Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 21:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
43489aadc91538ac011704eeb48fd2d4a6afd93ec09e3d7eff424cdfaba752fdN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
43489aadc91538ac011704eeb48fd2d4a6afd93ec09e3d7eff424cdfaba752fdN.exe
-
Size
453KB
-
MD5
c8fd1fdc14b394376b7dede634435d90
-
SHA1
a743a4fb0c3e5a14c8a510230ba23d57b1eba5e9
-
SHA256
43489aadc91538ac011704eeb48fd2d4a6afd93ec09e3d7eff424cdfaba752fd
-
SHA512
97e653392318e20b4c4e1a3c575d8c5d3374fa4146e20687fe8e75f90a65e3b44f52beccd81139edce7f3cc1463fd4fd182a80cf3d348d104604a75841e8c967
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4304-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2096-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2236-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-926-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-945-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-1483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1596 440266.exe 2352 0448484.exe 1616 vvvvv.exe 1364 pjpjp.exe 2068 nbhnnn.exe 4420 ddddv.exe 2492 o864006.exe 1184 m6244.exe 1344 0886860.exe 1716 vjdpd.exe 3580 hnhbhh.exe 3404 64828.exe 2420 g8084.exe 4920 ntnbth.exe 3748 vddvj.exe 1628 lrffxrf.exe 1612 rllffff.exe 3180 htnbnh.exe 4108 9thhtb.exe 5080 8684644.exe 2092 682048.exe 3472 m4444.exe 4572 3hnhhh.exe 5100 5djvd.exe 1624 402826.exe 2096 846004.exe 3920 k26044.exe 2088 20486.exe 2808 860042.exe 3268 i602480.exe 2804 hbtnhh.exe 4680 djpjd.exe 4888 062260.exe 3088 4688266.exe 1464 c286488.exe 4624 vjpjv.exe 5040 4286048.exe 4804 9jpvv.exe 2184 hbnbtn.exe 2508 9ffllff.exe 2008 206262.exe 3924 04624.exe 4508 6804444.exe 4424 006426.exe 2628 rlfrlfx.exe 1596 4222024.exe 4356 80660.exe 3276 jvddp.exe 3044 vjjdp.exe 4636 dvdvp.exe 5068 dppdv.exe 3524 1tnbtn.exe 1128 pvjdv.exe 3252 tnnttb.exe 2132 24660.exe 4712 8682440.exe 684 1rfxffr.exe 4288 rrlffxx.exe 4700 tbhbnh.exe 5052 rlxrffr.exe 4812 btbbbh.exe 380 jvvvp.exe 4008 vjpvj.exe 3748 08608.exe -
resource yara_rule behavioral2/memory/4304-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3920-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-351-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1028-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-850-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6020668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2608480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e22626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o488266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4304 wrote to memory of 1596 4304 43489aadc91538ac011704eeb48fd2d4a6afd93ec09e3d7eff424cdfaba752fdN.exe 83 PID 4304 wrote to memory of 1596 4304 43489aadc91538ac011704eeb48fd2d4a6afd93ec09e3d7eff424cdfaba752fdN.exe 83 PID 4304 wrote to memory of 1596 4304 43489aadc91538ac011704eeb48fd2d4a6afd93ec09e3d7eff424cdfaba752fdN.exe 83 PID 1596 wrote to memory of 2352 1596 440266.exe 84 PID 1596 wrote to memory of 2352 1596 440266.exe 84 PID 1596 wrote to memory of 2352 1596 440266.exe 84 PID 2352 wrote to memory of 1616 2352 0448484.exe 85 PID 2352 wrote to memory of 1616 2352 0448484.exe 85 PID 2352 wrote to memory of 1616 2352 0448484.exe 85 PID 1616 wrote to memory of 1364 1616 vvvvv.exe 86 PID 1616 wrote to memory of 1364 1616 vvvvv.exe 86 PID 1616 wrote to memory of 1364 1616 vvvvv.exe 86 PID 1364 wrote to memory of 2068 1364 pjpjp.exe 87 PID 1364 wrote to memory of 2068 1364 pjpjp.exe 87 PID 1364 wrote to memory of 2068 1364 pjpjp.exe 87 PID 2068 wrote to memory of 4420 2068 nbhnnn.exe 88 PID 2068 wrote to memory of 4420 2068 nbhnnn.exe 88 PID 2068 wrote to memory of 4420 2068 nbhnnn.exe 88 PID 4420 wrote to memory of 2492 4420 ddddv.exe 89 PID 4420 wrote to memory of 2492 4420 ddddv.exe 89 PID 4420 wrote to memory of 2492 4420 ddddv.exe 89 PID 2492 wrote to memory of 1184 2492 o864006.exe 90 PID 2492 wrote to memory of 1184 2492 o864006.exe 90 PID 2492 wrote to memory of 1184 2492 o864006.exe 90 PID 1184 wrote to memory of 1344 1184 m6244.exe 91 PID 1184 wrote to memory of 1344 1184 m6244.exe 91 PID 1184 wrote to memory of 1344 1184 m6244.exe 91 PID 1344 wrote to memory of 1716 1344 0886860.exe 92 PID 1344 wrote to memory of 1716 1344 0886860.exe 92 PID 1344 wrote to memory of 1716 1344 0886860.exe 92 PID 1716 wrote to memory of 3580 1716 vjdpd.exe 93 PID 1716 wrote to memory of 3580 1716 vjdpd.exe 93 PID 1716 wrote to memory of 3580 1716 vjdpd.exe 93 PID 3580 wrote to memory of 3404 3580 hnhbhh.exe 94 PID 3580 wrote to 
memory of 3404 3580 hnhbhh.exe 94 PID 3580 wrote to memory of 3404 3580 hnhbhh.exe 94 PID 3404 wrote to memory of 2420 3404 64828.exe 95 PID 3404 wrote to memory of 2420 3404 64828.exe 95 PID 3404 wrote to memory of 2420 3404 64828.exe 95 PID 2420 wrote to memory of 4920 2420 g8084.exe 96 PID 2420 wrote to memory of 4920 2420 g8084.exe 96 PID 2420 wrote to memory of 4920 2420 g8084.exe 96 PID 4920 wrote to memory of 3748 4920 ntnbth.exe 97 PID 4920 wrote to memory of 3748 4920 ntnbth.exe 97 PID 4920 wrote to memory of 3748 4920 ntnbth.exe 97 PID 3748 wrote to memory of 1628 3748 vddvj.exe 98 PID 3748 wrote to memory of 1628 3748 vddvj.exe 98 PID 3748 wrote to memory of 1628 3748 vddvj.exe 98 PID 1628 wrote to memory of 1612 1628 lrffxrf.exe 99 PID 1628 wrote to memory of 1612 1628 lrffxrf.exe 99 PID 1628 wrote to memory of 1612 1628 lrffxrf.exe 99 PID 1612 wrote to memory of 3180 1612 rllffff.exe 100 PID 1612 wrote to memory of 3180 1612 rllffff.exe 100 PID 1612 wrote to memory of 3180 1612 rllffff.exe 100 PID 3180 wrote to memory of 4108 3180 htnbnh.exe 101 PID 3180 wrote to memory of 4108 3180 htnbnh.exe 101 PID 3180 wrote to memory of 4108 3180 htnbnh.exe 101 PID 4108 wrote to memory of 5080 4108 9thhtb.exe 102 PID 4108 wrote to memory of 5080 4108 9thhtb.exe 102 PID 4108 wrote to memory of 5080 4108 9thhtb.exe 102 PID 5080 wrote to memory of 2092 5080 8684644.exe 103 PID 5080 wrote to memory of 2092 5080 8684644.exe 103 PID 5080 wrote to memory of 2092 5080 8684644.exe 103 PID 2092 wrote to memory of 3472 2092 682048.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\43489aadc91538ac011704eeb48fd2d4a6afd93ec09e3d7eff424cdfaba752fdN.exe"C:\Users\Admin\AppData\Local\Temp\43489aadc91538ac011704eeb48fd2d4a6afd93ec09e3d7eff424cdfaba752fdN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\440266.exec:\440266.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\0448484.exec:\0448484.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\vvvvv.exec:\vvvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\pjpjp.exec:\pjpjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\nbhnnn.exec:\nbhnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\ddddv.exec:\ddddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\o864006.exec:\o864006.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\m6244.exec:\m6244.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\0886860.exec:\0886860.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\vjdpd.exec:\vjdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\hnhbhh.exec:\hnhbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\64828.exec:\64828.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\g8084.exec:\g8084.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\ntnbth.exec:\ntnbth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\vddvj.exec:\vddvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\lrffxrf.exec:\lrffxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\rllffff.exec:\rllffff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\htnbnh.exec:\htnbnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\9thhtb.exec:\9thhtb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\8684644.exec:\8684644.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\682048.exec:\682048.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\m4444.exec:\m4444.exe23⤵
- Executes dropped EXE
PID:3472 -
\??\c:\3hnhhh.exec:\3hnhhh.exe24⤵
- Executes dropped EXE
PID:4572 -
\??\c:\5djvd.exec:\5djvd.exe25⤵
- Executes dropped EXE
PID:5100 -
\??\c:\402826.exec:\402826.exe26⤵
- Executes dropped EXE
PID:1624 -
\??\c:\846004.exec:\846004.exe27⤵
- Executes dropped EXE
PID:2096 -
\??\c:\k26044.exec:\k26044.exe28⤵
- Executes dropped EXE
PID:3920 -
\??\c:\20486.exec:\20486.exe29⤵
- Executes dropped EXE
PID:2088 -
\??\c:\860042.exec:\860042.exe30⤵
- Executes dropped EXE
PID:2808 -
\??\c:\i602480.exec:\i602480.exe31⤵
- Executes dropped EXE
PID:3268 -
\??\c:\hbtnhh.exec:\hbtnhh.exe32⤵
- Executes dropped EXE
PID:2804 -
\??\c:\djpjd.exec:\djpjd.exe33⤵
- Executes dropped EXE
PID:4680 -
\??\c:\062260.exec:\062260.exe34⤵
- Executes dropped EXE
PID:4888 -
\??\c:\4688266.exec:\4688266.exe35⤵
- Executes dropped EXE
PID:3088 -
\??\c:\c286488.exec:\c286488.exe36⤵
- Executes dropped EXE
PID:1464 -
\??\c:\vjpjv.exec:\vjpjv.exe37⤵
- Executes dropped EXE
PID:4624 -
\??\c:\4286048.exec:\4286048.exe38⤵
- Executes dropped EXE
PID:5040 -
\??\c:\9jpvv.exec:\9jpvv.exe39⤵
- Executes dropped EXE
PID:4804 -
\??\c:\hbnbtn.exec:\hbnbtn.exe40⤵
- Executes dropped EXE
PID:2184 -
\??\c:\9ffllff.exec:\9ffllff.exe41⤵
- Executes dropped EXE
PID:2508 -
\??\c:\206262.exec:\206262.exe42⤵
- Executes dropped EXE
PID:2008 -
\??\c:\04624.exec:\04624.exe43⤵
- Executes dropped EXE
PID:3924 -
\??\c:\6804444.exec:\6804444.exe44⤵
- Executes dropped EXE
PID:4508 -
\??\c:\006426.exec:\006426.exe45⤵
- Executes dropped EXE
PID:4424 -
\??\c:\rlfrlfx.exec:\rlfrlfx.exe46⤵
- Executes dropped EXE
PID:2628 -
\??\c:\4222024.exec:\4222024.exe47⤵
- Executes dropped EXE
PID:1596 -
\??\c:\80660.exec:\80660.exe48⤵
- Executes dropped EXE
PID:4356 -
\??\c:\jvddp.exec:\jvddp.exe49⤵
- Executes dropped EXE
PID:3276 -
\??\c:\vjjdp.exec:\vjjdp.exe50⤵
- Executes dropped EXE
PID:3044 -
\??\c:\dvdvp.exec:\dvdvp.exe51⤵
- Executes dropped EXE
PID:4636 -
\??\c:\dppdv.exec:\dppdv.exe52⤵
- Executes dropped EXE
PID:5068 -
\??\c:\1tnbtn.exec:\1tnbtn.exe53⤵
- Executes dropped EXE
PID:3524 -
\??\c:\pvjdv.exec:\pvjdv.exe54⤵
- Executes dropped EXE
PID:1128 -
\??\c:\tnnttb.exec:\tnnttb.exe55⤵
- Executes dropped EXE
PID:3252 -
\??\c:\24660.exec:\24660.exe56⤵
- Executes dropped EXE
PID:2132 -
\??\c:\8682440.exec:\8682440.exe57⤵
- Executes dropped EXE
PID:4712 -
\??\c:\1rfxffr.exec:\1rfxffr.exe58⤵
- Executes dropped EXE
PID:684 -
\??\c:\rrlffxx.exec:\rrlffxx.exe59⤵
- Executes dropped EXE
PID:4288 -
\??\c:\tbhbnh.exec:\tbhbnh.exe60⤵
- Executes dropped EXE
PID:4700 -
\??\c:\rlxrffr.exec:\rlxrffr.exe61⤵
- Executes dropped EXE
PID:5052 -
\??\c:\btbbbh.exec:\btbbbh.exe62⤵
- Executes dropped EXE
PID:4812 -
\??\c:\jvvvp.exec:\jvvvp.exe63⤵
- Executes dropped EXE
PID:380 -
\??\c:\vjpvj.exec:\vjpvj.exe64⤵
- Executes dropped EXE
PID:4008 -
\??\c:\08608.exec:\08608.exe65⤵
- Executes dropped EXE
PID:3748 -
\??\c:\26666.exec:\26666.exe66⤵PID:3480
-
\??\c:\9htthb.exec:\9htthb.exe67⤵PID:2908
-
\??\c:\i648260.exec:\i648260.exe68⤵PID:3240
-
\??\c:\64606.exec:\64606.exe69⤵PID:3180
-
\??\c:\004262.exec:\004262.exe70⤵PID:4564
-
\??\c:\9ffxllx.exec:\9ffxllx.exe71⤵PID:1740
-
\??\c:\9tthbt.exec:\9tthbt.exe72⤵PID:1996
-
\??\c:\622648.exec:\622648.exe73⤵PID:4048
-
\??\c:\dppjd.exec:\dppjd.exe74⤵PID:2236
-
\??\c:\1vvpj.exec:\1vvpj.exe75⤵PID:2472
-
\??\c:\ththnh.exec:\ththnh.exe76⤵PID:4656
-
\??\c:\4684468.exec:\4684468.exe77⤵PID:1736
-
\??\c:\a4268.exec:\a4268.exe78⤵PID:832
-
\??\c:\860208.exec:\860208.exe79⤵PID:2096
-
\??\c:\604480.exec:\604480.exe80⤵PID:4684
-
\??\c:\3xrlffx.exec:\3xrlffx.exe81⤵PID:4480
-
\??\c:\68820.exec:\68820.exe82⤵PID:1028
-
\??\c:\o488266.exec:\o488266.exe83⤵
- System Location Discovery: System Language Discovery
PID:3868 -
\??\c:\848260.exec:\848260.exe84⤵PID:2916
-
\??\c:\w28648.exec:\w28648.exe85⤵PID:4772
-
\??\c:\9ffxxxx.exec:\9ffxxxx.exe86⤵PID:2432
-
\??\c:\2042468.exec:\2042468.exe87⤵PID:4680
-
\??\c:\jddvd.exec:\jddvd.exe88⤵PID:4296
-
\??\c:\3vvjv.exec:\3vvjv.exe89⤵PID:316
-
\??\c:\bbhtnt.exec:\bbhtnt.exe90⤵PID:1464
-
\??\c:\9nnbnh.exec:\9nnbnh.exe91⤵PID:2412
-
\??\c:\bnnhbb.exec:\bnnhbb.exe92⤵PID:4716
-
\??\c:\5fxxllf.exec:\5fxxllf.exe93⤵PID:1864
-
\??\c:\860422.exec:\860422.exe94⤵PID:3848
-
\??\c:\u644044.exec:\u644044.exe95⤵PID:3224
-
\??\c:\jpvdj.exec:\jpvdj.exe96⤵PID:4444
-
\??\c:\6842484.exec:\6842484.exe97⤵PID:4336
-
\??\c:\888260.exec:\888260.exe98⤵PID:4508
-
\??\c:\e24862.exec:\e24862.exe99⤵PID:4424
-
\??\c:\4866006.exec:\4866006.exe100⤵PID:4384
-
\??\c:\844860.exec:\844860.exe101⤵PID:1632
-
\??\c:\xxrrxfl.exec:\xxrrxfl.exe102⤵PID:1208
-
\??\c:\1dvvj.exec:\1dvvj.exe103⤵PID:3372
-
\??\c:\xflxllx.exec:\xflxllx.exe104⤵PID:2124
-
\??\c:\s8482.exec:\s8482.exe105⤵PID:4536
-
\??\c:\428268.exec:\428268.exe106⤵PID:3676
-
\??\c:\g6266.exec:\g6266.exe107⤵PID:3696
-
\??\c:\266820.exec:\266820.exe108⤵PID:3228
-
\??\c:\5hbo62.exec:\5hbo62.exe109⤵PID:3396
-
\??\c:\hbhthb.exec:\hbhthb.exe110⤵PID:2600
-
\??\c:\28668.exec:\28668.exe111⤵PID:2224
-
\??\c:\6808228.exec:\6808228.exe112⤵PID:1144
-
\??\c:\djppj.exec:\djppj.exe113⤵PID:4208
-
\??\c:\86200.exec:\86200.exe114⤵PID:4688
-
\??\c:\466648.exec:\466648.exe115⤵PID:4648
-
\??\c:\c026888.exec:\c026888.exe116⤵PID:4764
-
\??\c:\bnhbnn.exec:\bnhbnn.exe117⤵PID:3312
-
\??\c:\u222048.exec:\u222048.exe118⤵PID:4664
-
\??\c:\0804666.exec:\0804666.exe119⤵PID:3716
-
\??\c:\nnbthb.exec:\nnbthb.exe120⤵PID:372
-
\??\c:\3ppvj.exec:\3ppvj.exe121⤵PID:1728
-
\??\c:\7lrfxxl.exec:\7lrfxxl.exe122⤵PID:772
-