Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 15:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ff7ba13f223d6d9318c588f9c01773be7190e8cb4e48a037033fdecaaee3842a.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
ff7ba13f223d6d9318c588f9c01773be7190e8cb4e48a037033fdecaaee3842a.exe
-
Size
453KB
-
MD5
a06d0b209997c77d96bb03c09588f2c2
-
SHA1
bbce60392a0d95e96663e58a68ca0898894e7f92
-
SHA256
ff7ba13f223d6d9318c588f9c01773be7190e8cb4e48a037033fdecaaee3842a
-
SHA512
436c5485ef5b777d91a585d5b678c5026198cedad8e12ad21bb8a289dbd6cdc0731402695205b9edefe544cbae136ea59080a0608f130019755c21551fb616fd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1332-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4144-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2100-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/332-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-950-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-1005-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-1492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1384 5fxfrfx.exe 4788 202004.exe 3928 884204.exe 2924 3dpdp.exe 2584 828860.exe 4336 60082.exe 1632 5llxrll.exe 4812 vddpd.exe 1200 1fxxlfr.exe 440 4846420.exe 3668 g8808.exe 3012 hhhhhh.exe 2520 4026004.exe 1064 jpdpj.exe 3868 rfrlxxr.exe 4540 bnnhhh.exe 628 284888.exe 860 88260.exe 4436 266088.exe 2720 8060882.exe 1836 dvvpj.exe 1880 fxxrxrr.exe 3960 8466666.exe 3340 8888660.exe 4748 26660.exe 1180 rllfrrl.exe 3288 26606.exe 4700 tttnhb.exe 4360 i800006.exe 2748 2084000.exe 4356 i882604.exe 1524 dvvpj.exe 1996 i400662.exe 4708 q28600.exe 2528 60604.exe 1740 dvdvv.exe 4820 08448.exe 1616 0406066.exe 3528 4806240.exe 1680 fxlfllr.exe 1080 jpvpj.exe 4328 jpvpj.exe 548 64048.exe 2220 nthttb.exe 2208 1flfllr.exe 4548 hbbtnn.exe 1764 vppjv.exe 4000 42266.exe 4348 66222.exe 4144 ppdpj.exe 1640 lflffff.exe 2372 202622.exe 4276 m0600.exe 372 tntntt.exe 1924 rrxrllf.exe 4696 frxrllf.exe 388 4800488.exe 2480 vpdvd.exe 4476 424800.exe 1260 62826.exe 3524 84426.exe 2332 6286420.exe 1804 040482.exe 2708 48448.exe -
resource yara_rule behavioral2/memory/1332-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-248-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/388-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-379-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/332-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-820-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-950-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-1005-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. (Note: many of the IoC rows below are attributed to "Process not Found", meaning the sandbox could not map the registry access back to a live process; treat those rows as unattributed rather than as evidence for a specific dropped binary.)
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6286420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w44204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 026086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0460606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4842042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0848266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6288882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0220864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84080.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4822604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4626004.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1332 wrote to memory of 1384 1332 ff7ba13f223d6d9318c588f9c01773be7190e8cb4e48a037033fdecaaee3842a.exe 83 PID 1332 wrote to memory of 1384 1332 ff7ba13f223d6d9318c588f9c01773be7190e8cb4e48a037033fdecaaee3842a.exe 83 PID 1332 wrote to memory of 1384 1332 ff7ba13f223d6d9318c588f9c01773be7190e8cb4e48a037033fdecaaee3842a.exe 83 PID 1384 wrote to memory of 4788 1384 5fxfrfx.exe 84 PID 1384 wrote to memory of 4788 1384 5fxfrfx.exe 84 PID 1384 wrote to memory of 4788 1384 5fxfrfx.exe 84 PID 4788 wrote to memory of 3928 4788 202004.exe 85 PID 4788 wrote to memory of 3928 4788 202004.exe 85 PID 4788 wrote to memory of 3928 4788 202004.exe 85 PID 3928 wrote to memory of 2924 3928 884204.exe 86 PID 3928 wrote to memory of 2924 3928 884204.exe 86 PID 3928 wrote to memory of 2924 3928 884204.exe 86 PID 2924 wrote to memory of 2584 2924 3dpdp.exe 87 PID 2924 wrote to memory of 2584 2924 3dpdp.exe 87 PID 2924 wrote to memory of 2584 2924 3dpdp.exe 87 PID 2584 wrote to memory of 4336 2584 828860.exe 88 PID 2584 wrote to memory of 4336 2584 828860.exe 88 PID 2584 wrote to memory of 4336 2584 828860.exe 88 PID 4336 wrote to memory of 1632 4336 60082.exe 89 PID 4336 wrote to memory of 1632 4336 60082.exe 89 PID 4336 wrote to memory of 1632 4336 60082.exe 89 PID 1632 wrote to memory of 4812 1632 5llxrll.exe 90 PID 1632 wrote to memory of 4812 1632 5llxrll.exe 90 PID 1632 wrote to memory of 4812 1632 5llxrll.exe 90 PID 4812 wrote to memory of 1200 4812 vddpd.exe 91 PID 4812 wrote to memory of 1200 4812 vddpd.exe 91 PID 4812 wrote to memory of 1200 4812 vddpd.exe 91 PID 1200 wrote to memory of 440 1200 1fxxlfr.exe 92 PID 1200 wrote to memory of 440 1200 1fxxlfr.exe 92 PID 1200 wrote to memory of 440 1200 1fxxlfr.exe 92 PID 440 wrote to memory of 3668 440 4846420.exe 93 PID 440 wrote to memory of 3668 440 4846420.exe 93 PID 440 wrote to memory of 3668 440 4846420.exe 93 PID 3668 wrote to memory of 3012 3668 g8808.exe 94 PID 3668 wrote to memory 
of 3012 3668 g8808.exe 94 PID 3668 wrote to memory of 3012 3668 g8808.exe 94 PID 3012 wrote to memory of 2520 3012 hhhhhh.exe 95 PID 3012 wrote to memory of 2520 3012 hhhhhh.exe 95 PID 3012 wrote to memory of 2520 3012 hhhhhh.exe 95 PID 2520 wrote to memory of 1064 2520 4026004.exe 96 PID 2520 wrote to memory of 1064 2520 4026004.exe 96 PID 2520 wrote to memory of 1064 2520 4026004.exe 96 PID 1064 wrote to memory of 3868 1064 jpdpj.exe 97 PID 1064 wrote to memory of 3868 1064 jpdpj.exe 97 PID 1064 wrote to memory of 3868 1064 jpdpj.exe 97 PID 3868 wrote to memory of 4540 3868 rfrlxxr.exe 98 PID 3868 wrote to memory of 4540 3868 rfrlxxr.exe 98 PID 3868 wrote to memory of 4540 3868 rfrlxxr.exe 98 PID 4540 wrote to memory of 628 4540 bnnhhh.exe 99 PID 4540 wrote to memory of 628 4540 bnnhhh.exe 99 PID 4540 wrote to memory of 628 4540 bnnhhh.exe 99 PID 628 wrote to memory of 860 628 284888.exe 100 PID 628 wrote to memory of 860 628 284888.exe 100 PID 628 wrote to memory of 860 628 284888.exe 100 PID 860 wrote to memory of 4436 860 88260.exe 101 PID 860 wrote to memory of 4436 860 88260.exe 101 PID 860 wrote to memory of 4436 860 88260.exe 101 PID 4436 wrote to memory of 2720 4436 266088.exe 102 PID 4436 wrote to memory of 2720 4436 266088.exe 102 PID 4436 wrote to memory of 2720 4436 266088.exe 102 PID 2720 wrote to memory of 1836 2720 8060882.exe 103 PID 2720 wrote to memory of 1836 2720 8060882.exe 103 PID 2720 wrote to memory of 1836 2720 8060882.exe 103 PID 1836 wrote to memory of 1880 1836 dvvpj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff7ba13f223d6d9318c588f9c01773be7190e8cb4e48a037033fdecaaee3842a.exe"C:\Users\Admin\AppData\Local\Temp\ff7ba13f223d6d9318c588f9c01773be7190e8cb4e48a037033fdecaaee3842a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\5fxfrfx.exec:\5fxfrfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\202004.exec:\202004.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\884204.exec:\884204.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\3dpdp.exec:\3dpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\828860.exec:\828860.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\60082.exec:\60082.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\5llxrll.exec:\5llxrll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\vddpd.exec:\vddpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\1fxxlfr.exec:\1fxxlfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\4846420.exec:\4846420.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\g8808.exec:\g8808.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\hhhhhh.exec:\hhhhhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\4026004.exec:\4026004.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\jpdpj.exec:\jpdpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\rfrlxxr.exec:\rfrlxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\bnnhhh.exec:\bnnhhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\284888.exec:\284888.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\88260.exec:\88260.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\266088.exec:\266088.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\8060882.exec:\8060882.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\dvvpj.exec:\dvvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\fxxrxrr.exec:\fxxrxrr.exe23⤵
- Executes dropped EXE
PID:1880 -
\??\c:\8466666.exec:\8466666.exe24⤵
- Executes dropped EXE
PID:3960 -
\??\c:\8888660.exec:\8888660.exe25⤵
- Executes dropped EXE
PID:3340 -
\??\c:\26660.exec:\26660.exe26⤵
- Executes dropped EXE
PID:4748 -
\??\c:\rllfrrl.exec:\rllfrrl.exe27⤵
- Executes dropped EXE
PID:1180 -
\??\c:\26606.exec:\26606.exe28⤵
- Executes dropped EXE
PID:3288 -
\??\c:\tttnhb.exec:\tttnhb.exe29⤵
- Executes dropped EXE
PID:4700 -
\??\c:\i800006.exec:\i800006.exe30⤵
- Executes dropped EXE
PID:4360 -
\??\c:\2084000.exec:\2084000.exe31⤵
- Executes dropped EXE
PID:2748 -
\??\c:\i882604.exec:\i882604.exe32⤵
- Executes dropped EXE
PID:4356 -
\??\c:\dvvpj.exec:\dvvpj.exe33⤵
- Executes dropped EXE
PID:1524 -
\??\c:\i400662.exec:\i400662.exe34⤵
- Executes dropped EXE
PID:1996 -
\??\c:\q28600.exec:\q28600.exe35⤵
- Executes dropped EXE
PID:4708 -
\??\c:\60604.exec:\60604.exe36⤵
- Executes dropped EXE
PID:2528 -
\??\c:\dvdvv.exec:\dvdvv.exe37⤵
- Executes dropped EXE
PID:1740 -
\??\c:\08448.exec:\08448.exe38⤵
- Executes dropped EXE
PID:4820 -
\??\c:\0406066.exec:\0406066.exe39⤵
- Executes dropped EXE
PID:1616 -
\??\c:\4806240.exec:\4806240.exe40⤵
- Executes dropped EXE
PID:3528 -
\??\c:\fxlfllr.exec:\fxlfllr.exe41⤵
- Executes dropped EXE
PID:1680 -
\??\c:\jpvpj.exec:\jpvpj.exe42⤵
- Executes dropped EXE
PID:1080 -
\??\c:\jpvpj.exec:\jpvpj.exe43⤵
- Executes dropped EXE
PID:4328 -
\??\c:\64048.exec:\64048.exe44⤵
- Executes dropped EXE
PID:548 -
\??\c:\nthttb.exec:\nthttb.exe45⤵
- Executes dropped EXE
PID:2220 -
\??\c:\1flfllr.exec:\1flfllr.exe46⤵
- Executes dropped EXE
PID:2208 -
\??\c:\hbbtnn.exec:\hbbtnn.exe47⤵
- Executes dropped EXE
PID:4548 -
\??\c:\vppjv.exec:\vppjv.exe48⤵
- Executes dropped EXE
PID:1764 -
\??\c:\42266.exec:\42266.exe49⤵
- Executes dropped EXE
PID:4000 -
\??\c:\66222.exec:\66222.exe50⤵
- Executes dropped EXE
PID:4348 -
\??\c:\ppdpj.exec:\ppdpj.exe51⤵
- Executes dropped EXE
PID:4144 -
\??\c:\lflffff.exec:\lflffff.exe52⤵
- Executes dropped EXE
PID:1640 -
\??\c:\202622.exec:\202622.exe53⤵
- Executes dropped EXE
PID:2372 -
\??\c:\m0600.exec:\m0600.exe54⤵
- Executes dropped EXE
PID:4276 -
\??\c:\tntntt.exec:\tntntt.exe55⤵
- Executes dropped EXE
PID:372 -
\??\c:\rrxrllf.exec:\rrxrllf.exe56⤵
- Executes dropped EXE
PID:1924 -
\??\c:\frxrllf.exec:\frxrllf.exe57⤵
- Executes dropped EXE
PID:4696 -
\??\c:\4800488.exec:\4800488.exe58⤵
- Executes dropped EXE
PID:388 -
\??\c:\vpdvd.exec:\vpdvd.exe59⤵
- Executes dropped EXE
PID:2480 -
\??\c:\424800.exec:\424800.exe60⤵
- Executes dropped EXE
PID:4476 -
\??\c:\62826.exec:\62826.exe61⤵
- Executes dropped EXE
PID:1260 -
\??\c:\84426.exec:\84426.exe62⤵
- Executes dropped EXE
PID:3524 -
\??\c:\6286420.exec:\6286420.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332 -
\??\c:\040482.exec:\040482.exe64⤵
- Executes dropped EXE
PID:1804 -
\??\c:\48448.exec:\48448.exe65⤵
- Executes dropped EXE
PID:2708 -
\??\c:\bhnttt.exec:\bhnttt.exe66⤵PID:2648
-
\??\c:\nthbtt.exec:\nthbtt.exe67⤵PID:2172
-
\??\c:\jdvvp.exec:\jdvvp.exe68⤵PID:4812
-
\??\c:\s0486.exec:\s0486.exe69⤵PID:1200
-
\??\c:\vppjp.exec:\vppjp.exe70⤵PID:1736
-
\??\c:\86486.exec:\86486.exe71⤵PID:4392
-
\??\c:\9hbtnn.exec:\9hbtnn.exe72⤵PID:440
-
\??\c:\0444040.exec:\0444040.exe73⤵PID:412
-
\??\c:\8600266.exec:\8600266.exe74⤵PID:2996
-
\??\c:\40604.exec:\40604.exe75⤵PID:3568
-
\??\c:\nbbtnn.exec:\nbbtnn.exe76⤵PID:2100
-
\??\c:\fxxrfxl.exec:\fxxrfxl.exe77⤵PID:3964
-
\??\c:\bthbhb.exec:\bthbhb.exe78⤵PID:1732
-
\??\c:\rlxrffl.exec:\rlxrffl.exe79⤵PID:2312
-
\??\c:\7ppdv.exec:\7ppdv.exe80⤵PID:4764
-
\??\c:\k28822.exec:\k28822.exe81⤵PID:4032
-
\??\c:\ffrlllr.exec:\ffrlllr.exe82⤵PID:4368
-
\??\c:\62444.exec:\62444.exe83⤵PID:4436
-
\??\c:\hntnhb.exec:\hntnhb.exe84⤵PID:1208
-
\??\c:\5tbttn.exec:\5tbttn.exe85⤵PID:4828
-
\??\c:\pjdjd.exec:\pjdjd.exe86⤵PID:3520
-
\??\c:\228262.exec:\228262.exe87⤵PID:3340
-
\??\c:\nhbbtt.exec:\nhbbtt.exe88⤵PID:464
-
\??\c:\2066600.exec:\2066600.exe89⤵PID:316
-
\??\c:\pddvp.exec:\pddvp.exe90⤵PID:4756
-
\??\c:\224488.exec:\224488.exe91⤵PID:332
-
\??\c:\hhhtnh.exec:\hhhtnh.exe92⤵PID:884
-
\??\c:\xlxlfxl.exec:\xlxlfxl.exe93⤵PID:2588
-
\??\c:\a8448.exec:\a8448.exe94⤵PID:4184
-
\??\c:\648226.exec:\648226.exe95⤵PID:1832
-
\??\c:\djpjd.exec:\djpjd.exe96⤵PID:4512
-
\??\c:\dppjd.exec:\dppjd.exe97⤵PID:1556
-
\??\c:\444208.exec:\444208.exe98⤵PID:5036
-
\??\c:\402600.exec:\402600.exe99⤵PID:3528
-
\??\c:\6486822.exec:\6486822.exe100⤵PID:840
-
\??\c:\1bhbnh.exec:\1bhbnh.exe101⤵PID:2920
-
\??\c:\i620260.exec:\i620260.exe102⤵PID:548
-
\??\c:\hnthbn.exec:\hnthbn.exe103⤵PID:2248
-
\??\c:\ntthnh.exec:\ntthnh.exe104⤵PID:3100
-
\??\c:\6004882.exec:\6004882.exe105⤵PID:2328
-
\??\c:\tnhtnn.exec:\tnhtnn.exe106⤵PID:1764
-
\??\c:\pppjj.exec:\pppjj.exe107⤵PID:4000
-
\??\c:\8804884.exec:\8804884.exe108⤵PID:116
-
\??\c:\nhtntn.exec:\nhtntn.exe109⤵PID:696
-
\??\c:\jvvjv.exec:\jvvjv.exe110⤵PID:4044
-
\??\c:\djjvj.exec:\djjvj.exe111⤵PID:832
-
\??\c:\hnbtnh.exec:\hnbtnh.exe112⤵PID:1336
-
\??\c:\624422.exec:\624422.exe113⤵PID:4280
-
\??\c:\42260.exec:\42260.exe114⤵PID:4292
-
\??\c:\flrlffx.exec:\flrlffx.exe115⤵PID:532
-
\??\c:\pjddp.exec:\pjddp.exe116⤵PID:1332
-
\??\c:\pppjv.exec:\pppjv.exe117⤵PID:3068
-
\??\c:\64088.exec:\64088.exe118⤵PID:2116
-
\??\c:\jjjvd.exec:\jjjvd.exe119⤵PID:3228
-
\??\c:\648644.exec:\648644.exe120⤵PID:1284
-
\??\c:\thnnhh.exec:\thnnhh.exe121⤵PID:5032
-
\??\c:\lffxlll.exec:\lffxlll.exe122⤵PID:3928