe93⤵PID:428
-
\??\c:\pvdvv.exec:\pvdvv.exe94⤵PID:5012
-
\??\c:\228822.exec:\228822.exe95⤵PID:1712
-
\??\c:\m6208.exec:\m6208.exe96⤵PID:1528
-
\??\c:\4464006.exec:\4464006.exe97⤵PID:1912
-
\??\c:\jvvpj.exec:\jvvpj.exe98⤵PID:1500
-
\??\c:\rfllffx.exec:\rfllffx.exe99⤵PID:2164
-
\??\c:\flllffx.exec:\flllffx.exe100⤵PID:5116
-
\??\c:\880828.exec:\880828.exe101⤵PID:4768
-
\??\c:\008600.exec:\008600.exe102⤵PID:4788
-
\??\c:\bbnhbb.exec:\bbnhbb.exe103⤵PID:2244
-
\??\c:\a8820.exec:\a8820.exe104⤵PID:5096
-
\??\c:\xfllfff.exec:\xfllfff.exe105⤵PID:2948
-
\??\c:\xllfxxr.exec:\xllfxxr.exe106⤵PID:1976
-
\??\c:\006604.exec:\006604.exe107⤵PID:4120
-
\??\c:\xlllfxr.exec:\xlllfxr.exe108⤵
- System Location Discovery: System Language Discovery
PID:2184 -
\??\c:\7llfrrl.exec:\7llfrrl.exe109⤵PID:4480
-
\??\c:\bhnhbt.exec:\bhnhbt.exe110⤵PID:3552
-
\??\c:\7nnbnh.exec:\7nnbnh.exe111⤵PID:8
-
\??\c:\fxxxrxr.exec:\fxxxrxr.exe112⤵PID:2412
-
\??\c:\4860666.exec:\4860666.exe113⤵PID:4764
-
\??\c:\frlflfr.exec:\frlflfr.exe114⤵PID:5008
-
\??\c:\9tthtt.exec:\9tthtt.exe115⤵PID:1616
-
\??\c:\484448.exec:\484448.exe116⤵PID:2400
-
\??\c:\2608608.exec:\2608608.exe117⤵PID:548
-
\??\c:\fflfrrl.exec:\fflfrrl.exe118⤵PID:2896
-
\??\c:\60660.exec:\60660.exe119⤵PID:1896
-
\??\c:\hthbhh.exec:\hthbhh.exe120⤵PID:2728
-
\??\c:\886626.exec:\886626.exe121⤵PID:2188
-
\??\c:\i622008.exec:\i622008.exe122⤵PID:4708