Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 18:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe
-
Size
453KB
-
MD5
6ddd739ca86c64b9c9c20cd40c8652af
-
SHA1
5ee093278c2abffcd09e75eca3d39312437f1223
-
SHA256
4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3
-
SHA512
35110423cd7d00bb281a3ab17ac1863e5988c99995bc99cb1cfa251566db1312b7384cb0eb2dd64248106de357898604faecef9ad5f62856a3dac827430f46c9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2544-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/608-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2404-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3488-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-807-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-871-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/608-1119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-1214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-1737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2192 5vdvp.exe 2160 dvjpd.exe 2856 vdjdv.exe 3760 0622248.exe 5032 62408.exe 2224 0022044.exe 4292 q06048.exe 2668 8662266.exe 1416 42248.exe 2068 620488.exe 2176 080826.exe 1600 000082.exe 2804 flxlfxr.exe 4336 flfxrlf.exe 4000 022048.exe 4576 hhbthb.exe 608 vjjvp.exe 1656 2064248.exe 1940 rrlfrrl.exe 3236 vjjvj.exe 4288 rlfxlfr.exe 4580 tnhbtn.exe 3348 06826.exe 3128 2004266.exe 4472 2844260.exe 1632 600448.exe 2404 thhbtn.exe 3472 0264886.exe 2300 8202842.exe 5044 20082.exe 4408 28442.exe 3144 llrxfxf.exe 4968 6226042.exe 2952 6408488.exe 5096 3xxlfxl.exe 4352 vjjjd.exe 1716 hntbnh.exe 2612 jpdvj.exe 1424 06204.exe 2544 vppdp.exe 4596 httnbt.exe 2160 jvdvj.exe 1504 dvpjd.exe 3760 284260.exe 1908 22420.exe 4612 8660608.exe 3168 0048260.exe 2908 htbthh.exe 2576 tnnhtt.exe 4340 vjjvj.exe 1516 jdvjd.exe 1404 084226.exe 1412 9jdvd.exe 2264 8448242.exe 4516 42820.exe 1756 8620826.exe 1084 dpvjd.exe 3636 400860.exe 1988 hhnbnh.exe 1700 64208.exe 4708 662648.exe 4740 frxllfl.exe 3184 w24204.exe 3696 5tthbt.exe -
resource yara_rule behavioral2/memory/2544-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/608-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2404-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-329-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5052-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-871-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfflfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0460606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q44204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8662266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 002666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2544 wrote to memory of 2192 2544 4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe 83 PID 2544 wrote to memory of 2192 2544 4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe 83 PID 2544 wrote to memory of 2192 2544 4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe 83 PID 2192 wrote to memory of 2160 2192 5vdvp.exe 84 PID 2192 wrote to memory of 2160 2192 5vdvp.exe 84 PID 2192 wrote to memory of 2160 2192 5vdvp.exe 84 PID 2160 wrote to memory of 2856 2160 dvjpd.exe 85 PID 2160 wrote to memory of 2856 2160 dvjpd.exe 85 PID 2160 wrote to memory of 2856 2160 dvjpd.exe 85 PID 2856 wrote to memory of 3760 2856 vdjdv.exe 86 PID 2856 wrote to memory of 3760 2856 vdjdv.exe 86 PID 2856 wrote to memory of 3760 2856 vdjdv.exe 86 PID 3760 wrote to memory of 5032 3760 0622248.exe 87 PID 3760 wrote to memory of 5032 3760 0622248.exe 87 PID 3760 wrote to memory of 5032 3760 0622248.exe 87 PID 5032 wrote to memory of 2224 5032 62408.exe 88 PID 5032 wrote to memory of 2224 5032 62408.exe 88 PID 5032 wrote to memory of 2224 5032 62408.exe 88 PID 2224 wrote to memory of 4292 2224 0022044.exe 89 PID 2224 wrote to memory of 4292 2224 0022044.exe 89 PID 2224 wrote to memory of 4292 2224 0022044.exe 89 PID 4292 wrote to memory of 2668 4292 q06048.exe 90 PID 4292 wrote to memory of 2668 4292 q06048.exe 90 PID 4292 wrote to memory of 2668 4292 q06048.exe 90 PID 2668 wrote to memory of 1416 2668 8662266.exe 91 PID 2668 wrote to memory of 1416 2668 8662266.exe 91 PID 2668 wrote to memory of 1416 2668 8662266.exe 91 PID 1416 wrote to memory of 2068 1416 42248.exe 92 PID 1416 wrote to memory of 2068 1416 42248.exe 92 PID 1416 wrote to memory of 2068 1416 42248.exe 92 PID 2068 wrote to memory of 2176 2068 620488.exe 93 PID 2068 wrote to memory of 2176 2068 620488.exe 93 PID 2068 wrote to memory of 2176 2068 620488.exe 93 PID 2176 wrote to memory of 1600 2176 080826.exe 94 PID 2176 wrote to memory 
of 1600 2176 080826.exe 94 PID 2176 wrote to memory of 1600 2176 080826.exe 94 PID 1600 wrote to memory of 2804 1600 000082.exe 95 PID 1600 wrote to memory of 2804 1600 000082.exe 95 PID 1600 wrote to memory of 2804 1600 000082.exe 95 PID 2804 wrote to memory of 4336 2804 flxlfxr.exe 96 PID 2804 wrote to memory of 4336 2804 flxlfxr.exe 96 PID 2804 wrote to memory of 4336 2804 flxlfxr.exe 96 PID 4336 wrote to memory of 4000 4336 flfxrlf.exe 97 PID 4336 wrote to memory of 4000 4336 flfxrlf.exe 97 PID 4336 wrote to memory of 4000 4336 flfxrlf.exe 97 PID 4000 wrote to memory of 4576 4000 022048.exe 98 PID 4000 wrote to memory of 4576 4000 022048.exe 98 PID 4000 wrote to memory of 4576 4000 022048.exe 98 PID 4576 wrote to memory of 608 4576 hhbthb.exe 99 PID 4576 wrote to memory of 608 4576 hhbthb.exe 99 PID 4576 wrote to memory of 608 4576 hhbthb.exe 99 PID 608 wrote to memory of 1656 608 vjjvp.exe 100 PID 608 wrote to memory of 1656 608 vjjvp.exe 100 PID 608 wrote to memory of 1656 608 vjjvp.exe 100 PID 1656 wrote to memory of 1940 1656 2064248.exe 101 PID 1656 wrote to memory of 1940 1656 2064248.exe 101 PID 1656 wrote to memory of 1940 1656 2064248.exe 101 PID 1940 wrote to memory of 3236 1940 rrlfrrl.exe 102 PID 1940 wrote to memory of 3236 1940 rrlfrrl.exe 102 PID 1940 wrote to memory of 3236 1940 rrlfrrl.exe 102 PID 3236 wrote to memory of 4288 3236 vjjvj.exe 103 PID 3236 wrote to memory of 4288 3236 vjjvj.exe 103 PID 3236 wrote to memory of 4288 3236 vjjvj.exe 103 PID 4288 wrote to memory of 4580 4288 rlfxlfr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe"C:\Users\Admin\AppData\Local\Temp\4816dbf73b926573eeb46a732c06f2cd8eb82d7f2ca7d2cbe9e9307d09fa15e3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\5vdvp.exec:\5vdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\dvjpd.exec:\dvjpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\vdjdv.exec:\vdjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\0622248.exec:\0622248.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\62408.exec:\62408.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\0022044.exec:\0022044.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\q06048.exec:\q06048.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\8662266.exec:\8662266.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\42248.exec:\42248.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\620488.exec:\620488.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\080826.exec:\080826.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\000082.exec:\000082.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\flxlfxr.exec:\flxlfxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\flfxrlf.exec:\flfxrlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\022048.exec:\022048.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\hhbthb.exec:\hhbthb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\vjjvp.exec:\vjjvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:608 -
\??\c:\2064248.exec:\2064248.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\rrlfrrl.exec:\rrlfrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\vjjvj.exec:\vjjvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\rlfxlfr.exec:\rlfxlfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\tnhbtn.exec:\tnhbtn.exe23⤵
- Executes dropped EXE
PID:4580 -
\??\c:\06826.exec:\06826.exe24⤵
- Executes dropped EXE
PID:3348 -
\??\c:\2004266.exec:\2004266.exe25⤵
- Executes dropped EXE
PID:3128 -
\??\c:\2844260.exec:\2844260.exe26⤵
- Executes dropped EXE
PID:4472 -
\??\c:\600448.exec:\600448.exe27⤵
- Executes dropped EXE
PID:1632 -
\??\c:\thhbtn.exec:\thhbtn.exe28⤵
- Executes dropped EXE
PID:2404 -
\??\c:\0264886.exec:\0264886.exe29⤵
- Executes dropped EXE
PID:3472 -
\??\c:\8202842.exec:\8202842.exe30⤵
- Executes dropped EXE
PID:2300 -
\??\c:\20082.exec:\20082.exe31⤵
- Executes dropped EXE
PID:5044 -
\??\c:\28442.exec:\28442.exe32⤵
- Executes dropped EXE
PID:4408 -
\??\c:\llrxfxf.exec:\llrxfxf.exe33⤵
- Executes dropped EXE
PID:3144 -
\??\c:\6226042.exec:\6226042.exe34⤵
- Executes dropped EXE
PID:4968 -
\??\c:\6408488.exec:\6408488.exe35⤵
- Executes dropped EXE
PID:2952 -
\??\c:\3xxlfxl.exec:\3xxlfxl.exe36⤵
- Executes dropped EXE
PID:5096 -
\??\c:\vjjjd.exec:\vjjjd.exe37⤵
- Executes dropped EXE
PID:4352 -
\??\c:\hntbnh.exec:\hntbnh.exe38⤵
- Executes dropped EXE
PID:1716 -
\??\c:\jpdvj.exec:\jpdvj.exe39⤵
- Executes dropped EXE
PID:2612 -
\??\c:\06204.exec:\06204.exe40⤵
- Executes dropped EXE
PID:1424 -
\??\c:\662026.exec:\662026.exe41⤵PID:4376
-
\??\c:\vppdp.exec:\vppdp.exe42⤵
- Executes dropped EXE
PID:2544 -
\??\c:\httnbt.exec:\httnbt.exe43⤵
- Executes dropped EXE
PID:4596 -
\??\c:\jvdvj.exec:\jvdvj.exe44⤵
- Executes dropped EXE
PID:2160 -
\??\c:\dvpjd.exec:\dvpjd.exe45⤵
- Executes dropped EXE
PID:1504 -
\??\c:\284260.exec:\284260.exe46⤵
- Executes dropped EXE
PID:3760 -
\??\c:\22420.exec:\22420.exe47⤵
- Executes dropped EXE
PID:1908 -
\??\c:\8660608.exec:\8660608.exe48⤵
- Executes dropped EXE
PID:4612 -
\??\c:\0048260.exec:\0048260.exe49⤵
- Executes dropped EXE
PID:3168 -
\??\c:\htbthh.exec:\htbthh.exe50⤵
- Executes dropped EXE
PID:2908 -
\??\c:\tnnhtt.exec:\tnnhtt.exe51⤵
- Executes dropped EXE
PID:2576 -
\??\c:\vjjvj.exec:\vjjvj.exe52⤵
- Executes dropped EXE
PID:4340 -
\??\c:\jdvjd.exec:\jdvjd.exe53⤵
- Executes dropped EXE
PID:1516 -
\??\c:\084226.exec:\084226.exe54⤵
- Executes dropped EXE
PID:1404 -
\??\c:\9jdvd.exec:\9jdvd.exe55⤵
- Executes dropped EXE
PID:1412 -
\??\c:\8448242.exec:\8448242.exe56⤵
- Executes dropped EXE
PID:2264 -
\??\c:\42820.exec:\42820.exe57⤵
- Executes dropped EXE
PID:4516 -
\??\c:\8620826.exec:\8620826.exe58⤵
- Executes dropped EXE
PID:1756 -
\??\c:\dpvjd.exec:\dpvjd.exe59⤵
- Executes dropped EXE
PID:1084 -
\??\c:\400860.exec:\400860.exe60⤵
- Executes dropped EXE
PID:3636 -
\??\c:\hhnbnh.exec:\hhnbnh.exe61⤵
- Executes dropped EXE
PID:1988 -
\??\c:\64208.exec:\64208.exe62⤵
- Executes dropped EXE
PID:1700 -
\??\c:\662648.exec:\662648.exe63⤵
- Executes dropped EXE
PID:4708 -
\??\c:\frxllfl.exec:\frxllfl.exe64⤵
- Executes dropped EXE
PID:4740 -
\??\c:\w24204.exec:\w24204.exe65⤵
- Executes dropped EXE
PID:3184 -
\??\c:\5tthbt.exec:\5tthbt.exe66⤵
- Executes dropped EXE
PID:3696 -
\??\c:\dvjvp.exec:\dvjvp.exe67⤵PID:4680
-
\??\c:\fxfrxrx.exec:\fxfrxrx.exe68⤵PID:3488
-
\??\c:\fflrxfr.exec:\fflrxfr.exe69⤵PID:3068
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe70⤵PID:3164
-
\??\c:\q88604.exec:\q88604.exe71⤵PID:396
-
\??\c:\rflxrlx.exec:\rflxrlx.exe72⤵PID:608
-
\??\c:\rrrfxrf.exec:\rrrfxrf.exe73⤵PID:1300
-
\??\c:\jvvpj.exec:\jvvpj.exe74⤵PID:4684
-
\??\c:\nbhbnh.exec:\nbhbnh.exe75⤵PID:2768
-
\??\c:\24480.exec:\24480.exe76⤵PID:5052
-
\??\c:\bbhtht.exec:\bbhtht.exe77⤵PID:2800
-
\??\c:\5nhbnh.exec:\5nhbnh.exe78⤵PID:4044
-
\??\c:\ntbtbb.exec:\ntbtbb.exe79⤵PID:1444
-
\??\c:\vjdvj.exec:\vjdvj.exe80⤵PID:2672
-
\??\c:\280260.exec:\280260.exe81⤵PID:1544
-
\??\c:\64804.exec:\64804.exe82⤵PID:2148
-
\??\c:\frrfrlx.exec:\frrfrlx.exe83⤵PID:4472
-
\??\c:\7lxlfxl.exec:\7lxlfxl.exe84⤵PID:4568
-
\??\c:\84482.exec:\84482.exe85⤵PID:1436
-
\??\c:\64042.exec:\64042.exe86⤵PID:4956
-
\??\c:\djdvp.exec:\djdvp.exe87⤵PID:3100
-
\??\c:\86042.exec:\86042.exe88⤵PID:3736
-
\??\c:\822482.exec:\822482.exe89⤵PID:3888
-
\??\c:\xrxlflf.exec:\xrxlflf.exe90⤵PID:776
-
\??\c:\bnhbtn.exec:\bnhbtn.exe91⤵PID:2108
-
\??\c:\28420.exec:\28420.exe92⤵PID:4448
-
\??\c:\ttthtn.exec:\ttthtn.exe93⤵PID:2872
-
\??\c:\xllxrlf.exec:\xllxrlf.exe94⤵PID:2124
-
\??\c:\dppdp.exec:\dppdp.exe95⤵PID:3656
-
\??\c:\hnthtn.exec:\hnthtn.exe96⤵PID:4588
-
\??\c:\o020482.exec:\o020482.exe97⤵PID:2016
-
\??\c:\0842048.exec:\0842048.exe98⤵PID:3928
-
\??\c:\88826.exec:\88826.exe99⤵PID:1304
-
\??\c:\q06080.exec:\q06080.exe100⤵PID:4548
-
\??\c:\a4082.exec:\a4082.exe101⤵PID:1716
-
\??\c:\2842826.exec:\2842826.exe102⤵PID:2612
-
\??\c:\pvpjv.exec:\pvpjv.exe103⤵PID:2844
-
\??\c:\9vdvv.exec:\9vdvv.exe104⤵PID:1636
-
\??\c:\66208.exec:\66208.exe105⤵PID:2396
-
\??\c:\djdjj.exec:\djdjj.exe106⤵PID:2616
-
\??\c:\202082.exec:\202082.exe107⤵PID:1568
-
\??\c:\thtnhb.exec:\thtnhb.exe108⤵PID:5080
-
\??\c:\pdjvj.exec:\pdjvj.exe109⤵PID:3760
-
\??\c:\htbttt.exec:\htbttt.exe110⤵PID:632
-
\??\c:\lffrfxl.exec:\lffrfxl.exe111⤵PID:3716
-
\??\c:\jvvpd.exec:\jvvpd.exe112⤵PID:4796
-
\??\c:\rxfxlfx.exec:\rxfxlfx.exe113⤵PID:1744
-
\??\c:\644826.exec:\644826.exe114⤵PID:2224
-
\??\c:\vpjdp.exec:\vpjdp.exe115⤵PID:4900
-
\??\c:\rlllrlf.exec:\rlllrlf.exe116⤵PID:764
-
\??\c:\60482.exec:\60482.exe117⤵PID:1172
-
\??\c:\ntbnht.exec:\ntbnht.exe118⤵PID:3860
-
\??\c:\nbtnbb.exec:\nbtnbb.exe119⤵PID:620
-
\??\c:\28460.exec:\28460.exe120⤵PID:2212
-
\??\c:\dpjvj.exec:\dpjvj.exe121⤵PID:2992
-
\??\c:\222824.exec:\222824.exe122⤵PID:1756