Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 12:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe
-
Size
453KB
-
MD5
f4aa05e3d665e90e07ccb953d0548ab2
-
SHA1
95a037523541999335985290daf1cdfc10a00777
-
SHA256
ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc
-
SHA512
76fff6aa6d8c542a3464f1b53e9ac7d19eae0de39aefdb4389fe960344c4214185939074015b1a4427e9ba8a553de5465a5ec396c233cd7537a591514c4de029
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4180-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3860-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2016-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-971-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-1089-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-1117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-2306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1212 ddvjv.exe 2756 e84266.exe 396 jpvvd.exe 5108 400848.exe 4652 frfrrll.exe 3148 842044.exe 1136 6286482.exe 184 84268.exe 2364 082084.exe 2672 nhhthh.exe 2156 2408266.exe 4284 a4886.exe 1660 rlfrfxl.exe 2972 rxxfxrl.exe 3088 lffxrrr.exe 2868 a0004.exe 3564 i446448.exe 2896 vjjdd.exe 1628 6848882.exe 5076 1bnthb.exe 1164 4220864.exe 4076 vddjv.exe 2300 0420448.exe 4512 flffrfx.exe 3860 6222600.exe 4800 3fxrxll.exe 1088 xxxfrfr.exe 2780 1hbntn.exe 2400 082420.exe 636 1xllxxl.exe 1400 00484.exe 508 bnhtht.exe 3140 tthhnt.exe 2860 jdvjp.exe 4356 s8602.exe 2160 084448.exe 4136 7rfrfxl.exe 1160 ttnbnh.exe 3448 00024.exe 2636 7llrxrl.exe 1744 htbntn.exe 1328 200864.exe 3664 lxrfrlx.exe 1216 8486420.exe 760 fxrfrfx.exe 408 02242.exe 2624 flfrfxr.exe 2828 dddpd.exe 1304 006000.exe 4180 s8882.exe 8 vddvp.exe 4392 m0644.exe 372 bnhbnh.exe 2104 46226.exe 3012 422204.exe 3948 c888660.exe 452 lllfxfx.exe 3008 20820.exe 3872 7xlrfrf.exe 3452 jjjpd.exe 756 e66462.exe 216 82260.exe 1608 44422.exe 4192 g4826.exe -
resource yara_rule behavioral2/memory/4180-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1088-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5052-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-1089-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4848660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 848226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 666648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2466448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 244226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4180 wrote to memory of 1212 4180 ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe 83 PID 4180 wrote to memory of 1212 4180 ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe 83 PID 4180 wrote to memory of 1212 4180 ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe 83 PID 1212 wrote to memory of 2756 1212 ddvjv.exe 84 PID 1212 wrote to memory of 2756 1212 ddvjv.exe 84 PID 1212 wrote to memory of 2756 1212 ddvjv.exe 84 PID 2756 wrote to memory of 396 2756 e84266.exe 85 PID 2756 wrote to memory of 396 2756 e84266.exe 85 PID 2756 wrote to memory of 396 2756 e84266.exe 85 PID 396 wrote to memory of 5108 396 jpvvd.exe 86 PID 396 wrote to memory of 5108 396 jpvvd.exe 86 PID 396 wrote to memory of 5108 396 jpvvd.exe 86 PID 5108 wrote to memory of 4652 5108 400848.exe 87 PID 5108 wrote to memory of 4652 5108 400848.exe 87 PID 5108 wrote to memory of 4652 5108 400848.exe 87 PID 4652 wrote to memory of 3148 4652 frfrrll.exe 88 PID 4652 wrote to memory of 3148 4652 frfrrll.exe 88 PID 4652 wrote to memory of 3148 4652 frfrrll.exe 88 PID 3148 wrote to memory of 1136 3148 842044.exe 89 PID 3148 wrote to memory of 1136 3148 842044.exe 89 PID 3148 wrote to memory of 1136 3148 842044.exe 89 PID 1136 wrote to memory of 184 1136 6286482.exe 90 PID 1136 wrote to memory of 184 1136 6286482.exe 90 PID 1136 wrote to memory of 184 1136 6286482.exe 90 PID 184 wrote to memory of 2364 184 84268.exe 91 PID 184 wrote to memory of 2364 184 84268.exe 91 PID 184 wrote to memory of 2364 184 84268.exe 91 PID 2364 wrote to memory of 2672 2364 082084.exe 92 PID 2364 wrote to memory of 2672 2364 082084.exe 92 PID 2364 wrote to memory of 2672 2364 082084.exe 92 PID 2672 wrote to memory of 2156 2672 nhhthh.exe 93 PID 2672 wrote to memory of 2156 2672 nhhthh.exe 93 PID 2672 wrote to memory of 2156 2672 nhhthh.exe 93 PID 2156 wrote to memory of 4284 2156 2408266.exe 94 PID 2156 wrote to memory of 4284 2156 
2408266.exe 94 PID 2156 wrote to memory of 4284 2156 2408266.exe 94 PID 4284 wrote to memory of 1660 4284 a4886.exe 95 PID 4284 wrote to memory of 1660 4284 a4886.exe 95 PID 4284 wrote to memory of 1660 4284 a4886.exe 95 PID 1660 wrote to memory of 2972 1660 rlfrfxl.exe 96 PID 1660 wrote to memory of 2972 1660 rlfrfxl.exe 96 PID 1660 wrote to memory of 2972 1660 rlfrfxl.exe 96 PID 2972 wrote to memory of 3088 2972 rxxfxrl.exe 97 PID 2972 wrote to memory of 3088 2972 rxxfxrl.exe 97 PID 2972 wrote to memory of 3088 2972 rxxfxrl.exe 97 PID 3088 wrote to memory of 2868 3088 lffxrrr.exe 98 PID 3088 wrote to memory of 2868 3088 lffxrrr.exe 98 PID 3088 wrote to memory of 2868 3088 lffxrrr.exe 98 PID 2868 wrote to memory of 3564 2868 a0004.exe 99 PID 2868 wrote to memory of 3564 2868 a0004.exe 99 PID 2868 wrote to memory of 3564 2868 a0004.exe 99 PID 3564 wrote to memory of 2896 3564 i446448.exe 100 PID 3564 wrote to memory of 2896 3564 i446448.exe 100 PID 3564 wrote to memory of 2896 3564 i446448.exe 100 PID 2896 wrote to memory of 1628 2896 vjjdd.exe 101 PID 2896 wrote to memory of 1628 2896 vjjdd.exe 101 PID 2896 wrote to memory of 1628 2896 vjjdd.exe 101 PID 1628 wrote to memory of 5076 1628 6848882.exe 102 PID 1628 wrote to memory of 5076 1628 6848882.exe 102 PID 1628 wrote to memory of 5076 1628 6848882.exe 102 PID 5076 wrote to memory of 1164 5076 1bnthb.exe 103 PID 5076 wrote to memory of 1164 5076 1bnthb.exe 103 PID 5076 wrote to memory of 1164 5076 1bnthb.exe 103 PID 1164 wrote to memory of 4076 1164 4220864.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe"C:\Users\Admin\AppData\Local\Temp\ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\ddvjv.exec:\ddvjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\e84266.exec:\e84266.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\jpvvd.exec:\jpvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\400848.exec:\400848.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\frfrrll.exec:\frfrrll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\842044.exec:\842044.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\6286482.exec:\6286482.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\84268.exec:\84268.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\082084.exec:\082084.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\nhhthh.exec:\nhhthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\2408266.exec:\2408266.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\a4886.exec:\a4886.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\rlfrfxl.exec:\rlfrfxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\rxxfxrl.exec:\rxxfxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\lffxrrr.exec:\lffxrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\a0004.exec:\a0004.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\i446448.exec:\i446448.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\vjjdd.exec:\vjjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\6848882.exec:\6848882.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\1bnthb.exec:\1bnthb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\4220864.exec:\4220864.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\vddjv.exec:\vddjv.exe23⤵
- Executes dropped EXE
PID:4076 -
\??\c:\0420448.exec:\0420448.exe24⤵
- Executes dropped EXE
PID:2300 -
\??\c:\flffrfx.exec:\flffrfx.exe25⤵
- Executes dropped EXE
PID:4512 -
\??\c:\6222600.exec:\6222600.exe26⤵
- Executes dropped EXE
PID:3860 -
\??\c:\3fxrxll.exec:\3fxrxll.exe27⤵
- Executes dropped EXE
PID:4800 -
\??\c:\xxxfrfr.exec:\xxxfrfr.exe28⤵
- Executes dropped EXE
PID:1088 -
\??\c:\1hbntn.exec:\1hbntn.exe29⤵
- Executes dropped EXE
PID:2780 -
\??\c:\082420.exec:\082420.exe30⤵
- Executes dropped EXE
PID:2400 -
\??\c:\1xllxxl.exec:\1xllxxl.exe31⤵
- Executes dropped EXE
PID:636 -
\??\c:\00484.exec:\00484.exe32⤵
- Executes dropped EXE
PID:1400 -
\??\c:\bnhtht.exec:\bnhtht.exe33⤵
- Executes dropped EXE
PID:508 -
\??\c:\tthhnt.exec:\tthhnt.exe34⤵
- Executes dropped EXE
PID:3140 -
\??\c:\jdvjp.exec:\jdvjp.exe35⤵
- Executes dropped EXE
PID:2860 -
\??\c:\s8602.exec:\s8602.exe36⤵
- Executes dropped EXE
PID:4356 -
\??\c:\084448.exec:\084448.exe37⤵
- Executes dropped EXE
PID:2160 -
\??\c:\7rfrfxl.exec:\7rfrfxl.exe38⤵
- Executes dropped EXE
PID:4136 -
\??\c:\ttnbnh.exec:\ttnbnh.exe39⤵
- Executes dropped EXE
PID:1160 -
\??\c:\00024.exec:\00024.exe40⤵
- Executes dropped EXE
PID:3448 -
\??\c:\7llrxrl.exec:\7llrxrl.exe41⤵
- Executes dropped EXE
PID:2636 -
\??\c:\htbntn.exec:\htbntn.exe42⤵
- Executes dropped EXE
PID:1744 -
\??\c:\200864.exec:\200864.exe43⤵
- Executes dropped EXE
PID:1328 -
\??\c:\lxrfrlx.exec:\lxrfrlx.exe44⤵
- Executes dropped EXE
PID:3664 -
\??\c:\8486420.exec:\8486420.exe45⤵
- Executes dropped EXE
PID:1216 -
\??\c:\fxrfrfx.exec:\fxrfrfx.exe46⤵
- Executes dropped EXE
PID:760 -
\??\c:\02242.exec:\02242.exe47⤵
- Executes dropped EXE
PID:408 -
\??\c:\flfrfxr.exec:\flfrfxr.exe48⤵
- Executes dropped EXE
PID:2624 -
\??\c:\dddpd.exec:\dddpd.exe49⤵
- Executes dropped EXE
PID:2828 -
\??\c:\nhnbnh.exec:\nhnbnh.exe50⤵PID:3444
-
\??\c:\006000.exec:\006000.exe51⤵
- Executes dropped EXE
PID:1304 -
\??\c:\s8882.exec:\s8882.exe52⤵
- Executes dropped EXE
PID:4180 -
\??\c:\vddvp.exec:\vddvp.exe53⤵
- Executes dropped EXE
PID:8 -
\??\c:\m0644.exec:\m0644.exe54⤵
- Executes dropped EXE
PID:4392 -
\??\c:\bnhbnh.exec:\bnhbnh.exe55⤵
- Executes dropped EXE
PID:372 -
\??\c:\46226.exec:\46226.exe56⤵
- Executes dropped EXE
PID:2104 -
\??\c:\422204.exec:\422204.exe57⤵
- Executes dropped EXE
PID:3012 -
\??\c:\c888660.exec:\c888660.exe58⤵
- Executes dropped EXE
PID:3948 -
\??\c:\lllfxfx.exec:\lllfxfx.exe59⤵
- Executes dropped EXE
PID:452 -
\??\c:\20820.exec:\20820.exe60⤵
- Executes dropped EXE
PID:3008 -
\??\c:\7xlrfrf.exec:\7xlrfrf.exe61⤵
- Executes dropped EXE
PID:3872 -
\??\c:\jjjpd.exec:\jjjpd.exe62⤵
- Executes dropped EXE
PID:3452 -
\??\c:\e66462.exec:\e66462.exe63⤵
- Executes dropped EXE
PID:756 -
\??\c:\82260.exec:\82260.exe64⤵
- Executes dropped EXE
PID:216 -
\??\c:\44422.exec:\44422.exe65⤵
- Executes dropped EXE
PID:1608 -
\??\c:\g4826.exec:\g4826.exe66⤵
- Executes dropped EXE
PID:4192 -
\??\c:\rfxlxlx.exec:\rfxlxlx.exe67⤵PID:2156
-
\??\c:\422266.exec:\422266.exe68⤵PID:2320
-
\??\c:\a6204.exec:\a6204.exe69⤵PID:2336
-
\??\c:\66886.exec:\66886.exe70⤵PID:1992
-
\??\c:\djjpj.exec:\djjpj.exe71⤵PID:4204
-
\??\c:\040044.exec:\040044.exe72⤵PID:388
-
\??\c:\q28268.exec:\q28268.exe73⤵PID:2296
-
\??\c:\q44422.exec:\q44422.exe74⤵PID:3668
-
\??\c:\604208.exec:\604208.exe75⤵PID:3628
-
\??\c:\228244.exec:\228244.exe76⤵PID:4748
-
\??\c:\fxfxllx.exec:\fxfxllx.exe77⤵PID:428
-
\??\c:\2688440.exec:\2688440.exe78⤵PID:464
-
\??\c:\280604.exec:\280604.exe79⤵PID:1628
-
\??\c:\s6602.exec:\s6602.exe80⤵PID:5076
-
\??\c:\jdvpv.exec:\jdvpv.exe81⤵PID:2408
-
\??\c:\g6086.exec:\g6086.exe82⤵PID:3952
-
\??\c:\rffrlfr.exec:\rffrlfr.exe83⤵PID:2016
-
\??\c:\3tnbnb.exec:\3tnbnb.exe84⤵PID:5060
-
\??\c:\nnhbnb.exec:\nnhbnb.exe85⤵PID:2824
-
\??\c:\hbbttt.exec:\hbbttt.exe86⤵PID:1252
-
\??\c:\c886486.exec:\c886486.exe87⤵PID:5052
-
\??\c:\8040628.exec:\8040628.exe88⤵PID:4800
-
\??\c:\604068.exec:\604068.exe89⤵PID:4088
-
\??\c:\84604.exec:\84604.exe90⤵PID:4704
-
\??\c:\04442.exec:\04442.exe91⤵PID:4876
-
\??\c:\46268.exec:\46268.exe92⤵PID:1192
-
\??\c:\7bhbtt.exec:\7bhbtt.exe93⤵PID:1096
-
\??\c:\2048648.exec:\2048648.exe94⤵PID:3820
-
\??\c:\42826.exec:\42826.exe95⤵PID:1572
-
\??\c:\8848228.exec:\8848228.exe96⤵PID:4624
-
\??\c:\i466228.exec:\i466228.exe97⤵PID:2488
-
\??\c:\42286.exec:\42286.exe98⤵PID:2060
-
\??\c:\i000882.exec:\i000882.exe99⤵PID:4620
-
\??\c:\24264.exec:\24264.exe100⤵PID:2160
-
\??\c:\60260.exec:\60260.exe101⤵PID:4032
-
\??\c:\9fxlrxl.exec:\9fxlrxl.exe102⤵PID:3636
-
\??\c:\062222.exec:\062222.exe103⤵PID:3308
-
\??\c:\fllfxxr.exec:\fllfxxr.exe104⤵
- System Location Discovery: System Language Discovery
PID:4812 -
\??\c:\lfxrfxl.exec:\lfxrfxl.exe105⤵PID:2464
-
\??\c:\xrxxfff.exec:\xrxxfff.exe106⤵PID:1328
-
\??\c:\5pjdp.exec:\5pjdp.exe107⤵PID:716
-
\??\c:\s4480.exec:\s4480.exe108⤵PID:2524
-
\??\c:\lflxllr.exec:\lflxllr.exe109⤵PID:4532
-
\??\c:\xxlfxxx.exec:\xxlfxxx.exe110⤵PID:5116
-
\??\c:\nhnbhb.exec:\nhnbhb.exe111⤵PID:3348
-
\??\c:\4264204.exec:\4264204.exe112⤵PID:2828
-
\??\c:\82446.exec:\82446.exe113⤵PID:3444
-
\??\c:\rffxlxr.exec:\rffxlxr.exe114⤵PID:868
-
\??\c:\bhhhnn.exec:\bhhhnn.exe115⤵PID:1304
-
\??\c:\6848826.exec:\6848826.exe116⤵PID:5040
-
\??\c:\24066.exec:\24066.exe117⤵PID:1740
-
\??\c:\66648.exec:\66648.exe118⤵PID:3944
-
\??\c:\m2822.exec:\m2822.exe119⤵PID:1788
-
\??\c:\c666004.exec:\c666004.exe120⤵PID:1456
-
\??\c:\1vpvj.exec:\1vpvj.exe121⤵PID:1652
-
\??\c:\rrrlxxr.exec:\rrrlxxr.exe122⤵PID:2084