Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 08:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
aba7db44321a625ca7d4e0d2c08a9b03a49a695ff1e2c52c56102c614b5eaf3c.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
aba7db44321a625ca7d4e0d2c08a9b03a49a695ff1e2c52c56102c614b5eaf3c.exe
-
Size
455KB
-
MD5
6b72dfa9d0b33d6b2e6ef05fcc128dad
-
SHA1
e3adfb6b810cb2c76610d2ce96ba716de4d1d8fb
-
SHA256
aba7db44321a625ca7d4e0d2c08a9b03a49a695ff1e2c52c56102c614b5eaf3c
-
SHA512
45f57d5f7f1780502bf2187d057ccdc20fe78038d004197a41855ec4addfb1a1197b90ca5cb07b7eb5d7f372eb57608da1f6ea8cbd276a0dff656ac5ebe29000
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRm:q7Tc2NYHUrAwfMp3CDRm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2440-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4992-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1272-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-1056-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-1635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-1658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4152-1787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2164 40686.exe 3604 jpjvd.exe 4316 lxrxlxr.exe 1748 266680.exe 3220 428642.exe 4280 7pjvv.exe 4688 m6664.exe 716 tnhhbb.exe 3744 vvdvv.exe 3144 tbhbtn.exe 3496 lllfllx.exe 2912 q24044.exe 4864 rlrrffx.exe 4208 hbtnhh.exe 4988 i866660.exe 3288 6444822.exe 1040 rllfxxr.exe 4788 xlllfff.exe 4740 26848.exe 748 462666.exe 3876 04008.exe 1168 484822.exe 2840 4440444.exe 4464 82006.exe 2992 48046.exe 4992 k84644.exe 2036 lrrxlxl.exe 1736 0060662.exe 3084 xxrrrrr.exe 1744 u226004.exe 1660 7bhhnn.exe 3540 g0268.exe 4288 86600.exe 1272 rrrlllf.exe 1532 lxxrlfx.exe 1192 bbbbhn.exe 4984 42422.exe 3468 lrxrffx.exe 404 9djdp.exe 2220 pvvvp.exe 1288 48060.exe 5016 flrlllf.exe 1956 864064.exe 1136 404866.exe 4932 xfxfrlx.exe 3424 tntbhh.exe 388 bbbthb.exe 448 006644.exe 3976 880088.exe 4552 880644.exe 2872 lxrrlrr.exe 2844 8404448.exe 1132 7flfffl.exe 4480 e44244.exe 244 048648.exe 4012 8220488.exe 2560 5bthtn.exe 3264 7nbnbn.exe 3912 pvdpd.exe 876 4666044.exe 4564 vddpd.exe 2700 002204.exe 2912 222600.exe 1672 6888622.exe -
resource yara_rule behavioral2/memory/2440-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2036-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-413-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2572-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/656-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-825-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-835-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 668886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfflfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2440 wrote to memory of 2164 2440 aba7db44321a625ca7d4e0d2c08a9b03a49a695ff1e2c52c56102c614b5eaf3c.exe 85 PID 2440 wrote to memory of 2164 2440 aba7db44321a625ca7d4e0d2c08a9b03a49a695ff1e2c52c56102c614b5eaf3c.exe 85 PID 2440 wrote to memory of 2164 2440 aba7db44321a625ca7d4e0d2c08a9b03a49a695ff1e2c52c56102c614b5eaf3c.exe 85 PID 2164 wrote to memory of 3604 2164 40686.exe 86 PID 2164 wrote to memory of 3604 2164 40686.exe 86 PID 2164 wrote to memory of 3604 2164 40686.exe 86 PID 3604 wrote to memory of 4316 3604 jpjvd.exe 87 PID 3604 wrote to memory of 4316 3604 jpjvd.exe 87 PID 3604 wrote to memory of 4316 3604 jpjvd.exe 87 PID 4316 wrote to memory of 1748 4316 lxrxlxr.exe 88 PID 4316 wrote to memory of 1748 4316 lxrxlxr.exe 88 PID 4316 wrote to memory of 1748 4316 lxrxlxr.exe 88 PID 1748 wrote to memory of 3220 1748 266680.exe 89 PID 1748 wrote to memory of 3220 1748 266680.exe 89 PID 1748 wrote to memory of 3220 1748 266680.exe 89 PID 3220 wrote to memory of 4280 3220 428642.exe 90 PID 3220 wrote to memory of 4280 3220 428642.exe 90 PID 3220 wrote to memory of 4280 3220 428642.exe 90 PID 4280 wrote to memory of 4688 4280 7pjvv.exe 91 PID 4280 wrote to memory of 4688 4280 7pjvv.exe 91 PID 4280 wrote to memory of 4688 4280 7pjvv.exe 91 PID 4688 wrote to memory of 716 4688 m6664.exe 92 PID 4688 wrote to memory of 716 4688 m6664.exe 92 PID 4688 wrote to memory of 716 4688 m6664.exe 92 PID 716 wrote to memory of 3744 716 tnhhbb.exe 93 PID 716 wrote to memory of 3744 716 tnhhbb.exe 93 PID 716 wrote to memory of 3744 716 tnhhbb.exe 93 PID 3744 wrote to memory of 3144 3744 vvdvv.exe 94 PID 3744 wrote to memory of 3144 3744 vvdvv.exe 94 PID 3744 wrote to memory of 3144 3744 vvdvv.exe 94 PID 3144 wrote to memory of 3496 3144 tbhbtn.exe 95 PID 3144 wrote to memory of 3496 3144 tbhbtn.exe 95 PID 3144 wrote to memory of 3496 3144 tbhbtn.exe 95 PID 3496 wrote to memory of 2912 3496 lllfllx.exe 96 PID 3496 wrote to memory of 2912 3496 
lllfllx.exe 96 PID 3496 wrote to memory of 2912 3496 lllfllx.exe 96 PID 2912 wrote to memory of 4864 2912 q24044.exe 97 PID 2912 wrote to memory of 4864 2912 q24044.exe 97 PID 2912 wrote to memory of 4864 2912 q24044.exe 97 PID 4864 wrote to memory of 4208 4864 rlrrffx.exe 98 PID 4864 wrote to memory of 4208 4864 rlrrffx.exe 98 PID 4864 wrote to memory of 4208 4864 rlrrffx.exe 98 PID 4208 wrote to memory of 4988 4208 hbtnhh.exe 99 PID 4208 wrote to memory of 4988 4208 hbtnhh.exe 99 PID 4208 wrote to memory of 4988 4208 hbtnhh.exe 99 PID 4988 wrote to memory of 3288 4988 i866660.exe 100 PID 4988 wrote to memory of 3288 4988 i866660.exe 100 PID 4988 wrote to memory of 3288 4988 i866660.exe 100 PID 3288 wrote to memory of 1040 3288 6444822.exe 101 PID 3288 wrote to memory of 1040 3288 6444822.exe 101 PID 3288 wrote to memory of 1040 3288 6444822.exe 101 PID 1040 wrote to memory of 4788 1040 rllfxxr.exe 102 PID 1040 wrote to memory of 4788 1040 rllfxxr.exe 102 PID 1040 wrote to memory of 4788 1040 rllfxxr.exe 102 PID 4788 wrote to memory of 4740 4788 xlllfff.exe 103 PID 4788 wrote to memory of 4740 4788 xlllfff.exe 103 PID 4788 wrote to memory of 4740 4788 xlllfff.exe 103 PID 4740 wrote to memory of 748 4740 26848.exe 104 PID 4740 wrote to memory of 748 4740 26848.exe 104 PID 4740 wrote to memory of 748 4740 26848.exe 104 PID 748 wrote to memory of 3876 748 462666.exe 105 PID 748 wrote to memory of 3876 748 462666.exe 105 PID 748 wrote to memory of 3876 748 462666.exe 105 PID 3876 wrote to memory of 1168 3876 04008.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\aba7db44321a625ca7d4e0d2c08a9b03a49a695ff1e2c52c56102c614b5eaf3c.exe"C:\Users\Admin\AppData\Local\Temp\aba7db44321a625ca7d4e0d2c08a9b03a49a695ff1e2c52c56102c614b5eaf3c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\40686.exec:\40686.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\jpjvd.exec:\jpjvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\lxrxlxr.exec:\lxrxlxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\266680.exec:\266680.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\428642.exec:\428642.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\7pjvv.exec:\7pjvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\m6664.exec:\m6664.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\tnhhbb.exec:\tnhhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
\??\c:\vvdvv.exec:\vvdvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\tbhbtn.exec:\tbhbtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\lllfllx.exec:\lllfllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\q24044.exec:\q24044.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\rlrrffx.exec:\rlrrffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\hbtnhh.exec:\hbtnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\i866660.exec:\i866660.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\6444822.exec:\6444822.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\rllfxxr.exec:\rllfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\xlllfff.exec:\xlllfff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\26848.exec:\26848.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\462666.exec:\462666.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\04008.exec:\04008.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\484822.exec:\484822.exe23⤵
- Executes dropped EXE
PID:1168 -
\??\c:\4440444.exec:\4440444.exe24⤵
- Executes dropped EXE
PID:2840 -
\??\c:\82006.exec:\82006.exe25⤵
- Executes dropped EXE
PID:4464 -
\??\c:\48046.exec:\48046.exe26⤵
- Executes dropped EXE
PID:2992 -
\??\c:\k84644.exec:\k84644.exe27⤵
- Executes dropped EXE
PID:4992 -
\??\c:\lrrxlxl.exec:\lrrxlxl.exe28⤵
- Executes dropped EXE
PID:2036 -
\??\c:\0060662.exec:\0060662.exe29⤵
- Executes dropped EXE
PID:1736 -
\??\c:\xxrrrrr.exec:\xxrrrrr.exe30⤵
- Executes dropped EXE
PID:3084 -
\??\c:\u226004.exec:\u226004.exe31⤵
- Executes dropped EXE
PID:1744 -
\??\c:\7bhhnn.exec:\7bhhnn.exe32⤵
- Executes dropped EXE
PID:1660 -
\??\c:\g0268.exec:\g0268.exe33⤵
- Executes dropped EXE
PID:3540 -
\??\c:\86600.exec:\86600.exe34⤵
- Executes dropped EXE
PID:4288 -
\??\c:\rrrlllf.exec:\rrrlllf.exe35⤵
- Executes dropped EXE
PID:1272 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe36⤵
- Executes dropped EXE
PID:1532 -
\??\c:\bbbbhn.exec:\bbbbhn.exe37⤵
- Executes dropped EXE
PID:1192 -
\??\c:\42422.exec:\42422.exe38⤵
- Executes dropped EXE
PID:4984 -
\??\c:\lrxrffx.exec:\lrxrffx.exe39⤵
- Executes dropped EXE
PID:3468 -
\??\c:\9djdp.exec:\9djdp.exe40⤵
- Executes dropped EXE
PID:404 -
\??\c:\pvvvp.exec:\pvvvp.exe41⤵
- Executes dropped EXE
PID:2220 -
\??\c:\48060.exec:\48060.exe42⤵
- Executes dropped EXE
PID:1288 -
\??\c:\flrlllf.exec:\flrlllf.exe43⤵
- Executes dropped EXE
PID:5016 -
\??\c:\864064.exec:\864064.exe44⤵
- Executes dropped EXE
PID:1956 -
\??\c:\404866.exec:\404866.exe45⤵
- Executes dropped EXE
PID:1136 -
\??\c:\xfxfrlx.exec:\xfxfrlx.exe46⤵
- Executes dropped EXE
PID:4932 -
\??\c:\rlrxrlr.exec:\rlrxrlr.exe47⤵PID:5064
-
\??\c:\tntbhh.exec:\tntbhh.exe48⤵
- Executes dropped EXE
PID:3424 -
\??\c:\bbbthb.exec:\bbbthb.exe49⤵
- Executes dropped EXE
PID:388 -
\??\c:\006644.exec:\006644.exe50⤵
- Executes dropped EXE
PID:448 -
\??\c:\880088.exec:\880088.exe51⤵
- Executes dropped EXE
PID:3976 -
\??\c:\880644.exec:\880644.exe52⤵
- Executes dropped EXE
PID:4552 -
\??\c:\lxrrlrr.exec:\lxrrlrr.exe53⤵
- Executes dropped EXE
PID:2872 -
\??\c:\8404448.exec:\8404448.exe54⤵
- Executes dropped EXE
PID:2844 -
\??\c:\7flfffl.exec:\7flfffl.exe55⤵
- Executes dropped EXE
PID:1132 -
\??\c:\e44244.exec:\e44244.exe56⤵
- Executes dropped EXE
PID:4480 -
\??\c:\048648.exec:\048648.exe57⤵
- Executes dropped EXE
PID:244 -
\??\c:\8220488.exec:\8220488.exe58⤵
- Executes dropped EXE
PID:4012 -
\??\c:\5bthtn.exec:\5bthtn.exe59⤵
- Executes dropped EXE
PID:2560 -
\??\c:\7nbnbn.exec:\7nbnbn.exe60⤵
- Executes dropped EXE
PID:3264 -
\??\c:\pvdpd.exec:\pvdpd.exe61⤵
- Executes dropped EXE
PID:3912 -
\??\c:\4666044.exec:\4666044.exe62⤵
- Executes dropped EXE
PID:876 -
\??\c:\vddpd.exec:\vddpd.exe63⤵
- Executes dropped EXE
PID:4564 -
\??\c:\002204.exec:\002204.exe64⤵
- Executes dropped EXE
PID:2700 -
\??\c:\222600.exec:\222600.exe65⤵
- Executes dropped EXE
PID:2912 -
\??\c:\6888622.exec:\6888622.exe66⤵
- Executes dropped EXE
PID:1672 -
\??\c:\xrxxxxl.exec:\xrxxxxl.exe67⤵PID:1696
-
\??\c:\20082.exec:\20082.exe68⤵PID:4208
-
\??\c:\jvvpd.exec:\jvvpd.exe69⤵
- System Location Discovery: System Language Discovery
PID:4748 -
\??\c:\24664.exec:\24664.exe70⤵PID:3676
-
\??\c:\68442.exec:\68442.exe71⤵PID:4928
-
\??\c:\vjpjj.exec:\vjpjj.exe72⤵PID:2348
-
\??\c:\5llrfff.exec:\5llrfff.exe73⤵PID:2704
-
\??\c:\7pppj.exec:\7pppj.exe74⤵PID:2404
-
\??\c:\8682824.exec:\8682824.exe75⤵PID:2352
-
\??\c:\bthtbb.exec:\bthtbb.exe76⤵PID:4284
-
\??\c:\60826.exec:\60826.exe77⤵PID:3988
-
\??\c:\rrlrllf.exec:\rrlrllf.exe78⤵PID:4128
-
\??\c:\llxrffx.exec:\llxrffx.exe79⤵PID:1188
-
\??\c:\jvjdj.exec:\jvjdj.exe80⤵PID:1268
-
\??\c:\9nnhtt.exec:\9nnhtt.exe81⤵PID:3360
-
\??\c:\200046.exec:\200046.exe82⤵PID:3212
-
\??\c:\ffxrllf.exec:\ffxrllf.exe83⤵PID:2108
-
\??\c:\6466662.exec:\6466662.exe84⤵PID:3572
-
\??\c:\jdpjj.exec:\jdpjj.exe85⤵PID:468
-
\??\c:\xlrlxrl.exec:\xlrlxrl.exe86⤵PID:2924
-
\??\c:\64262.exec:\64262.exe87⤵PID:4620
-
\??\c:\3xrlxxr.exec:\3xrlxxr.exe88⤵PID:1228
-
\??\c:\e26488.exec:\e26488.exe89⤵PID:2252
-
\??\c:\08824.exec:\08824.exe90⤵PID:1888
-
\??\c:\46886.exec:\46886.exe91⤵PID:720
-
\??\c:\ffrlllf.exec:\ffrlllf.exe92⤵PID:1660
-
\??\c:\6648828.exec:\6648828.exe93⤵PID:1616
-
\??\c:\bhhbbt.exec:\bhhbbt.exe94⤵PID:1964
-
\??\c:\jpvpj.exec:\jpvpj.exe95⤵PID:1272
-
\??\c:\bnbbtn.exec:\bnbbtn.exe96⤵PID:1060
-
\??\c:\5dddp.exec:\5dddp.exe97⤵PID:2512
-
\??\c:\5pvjv.exec:\5pvjv.exe98⤵PID:4944
-
\??\c:\bnthtt.exec:\bnthtt.exe99⤵
- System Location Discovery: System Language Discovery
PID:1376 -
\??\c:\8880866.exec:\8880866.exe100⤵PID:404
-
\??\c:\rllfrrl.exec:\rllfrrl.exe101⤵PID:4528
-
\??\c:\xlffrrl.exec:\xlffrrl.exe102⤵PID:4920
-
\??\c:\vvdvp.exec:\vvdvp.exe103⤵PID:5016
-
\??\c:\86004.exec:\86004.exe104⤵PID:1956
-
\??\c:\bbbhhh.exec:\bbbhhh.exe105⤵PID:4380
-
\??\c:\rfffxrx.exec:\rfffxrx.exe106⤵PID:2572
-
\??\c:\hbbbnn.exec:\hbbbnn.exe107⤵PID:5064
-
\??\c:\nbbtnn.exec:\nbbtnn.exe108⤵PID:1056
-
\??\c:\4000448.exec:\4000448.exe109⤵PID:3228
-
\??\c:\2842660.exec:\2842660.exe110⤵PID:448
-
\??\c:\vpvpp.exec:\vpvpp.exe111⤵PID:4268
-
\??\c:\bnnhnn.exec:\bnnhnn.exe112⤵PID:2980
-
\??\c:\k84822.exec:\k84822.exe113⤵PID:668
-
\??\c:\2022222.exec:\2022222.exe114⤵PID:3220
-
\??\c:\9jjdv.exec:\9jjdv.exe115⤵PID:2400
-
\??\c:\u622600.exec:\u622600.exe116⤵PID:2412
-
\??\c:\044888.exec:\044888.exe117⤵PID:208
-
\??\c:\bbhbbb.exec:\bbhbbb.exe118⤵PID:836
-
\??\c:\6288266.exec:\6288266.exe119⤵PID:4604
-
\??\c:\jvvvj.exec:\jvvvj.exe120⤵PID:4144
-
\??\c:\vppjv.exec:\vppjv.exe121⤵PID:1684
-
\??\c:\8060488.exec:\8060488.exe122⤵PID:4848