Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 10:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe
-
Size
454KB
-
MD5
538f1a1627e2e404679d394911cc605a
-
SHA1
5b95f9a85b78128dd96a90b9193dab5dbf58ee51
-
SHA256
e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755
-
SHA512
e0b0c461a6667db735d66dbcb701caa09bff71acc147adb1059434fefc6aa68b6b3aaa4e8e6e37cf909e14255276e6096038d083a6e5e74aa725fa005bc12bac
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1J:q7Tc2NYHUrAwfMp3CD1J
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1912-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3468-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/564-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/872-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-992-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4520-1580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4628 jvdjp.exe 4896 4404422.exe 3708 484482.exe 3640 6022480.exe 2116 dpvpp.exe 3936 7pvvp.exe 4980 8244480.exe 2100 rrfxlfl.exe 3712 420448.exe 3464 xxxrrlf.exe 3744 jpvpd.exe 2876 dvppv.exe 4792 6060606.exe 3156 rxlfxxf.exe 2544 xflfxxf.exe 3496 o686004.exe 4328 3lllfff.exe 2328 864800.exe 1212 666426.exe 2468 488226.exe 2896 2062666.exe 4436 pvdvp.exe 2152 vvppv.exe 2396 04848.exe 3468 4468604.exe 532 g2028.exe 1572 pddvp.exe 3956 lfxrxxx.exe 5112 djjpd.exe 764 1hhhnt.exe 3024 3nnnnn.exe 1228 vpdvv.exe 4736 5bhbbb.exe 4812 28648.exe 4876 nhhhbb.exe 4400 3ddpd.exe 1148 20206.exe 4856 g0648.exe 3216 5pdpv.exe 2408 c404484.exe 4296 00660.exe 1444 fflrlxl.exe 2236 002822.exe 3152 26006.exe 3680 o842644.exe 4816 4228626.exe 4084 jdjdv.exe 4272 xflrrfr.exe 2732 04600.exe 2116 24004.exe 456 5dvpj.exe 944 e00880.exe 564 a8660.exe 4632 86260.exe 4616 266662.exe 1956 044822.exe 2540 7nhbhh.exe 3400 thnhbb.exe 868 2622626.exe 2996 k86000.exe 2856 6088484.exe 3696 thntnn.exe 2068 484488.exe 1564 jdjjd.exe -
resource yara_rule behavioral2/memory/1912-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3956-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/564-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-439-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3276-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-731-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28048.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6860004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2086862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 880488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6004262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6082828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e64244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u642266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1912 wrote to memory of 4628 1912 e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe 83 PID 1912 wrote to memory of 4628 1912 e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe 83 PID 1912 wrote to memory of 4628 1912 e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe 83 PID 4628 wrote to memory of 4896 4628 jvdjp.exe 84 PID 4628 wrote to memory of 4896 4628 jvdjp.exe 84 PID 4628 wrote to memory of 4896 4628 jvdjp.exe 84 PID 4896 wrote to memory of 3708 4896 4404422.exe 85 PID 4896 wrote to memory of 3708 4896 4404422.exe 85 PID 4896 wrote to memory of 3708 4896 4404422.exe 85 PID 3708 wrote to memory of 3640 3708 484482.exe 86 PID 3708 wrote to memory of 3640 3708 484482.exe 86 PID 3708 wrote to memory of 3640 3708 484482.exe 86 PID 3640 wrote to memory of 2116 3640 6022480.exe 87 PID 3640 wrote to memory of 2116 3640 6022480.exe 87 PID 3640 wrote to memory of 2116 3640 6022480.exe 87 PID 2116 wrote to memory of 3936 2116 dpvpp.exe 88 PID 2116 wrote to memory of 3936 2116 dpvpp.exe 88 PID 2116 wrote to memory of 3936 2116 dpvpp.exe 88 PID 3936 wrote to memory of 4980 3936 7pvvp.exe 89 PID 3936 wrote to memory of 4980 3936 7pvvp.exe 89 PID 3936 wrote to memory of 4980 3936 7pvvp.exe 89 PID 4980 wrote to memory of 2100 4980 8244480.exe 90 PID 4980 wrote to memory of 2100 4980 8244480.exe 90 PID 4980 wrote to memory of 2100 4980 8244480.exe 90 PID 2100 wrote to memory of 3712 2100 rrfxlfl.exe 91 PID 2100 wrote to memory of 3712 2100 rrfxlfl.exe 91 PID 2100 wrote to memory of 3712 2100 rrfxlfl.exe 91 PID 3712 wrote to memory of 3464 3712 420448.exe 92 PID 3712 wrote to memory of 3464 3712 420448.exe 92 PID 3712 wrote to memory of 3464 3712 420448.exe 92 PID 3464 wrote to memory of 3744 3464 xxxrrlf.exe 93 PID 3464 wrote to memory of 3744 3464 xxxrrlf.exe 93 PID 3464 wrote to memory of 3744 3464 xxxrrlf.exe 93 PID 3744 wrote to memory of 2876 3744 jpvpd.exe 94 PID 3744 wrote 
to memory of 2876 3744 jpvpd.exe 94 PID 3744 wrote to memory of 2876 3744 jpvpd.exe 94 PID 2876 wrote to memory of 4792 2876 dvppv.exe 95 PID 2876 wrote to memory of 4792 2876 dvppv.exe 95 PID 2876 wrote to memory of 4792 2876 dvppv.exe 95 PID 4792 wrote to memory of 3156 4792 6060606.exe 96 PID 4792 wrote to memory of 3156 4792 6060606.exe 96 PID 4792 wrote to memory of 3156 4792 6060606.exe 96 PID 3156 wrote to memory of 2544 3156 rxlfxxf.exe 97 PID 3156 wrote to memory of 2544 3156 rxlfxxf.exe 97 PID 3156 wrote to memory of 2544 3156 rxlfxxf.exe 97 PID 2544 wrote to memory of 3496 2544 xflfxxf.exe 98 PID 2544 wrote to memory of 3496 2544 xflfxxf.exe 98 PID 2544 wrote to memory of 3496 2544 xflfxxf.exe 98 PID 3496 wrote to memory of 4328 3496 o686004.exe 99 PID 3496 wrote to memory of 4328 3496 o686004.exe 99 PID 3496 wrote to memory of 4328 3496 o686004.exe 99 PID 4328 wrote to memory of 2328 4328 3lllfff.exe 100 PID 4328 wrote to memory of 2328 4328 3lllfff.exe 100 PID 4328 wrote to memory of 2328 4328 3lllfff.exe 100 PID 2328 wrote to memory of 1212 2328 864800.exe 101 PID 2328 wrote to memory of 1212 2328 864800.exe 101 PID 2328 wrote to memory of 1212 2328 864800.exe 101 PID 1212 wrote to memory of 2468 1212 666426.exe 102 PID 1212 wrote to memory of 2468 1212 666426.exe 102 PID 1212 wrote to memory of 2468 1212 666426.exe 102 PID 2468 wrote to memory of 2896 2468 488226.exe 103 PID 2468 wrote to memory of 2896 2468 488226.exe 103 PID 2468 wrote to memory of 2896 2468 488226.exe 103 PID 2896 wrote to memory of 4436 2896 2062666.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe"C:\Users\Admin\AppData\Local\Temp\e48a0616b2f93e7ad470d52ab0acb422880293c23422c4c175bfd883992ce755.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\jvdjp.exec:\jvdjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\4404422.exec:\4404422.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\484482.exec:\484482.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\6022480.exec:\6022480.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\dpvpp.exec:\dpvpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\7pvvp.exec:\7pvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\8244480.exec:\8244480.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\rrfxlfl.exec:\rrfxlfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\420448.exec:\420448.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\xxxrrlf.exec:\xxxrrlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\jpvpd.exec:\jpvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\dvppv.exec:\dvppv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\6060606.exec:\6060606.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\rxlfxxf.exec:\rxlfxxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\xflfxxf.exec:\xflfxxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\o686004.exec:\o686004.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\3lllfff.exec:\3lllfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\864800.exec:\864800.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\666426.exec:\666426.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\488226.exec:\488226.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\2062666.exec:\2062666.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\pvdvp.exec:\pvdvp.exe23⤵
- Executes dropped EXE
PID:4436 -
\??\c:\vvppv.exec:\vvppv.exe24⤵
- Executes dropped EXE
PID:2152 -
\??\c:\04848.exec:\04848.exe25⤵
- Executes dropped EXE
PID:2396 -
\??\c:\4468604.exec:\4468604.exe26⤵
- Executes dropped EXE
PID:3468 -
\??\c:\g2028.exec:\g2028.exe27⤵
- Executes dropped EXE
PID:532 -
\??\c:\pddvp.exec:\pddvp.exe28⤵
- Executes dropped EXE
PID:1572 -
\??\c:\lfxrxxx.exec:\lfxrxxx.exe29⤵
- Executes dropped EXE
PID:3956 -
\??\c:\djjpd.exec:\djjpd.exe30⤵
- Executes dropped EXE
PID:5112 -
\??\c:\1hhhnt.exec:\1hhhnt.exe31⤵
- Executes dropped EXE
PID:764 -
\??\c:\3nnnnn.exec:\3nnnnn.exe32⤵
- Executes dropped EXE
PID:3024 -
\??\c:\vpdvv.exec:\vpdvv.exe33⤵
- Executes dropped EXE
PID:1228 -
\??\c:\5bhbbb.exec:\5bhbbb.exe34⤵
- Executes dropped EXE
PID:4736 -
\??\c:\28648.exec:\28648.exe35⤵
- Executes dropped EXE
PID:4812 -
\??\c:\nhhhbb.exec:\nhhhbb.exe36⤵
- Executes dropped EXE
PID:4876 -
\??\c:\3ddpd.exec:\3ddpd.exe37⤵
- Executes dropped EXE
PID:4400 -
\??\c:\20206.exec:\20206.exe38⤵
- Executes dropped EXE
PID:1148 -
\??\c:\g0648.exec:\g0648.exe39⤵
- Executes dropped EXE
PID:4856 -
\??\c:\5pdpv.exec:\5pdpv.exe40⤵
- Executes dropped EXE
PID:3216 -
\??\c:\c404484.exec:\c404484.exe41⤵
- Executes dropped EXE
PID:2408 -
\??\c:\00660.exec:\00660.exe42⤵
- Executes dropped EXE
PID:4296 -
\??\c:\fflrlxl.exec:\fflrlxl.exe43⤵
- Executes dropped EXE
PID:1444 -
\??\c:\002822.exec:\002822.exe44⤵
- Executes dropped EXE
PID:2236 -
\??\c:\26006.exec:\26006.exe45⤵
- Executes dropped EXE
PID:3152 -
\??\c:\o842644.exec:\o842644.exe46⤵
- Executes dropped EXE
PID:3680 -
\??\c:\4228626.exec:\4228626.exe47⤵
- Executes dropped EXE
PID:4816 -
\??\c:\jdjdv.exec:\jdjdv.exe48⤵
- Executes dropped EXE
PID:4084 -
\??\c:\xflrrfr.exec:\xflrrfr.exe49⤵
- Executes dropped EXE
PID:4272 -
\??\c:\04600.exec:\04600.exe50⤵
- Executes dropped EXE
PID:2732 -
\??\c:\24004.exec:\24004.exe51⤵
- Executes dropped EXE
PID:2116 -
\??\c:\5dvpj.exec:\5dvpj.exe52⤵
- Executes dropped EXE
PID:456 -
\??\c:\e00880.exec:\e00880.exe53⤵
- Executes dropped EXE
PID:944 -
\??\c:\a8660.exec:\a8660.exe54⤵
- Executes dropped EXE
PID:564 -
\??\c:\86260.exec:\86260.exe55⤵
- Executes dropped EXE
PID:4632 -
\??\c:\266662.exec:\266662.exe56⤵
- Executes dropped EXE
PID:4616 -
\??\c:\044822.exec:\044822.exe57⤵
- Executes dropped EXE
PID:1956 -
\??\c:\7nhbhh.exec:\7nhbhh.exe58⤵
- Executes dropped EXE
PID:2540 -
\??\c:\thnhbb.exec:\thnhbb.exe59⤵
- Executes dropped EXE
PID:3400 -
\??\c:\2622626.exec:\2622626.exe60⤵
- Executes dropped EXE
PID:868 -
\??\c:\k86000.exec:\k86000.exe61⤵
- Executes dropped EXE
PID:2996 -
\??\c:\6088484.exec:\6088484.exe62⤵
- Executes dropped EXE
PID:2856 -
\??\c:\thntnn.exec:\thntnn.exe63⤵
- Executes dropped EXE
PID:3696 -
\??\c:\484488.exec:\484488.exe64⤵
- Executes dropped EXE
PID:2068 -
\??\c:\jdjjd.exec:\jdjjd.exe65⤵
- Executes dropped EXE
PID:1564 -
\??\c:\60828.exec:\60828.exe66⤵PID:5036
-
\??\c:\thnhbt.exec:\thnhbt.exe67⤵PID:3200
-
\??\c:\jdvpd.exec:\jdvpd.exe68⤵PID:4824
-
\??\c:\xrfxrlf.exec:\xrfxrlf.exe69⤵PID:3136
-
\??\c:\7ffxxxr.exec:\7ffxxxr.exe70⤵PID:2704
-
\??\c:\3dpjd.exec:\3dpjd.exe71⤵PID:756
-
\??\c:\488280.exec:\488280.exe72⤵PID:1368
-
\??\c:\64686.exec:\64686.exe73⤵PID:3692
-
\??\c:\httnhn.exec:\httnhn.exe74⤵PID:4568
-
\??\c:\hbbbtt.exec:\hbbbtt.exe75⤵PID:2356
-
\??\c:\jdjdd.exec:\jdjdd.exe76⤵PID:3556
-
\??\c:\c684826.exec:\c684826.exe77⤵PID:3128
-
\??\c:\ddvjv.exec:\ddvjv.exe78⤵PID:4412
-
\??\c:\62226.exec:\62226.exe79⤵PID:4136
-
\??\c:\lllxxff.exec:\lllxxff.exe80⤵PID:3440
-
\??\c:\1hhnht.exec:\1hhnht.exe81⤵PID:2660
-
\??\c:\tnnnhn.exec:\tnnnhn.exe82⤵PID:832
-
\??\c:\7ppjd.exec:\7ppjd.exe83⤵PID:872
-
\??\c:\9jpjd.exec:\9jpjd.exe84⤵PID:4772
-
\??\c:\o882448.exec:\o882448.exe85⤵PID:1988
-
\??\c:\02848.exec:\02848.exe86⤵PID:4748
-
\??\c:\g8822.exec:\g8822.exe87⤵PID:216
-
\??\c:\nntttb.exec:\nntttb.exe88⤵PID:1228
-
\??\c:\lfrlllr.exec:\lfrlllr.exe89⤵PID:1932
-
\??\c:\86642.exec:\86642.exe90⤵PID:640
-
\??\c:\002626.exec:\002626.exe91⤵PID:496
-
\??\c:\0628826.exec:\0628826.exe92⤵PID:4400
-
\??\c:\g4600.exec:\g4600.exe93⤵PID:1148
-
\??\c:\rflffrr.exec:\rflffrr.exe94⤵PID:5016
-
\??\c:\9nnhbb.exec:\9nnhbb.exe95⤵PID:1552
-
\??\c:\44604.exec:\44604.exe96⤵PID:1940
-
\??\c:\066064.exec:\066064.exe97⤵PID:1788
-
\??\c:\02204.exec:\02204.exe98⤵PID:4628
-
\??\c:\jjvdp.exec:\jjvdp.exe99⤵PID:864
-
\??\c:\nnnnnn.exec:\nnnnnn.exe100⤵PID:3516
-
\??\c:\rlllfff.exec:\rlllfff.exe101⤵PID:3428
-
\??\c:\k42666.exec:\k42666.exe102⤵PID:4076
-
\??\c:\bnnbhh.exec:\bnnbhh.exe103⤵PID:3708
-
\??\c:\vjpjv.exec:\vjpjv.exe104⤵PID:4768
-
\??\c:\jpdvp.exec:\jpdvp.exe105⤵PID:3376
-
\??\c:\lrfrrrl.exec:\lrfrrrl.exe106⤵PID:4944
-
\??\c:\nbhthh.exec:\nbhthh.exe107⤵PID:2732
-
\??\c:\8666426.exec:\8666426.exe108⤵PID:2116
-
\??\c:\xlrxlff.exec:\xlrxlff.exe109⤵PID:456
-
\??\c:\240400.exec:\240400.exe110⤵PID:4980
-
\??\c:\nhhhbn.exec:\nhhhbn.exe111⤵PID:4560
-
\??\c:\5hnhhh.exec:\5hnhhh.exe112⤵PID:772
-
\??\c:\20288.exec:\20288.exe113⤵PID:5004
-
\??\c:\44426.exec:\44426.exe114⤵PID:1312
-
\??\c:\1jjvp.exec:\1jjvp.exe115⤵PID:1424
-
\??\c:\642644.exec:\642644.exe116⤵PID:4348
-
\??\c:\2800822.exec:\2800822.exe117⤵PID:3276
-
\??\c:\3pjjd.exec:\3pjjd.exe118⤵PID:2268
-
\??\c:\i266604.exec:\i266604.exe119⤵PID:1744
-
\??\c:\jdpjv.exec:\jdpjv.exe120⤵PID:2024
-
\??\c:\284804.exec:\284804.exe121⤵PID:2372
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe122⤵PID:1936