Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 16:40
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
847af7e2135d395904cd4aea76f218b05e8024b6e5174379b93ac3399638116aN.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
847af7e2135d395904cd4aea76f218b05e8024b6e5174379b93ac3399638116aN.exe
-
Size
454KB
-
MD5
115c8c69bb0d18d3d37c0701d5accb50
-
SHA1
83968f6242b1822cc6a4e4b480f10ec3f44dafd2
-
SHA256
847af7e2135d395904cd4aea76f218b05e8024b6e5174379b93ac3399638116a
-
SHA512
8966ce6d8ce52a852f30a5e2155604f4f5c0c69fa5b032e0fcb725acb597d889bad7b75a667da21051a697c6f3f9e9627bca5b0afc186304a5370fc6e1b7a36f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/3244-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1744-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4864-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-905-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3244 tbbtnh.exe 1732 djvjj.exe 4840 tnhbtb.exe 4012 440826.exe 2680 4248646.exe 4540 k40884.exe 1468 lxxrflf.exe 4280 btnhtn.exe 3728 260602.exe 3788 q00826.exe 2820 jppdp.exe 3284 86482.exe 3124 bbbnbn.exe 4376 dvdpv.exe 2432 42200.exe 1980 400044.exe 3252 lrxrrll.exe 5048 jvdvd.exe 4304 ntbnhb.exe 3916 862200.exe 3236 dpvjd.exe 3852 i400484.exe 2340 g8082.exe 4004 pppjd.exe 3408 48882.exe 2324 462664.exe 1744 646404.exe 836 nbhhhh.exe 4212 622604.exe 3640 thtnbn.exe 3748 08060.exe 3764 8208480.exe 5060 068266.exe 1936 pjjjd.exe 904 9jjdp.exe 1512 xffxrlf.exe 1736 pddjd.exe 3028 284822.exe 4936 vjjvp.exe 3696 rrxrllf.exe 3668 jddvv.exe 1608 8840404.exe 804 2026446.exe 4364 88626.exe 2524 6460440.exe 1352 bhbnhb.exe 2204 ntbthh.exe 8 e62600.exe 2916 fxrxlxl.exe 944 hbbttt.exe 2252 fxlffff.exe 3184 jdppp.exe 4628 1ntnbn.exe 4560 28808.exe 3744 642200.exe 4652 02442.exe 2640 vvdvj.exe 508 2240840.exe 3000 flrrlrf.exe 3404 fxxrrlf.exe 4376 2660060.exe 2868 22082.exe 2432 lrxrlff.exe 2280 e62608.exe -
resource yara_rule behavioral2/memory/3244-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-183-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5060-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4772-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-918-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here, by reading the NLS\Language registry key) in order to infer the host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4286822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0408068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u060826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
4082666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 288600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8464826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284422.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3876 wrote to memory of 3244 3876 847af7e2135d395904cd4aea76f218b05e8024b6e5174379b93ac3399638116aN.exe 83 PID 3876 wrote to memory of 3244 3876 847af7e2135d395904cd4aea76f218b05e8024b6e5174379b93ac3399638116aN.exe 83 PID 3876 wrote to memory of 3244 3876 847af7e2135d395904cd4aea76f218b05e8024b6e5174379b93ac3399638116aN.exe 83 PID 3244 wrote to memory of 1732 3244 tbbtnh.exe 84 PID 3244 wrote to memory of 1732 3244 tbbtnh.exe 84 PID 3244 wrote to memory of 1732 3244 tbbtnh.exe 84 PID 1732 wrote to memory of 4840 1732 djvjj.exe 85 PID 1732 wrote to memory of 4840 1732 djvjj.exe 85 PID 1732 wrote to memory of 4840 1732 djvjj.exe 85 PID 4840 wrote to memory of 4012 4840 tnhbtb.exe 86 PID 4840 wrote to memory of 4012 4840 tnhbtb.exe 86 PID 4840 wrote to memory of 4012 4840 tnhbtb.exe 86 PID 4012 wrote to memory of 2680 4012 440826.exe 87 PID 4012 wrote to memory of 2680 4012 440826.exe 87 PID 4012 wrote to memory of 2680 4012 440826.exe 87 PID 2680 wrote to memory of 4540 2680 4248646.exe 88 PID 2680 wrote to memory of 4540 2680 4248646.exe 88 PID 2680 wrote to memory of 4540 2680 4248646.exe 88 PID 4540 wrote to memory of 1468 4540 k40884.exe 89 PID 4540 wrote to memory of 1468 4540 k40884.exe 89 PID 4540 wrote to memory of 1468 4540 k40884.exe 89 PID 1468 wrote to memory of 4280 1468 lxxrflf.exe 90 PID 1468 wrote to memory of 4280 1468 lxxrflf.exe 90 PID 1468 wrote to memory of 4280 1468 lxxrflf.exe 90 PID 4280 wrote to memory of 3728 4280 btnhtn.exe 91 PID 4280 wrote to memory of 3728 4280 btnhtn.exe 91 PID 4280 wrote to memory of 3728 4280 btnhtn.exe 91 PID 3728 wrote to memory of 3788 3728 260602.exe 92 PID 3728 wrote to memory of 3788 3728 260602.exe 92 PID 3728 wrote to memory of 3788 3728 260602.exe 92 PID 3788 wrote to memory of 2820 3788 q00826.exe 93 PID 3788 wrote to memory of 2820 3788 q00826.exe 93 PID 3788 wrote to memory of 2820 3788 q00826.exe 93 PID 2820 wrote to memory of 3284 2820 jppdp.exe 94 PID 2820 wrote 
to memory of 3284 2820 jppdp.exe 94 PID 2820 wrote to memory of 3284 2820 jppdp.exe 94 PID 3284 wrote to memory of 3124 3284 86482.exe 95 PID 3284 wrote to memory of 3124 3284 86482.exe 95 PID 3284 wrote to memory of 3124 3284 86482.exe 95 PID 3124 wrote to memory of 4376 3124 bbbnbn.exe 96 PID 3124 wrote to memory of 4376 3124 bbbnbn.exe 96 PID 3124 wrote to memory of 4376 3124 bbbnbn.exe 96 PID 4376 wrote to memory of 2432 4376 dvdpv.exe 97 PID 4376 wrote to memory of 2432 4376 dvdpv.exe 97 PID 4376 wrote to memory of 2432 4376 dvdpv.exe 97 PID 2432 wrote to memory of 1980 2432 42200.exe 98 PID 2432 wrote to memory of 1980 2432 42200.exe 98 PID 2432 wrote to memory of 1980 2432 42200.exe 98 PID 1980 wrote to memory of 3252 1980 400044.exe 99 PID 1980 wrote to memory of 3252 1980 400044.exe 99 PID 1980 wrote to memory of 3252 1980 400044.exe 99 PID 3252 wrote to memory of 5048 3252 lrxrrll.exe 100 PID 3252 wrote to memory of 5048 3252 lrxrrll.exe 100 PID 3252 wrote to memory of 5048 3252 lrxrrll.exe 100 PID 5048 wrote to memory of 4304 5048 jvdvd.exe 101 PID 5048 wrote to memory of 4304 5048 jvdvd.exe 101 PID 5048 wrote to memory of 4304 5048 jvdvd.exe 101 PID 4304 wrote to memory of 3916 4304 ntbnhb.exe 102 PID 4304 wrote to memory of 3916 4304 ntbnhb.exe 102 PID 4304 wrote to memory of 3916 4304 ntbnhb.exe 102 PID 3916 wrote to memory of 3236 3916 862200.exe 103 PID 3916 wrote to memory of 3236 3916 862200.exe 103 PID 3916 wrote to memory of 3236 3916 862200.exe 103 PID 3236 wrote to memory of 3852 3236 dpvjd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\847af7e2135d395904cd4aea76f218b05e8024b6e5174379b93ac3399638116aN.exe"C:\Users\Admin\AppData\Local\Temp\847af7e2135d395904cd4aea76f218b05e8024b6e5174379b93ac3399638116aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\tbbtnh.exec:\tbbtnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\djvjj.exec:\djvjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\tnhbtb.exec:\tnhbtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\440826.exec:\440826.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\4248646.exec:\4248646.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\k40884.exec:\k40884.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\lxxrflf.exec:\lxxrflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\btnhtn.exec:\btnhtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\260602.exec:\260602.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\q00826.exec:\q00826.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\jppdp.exec:\jppdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\86482.exec:\86482.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\bbbnbn.exec:\bbbnbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\dvdpv.exec:\dvdpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\42200.exec:\42200.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\400044.exec:\400044.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\lrxrrll.exec:\lrxrrll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\jvdvd.exec:\jvdvd.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\ntbnhb.exec:\ntbnhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\862200.exec:\862200.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\dpvjd.exec:\dpvjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\i400484.exec:\i400484.exe23⤵
- Executes dropped EXE
PID:3852 -
\??\c:\g8082.exec:\g8082.exe24⤵
- Executes dropped EXE
PID:2340 -
\??\c:\pppjd.exec:\pppjd.exe25⤵
- Executes dropped EXE
PID:4004 -
\??\c:\48882.exec:\48882.exe26⤵
- Executes dropped EXE
PID:3408 -
\??\c:\462664.exec:\462664.exe27⤵
- Executes dropped EXE
PID:2324 -
\??\c:\646404.exec:\646404.exe28⤵
- Executes dropped EXE
PID:1744 -
\??\c:\nbhhhh.exec:\nbhhhh.exe29⤵
- Executes dropped EXE
PID:836 -
\??\c:\622604.exec:\622604.exe30⤵
- Executes dropped EXE
PID:4212 -
\??\c:\thtnbn.exec:\thtnbn.exe31⤵
- Executes dropped EXE
PID:3640 -
\??\c:\08060.exec:\08060.exe32⤵
- Executes dropped EXE
PID:3748 -
\??\c:\8208480.exec:\8208480.exe33⤵
- Executes dropped EXE
PID:3764 -
\??\c:\068266.exec:\068266.exe34⤵
- Executes dropped EXE
PID:5060 -
\??\c:\pjjjd.exec:\pjjjd.exe35⤵
- Executes dropped EXE
PID:1936 -
\??\c:\9jjdp.exec:\9jjdp.exe36⤵
- Executes dropped EXE
PID:904 -
\??\c:\xffxrlf.exec:\xffxrlf.exe37⤵
- Executes dropped EXE
PID:1512 -
\??\c:\pddjd.exec:\pddjd.exe38⤵
- Executes dropped EXE
PID:1736 -
\??\c:\284822.exec:\284822.exe39⤵
- Executes dropped EXE
PID:3028 -
\??\c:\vjjvp.exec:\vjjvp.exe40⤵
- Executes dropped EXE
PID:4936 -
\??\c:\rrxrllf.exec:\rrxrllf.exe41⤵
- Executes dropped EXE
PID:3696 -
\??\c:\jddvv.exec:\jddvv.exe42⤵
- Executes dropped EXE
PID:3668 -
\??\c:\8840404.exec:\8840404.exe43⤵
- Executes dropped EXE
PID:1608 -
\??\c:\2026446.exec:\2026446.exe44⤵
- Executes dropped EXE
PID:804 -
\??\c:\88626.exec:\88626.exe45⤵
- Executes dropped EXE
PID:4364 -
\??\c:\6460440.exec:\6460440.exe46⤵
- Executes dropped EXE
PID:2524 -
\??\c:\bhbnhb.exec:\bhbnhb.exe47⤵
- Executes dropped EXE
PID:1352 -
\??\c:\ntbthh.exec:\ntbthh.exe48⤵
- Executes dropped EXE
PID:2204 -
\??\c:\e62600.exec:\e62600.exe49⤵
- Executes dropped EXE
PID:8 -
\??\c:\fxrxlxl.exec:\fxrxlxl.exe50⤵
- Executes dropped EXE
PID:2916 -
\??\c:\hbbttt.exec:\hbbttt.exe51⤵
- Executes dropped EXE
PID:944 -
\??\c:\fxlffff.exec:\fxlffff.exe52⤵
- Executes dropped EXE
PID:2252 -
\??\c:\jdppp.exec:\jdppp.exe53⤵
- Executes dropped EXE
PID:3184 -
\??\c:\1ntnbn.exec:\1ntnbn.exe54⤵
- Executes dropped EXE
PID:4628 -
\??\c:\28808.exec:\28808.exe55⤵
- Executes dropped EXE
PID:4560 -
\??\c:\642200.exec:\642200.exe56⤵
- Executes dropped EXE
PID:3744 -
\??\c:\02442.exec:\02442.exe57⤵
- Executes dropped EXE
PID:4652 -
\??\c:\vvdvj.exec:\vvdvj.exe58⤵
- Executes dropped EXE
PID:2640 -
\??\c:\2240840.exec:\2240840.exe59⤵
- Executes dropped EXE
PID:508 -
\??\c:\flrrlrf.exec:\flrrlrf.exe60⤵
- Executes dropped EXE
PID:3000 -
\??\c:\fxxrrlf.exec:\fxxrrlf.exe61⤵
- Executes dropped EXE
PID:3404 -
\??\c:\2660060.exec:\2660060.exe62⤵
- Executes dropped EXE
PID:4376 -
\??\c:\22082.exec:\22082.exe63⤵
- Executes dropped EXE
PID:2868 -
\??\c:\lrxrlff.exec:\lrxrlff.exe64⤵
- Executes dropped EXE
PID:2432 -
\??\c:\e62608.exec:\e62608.exe65⤵
- Executes dropped EXE
PID:2280 -
\??\c:\m4644.exec:\m4644.exe66⤵PID:4056
-
\??\c:\a4604.exec:\a4604.exe67⤵PID:3252
-
\??\c:\5lffxxr.exec:\5lffxxr.exe68⤵PID:3784
-
\??\c:\flrffxr.exec:\flrffxr.exe69⤵PID:3300
-
\??\c:\dvpjd.exec:\dvpjd.exe70⤵
- System Location Discovery: System Language Discovery
PID:1444 -
\??\c:\jvdvj.exec:\jvdvj.exe71⤵PID:3984
-
\??\c:\9ffxllf.exec:\9ffxllf.exe72⤵PID:2548
-
\??\c:\rllfxxr.exec:\rllfxxr.exe73⤵PID:4864
-
\??\c:\2444888.exec:\2444888.exe74⤵PID:5076
-
\??\c:\2600468.exec:\2600468.exe75⤵PID:948
-
\??\c:\9httnt.exec:\9httnt.exe76⤵PID:2720
-
\??\c:\9vvpj.exec:\9vvpj.exe77⤵PID:4812
-
\??\c:\20642.exec:\20642.exe78⤵PID:3316
-
\??\c:\e26248.exec:\e26248.exe79⤵PID:1668
-
\??\c:\lllfrrx.exec:\lllfrrx.exe80⤵PID:3508
-
\??\c:\082648.exec:\082648.exe81⤵PID:4824
-
\??\c:\0408068.exec:\0408068.exe82⤵
- System Location Discovery: System Language Discovery
PID:4908 -
\??\c:\i404882.exec:\i404882.exe83⤵PID:3832
-
\??\c:\dppdp.exec:\dppdp.exe84⤵PID:1620
-
\??\c:\228086.exec:\228086.exe85⤵PID:2276
-
\??\c:\8404826.exec:\8404826.exe86⤵PID:3472
-
\??\c:\lxrlfxr.exec:\lxrlfxr.exe87⤵PID:3764
-
\??\c:\bttttn.exec:\bttttn.exe88⤵PID:4772
-
\??\c:\rflfrrr.exec:\rflfrrr.exe89⤵PID:2464
-
\??\c:\6448608.exec:\6448608.exe90⤵PID:5096
-
\??\c:\nhhthb.exec:\nhhthb.exe91⤵PID:4452
-
\??\c:\8226646.exec:\8226646.exe92⤵PID:4536
-
\??\c:\fxxlfrl.exec:\fxxlfrl.exe93⤵PID:1768
-
\??\c:\xllxrlf.exec:\xllxrlf.exe94⤵PID:2788
-
\??\c:\bthbtt.exec:\bthbtt.exe95⤵PID:4532
-
\??\c:\6682660.exec:\6682660.exe96⤵PID:4332
-
\??\c:\htnbnh.exec:\htnbnh.exe97⤵PID:3820
-
\??\c:\rffxrrl.exec:\rffxrrl.exe98⤵PID:736
-
\??\c:\tbbthb.exec:\tbbthb.exe99⤵PID:3736
-
\??\c:\6282604.exec:\6282604.exe100⤵PID:4364
-
\??\c:\jpvvv.exec:\jpvvv.exe101⤵PID:1284
-
\??\c:\82880.exec:\82880.exe102⤵PID:1352
-
\??\c:\1nnhtn.exec:\1nnhtn.exe103⤵PID:4408
-
\??\c:\lflflll.exec:\lflflll.exe104⤵PID:1408
-
\??\c:\1pjdp.exec:\1pjdp.exe105⤵PID:1500
-
\??\c:\rlxxxxr.exec:\rlxxxxr.exe106⤵PID:3752
-
\??\c:\880208.exec:\880208.exe107⤵PID:4260
-
\??\c:\426208.exec:\426208.exe108⤵PID:4388
-
\??\c:\fxrfrfx.exec:\fxrfrfx.exe109⤵PID:1012
-
\??\c:\g4644.exec:\g4644.exe110⤵PID:4252
-
\??\c:\8004882.exec:\8004882.exe111⤵PID:4456
-
\??\c:\8686600.exec:\8686600.exe112⤵PID:4920
-
\??\c:\244826.exec:\244826.exe113⤵PID:2236
-
\??\c:\3pvjp.exec:\3pvjp.exe114⤵PID:4560
-
\??\c:\2640220.exec:\2640220.exe115⤵PID:3788
-
\??\c:\6660820.exec:\6660820.exe116⤵PID:2144
-
\??\c:\btttbb.exec:\btttbb.exe117⤵PID:4608
-
\??\c:\7rrlxxr.exec:\7rrlxxr.exe118⤵PID:5112
-
\??\c:\frxrllf.exec:\frxrllf.exe119⤵PID:1332
-
\??\c:\228204.exec:\228204.exe120⤵PID:2976
-
\??\c:\fflflfx.exec:\fflflfx.exe121⤵PID:2344
-
\??\c:\6220264.exec:\6220264.exe122⤵PID:2732