Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 00:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe
-
Size
453KB
-
MD5
4f357b27ab9739ac20f13a0830d31c52
-
SHA1
5f6d2b8a05f929bb2efff8b5fde77407ebc2ad95
-
SHA256
4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549
-
SHA512
4ccce45b677dd8eddaec2e6fac11b9d7bac08936d903c6cc690fd3034ce6263b75f7843e52492d0c9de98b89c7720bb2ce5554d9b36519882d904bc4c74a1dfe
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3164-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/964-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2840-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-1848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1796 9bhbhn.exe 3252 82202.exe 3284 ppjdp.exe 2732 686020.exe 464 5rllfrr.exe 2448 86686.exe 4460 0808664.exe 3620 42642.exe 4204 a2204.exe 4936 022682.exe 1688 lrrfrfx.exe 3204 08208.exe 3228 s0648.exe 3880 040860.exe 4012 jvvpj.exe 2520 7bbnnb.exe 768 ppvdj.exe 2916 468088.exe 1460 686088.exe 4648 9nnbnh.exe 5012 jvpdj.exe 3860 8408208.exe 3992 662086.exe 676 266420.exe 5036 pppvj.exe 3188 e46442.exe 2572 5hbnhb.exe 4792 e26026.exe 4440 08208.exe 3488 jdjvv.exe 1456 vjvjj.exe 3672 e44204.exe 5064 862008.exe 3312 24420.exe 1524 nntthb.exe 964 hhhtbt.exe 2116 rfxlrlx.exe 4660 dddvj.exe 3544 djjpd.exe 384 a4224.exe 3192 8842086.exe 5024 222082.exe 4808 rflxfxr.exe 2832 2004266.exe 4840 606464.exe 2972 66208.exe 4220 9tthtn.exe 3364 bnnbnb.exe 4048 flrfxrf.exe 4388 5vpjv.exe 2564 dppjd.exe 4568 flfxlxl.exe 2236 4406648.exe 1992 9tttnn.exe 4148 1rrfrrf.exe 3340 660826.exe 4232 000820.exe 464 rffrlfl.exe 2644 406044.exe 4460 3hbnbn.exe 2108 vddpp.exe 1300 7vpdp.exe 4580 o888664.exe 3556 222082.exe -
resource yara_rule behavioral2/memory/3164-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-203-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3312-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-354-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3244-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-611-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k00488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3164 wrote to memory of 1796 3164 4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe 82 PID 3164 wrote to memory of 1796 3164 4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe 82 PID 3164 wrote to memory of 1796 3164 4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe 82 PID 1796 wrote to memory of 3252 1796 9bhbhn.exe 83 PID 1796 wrote to memory of 3252 1796 9bhbhn.exe 83 PID 1796 wrote to memory of 3252 1796 9bhbhn.exe 83 PID 3252 wrote to memory of 3284 3252 82202.exe 84 PID 3252 wrote to memory of 3284 3252 82202.exe 84 PID 3252 wrote to memory of 3284 3252 82202.exe 84 PID 3284 wrote to memory of 2732 3284 ppjdp.exe 85 PID 3284 wrote to memory of 2732 3284 ppjdp.exe 85 PID 3284 wrote to memory of 2732 3284 ppjdp.exe 85 PID 2732 wrote to memory of 464 2732 686020.exe 140 PID 2732 wrote to memory of 464 2732 686020.exe 140 PID 2732 wrote to memory of 464 2732 686020.exe 140 PID 464 wrote to memory of 2448 464 5rllfrr.exe 87 PID 464 wrote to memory of 2448 464 5rllfrr.exe 87 PID 464 wrote to memory of 2448 464 5rllfrr.exe 87 PID 2448 wrote to memory of 4460 2448 86686.exe 142 PID 2448 wrote to memory of 4460 2448 86686.exe 142 PID 2448 wrote to memory of 4460 2448 86686.exe 142 PID 4460 wrote to memory of 3620 4460 0808664.exe 89 PID 4460 wrote to memory of 3620 4460 0808664.exe 89 PID 4460 wrote to memory of 3620 4460 0808664.exe 89 PID 3620 wrote to memory of 4204 3620 42642.exe 90 PID 3620 wrote to memory of 4204 3620 42642.exe 90 PID 3620 wrote to memory of 4204 3620 42642.exe 90 PID 4204 wrote to memory of 4936 4204 a2204.exe 91 PID 4204 wrote to memory of 4936 4204 a2204.exe 91 PID 4204 wrote to memory of 4936 4204 a2204.exe 91 PID 4936 wrote to memory of 1688 4936 022682.exe 92 PID 4936 wrote to memory of 1688 4936 022682.exe 92 PID 4936 wrote to memory of 1688 4936 022682.exe 92 PID 1688 wrote to memory of 3204 1688 lrrfrfx.exe 93 PID 1688 wrote to memory of 
3204 1688 lrrfrfx.exe 93 PID 1688 wrote to memory of 3204 1688 lrrfrfx.exe 93 PID 3204 wrote to memory of 3228 3204 08208.exe 94 PID 3204 wrote to memory of 3228 3204 08208.exe 94 PID 3204 wrote to memory of 3228 3204 08208.exe 94 PID 3228 wrote to memory of 3880 3228 s0648.exe 95 PID 3228 wrote to memory of 3880 3228 s0648.exe 95 PID 3228 wrote to memory of 3880 3228 s0648.exe 95 PID 3880 wrote to memory of 4012 3880 040860.exe 96 PID 3880 wrote to memory of 4012 3880 040860.exe 96 PID 3880 wrote to memory of 4012 3880 040860.exe 96 PID 4012 wrote to memory of 2520 4012 jvvpj.exe 97 PID 4012 wrote to memory of 2520 4012 jvvpj.exe 97 PID 4012 wrote to memory of 2520 4012 jvvpj.exe 97 PID 2520 wrote to memory of 768 2520 7bbnnb.exe 98 PID 2520 wrote to memory of 768 2520 7bbnnb.exe 98 PID 2520 wrote to memory of 768 2520 7bbnnb.exe 98 PID 768 wrote to memory of 2916 768 ppvdj.exe 99 PID 768 wrote to memory of 2916 768 ppvdj.exe 99 PID 768 wrote to memory of 2916 768 ppvdj.exe 99 PID 2916 wrote to memory of 1460 2916 468088.exe 100 PID 2916 wrote to memory of 1460 2916 468088.exe 100 PID 2916 wrote to memory of 1460 2916 468088.exe 100 PID 1460 wrote to memory of 4648 1460 686088.exe 101 PID 1460 wrote to memory of 4648 1460 686088.exe 101 PID 1460 wrote to memory of 4648 1460 686088.exe 101 PID 4648 wrote to memory of 5012 4648 9nnbnh.exe 102 PID 4648 wrote to memory of 5012 4648 9nnbnh.exe 102 PID 4648 wrote to memory of 5012 4648 9nnbnh.exe 102 PID 5012 wrote to memory of 3860 5012 jvpdj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe"C:\Users\Admin\AppData\Local\Temp\4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\9bhbhn.exec:\9bhbhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\82202.exec:\82202.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\ppjdp.exec:\ppjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\686020.exec:\686020.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\5rllfrr.exec:\5rllfrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\86686.exec:\86686.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\0808664.exec:\0808664.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\42642.exec:\42642.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\a2204.exec:\a2204.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\022682.exec:\022682.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\lrrfrfx.exec:\lrrfrfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\08208.exec:\08208.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\s0648.exec:\s0648.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\040860.exec:\040860.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\jvvpj.exec:\jvvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\7bbnnb.exec:\7bbnnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\ppvdj.exec:\ppvdj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\468088.exec:\468088.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\686088.exec:\686088.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\9nnbnh.exec:\9nnbnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\jvpdj.exec:\jvpdj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\8408208.exec:\8408208.exe23⤵
- Executes dropped EXE
PID:3860 -
\??\c:\662086.exec:\662086.exe24⤵
- Executes dropped EXE
PID:3992 -
\??\c:\266420.exec:\266420.exe25⤵
- Executes dropped EXE
PID:676 -
\??\c:\pppvj.exec:\pppvj.exe26⤵
- Executes dropped EXE
PID:5036 -
\??\c:\e46442.exec:\e46442.exe27⤵
- Executes dropped EXE
PID:3188 -
\??\c:\5hbnhb.exec:\5hbnhb.exe28⤵
- Executes dropped EXE
PID:2572 -
\??\c:\e26026.exec:\e26026.exe29⤵
- Executes dropped EXE
PID:4792 -
\??\c:\08208.exec:\08208.exe30⤵
- Executes dropped EXE
PID:4440 -
\??\c:\jdjvv.exec:\jdjvv.exe31⤵
- Executes dropped EXE
PID:3488 -
\??\c:\vjvjj.exec:\vjvjj.exe32⤵
- Executes dropped EXE
PID:1456 -
\??\c:\e44204.exec:\e44204.exe33⤵
- Executes dropped EXE
PID:3672 -
\??\c:\862008.exec:\862008.exe34⤵
- Executes dropped EXE
PID:5064 -
\??\c:\24420.exec:\24420.exe35⤵
- Executes dropped EXE
PID:3312 -
\??\c:\nntthb.exec:\nntthb.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1524 -
\??\c:\hhhtbt.exec:\hhhtbt.exe37⤵
- Executes dropped EXE
PID:964 -
\??\c:\rfxlrlx.exec:\rfxlrlx.exe38⤵
- Executes dropped EXE
PID:2116 -
\??\c:\dddvj.exec:\dddvj.exe39⤵
- Executes dropped EXE
PID:4660 -
\??\c:\djjpd.exec:\djjpd.exe40⤵
- Executes dropped EXE
PID:3544 -
\??\c:\a4224.exec:\a4224.exe41⤵
- Executes dropped EXE
PID:384 -
\??\c:\8842086.exec:\8842086.exe42⤵
- Executes dropped EXE
PID:3192 -
\??\c:\222082.exec:\222082.exe43⤵
- Executes dropped EXE
PID:5024 -
\??\c:\rflxfxr.exec:\rflxfxr.exe44⤵
- Executes dropped EXE
PID:4808 -
\??\c:\2004266.exec:\2004266.exe45⤵
- Executes dropped EXE
PID:2832 -
\??\c:\606464.exec:\606464.exe46⤵
- Executes dropped EXE
PID:4840 -
\??\c:\66208.exec:\66208.exe47⤵
- Executes dropped EXE
PID:2972 -
\??\c:\9tthtn.exec:\9tthtn.exe48⤵
- Executes dropped EXE
PID:4220 -
\??\c:\bnnbnb.exec:\bnnbnb.exe49⤵
- Executes dropped EXE
PID:3364 -
\??\c:\flrfxrf.exec:\flrfxrf.exe50⤵
- Executes dropped EXE
PID:4048 -
\??\c:\5vpjv.exec:\5vpjv.exe51⤵
- Executes dropped EXE
PID:4388 -
\??\c:\dppjd.exec:\dppjd.exe52⤵
- Executes dropped EXE
PID:2564 -
\??\c:\flfxlxl.exec:\flfxlxl.exe53⤵
- Executes dropped EXE
PID:4568 -
\??\c:\4406648.exec:\4406648.exe54⤵
- Executes dropped EXE
PID:2236 -
\??\c:\9tttnn.exec:\9tttnn.exe55⤵
- Executes dropped EXE
PID:1992 -
\??\c:\1rrfrrf.exec:\1rrfrrf.exe56⤵
- Executes dropped EXE
PID:4148 -
\??\c:\660826.exec:\660826.exe57⤵
- Executes dropped EXE
PID:3340 -
\??\c:\000820.exec:\000820.exe58⤵
- Executes dropped EXE
PID:4232 -
\??\c:\rffrlfl.exec:\rffrlfl.exe59⤵
- Executes dropped EXE
PID:464 -
\??\c:\406044.exec:\406044.exe60⤵
- Executes dropped EXE
PID:2644 -
\??\c:\3hbnbn.exec:\3hbnbn.exe61⤵
- Executes dropped EXE
PID:4460 -
\??\c:\vddpp.exec:\vddpp.exe62⤵
- Executes dropped EXE
PID:2108 -
\??\c:\7vpdp.exec:\7vpdp.exe63⤵
- Executes dropped EXE
PID:1300 -
\??\c:\o888664.exec:\o888664.exe64⤵
- Executes dropped EXE
PID:4580 -
\??\c:\222082.exec:\222082.exe65⤵
- Executes dropped EXE
PID:3556 -
\??\c:\048204.exec:\048204.exe66⤵PID:2384
-
\??\c:\vpjvj.exec:\vpjvj.exe67⤵PID:1580
-
\??\c:\k44640.exec:\k44640.exe68⤵PID:4892
-
\??\c:\s0486.exec:\s0486.exe69⤵
- System Location Discovery: System Language Discovery
PID:2424 -
\??\c:\s4820.exec:\s4820.exe70⤵PID:2840
-
\??\c:\60048.exec:\60048.exe71⤵PID:4180
-
\??\c:\88208.exec:\88208.exe72⤵PID:4040
-
\??\c:\0446486.exec:\0446486.exe73⤵PID:3980
-
\??\c:\xffrfrl.exec:\xffrfrl.exe74⤵PID:3664
-
\??\c:\422642.exec:\422642.exe75⤵PID:2996
-
\??\c:\0404608.exec:\0404608.exe76⤵PID:5028
-
\??\c:\8664264.exec:\8664264.exe77⤵PID:4648
-
\??\c:\xlxlxxl.exec:\xlxlxxl.exe78⤵PID:3860
-
\??\c:\pppdp.exec:\pppdp.exe79⤵PID:1408
-
\??\c:\jppdd.exec:\jppdd.exe80⤵PID:2444
-
\??\c:\684864.exec:\684864.exe81⤵PID:1648
-
\??\c:\ntnbhb.exec:\ntnbhb.exe82⤵PID:1172
-
\??\c:\644248.exec:\644248.exe83⤵PID:4680
-
\??\c:\0008602.exec:\0008602.exe84⤵PID:3280
-
\??\c:\8064420.exec:\8064420.exe85⤵PID:3244
-
\??\c:\240042.exec:\240042.exe86⤵PID:4484
-
\??\c:\3thbbt.exec:\3thbbt.exe87⤵PID:720
-
\??\c:\444642.exec:\444642.exe88⤵PID:3052
-
\??\c:\8660224.exec:\8660224.exe89⤵PID:1456
-
\??\c:\888248.exec:\888248.exe90⤵PID:4120
-
\??\c:\028648.exec:\028648.exe91⤵PID:2264
-
\??\c:\lfxflll.exec:\lfxflll.exe92⤵PID:2548
-
\??\c:\8220820.exec:\8220820.exe93⤵PID:1368
-
\??\c:\040620.exec:\040620.exe94⤵PID:2116
-
\??\c:\dpvjd.exec:\dpvjd.exe95⤵PID:3616
-
\??\c:\4842086.exec:\4842086.exe96⤵PID:4036
-
\??\c:\06282.exec:\06282.exe97⤵PID:2544
-
\??\c:\7hbnbt.exec:\7hbnbt.exe98⤵PID:1476
-
\??\c:\tbbnhb.exec:\tbbnhb.exe99⤵PID:1596
-
\??\c:\q62828.exec:\q62828.exe100⤵PID:4920
-
\??\c:\9djvp.exec:\9djvp.exe101⤵PID:408
-
\??\c:\6248660.exec:\6248660.exe102⤵PID:4608
-
\??\c:\ntbtnt.exec:\ntbtnt.exe103⤵PID:4560
-
\??\c:\66642.exec:\66642.exe104⤵PID:3144
-
\??\c:\s0060.exec:\s0060.exe105⤵PID:2756
-
\??\c:\tbbhtt.exec:\tbbhtt.exe106⤵PID:3124
-
\??\c:\044844.exec:\044844.exe107⤵PID:2940
-
\??\c:\48208.exec:\48208.exe108⤵PID:3844
-
\??\c:\thbbhb.exec:\thbbhb.exe109⤵PID:2136
-
\??\c:\lffrxxl.exec:\lffrxxl.exe110⤵PID:4468
-
\??\c:\7ddpp.exec:\7ddpp.exe111⤵PID:4732
-
\??\c:\xlflxrf.exec:\xlflxrf.exe112⤵PID:2948
-
\??\c:\nbttbb.exec:\nbttbb.exe113⤵PID:4668
-
\??\c:\240822.exec:\240822.exe114⤵PID:4504
-
\??\c:\48084.exec:\48084.exe115⤵PID:4244
-
\??\c:\40086.exec:\40086.exe116⤵PID:2272
-
\??\c:\thnhht.exec:\thnhht.exe117⤵PID:2428
-
\??\c:\lxfllfr.exec:\lxfllfr.exe118⤵PID:840
-
\??\c:\dvpdp.exec:\dvpdp.exe119⤵PID:4140
-
\??\c:\22882.exec:\22882.exe120⤵PID:4464
-
\??\c:\c282004.exec:\c282004.exe121⤵PID:4380
-
\??\c:\64088.exec:\64088.exe122⤵PID:3696