Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 10:47
Static task
static1
1 signature
Behavioral task
behavioral1 (note: the Analysis header above and every signature IoC below reference behavioral2 on the Windows 10 2004 x64 image; the Windows 7 behavioral1 run listed here is not the run detailed on this page)
Sample
9d7c597a4b107aac46f84c25230e0f8bcb4968ba548bb5c77ea05c2931e89435.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9d7c597a4b107aac46f84c25230e0f8bcb4968ba548bb5c77ea05c2931e89435.exe
-
Size
454KB
-
MD5
ca501ddefc75d562a764a749308cd745
-
SHA1
83d670944f8340844effb9b29441d9f9741063f8
-
SHA256
9d7c597a4b107aac46f84c25230e0f8bcb4968ba548bb5c77ea05c2931e89435
-
SHA512
1c9cdfdcbfb43236a5a95d9b6578b6936382d1191110ec1eb8504eda8b0d14d6db2ed03eb3d4729588cea455eb5203c26a39a936556bfbd2b282e672411b1df3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (every hit is the same 0x00400000–0x0042A000 image range, each in a different dropped process, consistent with the parent→child execution chain under Processes)
resource yara_rule behavioral2/memory/2228-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3976-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5036-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-771-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2876-1207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2200 a4482.exe 5016 48086.exe 1568 jppdp.exe 4000 866848.exe 2372 k44482.exe 4084 m8826.exe 1112 vvdvj.exe 4984 62826.exe 1820 3ttnhb.exe 4908 86044.exe 3276 20408.exe 3204 g6884.exe 3736 4004848.exe 3888 40264.exe 4328 0400860.exe 3908 7dpdv.exe 5052 806044.exe 1708 vddvj.exe 1544 u062824.exe 4612 00604.exe 2584 7xxxllf.exe 872 9nhbnn.exe 1232 xxlfxrf.exe 3080 lrxlfxl.exe 3260 0066608.exe 3940 8628282.exe 3416 606662.exe 2348 rfllffx.exe 4372 2406242.exe 1380 842600.exe 5036 5lrlffr.exe 4844 6444448.exe 2696 8848604.exe 2928 dvdvj.exe 2628 jddvp.exe 4620 pddvp.exe 3912 4222664.exe 3400 a8000.exe 2040 2460006.exe 4220 w28204.exe 3688 48826.exe 3932 c282248.exe 4996 btbthn.exe 1548 m4404.exe 464 xxfrxrf.exe 2072 62260.exe 640 ffrrlff.exe 1564 24400.exe 652 m6004.exe 3512 206048.exe 3308 4086042.exe 1100 268866.exe 1932 8060886.exe 5100 vjdvd.exe 3976 a4004.exe 1200 xrrxrlx.exe 3728 84048.exe 688 lllfrlx.exe 4984 2400260.exe 4808 bntnnh.exe 4280 82426.exe 4928 2262648.exe 3216 lrlrrfl.exe 2360 jdjvj.exe -
resource yara_rule behavioral2/memory/2200-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-258-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5100-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-186-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2348-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-638-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Entries attributed to "Process not Found" could not be tied to a live process by the sandbox — presumably the short-lived dropped executables had already exited — so the process names in this list should be treated as partial.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e28440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o402220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2066042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 688448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w02600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k00606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u288048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
rlfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2228 wrote to memory of 2200 2228 9d7c597a4b107aac46f84c25230e0f8bcb4968ba548bb5c77ea05c2931e89435.exe 83 PID 2228 wrote to memory of 2200 2228 9d7c597a4b107aac46f84c25230e0f8bcb4968ba548bb5c77ea05c2931e89435.exe 83 PID 2228 wrote to memory of 2200 2228 9d7c597a4b107aac46f84c25230e0f8bcb4968ba548bb5c77ea05c2931e89435.exe 83 PID 2200 wrote to memory of 5016 2200 a4482.exe 84 PID 2200 wrote to memory of 5016 2200 a4482.exe 84 PID 2200 wrote to memory of 5016 2200 a4482.exe 84 PID 5016 wrote to memory of 1568 5016 48086.exe 85 PID 5016 wrote to memory of 1568 5016 48086.exe 85 PID 5016 wrote to memory of 1568 5016 48086.exe 85 PID 1568 wrote to memory of 4000 1568 jppdp.exe 196 PID 1568 wrote to memory of 4000 1568 jppdp.exe 196 PID 1568 wrote to memory of 4000 1568 jppdp.exe 196 PID 4000 wrote to memory of 2372 4000 866848.exe 87 PID 4000 wrote to memory of 2372 4000 866848.exe 87 PID 4000 wrote to memory of 2372 4000 866848.exe 87 PID 2372 wrote to memory of 4084 2372 k44482.exe 88 PID 2372 wrote to memory of 4084 2372 k44482.exe 88 PID 2372 wrote to memory of 4084 2372 k44482.exe 88 PID 4084 wrote to memory of 1112 4084 m8826.exe 199 PID 4084 wrote to memory of 1112 4084 m8826.exe 199 PID 4084 wrote to memory of 1112 4084 m8826.exe 199 PID 1112 wrote to memory of 4984 1112 vvdvj.exe 203 PID 1112 wrote to memory of 4984 1112 vvdvj.exe 203 PID 1112 wrote to memory of 4984 1112 vvdvj.exe 203 PID 4984 wrote to memory of 1820 4984 62826.exe 91 PID 4984 wrote to memory of 1820 4984 62826.exe 91 PID 4984 wrote to memory of 1820 4984 62826.exe 91 PID 1820 wrote to memory of 4908 1820 3ttnhb.exe 92 PID 1820 wrote to memory of 4908 1820 3ttnhb.exe 92 PID 1820 wrote to memory of 4908 1820 3ttnhb.exe 92 PID 4908 wrote to memory of 3276 4908 86044.exe 207 PID 4908 wrote to memory of 3276 4908 86044.exe 207 PID 4908 wrote to memory of 3276 4908 86044.exe 207 PID 3276 wrote to memory of 3204 3276 20408.exe 94 PID 3276 wrote to memory of 
3204 3276 20408.exe 94 PID 3276 wrote to memory of 3204 3276 20408.exe 94 PID 3204 wrote to memory of 3736 3204 g6884.exe 95 PID 3204 wrote to memory of 3736 3204 g6884.exe 95 PID 3204 wrote to memory of 3736 3204 g6884.exe 95 PID 3736 wrote to memory of 3888 3736 4004848.exe 96 PID 3736 wrote to memory of 3888 3736 4004848.exe 96 PID 3736 wrote to memory of 3888 3736 4004848.exe 96 PID 3888 wrote to memory of 4328 3888 40264.exe 97 PID 3888 wrote to memory of 4328 3888 40264.exe 97 PID 3888 wrote to memory of 4328 3888 40264.exe 97 PID 4328 wrote to memory of 3908 4328 0400860.exe 98 PID 4328 wrote to memory of 3908 4328 0400860.exe 98 PID 4328 wrote to memory of 3908 4328 0400860.exe 98 PID 3908 wrote to memory of 5052 3908 7dpdv.exe 99 PID 3908 wrote to memory of 5052 3908 7dpdv.exe 99 PID 3908 wrote to memory of 5052 3908 7dpdv.exe 99 PID 5052 wrote to memory of 1708 5052 806044.exe 100 PID 5052 wrote to memory of 1708 5052 806044.exe 100 PID 5052 wrote to memory of 1708 5052 806044.exe 100 PID 1708 wrote to memory of 1544 1708 vddvj.exe 101 PID 1708 wrote to memory of 1544 1708 vddvj.exe 101 PID 1708 wrote to memory of 1544 1708 vddvj.exe 101 PID 1544 wrote to memory of 4612 1544 u062824.exe 102 PID 1544 wrote to memory of 4612 1544 u062824.exe 102 PID 1544 wrote to memory of 4612 1544 u062824.exe 102 PID 4612 wrote to memory of 2584 4612 00604.exe 103 PID 4612 wrote to memory of 2584 4612 00604.exe 103 PID 4612 wrote to memory of 2584 4612 00604.exe 103 PID 2584 wrote to memory of 872 2584 7xxxllf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d7c597a4b107aac46f84c25230e0f8bcb4968ba548bb5c77ea05c2931e89435.exe"C:\Users\Admin\AppData\Local\Temp\9d7c597a4b107aac46f84c25230e0f8bcb4968ba548bb5c77ea05c2931e89435.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\a4482.exec:\a4482.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\48086.exec:\48086.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\jppdp.exec:\jppdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\866848.exec:\866848.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\k44482.exec:\k44482.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\m8826.exec:\m8826.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\vvdvj.exec:\vvdvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\62826.exec:\62826.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\3ttnhb.exec:\3ttnhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\86044.exec:\86044.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\20408.exec:\20408.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\g6884.exec:\g6884.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\4004848.exec:\4004848.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\40264.exec:\40264.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\0400860.exec:\0400860.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\7dpdv.exec:\7dpdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
\??\c:\806044.exec:\806044.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\vddvj.exec:\vddvj.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\u062824.exec:\u062824.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\00604.exec:\00604.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\7xxxllf.exec:\7xxxllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\9nhbnn.exec:\9nhbnn.exe23⤵
- Executes dropped EXE
PID:872 -
\??\c:\xxlfxrf.exec:\xxlfxrf.exe24⤵
- Executes dropped EXE
PID:1232 -
\??\c:\lrxlfxl.exec:\lrxlfxl.exe25⤵
- Executes dropped EXE
PID:3080 -
\??\c:\0066608.exec:\0066608.exe26⤵
- Executes dropped EXE
PID:3260 -
\??\c:\8628282.exec:\8628282.exe27⤵
- Executes dropped EXE
PID:3940 -
\??\c:\606662.exec:\606662.exe28⤵
- Executes dropped EXE
PID:3416 -
\??\c:\rfllffx.exec:\rfllffx.exe29⤵
- Executes dropped EXE
PID:2348 -
\??\c:\2406242.exec:\2406242.exe30⤵
- Executes dropped EXE
PID:4372 -
\??\c:\842600.exec:\842600.exe31⤵
- Executes dropped EXE
PID:1380 -
\??\c:\5lrlffr.exec:\5lrlffr.exe32⤵
- Executes dropped EXE
PID:5036 -
\??\c:\6444448.exec:\6444448.exe33⤵
- Executes dropped EXE
PID:4844 -
\??\c:\8848604.exec:\8848604.exe34⤵
- Executes dropped EXE
PID:2696 -
\??\c:\dvdvj.exec:\dvdvj.exe35⤵
- Executes dropped EXE
PID:2928 -
\??\c:\jddvp.exec:\jddvp.exe36⤵
- Executes dropped EXE
PID:2628 -
\??\c:\pddvp.exec:\pddvp.exe37⤵
- Executes dropped EXE
PID:4620 -
\??\c:\4222664.exec:\4222664.exe38⤵
- Executes dropped EXE
PID:3912 -
\??\c:\a8000.exec:\a8000.exe39⤵
- Executes dropped EXE
PID:3400 -
\??\c:\2460006.exec:\2460006.exe40⤵
- Executes dropped EXE
PID:2040 -
\??\c:\w28204.exec:\w28204.exe41⤵
- Executes dropped EXE
PID:4220 -
\??\c:\48826.exec:\48826.exe42⤵
- Executes dropped EXE
PID:3688 -
\??\c:\c282248.exec:\c282248.exe43⤵
- Executes dropped EXE
PID:3932 -
\??\c:\btbthn.exec:\btbthn.exe44⤵
- Executes dropped EXE
PID:4996 -
\??\c:\m4404.exec:\m4404.exe45⤵
- Executes dropped EXE
PID:1548 -
\??\c:\xxfrxrf.exec:\xxfrxrf.exe46⤵
- Executes dropped EXE
PID:464 -
\??\c:\62260.exec:\62260.exe47⤵
- Executes dropped EXE
PID:2072 -
\??\c:\ffrrlff.exec:\ffrrlff.exe48⤵
- Executes dropped EXE
PID:640 -
\??\c:\24400.exec:\24400.exe49⤵
- Executes dropped EXE
PID:1564 -
\??\c:\m6004.exec:\m6004.exe50⤵
- Executes dropped EXE
PID:652 -
\??\c:\206048.exec:\206048.exe51⤵
- Executes dropped EXE
PID:3512 -
\??\c:\4086042.exec:\4086042.exe52⤵
- Executes dropped EXE
PID:3308 -
\??\c:\268866.exec:\268866.exe53⤵
- Executes dropped EXE
PID:1100 -
\??\c:\8060886.exec:\8060886.exe54⤵
- Executes dropped EXE
PID:1932 -
\??\c:\vjdvd.exec:\vjdvd.exe55⤵
- Executes dropped EXE
PID:5100 -
\??\c:\a4004.exec:\a4004.exe56⤵
- Executes dropped EXE
PID:3976 -
\??\c:\xrrxrlx.exec:\xrrxrlx.exe57⤵
- Executes dropped EXE
PID:1200 -
\??\c:\84048.exec:\84048.exe58⤵
- Executes dropped EXE
PID:3728 -
\??\c:\lllfrlx.exec:\lllfrlx.exe59⤵
- Executes dropped EXE
PID:688 -
\??\c:\2400260.exec:\2400260.exe60⤵
- Executes dropped EXE
PID:4984 -
\??\c:\bntnnh.exec:\bntnnh.exe61⤵
- Executes dropped EXE
PID:4808 -
\??\c:\82426.exec:\82426.exe62⤵
- Executes dropped EXE
PID:4280 -
\??\c:\2262648.exec:\2262648.exe63⤵
- Executes dropped EXE
PID:4928 -
\??\c:\lrlrrfl.exec:\lrlrrfl.exe64⤵
- Executes dropped EXE
PID:3216 -
\??\c:\jdjvj.exec:\jdjvj.exe65⤵
- Executes dropped EXE
PID:2360 -
\??\c:\lrrfrlx.exec:\lrrfrlx.exe66⤵PID:4564
-
\??\c:\4682268.exec:\4682268.exe67⤵PID:4624
-
\??\c:\bhnhbb.exec:\bhnhbb.exe68⤵PID:4216
-
\??\c:\w46248.exec:\w46248.exe69⤵PID:3768
-
\??\c:\9ppjv.exec:\9ppjv.exe70⤵PID:4400
-
\??\c:\rlxxxff.exec:\rlxxxff.exe71⤵PID:876
-
\??\c:\xxfrrlx.exec:\xxfrrlx.exe72⤵PID:1440
-
\??\c:\jddvj.exec:\jddvj.exe73⤵PID:3240
-
\??\c:\dvpvj.exec:\dvpvj.exe74⤵PID:848
-
\??\c:\2848648.exec:\2848648.exe75⤵PID:5112
-
\??\c:\640626.exec:\640626.exe76⤵PID:4288
-
\??\c:\lxxlffr.exec:\lxxlffr.exe77⤵PID:996
-
\??\c:\868466.exec:\868466.exe78⤵PID:1848
-
\??\c:\5tnhbn.exec:\5tnhbn.exe79⤵PID:3208
-
\??\c:\q04826.exec:\q04826.exe80⤵PID:3900
-
\??\c:\bhttbh.exec:\bhttbh.exe81⤵PID:4416
-
\??\c:\4404820.exec:\4404820.exe82⤵PID:756
-
\??\c:\pjdpd.exec:\pjdpd.exe83⤵PID:2472
-
\??\c:\7rlxfrx.exec:\7rlxfrx.exe84⤵PID:5060
-
\??\c:\xlrllff.exec:\xlrllff.exe85⤵PID:2348
-
\??\c:\0882480.exec:\0882480.exe86⤵PID:4372
-
\??\c:\80226.exec:\80226.exe87⤵PID:3004
-
\??\c:\0444264.exec:\0444264.exe88⤵PID:1656
-
\??\c:\e28440.exec:\e28440.exe89⤵
- System Location Discovery: System Language Discovery
PID:3928 -
\??\c:\646822.exec:\646822.exe90⤵PID:2640
-
\??\c:\pvjvd.exec:\pvjvd.exe91⤵PID:1704
-
\??\c:\20660.exec:\20660.exe92⤵PID:1484
-
\??\c:\42822.exec:\42822.exe93⤵PID:3140
-
\??\c:\ffxrrlr.exec:\ffxrrlr.exe94⤵PID:3200
-
\??\c:\vdjdp.exec:\vdjdp.exe95⤵PID:1168
-
\??\c:\0848448.exec:\0848448.exe96⤵PID:4008
-
\??\c:\804460.exec:\804460.exe97⤵PID:4056
-
\??\c:\rfrlxrl.exec:\rfrlxrl.exe98⤵PID:3476
-
\??\c:\044688.exec:\044688.exe99⤵PID:5040
-
\??\c:\c666082.exec:\c666082.exe100⤵PID:4220
-
\??\c:\9fxlfxr.exec:\9fxlfxr.exe101⤵PID:628
-
\??\c:\822604.exec:\822604.exe102⤵PID:4488
-
\??\c:\hbhtnh.exec:\hbhtnh.exe103⤵PID:916
-
\??\c:\9jpdj.exec:\9jpdj.exe104⤵PID:4840
-
\??\c:\htbbht.exec:\htbbht.exe105⤵PID:3236
-
\??\c:\nhnbtt.exec:\nhnbtt.exe106⤵PID:3692
-
\??\c:\6848822.exec:\6848822.exe107⤵PID:2072
-
\??\c:\jvjvp.exec:\jvjvp.exe108⤵PID:392
-
\??\c:\88086.exec:\88086.exe109⤵PID:1356
-
\??\c:\pppdv.exec:\pppdv.exe110⤵PID:652
-
\??\c:\g6664.exec:\g6664.exe111⤵PID:624
-
\??\c:\1llxrrf.exec:\1llxrrf.exe112⤵PID:1832
-
\??\c:\lxfrffx.exec:\lxfrffx.exe113⤵PID:4436
-
\??\c:\rllfxxr.exec:\rllfxxr.exe114⤵PID:4000
-
\??\c:\q26048.exec:\q26048.exe115⤵PID:2372
-
\??\c:\642226.exec:\642226.exe116⤵PID:3280
-
\??\c:\vjpdp.exec:\vjpdp.exe117⤵PID:1112
-
\??\c:\6000442.exec:\6000442.exe118⤵PID:1220
-
\??\c:\9nhtnh.exec:\9nhtnh.exe119⤵PID:976
-
\??\c:\ttnbbt.exec:\ttnbbt.exe120⤵PID:4924
-
\??\c:\httnhb.exec:\httnhb.exe121⤵PID:4984
-
\??\c:\vdpjd.exec:\vdpjd.exe122⤵PID:4504