Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9e4636e9a1b2ade5a7509b5e3289efc3982c49e9c3b73168788ddc0be40818cc.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9e4636e9a1b2ade5a7509b5e3289efc3982c49e9c3b73168788ddc0be40818cc.exe
-
Size
454KB
-
MD5
56db38ccd66a77ce9de011b14d6e3a5d
-
SHA1
1a5ea7ece55dbccdbc077d82e41ffc1728b7dee0
-
SHA256
9e4636e9a1b2ade5a7509b5e3289efc3982c49e9c3b73168788ddc0be40818cc
-
SHA512
d9d995c28f5b0af077bc2c1fcc28d24de2ca17fb36f88c2fcfa37266198ac64c801c4fd1d2690b487d4bf80fab1be69d1a17c40571715a40566033eb8e5be3c6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeOo:q7Tc2NYHUrAwfMp3CDOo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4204-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2264-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3828-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-815-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-859-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-898-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-1156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5068-1303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1728 lxxxxfx.exe 404 dpjjp.exe 2872 06042.exe 752 848008.exe 3772 84860.exe 1120 lfxrfxr.exe 3160 228826.exe 2376 206442.exe 3148 rxrrrxf.exe 8 8486482.exe 984 tbbntn.exe 4380 pdpvj.exe 2192 frfrfrl.exe 3652 dpjvj.exe 4368 pjvpj.exe 4756 dpjvp.exe 1800 vjpdv.exe 4448 btbnbt.exe 4256 626082.exe 1924 8262604.exe 3324 bnhhnh.exe 3780 s8048.exe 3360 rfrfrlf.exe 4780 040860.exe 2888 684226.exe 3592 400860.exe 2164 hhhtbt.exe 3248 5tnhbt.exe 3696 0620426.exe 2680 pdjvp.exe 4728 htnbnh.exe 1824 pddvd.exe 1528 20008.exe 1584 682204.exe 3080 o408826.exe 4808 5vjvj.exe 4772 ththtn.exe 2904 400420.exe 884 s2042.exe 2960 222204.exe 2264 nbbnbt.exe 2860 e26086.exe 780 dppvj.exe 4748 xxxrxrl.exe 2592 220860.exe 4116 0848604.exe 5064 djjpd.exe 1004 3xxlxrf.exe 1976 440426.exe 928 8820826.exe 4832 a4606.exe 1716 64422.exe 4548 04082.exe 3952 848868.exe 4360 860848.exe 4752 3ffrfxl.exe 3332 8448260.exe 4880 8822048.exe 2068 06042.exe 3832 60288.exe 2816 pvpjj.exe 1756 bbtnht.exe 2520 nnbbhb.exe 2896 q00040.exe -
resource yara_rule behavioral2/memory/4204-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-218-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/884-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-434-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2876-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-772-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6608608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k00426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c064226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262200.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8808800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxfrlx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4204 wrote to memory of 1728 4204 9e4636e9a1b2ade5a7509b5e3289efc3982c49e9c3b73168788ddc0be40818cc.exe 83 PID 4204 wrote to memory of 1728 4204 9e4636e9a1b2ade5a7509b5e3289efc3982c49e9c3b73168788ddc0be40818cc.exe 83 PID 4204 wrote to memory of 1728 4204 9e4636e9a1b2ade5a7509b5e3289efc3982c49e9c3b73168788ddc0be40818cc.exe 83 PID 1728 wrote to memory of 404 1728 lxxxxfx.exe 84 PID 1728 wrote to memory of 404 1728 lxxxxfx.exe 84 PID 1728 wrote to memory of 404 1728 lxxxxfx.exe 84 PID 404 wrote to memory of 2872 404 dpjjp.exe 85 PID 404 wrote to memory of 2872 404 dpjjp.exe 85 PID 404 wrote to memory of 2872 404 dpjjp.exe 85 PID 2872 wrote to memory of 752 2872 06042.exe 86 PID 2872 wrote to memory of 752 2872 06042.exe 86 PID 2872 wrote to memory of 752 2872 06042.exe 86 PID 752 wrote to memory of 3772 752 848008.exe 87 PID 752 wrote to memory of 3772 752 848008.exe 87 PID 752 wrote to memory of 3772 752 848008.exe 87 PID 3772 wrote to memory of 1120 3772 84860.exe 88 PID 3772 wrote to memory of 1120 3772 84860.exe 88 PID 3772 wrote to memory of 1120 3772 84860.exe 88 PID 1120 wrote to memory of 3160 1120 lfxrfxr.exe 89 PID 1120 wrote to memory of 3160 1120 lfxrfxr.exe 89 PID 1120 wrote to memory of 3160 1120 lfxrfxr.exe 89 PID 3160 wrote to memory of 2376 3160 228826.exe 90 PID 3160 wrote to memory of 2376 3160 228826.exe 90 PID 3160 wrote to memory of 2376 3160 228826.exe 90 PID 2376 wrote to memory of 3148 2376 206442.exe 91 PID 2376 wrote to memory of 3148 2376 206442.exe 91 PID 2376 wrote to memory of 3148 2376 206442.exe 91 PID 3148 wrote to memory of 8 3148 rxrrrxf.exe 92 PID 3148 wrote to memory of 8 3148 rxrrrxf.exe 92 PID 3148 wrote to memory of 8 3148 rxrrrxf.exe 92 PID 8 wrote to memory of 984 8 8486482.exe 93 PID 8 wrote to memory of 984 8 8486482.exe 93 PID 8 wrote to memory of 984 8 8486482.exe 93 PID 984 wrote to memory of 4380 984 tbbntn.exe 94 PID 984 wrote to memory of 4380 984 tbbntn.exe 94 PID 984 wrote to 
memory of 4380 984 tbbntn.exe 94 PID 4380 wrote to memory of 2192 4380 pdpvj.exe 95 PID 4380 wrote to memory of 2192 4380 pdpvj.exe 95 PID 4380 wrote to memory of 2192 4380 pdpvj.exe 95 PID 2192 wrote to memory of 3652 2192 frfrfrl.exe 96 PID 2192 wrote to memory of 3652 2192 frfrfrl.exe 96 PID 2192 wrote to memory of 3652 2192 frfrfrl.exe 96 PID 3652 wrote to memory of 4368 3652 dpjvj.exe 97 PID 3652 wrote to memory of 4368 3652 dpjvj.exe 97 PID 3652 wrote to memory of 4368 3652 dpjvj.exe 97 PID 4368 wrote to memory of 4756 4368 pjvpj.exe 98 PID 4368 wrote to memory of 4756 4368 pjvpj.exe 98 PID 4368 wrote to memory of 4756 4368 pjvpj.exe 98 PID 4756 wrote to memory of 1800 4756 dpjvp.exe 99 PID 4756 wrote to memory of 1800 4756 dpjvp.exe 99 PID 4756 wrote to memory of 1800 4756 dpjvp.exe 99 PID 1800 wrote to memory of 4448 1800 vjpdv.exe 100 PID 1800 wrote to memory of 4448 1800 vjpdv.exe 100 PID 1800 wrote to memory of 4448 1800 vjpdv.exe 100 PID 4448 wrote to memory of 4256 4448 btbnbt.exe 101 PID 4448 wrote to memory of 4256 4448 btbnbt.exe 101 PID 4448 wrote to memory of 4256 4448 btbnbt.exe 101 PID 4256 wrote to memory of 1924 4256 626082.exe 102 PID 4256 wrote to memory of 1924 4256 626082.exe 102 PID 4256 wrote to memory of 1924 4256 626082.exe 102 PID 1924 wrote to memory of 3324 1924 8262604.exe 103 PID 1924 wrote to memory of 3324 1924 8262604.exe 103 PID 1924 wrote to memory of 3324 1924 8262604.exe 103 PID 3324 wrote to memory of 3780 3324 bnhhnh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e4636e9a1b2ade5a7509b5e3289efc3982c49e9c3b73168788ddc0be40818cc.exe"C:\Users\Admin\AppData\Local\Temp\9e4636e9a1b2ade5a7509b5e3289efc3982c49e9c3b73168788ddc0be40818cc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\lxxxxfx.exec:\lxxxxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\dpjjp.exec:\dpjjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\06042.exec:\06042.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\848008.exec:\848008.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\84860.exec:\84860.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\lfxrfxr.exec:\lfxrfxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\228826.exec:\228826.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
\??\c:\206442.exec:\206442.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\rxrrrxf.exec:\rxrrrxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\8486482.exec:\8486482.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\tbbntn.exec:\tbbntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\pdpvj.exec:\pdpvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\frfrfrl.exec:\frfrfrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\dpjvj.exec:\dpjvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\pjvpj.exec:\pjvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\dpjvp.exec:\dpjvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\vjpdv.exec:\vjpdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\btbnbt.exec:\btbnbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\626082.exec:\626082.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\8262604.exec:\8262604.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\bnhhnh.exec:\bnhhnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\s8048.exec:\s8048.exe23⤵
- Executes dropped EXE
PID:3780 -
\??\c:\rfrfrlf.exec:\rfrfrlf.exe24⤵
- Executes dropped EXE
PID:3360 -
\??\c:\040860.exec:\040860.exe25⤵
- Executes dropped EXE
PID:4780 -
\??\c:\684226.exec:\684226.exe26⤵
- Executes dropped EXE
PID:2888 -
\??\c:\400860.exec:\400860.exe27⤵
- Executes dropped EXE
PID:3592 -
\??\c:\hhhtbt.exec:\hhhtbt.exe28⤵
- Executes dropped EXE
PID:2164 -
\??\c:\5tnhbt.exec:\5tnhbt.exe29⤵
- Executes dropped EXE
PID:3248 -
\??\c:\0620426.exec:\0620426.exe30⤵
- Executes dropped EXE
PID:3696 -
\??\c:\pdjvp.exec:\pdjvp.exe31⤵
- Executes dropped EXE
PID:2680 -
\??\c:\htnbnh.exec:\htnbnh.exe32⤵
- Executes dropped EXE
PID:4728 -
\??\c:\pddvd.exec:\pddvd.exe33⤵
- Executes dropped EXE
PID:1824 -
\??\c:\20008.exec:\20008.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
\??\c:\682204.exec:\682204.exe35⤵
- Executes dropped EXE
PID:1584 -
\??\c:\o408826.exec:\o408826.exe36⤵
- Executes dropped EXE
PID:3080 -
\??\c:\5vjvj.exec:\5vjvj.exe37⤵
- Executes dropped EXE
PID:4808 -
\??\c:\ththtn.exec:\ththtn.exe38⤵
- Executes dropped EXE
PID:4772 -
\??\c:\400420.exec:\400420.exe39⤵
- Executes dropped EXE
PID:2904 -
\??\c:\s2042.exec:\s2042.exe40⤵
- Executes dropped EXE
PID:884 -
\??\c:\222204.exec:\222204.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
\??\c:\nbbnbt.exec:\nbbnbt.exe42⤵
- Executes dropped EXE
PID:2264 -
\??\c:\e26086.exec:\e26086.exe43⤵
- Executes dropped EXE
PID:2860 -
\??\c:\dppvj.exec:\dppvj.exe44⤵
- Executes dropped EXE
PID:780 -
\??\c:\xxxrxrl.exec:\xxxrxrl.exe45⤵
- Executes dropped EXE
PID:4748 -
\??\c:\220860.exec:\220860.exe46⤵
- Executes dropped EXE
PID:2592 -
\??\c:\0848604.exec:\0848604.exe47⤵
- Executes dropped EXE
PID:4116 -
\??\c:\djjpd.exec:\djjpd.exe48⤵
- Executes dropped EXE
PID:5064 -
\??\c:\3xxlxrf.exec:\3xxlxrf.exe49⤵
- Executes dropped EXE
PID:1004 -
\??\c:\440426.exec:\440426.exe50⤵
- Executes dropped EXE
PID:1976 -
\??\c:\8820826.exec:\8820826.exe51⤵
- Executes dropped EXE
PID:928 -
\??\c:\a4606.exec:\a4606.exe52⤵
- Executes dropped EXE
PID:4832 -
\??\c:\64422.exec:\64422.exe53⤵
- Executes dropped EXE
PID:1716 -
\??\c:\04082.exec:\04082.exe54⤵
- Executes dropped EXE
PID:4548 -
\??\c:\848868.exec:\848868.exe55⤵
- Executes dropped EXE
PID:3952 -
\??\c:\860848.exec:\860848.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4360 -
\??\c:\3ffrfxl.exec:\3ffrfxl.exe57⤵
- Executes dropped EXE
PID:4752 -
\??\c:\8448260.exec:\8448260.exe58⤵
- Executes dropped EXE
PID:3332 -
\??\c:\8822048.exec:\8822048.exe59⤵
- Executes dropped EXE
PID:4880 -
\??\c:\06042.exec:\06042.exe60⤵
- Executes dropped EXE
PID:2068 -
\??\c:\60288.exec:\60288.exe61⤵
- Executes dropped EXE
PID:3832 -
\??\c:\pvpjj.exec:\pvpjj.exe62⤵
- Executes dropped EXE
PID:2816 -
\??\c:\bbtnht.exec:\bbtnht.exe63⤵
- Executes dropped EXE
PID:1756 -
\??\c:\nnbbhb.exec:\nnbbhb.exe64⤵
- Executes dropped EXE
PID:2520 -
\??\c:\q00040.exec:\q00040.exe65⤵
- Executes dropped EXE
PID:2896 -
\??\c:\4442048.exec:\4442048.exe66⤵PID:2756
-
\??\c:\jjpdd.exec:\jjpdd.exe67⤵PID:2024
-
\??\c:\024042.exec:\024042.exe68⤵PID:4936
-
\??\c:\a2864.exec:\a2864.exe69⤵PID:952
-
\??\c:\68208.exec:\68208.exe70⤵PID:3120
-
\??\c:\628204.exec:\628204.exe71⤵PID:2984
-
\??\c:\xrrrffx.exec:\xrrrffx.exe72⤵PID:4252
-
\??\c:\280448.exec:\280448.exe73⤵PID:4944
-
\??\c:\a4486.exec:\a4486.exe74⤵PID:3236
-
\??\c:\u448604.exec:\u448604.exe75⤵PID:1572
-
\??\c:\44886.exec:\44886.exe76⤵PID:3144
-
\??\c:\tbthnt.exec:\tbthnt.exe77⤵PID:2272
-
\??\c:\xrxrfxr.exec:\xrxrfxr.exe78⤵PID:3596
-
\??\c:\w88604.exec:\w88604.exe79⤵PID:3224
-
\??\c:\3vjvj.exec:\3vjvj.exe80⤵PID:2204
-
\??\c:\082448.exec:\082448.exe81⤵PID:1800
-
\??\c:\646048.exec:\646048.exe82⤵PID:3264
-
\??\c:\g0082.exec:\g0082.exe83⤵PID:1532
-
\??\c:\028604.exec:\028604.exe84⤵PID:1924
-
\??\c:\hhnhtn.exec:\hhnhtn.exe85⤵PID:1832
-
\??\c:\u442064.exec:\u442064.exe86⤵PID:1444
-
\??\c:\428484.exec:\428484.exe87⤵PID:3152
-
\??\c:\46264.exec:\46264.exe88⤵PID:4780
-
\??\c:\frrlffx.exec:\frrlffx.exe89⤵PID:3592
-
\??\c:\82268.exec:\82268.exe90⤵PID:4468
-
\??\c:\fxxxrrf.exec:\fxxxrrf.exe91⤵PID:368
-
\??\c:\ffrlffl.exec:\ffrlffl.exe92⤵PID:3796
-
\??\c:\jvdjp.exec:\jvdjp.exe93⤵PID:3828
-
\??\c:\rlrllrr.exec:\rlrllrr.exe94⤵PID:4688
-
\??\c:\0406000.exec:\0406000.exe95⤵PID:4320
-
\??\c:\4040022.exec:\4040022.exe96⤵PID:2248
-
\??\c:\3dvvp.exec:\3dvvp.exe97⤵PID:4800
-
\??\c:\hnttnn.exec:\hnttnn.exe98⤵PID:4828
-
\??\c:\8808800.exec:\8808800.exe99⤵
- System Location Discovery: System Language Discovery
PID:1688 -
\??\c:\8226220.exec:\8226220.exe100⤵PID:3600
-
\??\c:\bnttbn.exec:\bnttbn.exe101⤵PID:1932
-
\??\c:\vpdjp.exec:\vpdjp.exe102⤵PID:4224
-
\??\c:\4040262.exec:\4040262.exe103⤵PID:1676
-
\??\c:\xrflllr.exec:\xrflllr.exe104⤵PID:212
-
\??\c:\tnttbb.exec:\tnttbb.exe105⤵PID:3544
-
\??\c:\480442.exec:\480442.exe106⤵PID:1004
-
\??\c:\6000444.exec:\6000444.exe107⤵PID:4516
-
\??\c:\264888.exec:\264888.exe108⤵PID:1440
-
\??\c:\vvpjj.exec:\vvpjj.exe109⤵PID:4900
-
\??\c:\82220.exec:\82220.exe110⤵PID:2876
-
\??\c:\ddjdj.exec:\ddjdj.exe111⤵PID:1716
-
\??\c:\486282.exec:\486282.exe112⤵PID:4932
-
\??\c:\48466.exec:\48466.exe113⤵PID:1336
-
\??\c:\7pvjd.exec:\7pvjd.exe114⤵PID:2400
-
\??\c:\6648640.exec:\6648640.exe115⤵PID:4008
-
\??\c:\2660668.exec:\2660668.exe116⤵PID:3520
-
\??\c:\4400444.exec:\4400444.exe117⤵PID:3288
-
\??\c:\bnnhbh.exec:\bnnhbh.exe118⤵PID:4500
-
\??\c:\jjpjv.exec:\jjpjv.exe119⤵PID:1136
-
\??\c:\0244884.exec:\0244884.exe120⤵PID:4004
-
\??\c:\1lrlffx.exec:\1lrlffx.exe121⤵PID:844
-
\??\c:\pvdpj.exec:\pvdpj.exe122⤵PID:2032