Analysis
-
max time kernel
120s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 15:06
Static task
static1
1 signature
Behavioral task (task summary; note that the signature detail and process tree below are prefixed behavioral2 and come from the Windows 10 run on win10v2004-20241007-en listed in the Analysis header, not from the win7 resource named here)
behavioral1
Sample
566fa276b1ca49e7de18f0cfc2bad39e6fc8722c457b19841f30d7e05d0ace8fN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
566fa276b1ca49e7de18f0cfc2bad39e6fc8722c457b19841f30d7e05d0ace8fN.exe
-
Size
454KB
-
MD5
6ca2580a1d08c5e5b3d1182cf10cd8e0
-
SHA1
b69acd30f2cd68f673c06d9d739db9fb95aab3b0
-
SHA256
566fa276b1ca49e7de18f0cfc2bad39e6fc8722c457b19841f30d7e05d0ace8f
-
SHA512
ab0d7473a29fe7f30b2de7453ec2815c87fd154b95cd52098a518b1c41b1693719ef6c141b0b0086b72742e62807086ba956f85d7af4e4a3907f0d7be3ccbc46
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeqK:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3680-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4656-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/528-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-949-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-959-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-1033-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2176-1134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list is capped at 64 entries; the process tree below continues past it). Caveat: PIDs are reused within this run — 4168, 4896, 1636 and 4180 each appear twice with different executables — so a bare PID does not identify a single process here; correlate PID with the dump offset/sequence number as well.
pid Process 4912 402660.exe 4168 24424.exe 4896 426868.exe 4844 k20004.exe 4584 dpvjd.exe 1636 9hbnbb.exe 1584 9hnhbt.exe 2292 240404.exe 4280 u442042.exe 3224 vvjjd.exe 4956 3fflrlx.exe 4180 7jvpv.exe 1852 9lrffff.exe 3356 lxxxfxl.exe 1312 8442006.exe 2948 666488.exe 768 jvvjv.exe 2400 fxxxrrr.exe 3332 tnnbtn.exe 3148 e84888.exe 764 rflxrll.exe 3996 488044.exe 4904 224028.exe 2908 3pjvp.exe 2564 lflflfl.exe 1036 1htnth.exe 3012 5jjvj.exe 2412 42668.exe 4656 dvpdp.exe 3104 i826482.exe 4296 60642.exe 512 2026408.exe 4000 0686486.exe 1460 g0800.exe 3192 24040.exe 3032 842224.exe 1748 jjpdd.exe 3940 hhttbt.exe 1108 9jjvp.exe 4024 86604.exe 2036 86860.exe 4632 0886048.exe 3624 i604480.exe 3520 rrxfffx.exe 1652 dvvpp.exe 2864 48008.exe 3736 vdpvp.exe 1144 40602.exe 4168 062222.exe 1360 pjpjd.exe 4896 fxxrffr.exe 2020 484822.exe 4016 5ppdp.exe 4808 44624.exe 1908 nnbthh.exe 1636 jdvpj.exe 1780 jvjdd.exe 708 xlxrfff.exe 820 6400606.exe 3524 8682828.exe 1928 620484.exe 2452 2466660.exe 528 1vvvv.exe 4180 1pdjd.exe -
UPX-packed executable detected in memory (yara rule `upx`; same 0x400000-0x42A000 image range as the Blackmoon hits, so the packer match and the family match refer to the same unpacked region)
resource yara_rule behavioral2/memory/3680-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3104-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-331-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/696-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-949-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-959-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also common in benign software, so this signature is weak evidence on its own; it is notable here mainly because it is performed by the dropped executables in the chain. Entries marked "Process not Found" could not be attributed to a process by the sandbox (likely short-lived processes that had already exited by the time the PID was resolved).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrffrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbnht.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (list capped at 64 entries). Each parent writes into the memory of the child it has just spawned (e.g. 3680 → 4912 402660.exe, 4912 → 4168 24424.exe), repeated three times per child, which is consistent with a process-hollowing/injection step at each link of the chain rather than cross-process tampering with unrelated processes.
description pid Process procid_target PID 3680 wrote to memory of 4912 3680 566fa276b1ca49e7de18f0cfc2bad39e6fc8722c457b19841f30d7e05d0ace8fN.exe 83 PID 3680 wrote to memory of 4912 3680 566fa276b1ca49e7de18f0cfc2bad39e6fc8722c457b19841f30d7e05d0ace8fN.exe 83 PID 3680 wrote to memory of 4912 3680 566fa276b1ca49e7de18f0cfc2bad39e6fc8722c457b19841f30d7e05d0ace8fN.exe 83 PID 4912 wrote to memory of 4168 4912 402660.exe 84 PID 4912 wrote to memory of 4168 4912 402660.exe 84 PID 4912 wrote to memory of 4168 4912 402660.exe 84 PID 4168 wrote to memory of 4896 4168 24424.exe 85 PID 4168 wrote to memory of 4896 4168 24424.exe 85 PID 4168 wrote to memory of 4896 4168 24424.exe 85 PID 4896 wrote to memory of 4844 4896 426868.exe 86 PID 4896 wrote to memory of 4844 4896 426868.exe 86 PID 4896 wrote to memory of 4844 4896 426868.exe 86 PID 4844 wrote to memory of 4584 4844 k20004.exe 87 PID 4844 wrote to memory of 4584 4844 k20004.exe 87 PID 4844 wrote to memory of 4584 4844 k20004.exe 87 PID 4584 wrote to memory of 1636 4584 dpvjd.exe 88 PID 4584 wrote to memory of 1636 4584 dpvjd.exe 88 PID 4584 wrote to memory of 1636 4584 dpvjd.exe 88 PID 1636 wrote to memory of 1584 1636 9hbnbb.exe 89 PID 1636 wrote to memory of 1584 1636 9hbnbb.exe 89 PID 1636 wrote to memory of 1584 1636 9hbnbb.exe 89 PID 1584 wrote to memory of 2292 1584 9hnhbt.exe 90 PID 1584 wrote to memory of 2292 1584 9hnhbt.exe 90 PID 1584 wrote to memory of 2292 1584 9hnhbt.exe 90 PID 2292 wrote to memory of 4280 2292 240404.exe 91 PID 2292 wrote to memory of 4280 2292 240404.exe 91 PID 2292 wrote to memory of 4280 2292 240404.exe 91 PID 4280 wrote to memory of 3224 4280 u442042.exe 92 PID 4280 wrote to memory of 3224 4280 u442042.exe 92 PID 4280 wrote to memory of 3224 4280 u442042.exe 92 PID 3224 wrote to memory of 4956 3224 vvjjd.exe 93 PID 3224 wrote to memory of 4956 3224 vvjjd.exe 93 PID 3224 wrote to memory of 4956 3224 vvjjd.exe 93 PID 4956 wrote to memory of 4180 4956 3fflrlx.exe 94 PID 4956 wrote to 
memory of 4180 4956 3fflrlx.exe 94 PID 4956 wrote to memory of 4180 4956 3fflrlx.exe 94 PID 4180 wrote to memory of 1852 4180 7jvpv.exe 95 PID 4180 wrote to memory of 1852 4180 7jvpv.exe 95 PID 4180 wrote to memory of 1852 4180 7jvpv.exe 95 PID 1852 wrote to memory of 3356 1852 9lrffff.exe 96 PID 1852 wrote to memory of 3356 1852 9lrffff.exe 96 PID 1852 wrote to memory of 3356 1852 9lrffff.exe 96 PID 3356 wrote to memory of 1312 3356 lxxxfxl.exe 97 PID 3356 wrote to memory of 1312 3356 lxxxfxl.exe 97 PID 3356 wrote to memory of 1312 3356 lxxxfxl.exe 97 PID 1312 wrote to memory of 2948 1312 8442006.exe 98 PID 1312 wrote to memory of 2948 1312 8442006.exe 98 PID 1312 wrote to memory of 2948 1312 8442006.exe 98 PID 2948 wrote to memory of 768 2948 666488.exe 99 PID 2948 wrote to memory of 768 2948 666488.exe 99 PID 2948 wrote to memory of 768 2948 666488.exe 99 PID 768 wrote to memory of 2400 768 jvvjv.exe 100 PID 768 wrote to memory of 2400 768 jvvjv.exe 100 PID 768 wrote to memory of 2400 768 jvvjv.exe 100 PID 2400 wrote to memory of 3332 2400 fxxxrrr.exe 101 PID 2400 wrote to memory of 3332 2400 fxxxrrr.exe 101 PID 2400 wrote to memory of 3332 2400 fxxxrrr.exe 101 PID 3332 wrote to memory of 3148 3332 tnnbtn.exe 102 PID 3332 wrote to memory of 3148 3332 tnnbtn.exe 102 PID 3332 wrote to memory of 3148 3332 tnnbtn.exe 102 PID 3148 wrote to memory of 764 3148 e84888.exe 103 PID 3148 wrote to memory of 764 3148 e84888.exe 103 PID 3148 wrote to memory of 764 3148 e84888.exe 103 PID 764 wrote to memory of 3996 764 rflxrll.exe 104
Processes (each dropped executable is written to the root of c:\ under a short pseudo-random name and launches the next link in the chain; the tree reaches depth 122 within the 120-second run)
-
C:\Users\Admin\AppData\Local\Temp\566fa276b1ca49e7de18f0cfc2bad39e6fc8722c457b19841f30d7e05d0ace8fN.exe"C:\Users\Admin\AppData\Local\Temp\566fa276b1ca49e7de18f0cfc2bad39e6fc8722c457b19841f30d7e05d0ace8fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\402660.exec:\402660.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\24424.exec:\24424.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\426868.exec:\426868.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\k20004.exec:\k20004.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\dpvjd.exec:\dpvjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\9hbnbb.exec:\9hbnbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\9hnhbt.exec:\9hnhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\240404.exec:\240404.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\u442042.exec:\u442042.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\vvjjd.exec:\vvjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\3fflrlx.exec:\3fflrlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\7jvpv.exec:\7jvpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\9lrffff.exec:\9lrffff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\lxxxfxl.exec:\lxxxfxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\8442006.exec:\8442006.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\666488.exec:\666488.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\jvvjv.exec:\jvvjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\fxxxrrr.exec:\fxxxrrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\tnnbtn.exec:\tnnbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\e84888.exec:\e84888.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\rflxrll.exec:\rflxrll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\488044.exec:\488044.exe23⤵
- Executes dropped EXE
PID:3996 -
\??\c:\224028.exec:\224028.exe24⤵
- Executes dropped EXE
PID:4904 -
\??\c:\3pjvp.exec:\3pjvp.exe25⤵
- Executes dropped EXE
PID:2908 -
\??\c:\lflflfl.exec:\lflflfl.exe26⤵
- Executes dropped EXE
PID:2564 -
\??\c:\1htnth.exec:\1htnth.exe27⤵
- Executes dropped EXE
PID:1036 -
\??\c:\5jjvj.exec:\5jjvj.exe28⤵
- Executes dropped EXE
PID:3012 -
\??\c:\42668.exec:\42668.exe29⤵
- Executes dropped EXE
PID:2412 -
\??\c:\dvpdp.exec:\dvpdp.exe30⤵
- Executes dropped EXE
PID:4656 -
\??\c:\i826482.exec:\i826482.exe31⤵
- Executes dropped EXE
PID:3104 -
\??\c:\60642.exec:\60642.exe32⤵
- Executes dropped EXE
PID:4296 -
\??\c:\2026408.exec:\2026408.exe33⤵
- Executes dropped EXE
PID:512 -
\??\c:\0686486.exec:\0686486.exe34⤵
- Executes dropped EXE
PID:4000 -
\??\c:\g0800.exec:\g0800.exe35⤵
- Executes dropped EXE
PID:1460 -
\??\c:\24040.exec:\24040.exe36⤵
- Executes dropped EXE
PID:3192 -
\??\c:\842224.exec:\842224.exe37⤵
- Executes dropped EXE
PID:3032 -
\??\c:\jjpdd.exec:\jjpdd.exe38⤵
- Executes dropped EXE
PID:1748 -
\??\c:\hhttbt.exec:\hhttbt.exe39⤵
- Executes dropped EXE
PID:3940 -
\??\c:\9jjvp.exec:\9jjvp.exe40⤵
- Executes dropped EXE
PID:1108 -
\??\c:\86604.exec:\86604.exe41⤵
- Executes dropped EXE
PID:4024 -
\??\c:\86860.exec:\86860.exe42⤵
- Executes dropped EXE
PID:2036 -
\??\c:\0886048.exec:\0886048.exe43⤵
- Executes dropped EXE
PID:4632 -
\??\c:\i604480.exec:\i604480.exe44⤵
- Executes dropped EXE
PID:3624 -
\??\c:\rrxfffx.exec:\rrxfffx.exe45⤵
- Executes dropped EXE
PID:3520 -
\??\c:\dvvpp.exec:\dvvpp.exe46⤵
- Executes dropped EXE
PID:1652 -
\??\c:\48008.exec:\48008.exe47⤵
- Executes dropped EXE
PID:2864 -
\??\c:\vdpvp.exec:\vdpvp.exe48⤵
- Executes dropped EXE
PID:3736 -
\??\c:\40602.exec:\40602.exe49⤵
- Executes dropped EXE
PID:1144 -
\??\c:\062222.exec:\062222.exe50⤵
- Executes dropped EXE
PID:4168 -
\??\c:\pjpjd.exec:\pjpjd.exe51⤵
- Executes dropped EXE
PID:1360 -
\??\c:\fxxrffr.exec:\fxxrffr.exe52⤵
- Executes dropped EXE
PID:4896 -
\??\c:\484822.exec:\484822.exe53⤵
- Executes dropped EXE
PID:2020 -
\??\c:\5ppdp.exec:\5ppdp.exe54⤵
- Executes dropped EXE
PID:4016 -
\??\c:\44624.exec:\44624.exe55⤵
- Executes dropped EXE
PID:4808 -
\??\c:\nnbthh.exec:\nnbthh.exe56⤵
- Executes dropped EXE
PID:1908 -
\??\c:\jdvpj.exec:\jdvpj.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636 -
\??\c:\jvjdd.exec:\jvjdd.exe58⤵
- Executes dropped EXE
PID:1780 -
\??\c:\xlxrfff.exec:\xlxrfff.exe59⤵
- Executes dropped EXE
PID:708 -
\??\c:\6400606.exec:\6400606.exe60⤵
- Executes dropped EXE
PID:820 -
\??\c:\8682828.exec:\8682828.exe61⤵
- Executes dropped EXE
PID:3524 -
\??\c:\620484.exec:\620484.exe62⤵
- Executes dropped EXE
PID:1928 -
\??\c:\2466660.exec:\2466660.exe63⤵
- Executes dropped EXE
PID:2452 -
\??\c:\1vvvv.exec:\1vvvv.exe64⤵
- Executes dropped EXE
PID:528 -
\??\c:\1pdjd.exec:\1pdjd.exe65⤵
- Executes dropped EXE
PID:4180 -
\??\c:\dvjjd.exec:\dvjjd.exe66⤵PID:4532
-
\??\c:\06260.exec:\06260.exe67⤵PID:4740
-
\??\c:\pdpjv.exec:\pdpjv.exe68⤵PID:5012
-
\??\c:\q84866.exec:\q84866.exe69⤵PID:3728
-
\??\c:\fxxrffx.exec:\fxxrffx.exe70⤵PID:1016
-
\??\c:\684866.exec:\684866.exe71⤵PID:3888
-
\??\c:\068222.exec:\068222.exe72⤵PID:3900
-
\??\c:\684826.exec:\684826.exe73⤵PID:4572
-
\??\c:\48048.exec:\48048.exe74⤵PID:696
-
\??\c:\428600.exec:\428600.exe75⤵PID:3148
-
\??\c:\jddvv.exec:\jddvv.exe76⤵PID:868
-
\??\c:\6244882.exec:\6244882.exe77⤵PID:1740
-
\??\c:\pjppv.exec:\pjppv.exe78⤵PID:4568
-
\??\c:\m4600.exec:\m4600.exe79⤵PID:3152
-
\??\c:\vjjvj.exec:\vjjvj.exe80⤵PID:4196
-
\??\c:\httbhb.exec:\httbhb.exe81⤵PID:2588
-
\??\c:\frxrfxx.exec:\frxrfxx.exe82⤵PID:2564
-
\??\c:\bbbthb.exec:\bbbthb.exe83⤵PID:5020
-
\??\c:\48420.exec:\48420.exe84⤵PID:2168
-
\??\c:\60604.exec:\60604.exe85⤵PID:3620
-
\??\c:\bhnhbh.exec:\bhnhbh.exe86⤵PID:2004
-
\??\c:\4060260.exec:\4060260.exe87⤵PID:3740
-
\??\c:\q62288.exec:\q62288.exe88⤵PID:1732
-
\??\c:\04044.exec:\04044.exe89⤵PID:4452
-
\??\c:\60008.exec:\60008.exe90⤵
- System Location Discovery: System Language Discovery
PID:4424 -
\??\c:\jjjjp.exec:\jjjjp.exe91⤵PID:532
-
\??\c:\48268.exec:\48268.exe92⤵PID:4672
-
\??\c:\1rlxlfr.exec:\1rlxlfr.exe93⤵PID:1132
-
\??\c:\9xrfrlf.exec:\9xrfrlf.exe94⤵PID:1460
-
\??\c:\3xlrfrl.exec:\3xlrfrl.exe95⤵PID:3192
-
\??\c:\vdjjv.exec:\vdjjv.exe96⤵PID:5068
-
\??\c:\thbnbn.exec:\thbnbn.exe97⤵PID:4576
-
\??\c:\thhnbn.exec:\thhnbn.exe98⤵PID:3984
-
\??\c:\dvvjd.exec:\dvvjd.exe99⤵PID:5040
-
\??\c:\44624.exec:\44624.exe100⤵PID:4804
-
\??\c:\c404820.exec:\c404820.exe101⤵PID:3188
-
\??\c:\lrlxfxx.exec:\lrlxfxx.exe102⤵PID:368
-
\??\c:\64000.exec:\64000.exe103⤵PID:4776
-
\??\c:\022028.exec:\022028.exe104⤵PID:4348
-
\??\c:\tttnth.exec:\tttnth.exe105⤵PID:4008
-
\??\c:\28820.exec:\28820.exe106⤵PID:4340
-
\??\c:\1dvjp.exec:\1dvjp.exe107⤵PID:1520
-
\??\c:\3hbbhb.exec:\3hbbhb.exe108⤵PID:2932
-
\??\c:\tbntbn.exec:\tbntbn.exe109⤵PID:1336
-
\??\c:\5dddp.exec:\5dddp.exe110⤵PID:4916
-
\??\c:\rfxrfxr.exec:\rfxrfxr.exe111⤵PID:1020
-
\??\c:\jjpjp.exec:\jjpjp.exe112⤵PID:2532
-
\??\c:\rllxlfr.exec:\rllxlfr.exe113⤵PID:1736
-
\??\c:\1jddj.exec:\1jddj.exe114⤵PID:3552
-
\??\c:\pddjv.exec:\pddjv.exe115⤵PID:4524
-
\??\c:\vjjvp.exec:\vjjvp.exe116⤵PID:4016
-
\??\c:\84042.exec:\84042.exe117⤵PID:1416
-
\??\c:\08820.exec:\08820.exe118⤵PID:3132
-
\??\c:\hhbbtt.exec:\hhbbtt.exe119⤵PID:1636
-
\??\c:\vppjv.exec:\vppjv.exe120⤵PID:1824
-
\??\c:\vpvpj.exec:\vpvpj.exe121⤵PID:3844
-
\??\c:\m6868.exec:\m6868.exe122⤵PID:1768