Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 15:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe
-
Size
454KB
-
MD5
71d15315b7e75d78da8bbc4bfc2daef2
-
SHA1
b69b8df734ed6321c5be9d9d6b570727e94a9df7
-
SHA256
5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b
-
SHA512
51584613d82ba8d0fe83b61ab0933a31cf40370978f96c997eae1cae2cc2fb36146194ddcded50a9aa5c1433f7b488a6f4c84e4e8e9fd77c5b2d9986345c3a65
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAber:q7Tc2NYHUrAwfMp3CDr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2376-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/416-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/228-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3024-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-943-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-1044-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-1202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-1230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1428-1765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 984 028260.exe 3616 vdjdv.exe 2276 tnhnhh.exe 3172 m8440.exe 4644 tbhhhn.exe 4632 vvpdp.exe 2700 202680.exe 2104 9fxrfxl.exe 2008 7rrlfxr.exe 1596 808482.exe 1656 jvjvj.exe 416 e64242.exe 2220 6808822.exe 4668 24040.exe 1964 00642.exe 2652 68882.exe 2728 3xrllll.exe 2880 240444.exe 660 ntbtth.exe 4648 7xrlffx.exe 4992 2866000.exe 3128 pjvpj.exe 4384 262600.exe 3240 846642.exe 2456 pppdp.exe 228 28464.exe 3132 nhbntn.exe 3080 5ppdv.exe 2136 440420.exe 4156 864086.exe 4944 00420.exe 3088 0442266.exe 4880 6064208.exe 2004 nbtnbn.exe 4492 222226.exe 2164 062460.exe 2336 0820044.exe 4912 flfxlrx.exe 624 7jdvp.exe 3348 460886.exe 4772 thtbnb.exe 2152 7bhtbt.exe 5096 btnbnb.exe 620 26486.exe 4964 vdvjp.exe 3976 g4464.exe 3104 vjdvj.exe 3204 xfxffxl.exe 3236 frlxlxl.exe 2256 204426.exe 2720 u280042.exe 1128 g4420.exe 2812 7tnbnb.exe 4148 nnnbtn.exe 3292 ntntnb.exe 536 0284488.exe 4644 640442.exe 1508 3ppdp.exe 3040 0284888.exe 3512 66086.exe 1668 2286864.exe 4264 fxrfrlx.exe 2852 q84826.exe 464 w22082.exe -
resource yara_rule behavioral2/memory/2376-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/416-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/228-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-350-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5104-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-943-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4224888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0442266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0400606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhtt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2376 wrote to memory of 984 2376 5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe 83 PID 2376 wrote to memory of 984 2376 5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe 83 PID 2376 wrote to memory of 984 2376 5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe 83 PID 984 wrote to memory of 3616 984 028260.exe 84 PID 984 wrote to memory of 3616 984 028260.exe 84 PID 984 wrote to memory of 3616 984 028260.exe 84 PID 3616 wrote to memory of 2276 3616 vdjdv.exe 85 PID 3616 wrote to memory of 2276 3616 vdjdv.exe 85 PID 3616 wrote to memory of 2276 3616 vdjdv.exe 85 PID 2276 wrote to memory of 3172 2276 tnhnhh.exe 86 PID 2276 wrote to memory of 3172 2276 tnhnhh.exe 86 PID 2276 wrote to memory of 3172 2276 tnhnhh.exe 86 PID 3172 wrote to memory of 4644 3172 m8440.exe 87 PID 3172 wrote to memory of 4644 3172 m8440.exe 87 PID 3172 wrote to memory of 4644 3172 m8440.exe 87 PID 4644 wrote to memory of 4632 4644 tbhhhn.exe 88 PID 4644 wrote to memory of 4632 4644 tbhhhn.exe 88 PID 4644 wrote to memory of 4632 4644 tbhhhn.exe 88 PID 4632 wrote to memory of 2700 4632 vvpdp.exe 89 PID 4632 wrote to memory of 2700 4632 vvpdp.exe 89 PID 4632 wrote to memory of 2700 4632 vvpdp.exe 89 PID 2700 wrote to memory of 2104 2700 202680.exe 90 PID 2700 wrote to memory of 2104 2700 202680.exe 90 PID 2700 wrote to memory of 2104 2700 202680.exe 90 PID 2104 wrote to memory of 2008 2104 9fxrfxl.exe 91 PID 2104 wrote to memory of 2008 2104 9fxrfxl.exe 91 PID 2104 wrote to memory of 2008 2104 9fxrfxl.exe 91 PID 2008 wrote to memory of 1596 2008 7rrlfxr.exe 92 PID 2008 wrote to memory of 1596 2008 7rrlfxr.exe 92 PID 2008 wrote to memory of 1596 2008 7rrlfxr.exe 92 PID 1596 wrote to memory of 1656 1596 808482.exe 93 PID 1596 wrote to memory of 1656 1596 808482.exe 93 PID 1596 wrote to memory of 1656 1596 808482.exe 93 PID 1656 wrote to memory of 416 1656 jvjvj.exe 94 PID 1656 wrote to memory of 416 
1656 jvjvj.exe 94 PID 1656 wrote to memory of 416 1656 jvjvj.exe 94 PID 416 wrote to memory of 2220 416 e64242.exe 95 PID 416 wrote to memory of 2220 416 e64242.exe 95 PID 416 wrote to memory of 2220 416 e64242.exe 95 PID 2220 wrote to memory of 4668 2220 6808822.exe 96 PID 2220 wrote to memory of 4668 2220 6808822.exe 96 PID 2220 wrote to memory of 4668 2220 6808822.exe 96 PID 4668 wrote to memory of 1964 4668 24040.exe 97 PID 4668 wrote to memory of 1964 4668 24040.exe 97 PID 4668 wrote to memory of 1964 4668 24040.exe 97 PID 1964 wrote to memory of 2652 1964 00642.exe 98 PID 1964 wrote to memory of 2652 1964 00642.exe 98 PID 1964 wrote to memory of 2652 1964 00642.exe 98 PID 2652 wrote to memory of 2728 2652 68882.exe 99 PID 2652 wrote to memory of 2728 2652 68882.exe 99 PID 2652 wrote to memory of 2728 2652 68882.exe 99 PID 2728 wrote to memory of 2880 2728 3xrllll.exe 100 PID 2728 wrote to memory of 2880 2728 3xrllll.exe 100 PID 2728 wrote to memory of 2880 2728 3xrllll.exe 100 PID 2880 wrote to memory of 660 2880 240444.exe 101 PID 2880 wrote to memory of 660 2880 240444.exe 101 PID 2880 wrote to memory of 660 2880 240444.exe 101 PID 660 wrote to memory of 4648 660 ntbtth.exe 102 PID 660 wrote to memory of 4648 660 ntbtth.exe 102 PID 660 wrote to memory of 4648 660 ntbtth.exe 102 PID 4648 wrote to memory of 4992 4648 7xrlffx.exe 103 PID 4648 wrote to memory of 4992 4648 7xrlffx.exe 103 PID 4648 wrote to memory of 4992 4648 7xrlffx.exe 103 PID 4992 wrote to memory of 3128 4992 2866000.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe"C:\Users\Admin\AppData\Local\Temp\5a31f7bd447684b6ac25c80cbf9ae5b2e9de8bc31fc4d3de7f8845ac54f2ca2b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\028260.exec:\028260.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\vdjdv.exec:\vdjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\tnhnhh.exec:\tnhnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\m8440.exec:\m8440.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\tbhhhn.exec:\tbhhhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\vvpdp.exec:\vvpdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\202680.exec:\202680.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\9fxrfxl.exec:\9fxrfxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\7rrlfxr.exec:\7rrlfxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\808482.exec:\808482.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\jvjvj.exec:\jvjvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\e64242.exec:\e64242.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
\??\c:\6808822.exec:\6808822.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\24040.exec:\24040.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\00642.exec:\00642.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\68882.exec:\68882.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\3xrllll.exec:\3xrllll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\240444.exec:\240444.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\ntbtth.exec:\ntbtth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
\??\c:\7xrlffx.exec:\7xrlffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\2866000.exec:\2866000.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\pjvpj.exec:\pjvpj.exe23⤵
- Executes dropped EXE
PID:3128 -
\??\c:\262600.exec:\262600.exe24⤵
- Executes dropped EXE
PID:4384 -
\??\c:\846642.exec:\846642.exe25⤵
- Executes dropped EXE
PID:3240 -
\??\c:\pppdp.exec:\pppdp.exe26⤵
- Executes dropped EXE
PID:2456 -
\??\c:\28464.exec:\28464.exe27⤵
- Executes dropped EXE
PID:228 -
\??\c:\nhbntn.exec:\nhbntn.exe28⤵
- Executes dropped EXE
PID:3132 -
\??\c:\5ppdv.exec:\5ppdv.exe29⤵
- Executes dropped EXE
PID:3080 -
\??\c:\440420.exec:\440420.exe30⤵
- Executes dropped EXE
PID:2136 -
\??\c:\864086.exec:\864086.exe31⤵
- Executes dropped EXE
PID:4156 -
\??\c:\00420.exec:\00420.exe32⤵
- Executes dropped EXE
PID:4944 -
\??\c:\0442266.exec:\0442266.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3088 -
\??\c:\6064208.exec:\6064208.exe34⤵
- Executes dropped EXE
PID:4880 -
\??\c:\nbtnbn.exec:\nbtnbn.exe35⤵
- Executes dropped EXE
PID:2004 -
\??\c:\222226.exec:\222226.exe36⤵
- Executes dropped EXE
PID:4492 -
\??\c:\062460.exec:\062460.exe37⤵
- Executes dropped EXE
PID:2164 -
\??\c:\0820044.exec:\0820044.exe38⤵
- Executes dropped EXE
PID:2336 -
\??\c:\flfxlrx.exec:\flfxlrx.exe39⤵
- Executes dropped EXE
PID:4912 -
\??\c:\7jdvp.exec:\7jdvp.exe40⤵
- Executes dropped EXE
PID:624 -
\??\c:\460886.exec:\460886.exe41⤵
- Executes dropped EXE
PID:3348 -
\??\c:\thtbnb.exec:\thtbnb.exe42⤵
- Executes dropped EXE
PID:4772 -
\??\c:\7bhtbt.exec:\7bhtbt.exe43⤵
- Executes dropped EXE
PID:2152 -
\??\c:\btnbnb.exec:\btnbnb.exe44⤵
- Executes dropped EXE
PID:5096 -
\??\c:\26486.exec:\26486.exe45⤵
- Executes dropped EXE
PID:620 -
\??\c:\vdvjp.exec:\vdvjp.exe46⤵
- Executes dropped EXE
PID:4964 -
\??\c:\g4464.exec:\g4464.exe47⤵
- Executes dropped EXE
PID:3976 -
\??\c:\vjdvj.exec:\vjdvj.exe48⤵
- Executes dropped EXE
PID:3104 -
\??\c:\xfxffxl.exec:\xfxffxl.exe49⤵
- Executes dropped EXE
PID:3204 -
\??\c:\frlxlxl.exec:\frlxlxl.exe50⤵
- Executes dropped EXE
PID:3236 -
\??\c:\vdjvp.exec:\vdjvp.exe51⤵PID:1360
-
\??\c:\204426.exec:\204426.exe52⤵
- Executes dropped EXE
PID:2256 -
\??\c:\u280042.exec:\u280042.exe53⤵
- Executes dropped EXE
PID:2720 -
\??\c:\g4420.exec:\g4420.exe54⤵
- Executes dropped EXE
PID:1128 -
\??\c:\7tnbnb.exec:\7tnbnb.exe55⤵
- Executes dropped EXE
PID:2812 -
\??\c:\nnnbtn.exec:\nnnbtn.exe56⤵
- Executes dropped EXE
PID:4148 -
\??\c:\ntntnb.exec:\ntntnb.exe57⤵
- Executes dropped EXE
PID:3292 -
\??\c:\0284488.exec:\0284488.exe58⤵
- Executes dropped EXE
PID:536 -
\??\c:\640442.exec:\640442.exe59⤵
- Executes dropped EXE
PID:4644 -
\??\c:\3ppdp.exec:\3ppdp.exe60⤵
- Executes dropped EXE
PID:1508 -
\??\c:\0284888.exec:\0284888.exe61⤵
- Executes dropped EXE
PID:3040 -
\??\c:\66086.exec:\66086.exe62⤵
- Executes dropped EXE
PID:3512 -
\??\c:\2286864.exec:\2286864.exe63⤵
- Executes dropped EXE
PID:1668 -
\??\c:\fxrfrlx.exec:\fxrfrlx.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4264 -
\??\c:\q84826.exec:\q84826.exe65⤵
- Executes dropped EXE
PID:2852 -
\??\c:\w22082.exec:\w22082.exe66⤵
- Executes dropped EXE
PID:464 -
\??\c:\xlxlrlx.exec:\xlxlrlx.exe67⤵PID:1952
-
\??\c:\lxrlrlx.exec:\lxrlrlx.exe68⤵PID:5044
-
\??\c:\bbtnnn.exec:\bbtnnn.exe69⤵PID:416
-
\??\c:\s4464.exec:\s4464.exe70⤵PID:1524
-
\??\c:\8888608.exec:\8888608.exe71⤵PID:468
-
\??\c:\2064044.exec:\2064044.exe72⤵PID:3576
-
\??\c:\642082.exec:\642082.exe73⤵PID:3276
-
\??\c:\9xrlxxl.exec:\9xrlxxl.exe74⤵PID:2168
-
\??\c:\4288268.exec:\4288268.exe75⤵PID:4268
-
\??\c:\nhthbn.exec:\nhthbn.exe76⤵PID:3952
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe77⤵PID:3024
-
\??\c:\866266.exec:\866266.exe78⤵PID:1372
-
\??\c:\1xxlfrl.exec:\1xxlfrl.exe79⤵PID:4648
-
\??\c:\djjpd.exec:\djjpd.exe80⤵PID:1404
-
\??\c:\jjppv.exec:\jjppv.exe81⤵PID:3844
-
\??\c:\w06004.exec:\w06004.exe82⤵PID:5104
-
\??\c:\djjvj.exec:\djjvj.exe83⤵PID:3768
-
\??\c:\thbnht.exec:\thbnht.exe84⤵PID:4836
-
\??\c:\frrfrlx.exec:\frrfrlx.exe85⤵PID:1896
-
\??\c:\rllfrrl.exec:\rllfrrl.exe86⤵PID:116
-
\??\c:\xrlxlfr.exec:\xrlxlfr.exe87⤵PID:224
-
\??\c:\204804.exec:\204804.exe88⤵PID:1956
-
\??\c:\vjdvj.exec:\vjdvj.exe89⤵PID:3160
-
\??\c:\080826.exec:\080826.exe90⤵PID:2876
-
\??\c:\1pppd.exec:\1pppd.exe91⤵PID:4272
-
\??\c:\pvvjv.exec:\pvvjv.exe92⤵PID:1928
-
\??\c:\8602620.exec:\8602620.exe93⤵PID:3004
-
\??\c:\llllxfr.exec:\llllxfr.exe94⤵PID:3412
-
\??\c:\nnnbnt.exec:\nnnbnt.exe95⤵PID:3036
-
\??\c:\s0206.exec:\s0206.exe96⤵PID:540
-
\??\c:\208284.exec:\208284.exe97⤵PID:2444
-
\??\c:\9rrlfxr.exec:\9rrlfxr.exe98⤵PID:452
-
\??\c:\4242604.exec:\4242604.exe99⤵PID:2004
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe100⤵PID:4492
-
\??\c:\jjppj.exec:\jjppj.exe101⤵PID:4252
-
\??\c:\280200.exec:\280200.exe102⤵PID:5092
-
\??\c:\jjjvd.exec:\jjjvd.exe103⤵PID:2640
-
\??\c:\660020.exec:\660020.exe104⤵PID:1816
-
\??\c:\thhtbn.exec:\thhtbn.exe105⤵PID:3348
-
\??\c:\s8826.exec:\s8826.exe106⤵PID:4544
-
\??\c:\8442464.exec:\8442464.exe107⤵PID:3304
-
\??\c:\5vdjj.exec:\5vdjj.exe108⤵PID:2776
-
\??\c:\jjpjv.exec:\jjpjv.exe109⤵PID:2952
-
\??\c:\rrlxlfr.exec:\rrlxlfr.exe110⤵PID:4520
-
\??\c:\5rlfxrf.exec:\5rlfxrf.exe111⤵PID:392
-
\??\c:\g4000.exec:\g4000.exe112⤵PID:436
-
\??\c:\222642.exec:\222642.exe113⤵PID:4472
-
\??\c:\rxrfrfx.exec:\rxrfrfx.exe114⤵PID:4524
-
\??\c:\vpdvd.exec:\vpdvd.exe115⤵PID:2376
-
\??\c:\2602486.exec:\2602486.exe116⤵PID:4040
-
\??\c:\o820224.exec:\o820224.exe117⤵PID:4432
-
\??\c:\thbnhb.exec:\thbnhb.exe118⤵PID:2620
-
\??\c:\7vdpd.exec:\7vdpd.exe119⤵PID:4148
-
\??\c:\i068048.exec:\i068048.exe120⤵PID:2920
-
\??\c:\jvpdp.exec:\jvpdp.exe121⤵PID:3980
-
\??\c:\440208.exec:\440208.exe122⤵PID:4324