Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 08:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe
-
Size
453KB
-
MD5
e4c1fa87cd6106e0871ee7aec5a53a56
-
SHA1
500ac3d042b8ff6f0a4f5ca95d2c5a5f60b1f4d5
-
SHA256
fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0
-
SHA512
37e79e8978aa9c7255d90e1024bd57fb75254bf28174bcc96276f62f3a1ef81f7eac3bedb8c63498441c79b07bfa1c4067dbe540e35d5b7596653c519e06a424
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3788-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1788-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1160-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-933-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4520-1150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4704 vpdpp.exe 3896 g2408.exe 4492 80266.exe 1036 lffrllf.exe 544 hhhbbb.exe 2852 9vdvp.exe 900 bnnnhb.exe 3012 00044.exe 4552 fxxrrrl.exe 4884 lffxxxf.exe 4220 64408.exe 1028 rflrxrx.exe 2288 xxrlxxx.exe 1836 04800.exe 2968 bnnbbn.exe 4592 u804882.exe 4280 s6826.exe 2304 6026880.exe 3628 28004.exe 4520 ddppv.exe 4332 jpjdv.exe 2508 9pjvj.exe 1788 vjdpv.exe 2740 840820.exe 4308 604822.exe 2016 0626048.exe 220 xlrffxx.exe 4828 tnhbtn.exe 2080 nhbbtt.exe 3616 1thnht.exe 1704 602668.exe 2940 thtbth.exe 2416 bnnhtt.exe 1776 6486426.exe 4080 7nhbtn.exe 2476 1tthbb.exe 2336 djjvd.exe 2664 42886.exe 4508 7hbnbt.exe 3020 jdjdv.exe 3100 rxrxrxr.exe 1764 3xxlxrl.exe 3160 84264.exe 3624 hbhthn.exe 2832 440488.exe 4276 424486.exe 3944 40486.exe 1796 g0266.exe 748 8482042.exe 5064 4804888.exe 3124 84482.exe 4540 604486.exe 1036 vvpjv.exe 2780 206426.exe 3096 46822.exe 4788 lrrflfx.exe 4476 0688660.exe 2884 7htnbb.exe 1548 tbnhhh.exe 4676 vdjvj.exe 4488 22864.exe 4664 800860.exe 4572 1hhtbb.exe 556 4264860.exe -
resource yara_rule behavioral2/memory/3788-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-136-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1788-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-333-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5052-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-628-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8282828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 008266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfrfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i282604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4220488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3788 wrote to memory of 4704 3788 fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe 83 PID 3788 wrote to memory of 4704 3788 fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe 83 PID 3788 wrote to memory of 4704 3788 fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe 83 PID 4704 wrote to memory of 3896 4704 vpdpp.exe 84 PID 4704 wrote to memory of 3896 4704 vpdpp.exe 84 PID 4704 wrote to memory of 3896 4704 vpdpp.exe 84 PID 3896 wrote to memory of 4492 3896 g2408.exe 85 PID 3896 wrote to memory of 4492 3896 g2408.exe 85 PID 3896 wrote to memory of 4492 3896 g2408.exe 85 PID 4492 wrote to memory of 1036 4492 80266.exe 86 PID 4492 wrote to memory of 1036 4492 80266.exe 86 PID 4492 wrote to memory of 1036 4492 80266.exe 86 PID 1036 wrote to memory of 544 1036 lffrllf.exe 87 PID 1036 wrote to memory of 544 1036 lffrllf.exe 87 PID 1036 wrote to memory of 544 1036 lffrllf.exe 87 PID 544 wrote to memory of 2852 544 hhhbbb.exe 88 PID 544 wrote to memory of 2852 544 hhhbbb.exe 88 PID 544 wrote to memory of 2852 544 hhhbbb.exe 88 PID 2852 wrote to memory of 900 2852 9vdvp.exe 89 PID 2852 wrote to memory of 900 2852 9vdvp.exe 89 PID 2852 wrote to memory of 900 2852 9vdvp.exe 89 PID 900 wrote to memory of 3012 900 bnnnhb.exe 90 PID 900 wrote to memory of 3012 900 bnnnhb.exe 90 PID 900 wrote to memory of 3012 900 bnnnhb.exe 90 PID 3012 wrote to memory of 4552 3012 00044.exe 91 PID 3012 wrote to memory of 4552 3012 00044.exe 91 PID 3012 wrote to memory of 4552 3012 00044.exe 91 PID 4552 wrote to memory of 4884 4552 fxxrrrl.exe 92 PID 4552 wrote to memory of 4884 4552 fxxrrrl.exe 92 PID 4552 wrote to memory of 4884 4552 fxxrrrl.exe 92 PID 4884 wrote to memory of 4220 4884 lffxxxf.exe 93 PID 4884 wrote to memory of 4220 4884 lffxxxf.exe 93 PID 4884 wrote to memory of 4220 4884 lffxxxf.exe 93 PID 4220 wrote to memory of 1028 4220 64408.exe 94 PID 4220 wrote to memory of 1028 4220 
64408.exe 94 PID 4220 wrote to memory of 1028 4220 64408.exe 94 PID 1028 wrote to memory of 2288 1028 rflrxrx.exe 95 PID 1028 wrote to memory of 2288 1028 rflrxrx.exe 95 PID 1028 wrote to memory of 2288 1028 rflrxrx.exe 95 PID 2288 wrote to memory of 1836 2288 xxrlxxx.exe 96 PID 2288 wrote to memory of 1836 2288 xxrlxxx.exe 96 PID 2288 wrote to memory of 1836 2288 xxrlxxx.exe 96 PID 1836 wrote to memory of 2968 1836 04800.exe 97 PID 1836 wrote to memory of 2968 1836 04800.exe 97 PID 1836 wrote to memory of 2968 1836 04800.exe 97 PID 2968 wrote to memory of 4592 2968 bnnbbn.exe 98 PID 2968 wrote to memory of 4592 2968 bnnbbn.exe 98 PID 2968 wrote to memory of 4592 2968 bnnbbn.exe 98 PID 4592 wrote to memory of 4280 4592 u804882.exe 99 PID 4592 wrote to memory of 4280 4592 u804882.exe 99 PID 4592 wrote to memory of 4280 4592 u804882.exe 99 PID 4280 wrote to memory of 2304 4280 s6826.exe 100 PID 4280 wrote to memory of 2304 4280 s6826.exe 100 PID 4280 wrote to memory of 2304 4280 s6826.exe 100 PID 2304 wrote to memory of 3628 2304 6026880.exe 101 PID 2304 wrote to memory of 3628 2304 6026880.exe 101 PID 2304 wrote to memory of 3628 2304 6026880.exe 101 PID 3628 wrote to memory of 4520 3628 28004.exe 102 PID 3628 wrote to memory of 4520 3628 28004.exe 102 PID 3628 wrote to memory of 4520 3628 28004.exe 102 PID 4520 wrote to memory of 4332 4520 ddppv.exe 103 PID 4520 wrote to memory of 4332 4520 ddppv.exe 103 PID 4520 wrote to memory of 4332 4520 ddppv.exe 103 PID 4332 wrote to memory of 2508 4332 jpjdv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe"C:\Users\Admin\AppData\Local\Temp\fc395f47aab22178de06a06c699b65dff797970b8d062a7bac191a4a808212c0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\vpdpp.exec:\vpdpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\g2408.exec:\g2408.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\80266.exec:\80266.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\lffrllf.exec:\lffrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\hhhbbb.exec:\hhhbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\9vdvp.exec:\9vdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\bnnnhb.exec:\bnnnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\00044.exec:\00044.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\lffxxxf.exec:\lffxxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\64408.exec:\64408.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\rflrxrx.exec:\rflrxrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\xxrlxxx.exec:\xxrlxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\04800.exec:\04800.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\bnnbbn.exec:\bnnbbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\u804882.exec:\u804882.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\s6826.exec:\s6826.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\6026880.exec:\6026880.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\28004.exec:\28004.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\ddppv.exec:\ddppv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\jpjdv.exec:\jpjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\9pjvj.exec:\9pjvj.exe23⤵
- Executes dropped EXE
PID:2508 -
\??\c:\vjdpv.exec:\vjdpv.exe24⤵
- Executes dropped EXE
PID:1788 -
\??\c:\840820.exec:\840820.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2740 -
\??\c:\604822.exec:\604822.exe26⤵
- Executes dropped EXE
PID:4308 -
\??\c:\0626048.exec:\0626048.exe27⤵
- Executes dropped EXE
PID:2016 -
\??\c:\xlrffxx.exec:\xlrffxx.exe28⤵
- Executes dropped EXE
PID:220 -
\??\c:\tnhbtn.exec:\tnhbtn.exe29⤵
- Executes dropped EXE
PID:4828 -
\??\c:\nhbbtt.exec:\nhbbtt.exe30⤵
- Executes dropped EXE
PID:2080 -
\??\c:\1thnht.exec:\1thnht.exe31⤵
- Executes dropped EXE
PID:3616 -
\??\c:\602668.exec:\602668.exe32⤵
- Executes dropped EXE
PID:1704 -
\??\c:\thtbth.exec:\thtbth.exe33⤵
- Executes dropped EXE
PID:2940 -
\??\c:\bnnhtt.exec:\bnnhtt.exe34⤵
- Executes dropped EXE
PID:2416 -
\??\c:\6486426.exec:\6486426.exe35⤵
- Executes dropped EXE
PID:1776 -
\??\c:\7nhbtn.exec:\7nhbtn.exe36⤵
- Executes dropped EXE
PID:4080 -
\??\c:\1tthbb.exec:\1tthbb.exe37⤵
- Executes dropped EXE
PID:2476 -
\??\c:\djjvd.exec:\djjvd.exe38⤵
- Executes dropped EXE
PID:2336 -
\??\c:\42886.exec:\42886.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2664 -
\??\c:\7hbnbt.exec:\7hbnbt.exe40⤵
- Executes dropped EXE
PID:4508 -
\??\c:\jdjdv.exec:\jdjdv.exe41⤵
- Executes dropped EXE
PID:3020 -
\??\c:\rxrxrxr.exec:\rxrxrxr.exe42⤵
- Executes dropped EXE
PID:3100 -
\??\c:\3xxlxrl.exec:\3xxlxrl.exe43⤵
- Executes dropped EXE
PID:1764 -
\??\c:\84264.exec:\84264.exe44⤵
- Executes dropped EXE
PID:3160 -
\??\c:\hbhthn.exec:\hbhthn.exe45⤵
- Executes dropped EXE
PID:3624 -
\??\c:\440488.exec:\440488.exe46⤵
- Executes dropped EXE
PID:2832 -
\??\c:\424486.exec:\424486.exe47⤵
- Executes dropped EXE
PID:4276 -
\??\c:\40486.exec:\40486.exe48⤵
- Executes dropped EXE
PID:3944 -
\??\c:\g0266.exec:\g0266.exe49⤵
- Executes dropped EXE
PID:1796 -
\??\c:\8482042.exec:\8482042.exe50⤵
- Executes dropped EXE
PID:748 -
\??\c:\4804888.exec:\4804888.exe51⤵
- Executes dropped EXE
PID:5064 -
\??\c:\84482.exec:\84482.exe52⤵
- Executes dropped EXE
PID:3124 -
\??\c:\604486.exec:\604486.exe53⤵
- Executes dropped EXE
PID:4540 -
\??\c:\vvpjv.exec:\vvpjv.exe54⤵
- Executes dropped EXE
PID:1036 -
\??\c:\206426.exec:\206426.exe55⤵
- Executes dropped EXE
PID:2780 -
\??\c:\46822.exec:\46822.exe56⤵
- Executes dropped EXE
PID:3096 -
\??\c:\lrrflfx.exec:\lrrflfx.exe57⤵
- Executes dropped EXE
PID:4788 -
\??\c:\0688660.exec:\0688660.exe58⤵
- Executes dropped EXE
PID:4476 -
\??\c:\7htnbb.exec:\7htnbb.exe59⤵
- Executes dropped EXE
PID:2884 -
\??\c:\tbnhhh.exec:\tbnhhh.exe60⤵
- Executes dropped EXE
PID:1548 -
\??\c:\vdjvj.exec:\vdjvj.exe61⤵
- Executes dropped EXE
PID:4676 -
\??\c:\22864.exec:\22864.exe62⤵
- Executes dropped EXE
PID:4488 -
\??\c:\800860.exec:\800860.exe63⤵
- Executes dropped EXE
PID:4664 -
\??\c:\1hhtbb.exec:\1hhtbb.exe64⤵
- Executes dropped EXE
PID:4572 -
\??\c:\4264860.exec:\4264860.exe65⤵
- Executes dropped EXE
PID:556 -
\??\c:\6282600.exec:\6282600.exe66⤵PID:2288
-
\??\c:\g2248.exec:\g2248.exe67⤵PID:3088
-
\??\c:\222620.exec:\222620.exe68⤵PID:1204
-
\??\c:\9tthtn.exec:\9tthtn.exe69⤵PID:4428
-
\??\c:\u882660.exec:\u882660.exe70⤵PID:1160
-
\??\c:\rxxlxrl.exec:\rxxlxrl.exe71⤵PID:3940
-
\??\c:\vjpdp.exec:\vjpdp.exe72⤵PID:1588
-
\??\c:\006082.exec:\006082.exe73⤵PID:1724
-
\??\c:\hbhbhb.exec:\hbhbhb.exe74⤵PID:1044
-
\??\c:\22820.exec:\22820.exe75⤵PID:2560
-
\??\c:\k02644.exec:\k02644.exe76⤵PID:2776
-
\??\c:\3jdpd.exec:\3jdpd.exe77⤵PID:5052
-
\??\c:\lfrlrlr.exec:\lfrlrlr.exe78⤵PID:4200
-
\??\c:\5nnbtn.exec:\5nnbtn.exe79⤵PID:2828
-
\??\c:\642222.exec:\642222.exe80⤵PID:3472
-
\??\c:\08202.exec:\08202.exe81⤵PID:2960
-
\??\c:\464260.exec:\464260.exe82⤵PID:1284
-
\??\c:\2826082.exec:\2826082.exe83⤵PID:836
-
\??\c:\9jdpd.exec:\9jdpd.exe84⤵PID:216
-
\??\c:\88420.exec:\88420.exe85⤵PID:3384
-
\??\c:\5xlxxrf.exec:\5xlxxrf.exe86⤵PID:1412
-
\??\c:\lxfffxf.exec:\lxfffxf.exe87⤵PID:4828
-
\??\c:\tnhtnh.exec:\tnhtnh.exe88⤵PID:4752
-
\??\c:\vvpjv.exec:\vvpjv.exe89⤵PID:660
-
\??\c:\4246662.exec:\4246662.exe90⤵PID:1180
-
\??\c:\rrrrffr.exec:\rrrrffr.exe91⤵PID:1616
-
\??\c:\248648.exec:\248648.exe92⤵PID:1384
-
\??\c:\m4426.exec:\m4426.exe93⤵PID:1456
-
\??\c:\vdddv.exec:\vdddv.exe94⤵PID:1776
-
\??\c:\hbhbbt.exec:\hbhbbt.exe95⤵PID:4396
-
\??\c:\vpvdp.exec:\vpvdp.exe96⤵PID:1120
-
\??\c:\frxxfxr.exec:\frxxfxr.exe97⤵PID:1608
-
\??\c:\0848266.exec:\0848266.exe98⤵PID:2664
-
\??\c:\7llxrlx.exec:\7llxrlx.exe99⤵PID:4468
-
\??\c:\k08204.exec:\k08204.exe100⤵PID:624
-
\??\c:\0004260.exec:\0004260.exe101⤵PID:4892
-
\??\c:\2626448.exec:\2626448.exe102⤵PID:4212
-
\??\c:\jpjjd.exec:\jpjjd.exe103⤵PID:3372
-
\??\c:\4420260.exec:\4420260.exe104⤵PID:4856
-
\??\c:\66648.exec:\66648.exe105⤵PID:3412
-
\??\c:\066082.exec:\066082.exe106⤵PID:3952
-
\??\c:\bhnhhb.exec:\bhnhhb.exe107⤵PID:1048
-
\??\c:\thbtnh.exec:\thbtnh.exe108⤵PID:4704
-
\??\c:\220206.exec:\220206.exe109⤵PID:5096
-
\??\c:\u226048.exec:\u226048.exe110⤵PID:4568
-
\??\c:\e62600.exec:\e62600.exe111⤵PID:1948
-
\??\c:\860682.exec:\860682.exe112⤵PID:3016
-
\??\c:\xxxlxrx.exec:\xxxlxrx.exe113⤵PID:3488
-
\??\c:\5xlxrlf.exec:\5xlxrlf.exe114⤵PID:432
-
\??\c:\u226048.exec:\u226048.exe115⤵PID:4696
-
\??\c:\s6828.exec:\s6828.exe116⤵PID:3840
-
\??\c:\9vvvj.exec:\9vvvj.exe117⤵PID:4756
-
\??\c:\64826.exec:\64826.exe118⤵PID:2868
-
\??\c:\4828626.exec:\4828626.exe119⤵PID:3284
-
\??\c:\fllrfxr.exec:\fllrfxr.exe120⤵PID:5000
-
\??\c:\64080.exec:\64080.exe121⤵PID:756
-
\??\c:\640088.exec:\640088.exe122⤵PID:2332