Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 03:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
12eac72aebf4a6e63be87d1786b73d73b62b4af7f5800327b0176b2ebc35ccb1.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
12eac72aebf4a6e63be87d1786b73d73b62b4af7f5800327b0176b2ebc35ccb1.exe
-
Size
456KB
-
MD5
1652b465f36fe980db0a7d5c09af7bc9
-
SHA1
16d232bc616088fd199c86953585cfa693c84cbc
-
SHA256
12eac72aebf4a6e63be87d1786b73d73b62b4af7f5800327b0176b2ebc35ccb1
-
SHA512
8b7428c85488a69150a901c96f49367abba8fe1d5f26459d848cfd2677a69de6f6e205dda8af0c002737523f01286d2962922098a3143410bcb692b9a2a164a9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3452-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2468-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1684-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-1008-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-1217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-1683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-1814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4960 28448.exe 3956 ddvpp.exe 5072 40060.exe 2176 042266.exe 2784 jjdvd.exe 816 g2866.exe 452 k40482.exe 3424 228446.exe 4900 24868.exe 2540 ttnbbt.exe 3244 bhhthb.exe 2980 622604.exe 3800 8448260.exe 2424 862660.exe 1780 tnnhbt.exe 2672 4264820.exe 2208 hbnhnh.exe 4908 62860.exe 4788 486682.exe 3300 q66266.exe 2728 2044804.exe 1200 6408644.exe 4484 rxfrllf.exe 3580 600422.exe 4616 hnnnhh.exe 3220 xffllfr.exe 2468 2628840.exe 1308 dpvpp.exe 3216 004862.exe 1164 pjvdj.exe 2264 o242226.exe 3900 dvjdd.exe 4716 7ttnhh.exe 3556 tbhhbb.exe 1708 nhnhhh.exe 4732 3vdvv.exe 3496 4022448.exe 2376 xrrffff.exe 1248 82660.exe 2068 0400448.exe 4952 tnntnb.exe 4400 m0220.exe 1776 jvdvv.exe 4184 044444.exe 228 ttttnn.exe 3212 w44466.exe 1784 48226.exe 2064 9ffflll.exe 4356 2606808.exe 3936 xrlffxr.exe 2968 jjpjd.exe 2556 68066.exe 3588 446088.exe 4700 m8426.exe 2656 ffxrlxr.exe 3652 1lfrlxr.exe 4524 jdvjd.exe 3472 m8886.exe 1100 s4426.exe 1656 bhnhbb.exe 384 4468868.exe 4192 vdpjv.exe 2564 bhhtnh.exe 4204 dpdvj.exe -
resource yara_rule behavioral2/memory/3452-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2468-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-331-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4968-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-620-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4866066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c682688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k20468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8222226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6020606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82044.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3452 wrote to memory of 4960 3452 12eac72aebf4a6e63be87d1786b73d73b62b4af7f5800327b0176b2ebc35ccb1.exe 83 PID 3452 wrote to memory of 4960 3452 12eac72aebf4a6e63be87d1786b73d73b62b4af7f5800327b0176b2ebc35ccb1.exe 83 PID 3452 wrote to memory of 4960 3452 12eac72aebf4a6e63be87d1786b73d73b62b4af7f5800327b0176b2ebc35ccb1.exe 83 PID 4960 wrote to memory of 3956 4960 28448.exe 84 PID 4960 wrote to memory of 3956 4960 28448.exe 84 PID 4960 wrote to memory of 3956 4960 28448.exe 84 PID 3956 wrote to memory of 5072 3956 ddvpp.exe 85 PID 3956 wrote to memory of 5072 3956 ddvpp.exe 85 PID 3956 wrote to memory of 5072 3956 ddvpp.exe 85 PID 5072 wrote to memory of 2176 5072 40060.exe 86 PID 5072 wrote to memory of 2176 5072 40060.exe 86 PID 5072 wrote to memory of 2176 5072 40060.exe 86 PID 2176 wrote to memory of 2784 2176 042266.exe 87 PID 2176 wrote to memory of 2784 2176 042266.exe 87 PID 2176 wrote to memory of 2784 2176 042266.exe 87 PID 2784 wrote to memory of 816 2784 jjdvd.exe 88 PID 2784 wrote to memory of 816 2784 jjdvd.exe 88 PID 2784 wrote to memory of 816 2784 jjdvd.exe 88 PID 816 wrote to memory of 452 816 g2866.exe 89 PID 816 wrote to memory of 452 816 g2866.exe 89 PID 816 wrote to memory of 452 816 g2866.exe 89 PID 452 wrote to memory of 3424 452 k40482.exe 90 PID 452 wrote to memory of 3424 452 k40482.exe 90 PID 452 wrote to memory of 3424 452 k40482.exe 90 PID 3424 wrote to memory of 4900 3424 228446.exe 91 PID 3424 wrote to memory of 4900 3424 228446.exe 91 PID 3424 wrote to memory of 4900 3424 228446.exe 91 PID 4900 wrote to memory of 2540 4900 24868.exe 92 PID 4900 wrote to memory of 2540 4900 24868.exe 92 PID 4900 wrote to memory of 2540 4900 24868.exe 92 PID 2540 wrote to memory of 3244 2540 ttnbbt.exe 93 PID 2540 wrote to memory of 3244 2540 ttnbbt.exe 93 PID 2540 wrote to memory of 3244 2540 ttnbbt.exe 93 PID 3244 wrote to memory of 2980 3244 bhhthb.exe 94 PID 3244 wrote to memory of 2980 3244 bhhthb.exe 94 PID 
3244 wrote to memory of 2980 3244 bhhthb.exe 94 PID 2980 wrote to memory of 3800 2980 622604.exe 95 PID 2980 wrote to memory of 3800 2980 622604.exe 95 PID 2980 wrote to memory of 3800 2980 622604.exe 95 PID 3800 wrote to memory of 2424 3800 8448260.exe 96 PID 3800 wrote to memory of 2424 3800 8448260.exe 96 PID 3800 wrote to memory of 2424 3800 8448260.exe 96 PID 2424 wrote to memory of 1780 2424 862660.exe 97 PID 2424 wrote to memory of 1780 2424 862660.exe 97 PID 2424 wrote to memory of 1780 2424 862660.exe 97 PID 1780 wrote to memory of 2672 1780 tnnhbt.exe 98 PID 1780 wrote to memory of 2672 1780 tnnhbt.exe 98 PID 1780 wrote to memory of 2672 1780 tnnhbt.exe 98 PID 2672 wrote to memory of 2208 2672 4264820.exe 99 PID 2672 wrote to memory of 2208 2672 4264820.exe 99 PID 2672 wrote to memory of 2208 2672 4264820.exe 99 PID 2208 wrote to memory of 4908 2208 hbnhnh.exe 100 PID 2208 wrote to memory of 4908 2208 hbnhnh.exe 100 PID 2208 wrote to memory of 4908 2208 hbnhnh.exe 100 PID 4908 wrote to memory of 4788 4908 62860.exe 101 PID 4908 wrote to memory of 4788 4908 62860.exe 101 PID 4908 wrote to memory of 4788 4908 62860.exe 101 PID 4788 wrote to memory of 3300 4788 486682.exe 102 PID 4788 wrote to memory of 3300 4788 486682.exe 102 PID 4788 wrote to memory of 3300 4788 486682.exe 102 PID 3300 wrote to memory of 2728 3300 q66266.exe 103 PID 3300 wrote to memory of 2728 3300 q66266.exe 103 PID 3300 wrote to memory of 2728 3300 q66266.exe 103 PID 2728 wrote to memory of 1200 2728 2044804.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\12eac72aebf4a6e63be87d1786b73d73b62b4af7f5800327b0176b2ebc35ccb1.exe"C:\Users\Admin\AppData\Local\Temp\12eac72aebf4a6e63be87d1786b73d73b62b4af7f5800327b0176b2ebc35ccb1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\28448.exec:\28448.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\ddvpp.exec:\ddvpp.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\40060.exec:\40060.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\042266.exec:\042266.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\jjdvd.exec:\jjdvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\g2866.exec:\g2866.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\k40482.exec:\k40482.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\228446.exec:\228446.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\24868.exec:\24868.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\ttnbbt.exec:\ttnbbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\bhhthb.exec:\bhhthb.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\622604.exec:\622604.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\8448260.exec:\8448260.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
\??\c:\862660.exec:\862660.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\tnnhbt.exec:\tnnhbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\4264820.exec:\4264820.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\hbnhnh.exec:\hbnhnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\62860.exec:\62860.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\486682.exec:\486682.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\q66266.exec:\q66266.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\2044804.exec:\2044804.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\6408644.exec:\6408644.exe23⤵
- Executes dropped EXE
PID:1200 -
\??\c:\rxfrllf.exec:\rxfrllf.exe24⤵
- Executes dropped EXE
PID:4484 -
\??\c:\600422.exec:\600422.exe25⤵
- Executes dropped EXE
PID:3580 -
\??\c:\hnnnhh.exec:\hnnnhh.exe26⤵
- Executes dropped EXE
PID:4616 -
\??\c:\xffllfr.exec:\xffllfr.exe27⤵
- Executes dropped EXE
PID:3220 -
\??\c:\2628840.exec:\2628840.exe28⤵
- Executes dropped EXE
PID:2468 -
\??\c:\dpvpp.exec:\dpvpp.exe29⤵
- Executes dropped EXE
PID:1308 -
\??\c:\004862.exec:\004862.exe30⤵
- Executes dropped EXE
PID:3216 -
\??\c:\pjvdj.exec:\pjvdj.exe31⤵
- Executes dropped EXE
PID:1164 -
\??\c:\o242226.exec:\o242226.exe32⤵
- Executes dropped EXE
PID:2264 -
\??\c:\dvjdd.exec:\dvjdd.exe33⤵
- Executes dropped EXE
PID:3900 -
\??\c:\7ttnhh.exec:\7ttnhh.exe34⤵
- Executes dropped EXE
PID:4716 -
\??\c:\tbhhbb.exec:\tbhhbb.exe35⤵
- Executes dropped EXE
PID:3556 -
\??\c:\nhnhhh.exec:\nhnhhh.exe36⤵
- Executes dropped EXE
PID:1708 -
\??\c:\3vdvv.exec:\3vdvv.exe37⤵
- Executes dropped EXE
PID:4732 -
\??\c:\4022448.exec:\4022448.exe38⤵
- Executes dropped EXE
PID:3496 -
\??\c:\xrrffff.exec:\xrrffff.exe39⤵
- Executes dropped EXE
PID:2376 -
\??\c:\82660.exec:\82660.exe40⤵
- Executes dropped EXE
PID:1248 -
\??\c:\0400448.exec:\0400448.exe41⤵
- Executes dropped EXE
PID:2068 -
\??\c:\tnntnb.exec:\tnntnb.exe42⤵
- Executes dropped EXE
PID:4952 -
\??\c:\m0220.exec:\m0220.exe43⤵
- Executes dropped EXE
PID:4400 -
\??\c:\jvdvv.exec:\jvdvv.exe44⤵
- Executes dropped EXE
PID:1776 -
\??\c:\044444.exec:\044444.exe45⤵
- Executes dropped EXE
PID:4184 -
\??\c:\ttttnn.exec:\ttttnn.exe46⤵
- Executes dropped EXE
PID:228 -
\??\c:\w44466.exec:\w44466.exe47⤵
- Executes dropped EXE
PID:3212 -
\??\c:\48226.exec:\48226.exe48⤵
- Executes dropped EXE
PID:1784 -
\??\c:\9ffflll.exec:\9ffflll.exe49⤵
- Executes dropped EXE
PID:2064 -
\??\c:\2606808.exec:\2606808.exe50⤵
- Executes dropped EXE
PID:4356 -
\??\c:\xrlffxr.exec:\xrlffxr.exe51⤵
- Executes dropped EXE
PID:3936 -
\??\c:\jjpjd.exec:\jjpjd.exe52⤵
- Executes dropped EXE
PID:2968 -
\??\c:\68066.exec:\68066.exe53⤵
- Executes dropped EXE
PID:2556 -
\??\c:\446088.exec:\446088.exe54⤵
- Executes dropped EXE
PID:3588 -
\??\c:\m8426.exec:\m8426.exe55⤵
- Executes dropped EXE
PID:4700 -
\??\c:\ffxrlxr.exec:\ffxrlxr.exe56⤵
- Executes dropped EXE
PID:2656 -
\??\c:\1lfrlxr.exec:\1lfrlxr.exe57⤵
- Executes dropped EXE
PID:3652 -
\??\c:\jdvjd.exec:\jdvjd.exe58⤵
- Executes dropped EXE
PID:4524 -
\??\c:\m8886.exec:\m8886.exe59⤵
- Executes dropped EXE
PID:3472 -
\??\c:\s4426.exec:\s4426.exe60⤵
- Executes dropped EXE
PID:1100 -
\??\c:\bhnhbb.exec:\bhnhbb.exe61⤵
- Executes dropped EXE
PID:1656 -
\??\c:\4468868.exec:\4468868.exe62⤵
- Executes dropped EXE
PID:384 -
\??\c:\vdpjv.exec:\vdpjv.exe63⤵
- Executes dropped EXE
PID:4192 -
\??\c:\bhhtnh.exec:\bhhtnh.exe64⤵
- Executes dropped EXE
PID:2564 -
\??\c:\dpdvj.exec:\dpdvj.exe65⤵
- Executes dropped EXE
PID:4204 -
\??\c:\q66060.exec:\q66060.exe66⤵PID:2472
-
\??\c:\jdvjd.exec:\jdvjd.exe67⤵PID:2364
-
\??\c:\1lfxrlx.exec:\1lfxrlx.exe68⤵PID:1684
-
\??\c:\vpppd.exec:\vpppd.exe69⤵PID:2696
-
\??\c:\tntntn.exec:\tntntn.exe70⤵PID:376
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe71⤵
- System Location Discovery: System Language Discovery
PID:780 -
\??\c:\o228626.exec:\o228626.exe72⤵PID:2408
-
\??\c:\xlrrrlx.exec:\xlrrrlx.exe73⤵PID:3444
-
\??\c:\9lfxrrr.exec:\9lfxrrr.exe74⤵PID:2664
-
\??\c:\jdvpj.exec:\jdvpj.exe75⤵PID:2672
-
\??\c:\xllflrl.exec:\xllflrl.exe76⤵PID:4968
-
\??\c:\xfxxlfx.exec:\xfxxlfx.exe77⤵PID:4384
-
\??\c:\lfxlxrl.exec:\lfxlxrl.exe78⤵PID:3060
-
\??\c:\6020606.exec:\6020606.exe79⤵
- System Location Discovery: System Language Discovery
PID:2360 -
\??\c:\080048.exec:\080048.exe80⤵PID:4568
-
\??\c:\vvpdj.exec:\vvpdj.exe81⤵PID:1608
-
\??\c:\pjjpd.exec:\pjjpd.exe82⤵PID:4116
-
\??\c:\dvpdv.exec:\dvpdv.exe83⤵PID:4324
-
\??\c:\xlxrlfl.exec:\xlxrlfl.exe84⤵PID:4484
-
\??\c:\vdjdp.exec:\vdjdp.exe85⤵PID:2712
-
\??\c:\0444220.exec:\0444220.exe86⤵PID:2580
-
\??\c:\vdjdj.exec:\vdjdj.exe87⤵PID:1976
-
\??\c:\pppdv.exec:\pppdv.exe88⤵PID:3220
-
\??\c:\llrxlfx.exec:\llrxlfx.exe89⤵
- System Location Discovery: System Language Discovery
PID:3980 -
\??\c:\8204606.exec:\8204606.exe90⤵PID:3092
-
\??\c:\u482044.exec:\u482044.exe91⤵PID:4152
-
\??\c:\280860.exec:\280860.exe92⤵PID:1000
-
\??\c:\2886420.exec:\2886420.exe93⤵PID:4056
-
\??\c:\42404.exec:\42404.exe94⤵PID:4360
-
\??\c:\620488.exec:\620488.exe95⤵PID:3860
-
\??\c:\64042.exec:\64042.exe96⤵PID:3900
-
\??\c:\vjjvj.exec:\vjjvj.exe97⤵PID:3856
-
\??\c:\btthtt.exec:\btthtt.exe98⤵PID:3252
-
\??\c:\w62082.exec:\w62082.exe99⤵PID:1708
-
\??\c:\3vjdp.exec:\3vjdp.exe100⤵PID:1612
-
\??\c:\btnttn.exec:\btnttn.exe101⤵PID:4016
-
\??\c:\3hbnhb.exec:\3hbnhb.exe102⤵PID:4008
-
\??\c:\vpjdv.exec:\vpjdv.exe103⤵PID:5060
-
\??\c:\86602.exec:\86602.exe104⤵PID:2536
-
\??\c:\lfxlxxl.exec:\lfxlxxl.exe105⤵PID:2204
-
\??\c:\tthbth.exec:\tthbth.exe106⤵PID:3984
-
\??\c:\22408.exec:\22408.exe107⤵PID:2404
-
\??\c:\260426.exec:\260426.exe108⤵PID:2936
-
\??\c:\i044860.exec:\i044860.exe109⤵PID:2084
-
\??\c:\02028.exec:\02028.exe110⤵PID:4464
-
\??\c:\08264.exec:\08264.exe111⤵PID:2156
-
\??\c:\40028.exec:\40028.exe112⤵PID:4100
-
\??\c:\i406488.exec:\i406488.exe113⤵PID:4332
-
\??\c:\tbbnbt.exec:\tbbnbt.exe114⤵PID:2324
-
\??\c:\428242.exec:\428242.exe115⤵PID:3872
-
\??\c:\c242606.exec:\c242606.exe116⤵PID:2556
-
\??\c:\jjdvp.exec:\jjdvp.exe117⤵PID:784
-
\??\c:\200448.exec:\200448.exe118⤵PID:4148
-
\??\c:\4420820.exec:\4420820.exe119⤵PID:468
-
\??\c:\9thnbb.exec:\9thnbb.exe120⤵PID:1848
-
\??\c:\hhbnnh.exec:\hhbnnh.exe121⤵PID:972
-
\??\c:\1xlfrlf.exec:\1xlfrlf.exe122⤵PID:772