Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 03:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9c52779d593a00c358f4295d271f3d56b8cce5bc4a1af8d27ca96b212041ab2fN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9c52779d593a00c358f4295d271f3d56b8cce5bc4a1af8d27ca96b212041ab2fN.exe
-
Size
454KB
-
MD5
6c9bbd257c57fa6f04250b0d070e08c0
-
SHA1
d606b48211f5c4cb8df46f21fac238809e22edf0
-
SHA256
9c52779d593a00c358f4295d271f3d56b8cce5bc4a1af8d27ca96b212041ab2f
-
SHA512
484fb0663b375515dfa7e54c594a963312dc6b2f25f92dc9c9fa662ff4f74561ee1e0b2ba1e5526a66ca9c8de21dca1e0c6cb246adb17346f3cbdf2c1dfdf6a3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/540-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1284-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4392-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-829-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-1629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-1772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-1952-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3068 jppjd.exe 3828 884260.exe 2116 420006.exe 3512 djdpd.exe 2568 dvvjd.exe 3436 ttnbtt.exe 1456 rrxlxrl.exe 2108 5lrlrll.exe 392 jpjvj.exe 2080 000426.exe 2880 480860.exe 4008 tntntt.exe 1756 2002226.exe 4992 8882604.exe 412 802648.exe 2960 46282.exe 2816 0808660.exe 3968 204288.exe 4540 fxrfrll.exe 4156 8686048.exe 5084 02866.exe 4436 djjvd.exe 1840 2060266.exe 316 1thbnh.exe 1244 xrlxlfx.exe 1184 e40426.exe 3340 24604.exe 976 822282.exe 1012 600826.exe 1652 204048.exe 4700 44048.exe 2932 jvvjp.exe 2400 46264.exe 1284 2282482.exe 3924 80420.exe 1524 rfxlxrl.exe 1832 044860.exe 4400 888426.exe 1556 882648.exe 872 vddvd.exe 4820 4822048.exe 2600 ffffrlf.exe 3528 7bnbtn.exe 396 xlfxllr.exe 2556 282682.exe 2768 0822082.exe 3228 86042.exe 652 42422.exe 4548 288082.exe 516 4222602.exe 3448 2024882.exe 2144 hnbnhb.exe 64 66648.exe 232 44608.exe 2372 dppjv.exe 348 i448004.exe 4260 nbttbt.exe 372 88604.exe 2148 pppdj.exe 2428 686448.exe 3468 4848826.exe 1260 9dvpv.exe 408 5ppjv.exe 4332 lxxrllf.exe -
resource yara_rule behavioral2/memory/540-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1012-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-378-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2932-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-1215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-1629-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 628822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8688440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k62600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbntbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8022448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 620482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8686640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0804860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2264.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 540 wrote to memory of 3068 540 9c52779d593a00c358f4295d271f3d56b8cce5bc4a1af8d27ca96b212041ab2fN.exe 83 PID 540 wrote to memory of 3068 540 9c52779d593a00c358f4295d271f3d56b8cce5bc4a1af8d27ca96b212041ab2fN.exe 83 PID 540 wrote to memory of 3068 540 9c52779d593a00c358f4295d271f3d56b8cce5bc4a1af8d27ca96b212041ab2fN.exe 83 PID 3068 wrote to memory of 3828 3068 jppjd.exe 84 PID 3068 wrote to memory of 3828 3068 jppjd.exe 84 PID 3068 wrote to memory of 3828 3068 jppjd.exe 84 PID 3828 wrote to memory of 2116 3828 884260.exe 85 PID 3828 wrote to memory of 2116 3828 884260.exe 85 PID 3828 wrote to memory of 2116 3828 884260.exe 85 PID 2116 wrote to memory of 3512 2116 420006.exe 86 PID 2116 wrote to memory of 3512 2116 420006.exe 86 PID 2116 wrote to memory of 3512 2116 420006.exe 86 PID 3512 wrote to memory of 2568 3512 djdpd.exe 87 PID 3512 wrote to memory of 2568 3512 djdpd.exe 87 PID 3512 wrote to memory of 2568 3512 djdpd.exe 87 PID 2568 wrote to memory of 3436 2568 dvvjd.exe 88 PID 2568 wrote to memory of 3436 2568 dvvjd.exe 88 PID 2568 wrote to memory of 3436 2568 dvvjd.exe 88 PID 3436 wrote to memory of 1456 3436 ttnbtt.exe 89 PID 3436 wrote to memory of 1456 3436 ttnbtt.exe 89 PID 3436 wrote to memory of 1456 3436 ttnbtt.exe 89 PID 1456 wrote to memory of 2108 1456 rrxlxrl.exe 90 PID 1456 wrote to memory of 2108 1456 rrxlxrl.exe 90 PID 1456 wrote to memory of 2108 1456 rrxlxrl.exe 90 PID 2108 wrote to memory of 392 2108 5lrlrll.exe 91 PID 2108 wrote to memory of 392 2108 5lrlrll.exe 91 PID 2108 wrote to memory of 392 2108 5lrlrll.exe 91 PID 392 wrote to memory of 2080 392 jpjvj.exe 92 PID 392 wrote to memory of 2080 392 jpjvj.exe 92 PID 392 wrote to memory of 2080 392 jpjvj.exe 92 PID 2080 wrote to memory of 2880 2080 000426.exe 93 PID 2080 wrote to memory of 2880 2080 000426.exe 93 PID 2080 wrote to memory of 2880 2080 000426.exe 93 PID 2880 wrote to memory of 4008 2880 480860.exe 94 PID 2880 wrote to memory of 4008 2880 
480860.exe 94 PID 2880 wrote to memory of 4008 2880 480860.exe 94 PID 4008 wrote to memory of 1756 4008 tntntt.exe 95 PID 4008 wrote to memory of 1756 4008 tntntt.exe 95 PID 4008 wrote to memory of 1756 4008 tntntt.exe 95 PID 1756 wrote to memory of 4992 1756 2002226.exe 96 PID 1756 wrote to memory of 4992 1756 2002226.exe 96 PID 1756 wrote to memory of 4992 1756 2002226.exe 96 PID 4992 wrote to memory of 412 4992 8882604.exe 97 PID 4992 wrote to memory of 412 4992 8882604.exe 97 PID 4992 wrote to memory of 412 4992 8882604.exe 97 PID 412 wrote to memory of 2960 412 802648.exe 98 PID 412 wrote to memory of 2960 412 802648.exe 98 PID 412 wrote to memory of 2960 412 802648.exe 98 PID 2960 wrote to memory of 2816 2960 46282.exe 99 PID 2960 wrote to memory of 2816 2960 46282.exe 99 PID 2960 wrote to memory of 2816 2960 46282.exe 99 PID 2816 wrote to memory of 3968 2816 0808660.exe 100 PID 2816 wrote to memory of 3968 2816 0808660.exe 100 PID 2816 wrote to memory of 3968 2816 0808660.exe 100 PID 3968 wrote to memory of 4540 3968 204288.exe 101 PID 3968 wrote to memory of 4540 3968 204288.exe 101 PID 3968 wrote to memory of 4540 3968 204288.exe 101 PID 4540 wrote to memory of 4156 4540 fxrfrll.exe 161 PID 4540 wrote to memory of 4156 4540 fxrfrll.exe 161 PID 4540 wrote to memory of 4156 4540 fxrfrll.exe 161 PID 4156 wrote to memory of 5084 4156 8686048.exe 103 PID 4156 wrote to memory of 5084 4156 8686048.exe 103 PID 4156 wrote to memory of 5084 4156 8686048.exe 103 PID 5084 wrote to memory of 4436 5084 02866.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c52779d593a00c358f4295d271f3d56b8cce5bc4a1af8d27ca96b212041ab2fN.exe"C:\Users\Admin\AppData\Local\Temp\9c52779d593a00c358f4295d271f3d56b8cce5bc4a1af8d27ca96b212041ab2fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\jppjd.exec:\jppjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\884260.exec:\884260.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\420006.exec:\420006.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\djdpd.exec:\djdpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\dvvjd.exec:\dvvjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\ttnbtt.exec:\ttnbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\rrxlxrl.exec:\rrxlxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\5lrlrll.exec:\5lrlrll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\jpjvj.exec:\jpjvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\000426.exec:\000426.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\480860.exec:\480860.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\tntntt.exec:\tntntt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\2002226.exec:\2002226.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\8882604.exec:\8882604.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\802648.exec:\802648.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\46282.exec:\46282.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\0808660.exec:\0808660.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\204288.exec:\204288.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\fxrfrll.exec:\fxrfrll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\8686048.exec:\8686048.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\02866.exec:\02866.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\djjvd.exec:\djjvd.exe23⤵
- Executes dropped EXE
PID:4436 -
\??\c:\2060266.exec:\2060266.exe24⤵
- Executes dropped EXE
PID:1840 -
\??\c:\1thbnh.exec:\1thbnh.exe25⤵
- Executes dropped EXE
PID:316 -
\??\c:\xrlxlfx.exec:\xrlxlfx.exe26⤵
- Executes dropped EXE
PID:1244 -
\??\c:\e40426.exec:\e40426.exe27⤵
- Executes dropped EXE
PID:1184 -
\??\c:\24604.exec:\24604.exe28⤵
- Executes dropped EXE
PID:3340 -
\??\c:\822282.exec:\822282.exe29⤵
- Executes dropped EXE
PID:976 -
\??\c:\600826.exec:\600826.exe30⤵
- Executes dropped EXE
PID:1012 -
\??\c:\204048.exec:\204048.exe31⤵
- Executes dropped EXE
PID:1652 -
\??\c:\44048.exec:\44048.exe32⤵
- Executes dropped EXE
PID:4700 -
\??\c:\jvvjp.exec:\jvvjp.exe33⤵
- Executes dropped EXE
PID:2932 -
\??\c:\46264.exec:\46264.exe34⤵
- Executes dropped EXE
PID:2400 -
\??\c:\2282482.exec:\2282482.exe35⤵
- Executes dropped EXE
PID:1284 -
\??\c:\80420.exec:\80420.exe36⤵
- Executes dropped EXE
PID:3924 -
\??\c:\rfxlxrl.exec:\rfxlxrl.exe37⤵
- Executes dropped EXE
PID:1524 -
\??\c:\044860.exec:\044860.exe38⤵
- Executes dropped EXE
PID:1832 -
\??\c:\888426.exec:\888426.exe39⤵
- Executes dropped EXE
PID:4400 -
\??\c:\882648.exec:\882648.exe40⤵
- Executes dropped EXE
PID:1556 -
\??\c:\vddvd.exec:\vddvd.exe41⤵
- Executes dropped EXE
PID:872 -
\??\c:\4822048.exec:\4822048.exe42⤵
- Executes dropped EXE
PID:4820 -
\??\c:\ffffrlf.exec:\ffffrlf.exe43⤵
- Executes dropped EXE
PID:2600 -
\??\c:\7bnbtn.exec:\7bnbtn.exe44⤵
- Executes dropped EXE
PID:3528 -
\??\c:\xlfxllr.exec:\xlfxllr.exe45⤵
- Executes dropped EXE
PID:396 -
\??\c:\282682.exec:\282682.exe46⤵
- Executes dropped EXE
PID:2556 -
\??\c:\0822082.exec:\0822082.exe47⤵
- Executes dropped EXE
PID:2768 -
\??\c:\86042.exec:\86042.exe48⤵
- Executes dropped EXE
PID:3228 -
\??\c:\42422.exec:\42422.exe49⤵
- Executes dropped EXE
PID:652 -
\??\c:\288082.exec:\288082.exe50⤵
- Executes dropped EXE
PID:4548 -
\??\c:\4222602.exec:\4222602.exe51⤵
- Executes dropped EXE
PID:516 -
\??\c:\2024882.exec:\2024882.exe52⤵
- Executes dropped EXE
PID:3448 -
\??\c:\hnbnhb.exec:\hnbnhb.exe53⤵
- Executes dropped EXE
PID:2144 -
\??\c:\66648.exec:\66648.exe54⤵
- Executes dropped EXE
PID:64 -
\??\c:\44608.exec:\44608.exe55⤵
- Executes dropped EXE
PID:232 -
\??\c:\dppjv.exec:\dppjv.exe56⤵
- Executes dropped EXE
PID:2372 -
\??\c:\i448004.exec:\i448004.exe57⤵
- Executes dropped EXE
PID:348 -
\??\c:\nbttbt.exec:\nbttbt.exe58⤵
- Executes dropped EXE
PID:4260 -
\??\c:\88604.exec:\88604.exe59⤵
- Executes dropped EXE
PID:372 -
\??\c:\pppdj.exec:\pppdj.exe60⤵
- Executes dropped EXE
PID:2148 -
\??\c:\686448.exec:\686448.exe61⤵
- Executes dropped EXE
PID:2428 -
\??\c:\4848826.exec:\4848826.exe62⤵
- Executes dropped EXE
PID:3468 -
\??\c:\9dvpv.exec:\9dvpv.exe63⤵
- Executes dropped EXE
PID:1260 -
\??\c:\5ppjv.exec:\5ppjv.exe64⤵
- Executes dropped EXE
PID:408 -
\??\c:\lxxrllf.exec:\lxxrllf.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4332 -
\??\c:\i866448.exec:\i866448.exe66⤵PID:3524
-
\??\c:\2888882.exec:\2888882.exe67⤵PID:676
-
\??\c:\jpjvp.exec:\jpjvp.exe68⤵PID:32
-
\??\c:\628822.exec:\628822.exe69⤵
- System Location Discovery: System Language Discovery
PID:3648 -
\??\c:\i460444.exec:\i460444.exe70⤵PID:1200
-
\??\c:\224266.exec:\224266.exe71⤵PID:1696
-
\??\c:\tnttnn.exec:\tnttnn.exe72⤵PID:1224
-
\??\c:\xlrlllx.exec:\xlrlllx.exe73⤵PID:440
-
\??\c:\24000.exec:\24000.exe74⤵PID:4844
-
\??\c:\484488.exec:\484488.exe75⤵PID:3012
-
\??\c:\8604882.exec:\8604882.exe76⤵PID:1280
-
\??\c:\068488.exec:\068488.exe77⤵PID:5076
-
\??\c:\646266.exec:\646266.exe78⤵PID:3868
-
\??\c:\4022004.exec:\4022004.exe79⤵PID:1372
-
\??\c:\866448.exec:\866448.exe80⤵PID:4156
-
\??\c:\w40044.exec:\w40044.exe81⤵PID:2312
-
\??\c:\ffxrrrf.exec:\ffxrrrf.exe82⤵PID:4392
-
\??\c:\6244082.exec:\6244082.exe83⤵PID:2548
-
\??\c:\ffrlfxr.exec:\ffrlfxr.exe84⤵PID:448
-
\??\c:\8628866.exec:\8628866.exe85⤵PID:3092
-
\??\c:\bbbnbt.exec:\bbbnbt.exe86⤵PID:3700
-
\??\c:\002082.exec:\002082.exe87⤵PID:3340
-
\??\c:\8426864.exec:\8426864.exe88⤵PID:3840
-
\??\c:\2448282.exec:\2448282.exe89⤵PID:5028
-
\??\c:\6248086.exec:\6248086.exe90⤵PID:2932
-
\??\c:\fxrfxfx.exec:\fxrfxfx.exe91⤵PID:3268
-
\??\c:\8000440.exec:\8000440.exe92⤵PID:4468
-
\??\c:\084488.exec:\084488.exe93⤵PID:1084
-
\??\c:\02226.exec:\02226.exe94⤵PID:2272
-
\??\c:\4222266.exec:\4222266.exe95⤵PID:1340
-
\??\c:\thttnn.exec:\thttnn.exe96⤵PID:720
-
\??\c:\428486.exec:\428486.exe97⤵PID:2668
-
\??\c:\4282660.exec:\4282660.exe98⤵PID:2288
-
\??\c:\7ddvj.exec:\7ddvj.exe99⤵PID:1168
-
\??\c:\rlffxxx.exec:\rlffxxx.exe100⤵PID:1188
-
\??\c:\5xlfxxx.exec:\5xlfxxx.exe101⤵PID:4508
-
\??\c:\86404.exec:\86404.exe102⤵PID:1620
-
\??\c:\7rxlffx.exec:\7rxlffx.exe103⤵PID:3228
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe104⤵PID:1160
-
\??\c:\66228.exec:\66228.exe105⤵PID:3100
-
\??\c:\5lfrfxl.exec:\5lfrfxl.exe106⤵PID:1628
-
\??\c:\rflfrlf.exec:\rflfrlf.exe107⤵PID:3584
-
\??\c:\u042264.exec:\u042264.exe108⤵PID:4524
-
\??\c:\nttnbb.exec:\nttnbb.exe109⤵PID:4768
-
\??\c:\hbhbnh.exec:\hbhbnh.exe110⤵PID:2208
-
\??\c:\666422.exec:\666422.exe111⤵PID:3952
-
\??\c:\k00826.exec:\k00826.exe112⤵PID:3876
-
\??\c:\84820.exec:\84820.exe113⤵PID:3768
-
\??\c:\200088.exec:\200088.exe114⤵PID:2148
-
\??\c:\8646202.exec:\8646202.exe115⤵PID:224
-
\??\c:\1hthtn.exec:\1hthtn.exe116⤵PID:3468
-
\??\c:\082086.exec:\082086.exe117⤵PID:5104
-
\??\c:\vjjvp.exec:\vjjvp.exe118⤵PID:2188
-
\??\c:\44020.exec:\44020.exe119⤵PID:408
-
\??\c:\0060604.exec:\0060604.exe120⤵PID:4332
-
\??\c:\0620664.exec:\0620664.exe121⤵PID:1480
-
\??\c:\pppdp.exec:\pppdp.exe122⤵PID:684