Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 06:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
17257cfce619e31df82e960c2d5b9558f77139be81514a6fe29380fc903ad3a2N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
17257cfce619e31df82e960c2d5b9558f77139be81514a6fe29380fc903ad3a2N.exe
-
Size
455KB
-
MD5
135825501d24231331fb54c7fd0aa1f0
-
SHA1
e95223f2e712f862d8dae7ef804eb5662321ef11
-
SHA256
17257cfce619e31df82e960c2d5b9558f77139be81514a6fe29380fc903ad3a2
-
SHA512
042f024a64e7c091b687de4c2ee576b75ab2cdc156e4cc576640ac701cbe88a1b3ff7496d6ec687b8397e80c155a990fe52de4359f455846a0037cbb5b6bb384
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRD:q7Tc2NYHUrAwfMp3CDRD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/5048-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4576-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4832-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-881-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 116 428648.exe 412 fffrfxf.exe 5072 djdpd.exe 1592 vdvjv.exe 4052 3pjjd.exe 3580 5vpjp.exe 2740 c008604.exe 3956 u800448.exe 1856 84040.exe 3300 vppvv.exe 2016 444866.exe 3256 xlfrfxl.exe 696 848648.exe 4020 w66844.exe 3440 0222642.exe 3336 djjdp.exe 4852 3hthhb.exe 5008 hthbnh.exe 2816 djjdp.exe 996 w28682.exe 1956 466460.exe 2804 42828.exe 4620 g6224.exe 4508 lllxlfr.exe 408 200860.exe 3284 820460.exe 4216 nbbntn.exe 4576 vdvpd.exe 836 00088.exe 1012 ppvjv.exe 872 42602.exe 1004 ttthth.exe 1652 frlxfrf.exe 2736 hnhthb.exe 1764 u842426.exe 3896 vppdp.exe 4588 068088.exe 4512 06602.exe 2960 pjjdv.exe 4240 jvpvj.exe 3112 jddpp.exe 4976 662642.exe 1076 jjdvj.exe 2660 k88884.exe 3088 dvdpv.exe 3664 08486.exe 220 6420208.exe 3036 btbnnb.exe 3800 jvvjp.exe 4368 204208.exe 1520 thhthb.exe 1432 266460.exe 3228 frlxlfr.exe 2488 w22060.exe 2132 flxlfxx.exe 2144 pjjdd.exe 1592 k60466.exe 1720 bnnhtn.exe 4784 tnhhbb.exe 5092 u624684.exe 1028 jvvpj.exe 712 2048048.exe 5012 4220622.exe 5032 k00860.exe -
resource yara_rule behavioral2/memory/5048-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/836-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3084-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-636-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o842288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2848822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w66844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2800000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6244800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfrxrf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4222000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2220608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5048 wrote to memory of 116 5048 17257cfce619e31df82e960c2d5b9558f77139be81514a6fe29380fc903ad3a2N.exe 83 PID 5048 wrote to memory of 116 5048 17257cfce619e31df82e960c2d5b9558f77139be81514a6fe29380fc903ad3a2N.exe 83 PID 5048 wrote to memory of 116 5048 17257cfce619e31df82e960c2d5b9558f77139be81514a6fe29380fc903ad3a2N.exe 83 PID 116 wrote to memory of 412 116 428648.exe 84 PID 116 wrote to memory of 412 116 428648.exe 84 PID 116 wrote to memory of 412 116 428648.exe 84 PID 412 wrote to memory of 5072 412 fffrfxf.exe 85 PID 412 wrote to memory of 5072 412 fffrfxf.exe 85 PID 412 wrote to memory of 5072 412 fffrfxf.exe 85 PID 5072 wrote to memory of 1592 5072 djdpd.exe 86 PID 5072 wrote to memory of 1592 5072 djdpd.exe 86 PID 5072 wrote to memory of 1592 5072 djdpd.exe 86 PID 1592 wrote to memory of 4052 1592 vdvjv.exe 87 PID 1592 wrote to memory of 4052 1592 vdvjv.exe 87 PID 1592 wrote to memory of 4052 1592 vdvjv.exe 87 PID 4052 wrote to memory of 3580 4052 3pjjd.exe 88 PID 4052 wrote to memory of 3580 4052 3pjjd.exe 88 PID 4052 wrote to memory of 3580 4052 3pjjd.exe 88 PID 3580 wrote to memory of 2740 3580 5vpjp.exe 89 PID 3580 wrote to memory of 2740 3580 5vpjp.exe 89 PID 3580 wrote to memory of 2740 3580 5vpjp.exe 89 PID 2740 wrote to memory of 3956 2740 c008604.exe 90 PID 2740 wrote to memory of 3956 2740 c008604.exe 90 PID 2740 wrote to memory of 3956 2740 c008604.exe 90 PID 3956 wrote to memory of 1856 3956 u800448.exe 91 PID 3956 wrote to memory of 1856 3956 u800448.exe 91 PID 3956 wrote to memory of 1856 3956 u800448.exe 91 PID 1856 wrote to memory of 3300 1856 84040.exe 92 PID 1856 wrote to memory of 3300 1856 84040.exe 92 PID 1856 wrote to memory of 3300 1856 84040.exe 92 PID 3300 wrote to memory of 2016 3300 vppvv.exe 93 PID 3300 wrote to memory of 2016 3300 vppvv.exe 93 PID 3300 wrote to memory of 2016 3300 vppvv.exe 93 PID 2016 wrote to memory of 3256 2016 444866.exe 94 PID 2016 wrote to memory of 3256 2016 
444866.exe 94 PID 2016 wrote to memory of 3256 2016 444866.exe 94 PID 3256 wrote to memory of 696 3256 xlfrfxl.exe 95 PID 3256 wrote to memory of 696 3256 xlfrfxl.exe 95 PID 3256 wrote to memory of 696 3256 xlfrfxl.exe 95 PID 696 wrote to memory of 4020 696 848648.exe 96 PID 696 wrote to memory of 4020 696 848648.exe 96 PID 696 wrote to memory of 4020 696 848648.exe 96 PID 4020 wrote to memory of 3440 4020 w66844.exe 97 PID 4020 wrote to memory of 3440 4020 w66844.exe 97 PID 4020 wrote to memory of 3440 4020 w66844.exe 97 PID 3440 wrote to memory of 3336 3440 0222642.exe 98 PID 3440 wrote to memory of 3336 3440 0222642.exe 98 PID 3440 wrote to memory of 3336 3440 0222642.exe 98 PID 3336 wrote to memory of 4852 3336 djjdp.exe 99 PID 3336 wrote to memory of 4852 3336 djjdp.exe 99 PID 3336 wrote to memory of 4852 3336 djjdp.exe 99 PID 4852 wrote to memory of 5008 4852 3hthhb.exe 100 PID 4852 wrote to memory of 5008 4852 3hthhb.exe 100 PID 4852 wrote to memory of 5008 4852 3hthhb.exe 100 PID 5008 wrote to memory of 2816 5008 hthbnh.exe 101 PID 5008 wrote to memory of 2816 5008 hthbnh.exe 101 PID 5008 wrote to memory of 2816 5008 hthbnh.exe 101 PID 2816 wrote to memory of 996 2816 djjdp.exe 102 PID 2816 wrote to memory of 996 2816 djjdp.exe 102 PID 2816 wrote to memory of 996 2816 djjdp.exe 102 PID 996 wrote to memory of 1956 996 w28682.exe 103 PID 996 wrote to memory of 1956 996 w28682.exe 103 PID 996 wrote to memory of 1956 996 w28682.exe 103 PID 1956 wrote to memory of 2804 1956 466460.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\17257cfce619e31df82e960c2d5b9558f77139be81514a6fe29380fc903ad3a2N.exe"C:\Users\Admin\AppData\Local\Temp\17257cfce619e31df82e960c2d5b9558f77139be81514a6fe29380fc903ad3a2N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\428648.exec:\428648.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\fffrfxf.exec:\fffrfxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\djdpd.exec:\djdpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\vdvjv.exec:\vdvjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\3pjjd.exec:\3pjjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\5vpjp.exec:\5vpjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\c008604.exec:\c008604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\u800448.exec:\u800448.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\84040.exec:\84040.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\vppvv.exec:\vppvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\444866.exec:\444866.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\848648.exec:\848648.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\w66844.exec:\w66844.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\0222642.exec:\0222642.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\djjdp.exec:\djjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\3hthhb.exec:\3hthhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\hthbnh.exec:\hthbnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\djjdp.exec:\djjdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\w28682.exec:\w28682.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\466460.exec:\466460.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\42828.exec:\42828.exe23⤵
- Executes dropped EXE
PID:2804 -
\??\c:\g6224.exec:\g6224.exe24⤵
- Executes dropped EXE
PID:4620 -
\??\c:\lllxlfr.exec:\lllxlfr.exe25⤵
- Executes dropped EXE
PID:4508 -
\??\c:\200860.exec:\200860.exe26⤵
- Executes dropped EXE
PID:408 -
\??\c:\820460.exec:\820460.exe27⤵
- Executes dropped EXE
PID:3284 -
\??\c:\nbbntn.exec:\nbbntn.exe28⤵
- Executes dropped EXE
PID:4216 -
\??\c:\vdvpd.exec:\vdvpd.exe29⤵
- Executes dropped EXE
PID:4576 -
\??\c:\00088.exec:\00088.exe30⤵
- Executes dropped EXE
PID:836 -
\??\c:\ppvjv.exec:\ppvjv.exe31⤵
- Executes dropped EXE
PID:1012 -
\??\c:\42602.exec:\42602.exe32⤵
- Executes dropped EXE
PID:872 -
\??\c:\ttthth.exec:\ttthth.exe33⤵
- Executes dropped EXE
PID:1004 -
\??\c:\frlxfrf.exec:\frlxfrf.exe34⤵
- Executes dropped EXE
PID:1652 -
\??\c:\hnhthb.exec:\hnhthb.exe35⤵
- Executes dropped EXE
PID:2736 -
\??\c:\u842426.exec:\u842426.exe36⤵
- Executes dropped EXE
PID:1764 -
\??\c:\vppdp.exec:\vppdp.exe37⤵
- Executes dropped EXE
PID:3896 -
\??\c:\068088.exec:\068088.exe38⤵
- Executes dropped EXE
PID:4588 -
\??\c:\06602.exec:\06602.exe39⤵
- Executes dropped EXE
PID:4512 -
\??\c:\pjjdv.exec:\pjjdv.exe40⤵
- Executes dropped EXE
PID:2960 -
\??\c:\jvpvj.exec:\jvpvj.exe41⤵
- Executes dropped EXE
PID:4240 -
\??\c:\jddpp.exec:\jddpp.exe42⤵
- Executes dropped EXE
PID:3112 -
\??\c:\662642.exec:\662642.exe43⤵
- Executes dropped EXE
PID:4976 -
\??\c:\jjdvj.exec:\jjdvj.exe44⤵
- Executes dropped EXE
PID:1076 -
\??\c:\k88884.exec:\k88884.exe45⤵
- Executes dropped EXE
PID:2660 -
\??\c:\dvdpv.exec:\dvdpv.exe46⤵
- Executes dropped EXE
PID:3088 -
\??\c:\08486.exec:\08486.exe47⤵
- Executes dropped EXE
PID:3664 -
\??\c:\6420208.exec:\6420208.exe48⤵
- Executes dropped EXE
PID:220 -
\??\c:\btbnnb.exec:\btbnnb.exe49⤵
- Executes dropped EXE
PID:3036 -
\??\c:\jvvjp.exec:\jvvjp.exe50⤵
- Executes dropped EXE
PID:3800 -
\??\c:\204208.exec:\204208.exe51⤵
- Executes dropped EXE
PID:4368 -
\??\c:\thhthb.exec:\thhthb.exe52⤵
- Executes dropped EXE
PID:1520 -
\??\c:\266460.exec:\266460.exe53⤵
- Executes dropped EXE
PID:1432 -
\??\c:\frlxlfr.exec:\frlxlfr.exe54⤵
- Executes dropped EXE
PID:3228 -
\??\c:\w22060.exec:\w22060.exe55⤵
- Executes dropped EXE
PID:2488 -
\??\c:\flxlfxx.exec:\flxlfxx.exe56⤵
- Executes dropped EXE
PID:2132 -
\??\c:\pjjdd.exec:\pjjdd.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2144 -
\??\c:\k60466.exec:\k60466.exe58⤵
- Executes dropped EXE
PID:1592 -
\??\c:\bnnhtn.exec:\bnnhtn.exe59⤵
- Executes dropped EXE
PID:1720 -
\??\c:\tnhhbb.exec:\tnhhbb.exe60⤵
- Executes dropped EXE
PID:4784 -
\??\c:\u624684.exec:\u624684.exe61⤵
- Executes dropped EXE
PID:5092 -
\??\c:\jvvpj.exec:\jvvpj.exe62⤵
- Executes dropped EXE
PID:1028 -
\??\c:\2048048.exec:\2048048.exe63⤵
- Executes dropped EXE
PID:712 -
\??\c:\4220622.exec:\4220622.exe64⤵
- Executes dropped EXE
PID:5012 -
\??\c:\k00860.exec:\k00860.exe65⤵
- Executes dropped EXE
PID:5032 -
\??\c:\m0642.exec:\m0642.exe66⤵PID:2300
-
\??\c:\u222042.exec:\u222042.exe67⤵PID:1572
-
\??\c:\5vpvp.exec:\5vpvp.exe68⤵PID:3288
-
\??\c:\8042042.exec:\8042042.exe69⤵PID:3360
-
\??\c:\8064046.exec:\8064046.exe70⤵PID:1180
-
\??\c:\htbbhn.exec:\htbbhn.exe71⤵PID:3108
-
\??\c:\hbnhnn.exec:\hbnhnn.exe72⤵PID:4832
-
\??\c:\826600.exec:\826600.exe73⤵PID:1676
-
\??\c:\9rxxflr.exec:\9rxxflr.exe74⤵PID:2380
-
\??\c:\7vppp.exec:\7vppp.exe75⤵PID:3724
-
\??\c:\2422222.exec:\2422222.exe76⤵PID:1488
-
\??\c:\vppjv.exec:\vppjv.exe77⤵PID:3220
-
\??\c:\rflfrlx.exec:\rflfrlx.exe78⤵PID:1712
-
\??\c:\0026044.exec:\0026044.exe79⤵PID:1884
-
\??\c:\8204004.exec:\8204004.exe80⤵PID:3084
-
\??\c:\jvjjd.exec:\jvjjd.exe81⤵PID:60
-
\??\c:\46444.exec:\46444.exe82⤵PID:1148
-
\??\c:\240482.exec:\240482.exe83⤵PID:3516
-
\??\c:\g6620.exec:\g6620.exe84⤵PID:468
-
\??\c:\pdvjp.exec:\pdvjp.exe85⤵PID:4316
-
\??\c:\866048.exec:\866048.exe86⤵PID:4420
-
\??\c:\606404.exec:\606404.exe87⤵PID:4960
-
\??\c:\pppdp.exec:\pppdp.exe88⤵PID:972
-
\??\c:\06226.exec:\06226.exe89⤵PID:1648
-
\??\c:\82484.exec:\82484.exe90⤵PID:4884
-
\??\c:\ttbthh.exec:\ttbthh.exe91⤵PID:5100
-
\??\c:\vjjpp.exec:\vjjpp.exe92⤵PID:900
-
\??\c:\4226048.exec:\4226048.exe93⤵PID:232
-
\??\c:\bbbttt.exec:\bbbttt.exe94⤵PID:1424
-
\??\c:\vpvpj.exec:\vpvpj.exe95⤵PID:1040
-
\??\c:\vjpdj.exec:\vjpdj.exe96⤵PID:1596
-
\??\c:\e28222.exec:\e28222.exe97⤵PID:1772
-
\??\c:\46260.exec:\46260.exe98⤵PID:3124
-
\??\c:\840804.exec:\840804.exe99⤵PID:1496
-
\??\c:\rfrlffl.exec:\rfrlffl.exe100⤵PID:3428
-
\??\c:\hnnhbb.exec:\hnnhbb.exe101⤵PID:2764
-
\??\c:\w06600.exec:\w06600.exe102⤵PID:5064
-
\??\c:\8848226.exec:\8848226.exe103⤵PID:2024
-
\??\c:\c626004.exec:\c626004.exe104⤵PID:448
-
\??\c:\w84400.exec:\w84400.exe105⤵PID:4948
-
\??\c:\006648.exec:\006648.exe106⤵PID:3596
-
\??\c:\e24822.exec:\e24822.exe107⤵PID:1092
-
\??\c:\60800.exec:\60800.exe108⤵PID:1076
-
\??\c:\04008.exec:\04008.exe109⤵PID:2660
-
\??\c:\04400.exec:\04400.exe110⤵PID:2504
-
\??\c:\lffxrrr.exec:\lffxrrr.exe111⤵PID:1340
-
\??\c:\8622626.exec:\8622626.exe112⤵PID:2188
-
\??\c:\vpppv.exec:\vpppv.exe113⤵
- System Location Discovery: System Language Discovery
PID:804 -
\??\c:\40600.exec:\40600.exe114⤵PID:4988
-
\??\c:\200044.exec:\200044.exe115⤵PID:1212
-
\??\c:\ffflllr.exec:\ffflllr.exe116⤵PID:116
-
\??\c:\tbbttn.exec:\tbbttn.exe117⤵PID:4556
-
\??\c:\200448.exec:\200448.exe118⤵PID:908
-
\??\c:\jppdp.exec:\jppdp.exe119⤵PID:4308
-
\??\c:\hthtbt.exec:\hthtbt.exe120⤵PID:3744
-
\??\c:\bhntbn.exec:\bhntbn.exe121⤵PID:4224
-
\??\c:\a0646.exec:\a0646.exe122⤵PID:4160