Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28/12/2024, 21:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
37c005ca98f6ba1e84c6487c9a7d6c206ede6656219cdc9d420adcd989a9569a.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
37c005ca98f6ba1e84c6487c9a7d6c206ede6656219cdc9d420adcd989a9569a.exe
-
Size
453KB
-
MD5
1bf92ff7b02652b69c83bd1aa97d6702
-
SHA1
43eea7f9d7bd8428fc70ede188a67c00b9a72a50
-
SHA256
37c005ca98f6ba1e84c6487c9a7d6c206ede6656219cdc9d420adcd989a9569a
-
SHA512
c8d04dde236e814ac501058f6331a4f875204368e7833a706e8b04d1d2a9eb4ec32a3485e6dbed5dbe537f7e729fdc500f893210d1448884dbcf63248f588b81
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/348-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2152-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3184-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-992-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-999-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-1072-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-1304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-1377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4480-1468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 348 w62004.exe 1524 pjdvp.exe 4472 4066004.exe 2180 pjdvp.exe 1020 vpvpj.exe 2340 tbnbtn.exe 4276 rllfxrl.exe 3704 80604.exe 4428 266262.exe 3508 086000.exe 1328 422604.exe 2868 btbhhn.exe 5016 280606.exe 1952 86004.exe 2804 nbbtnh.exe 2080 2864260.exe 2060 6806242.exe 1748 jvdvv.exe 1652 02200.exe 1420 2022662.exe 3864 24488.exe 1932 s0082.exe 2152 i842604.exe 5052 5vjvj.exe 1048 882882.exe 3420 ttthnn.exe 5068 ddjvj.exe 692 6242002.exe 2472 rlfrflx.exe 3536 8044880.exe 4128 1tnbnh.exe 2012 dpjvj.exe 4892 2664208.exe 4844 vdjdp.exe 1460 60086.exe 872 g2088.exe 1660 lfxrlll.exe 2260 2068444.exe 4644 pddvp.exe 1168 nbthth.exe 4476 rxxrfrr.exe 3924 80422.exe 348 rxrlflf.exe 4144 s8048.exe 1524 fxlxllf.exe 440 s0644.exe 2584 dpdvp.exe 1360 846484.exe 3188 bnnbnb.exe 2340 xfrfxrl.exe 3504 4060488.exe 3968 jjvpj.exe 4552 6288282.exe 3756 48048.exe 216 8804226.exe 4320 8682262.exe 336 thhbtt.exe 4544 7fxrffx.exe 4408 4626004.exe 3248 422040.exe 1940 nntnbb.exe 1844 llxlfxr.exe 2412 xrlfrlx.exe 2248 48826.exe -
resource yara_rule behavioral2/memory/348-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3420-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/372-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-887-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-918-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-992-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-999-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-1072-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-1304-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k06424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0882626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o444844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4882660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 662204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1520 wrote to memory of 348 1520 37c005ca98f6ba1e84c6487c9a7d6c206ede6656219cdc9d420adcd989a9569a.exe 83 PID 1520 wrote to memory of 348 1520 37c005ca98f6ba1e84c6487c9a7d6c206ede6656219cdc9d420adcd989a9569a.exe 83 PID 1520 wrote to memory of 348 1520 37c005ca98f6ba1e84c6487c9a7d6c206ede6656219cdc9d420adcd989a9569a.exe 83 PID 348 wrote to memory of 1524 348 w62004.exe 84 PID 348 wrote to memory of 1524 348 w62004.exe 84 PID 348 wrote to memory of 1524 348 w62004.exe 84 PID 1524 wrote to memory of 4472 1524 pjdvp.exe 85 PID 1524 wrote to memory of 4472 1524 pjdvp.exe 85 PID 1524 wrote to memory of 4472 1524 pjdvp.exe 85 PID 4472 wrote to memory of 2180 4472 4066004.exe 86 PID 4472 wrote to memory of 2180 4472 4066004.exe 86 PID 4472 wrote to memory of 2180 4472 4066004.exe 86 PID 2180 wrote to memory of 1020 2180 pjdvp.exe 87 PID 2180 wrote to memory of 1020 2180 pjdvp.exe 87 PID 2180 wrote to memory of 1020 2180 pjdvp.exe 87 PID 1020 wrote to memory of 2340 1020 vpvpj.exe 88 PID 1020 wrote to memory of 2340 1020 vpvpj.exe 88 PID 1020 wrote to memory of 2340 1020 vpvpj.exe 88 PID 2340 wrote to memory of 4276 2340 tbnbtn.exe 89 PID 2340 wrote to memory of 4276 2340 tbnbtn.exe 89 PID 2340 wrote to memory of 4276 2340 tbnbtn.exe 89 PID 4276 wrote to memory of 3704 4276 rllfxrl.exe 90 PID 4276 wrote to memory of 3704 4276 rllfxrl.exe 90 PID 4276 wrote to memory of 3704 4276 rllfxrl.exe 90 PID 3704 wrote to memory of 4428 3704 80604.exe 91 PID 3704 wrote to memory of 4428 3704 80604.exe 91 PID 3704 wrote to memory of 4428 3704 80604.exe 91 PID 4428 wrote to memory of 3508 4428 266262.exe 92 PID 4428 wrote to memory of 3508 4428 266262.exe 92 PID 4428 wrote to memory of 3508 4428 266262.exe 92 PID 3508 wrote to memory of 1328 3508 086000.exe 93 PID 3508 wrote to memory of 1328 3508 086000.exe 93 PID 3508 wrote to memory of 1328 3508 086000.exe 93 PID 1328 wrote to memory of 2868 1328 422604.exe 94 PID 1328 wrote to memory of 2868 
1328 422604.exe 94 PID 1328 wrote to memory of 2868 1328 422604.exe 94 PID 2868 wrote to memory of 5016 2868 btbhhn.exe 95 PID 2868 wrote to memory of 5016 2868 btbhhn.exe 95 PID 2868 wrote to memory of 5016 2868 btbhhn.exe 95 PID 5016 wrote to memory of 1952 5016 280606.exe 96 PID 5016 wrote to memory of 1952 5016 280606.exe 96 PID 5016 wrote to memory of 1952 5016 280606.exe 96 PID 1952 wrote to memory of 2804 1952 86004.exe 97 PID 1952 wrote to memory of 2804 1952 86004.exe 97 PID 1952 wrote to memory of 2804 1952 86004.exe 97 PID 2804 wrote to memory of 2080 2804 nbbtnh.exe 98 PID 2804 wrote to memory of 2080 2804 nbbtnh.exe 98 PID 2804 wrote to memory of 2080 2804 nbbtnh.exe 98 PID 2080 wrote to memory of 2060 2080 2864260.exe 99 PID 2080 wrote to memory of 2060 2080 2864260.exe 99 PID 2080 wrote to memory of 2060 2080 2864260.exe 99 PID 2060 wrote to memory of 1748 2060 6806242.exe 100 PID 2060 wrote to memory of 1748 2060 6806242.exe 100 PID 2060 wrote to memory of 1748 2060 6806242.exe 100 PID 1748 wrote to memory of 1652 1748 jvdvv.exe 101 PID 1748 wrote to memory of 1652 1748 jvdvv.exe 101 PID 1748 wrote to memory of 1652 1748 jvdvv.exe 101 PID 1652 wrote to memory of 1420 1652 02200.exe 102 PID 1652 wrote to memory of 1420 1652 02200.exe 102 PID 1652 wrote to memory of 1420 1652 02200.exe 102 PID 1420 wrote to memory of 3864 1420 2022662.exe 103 PID 1420 wrote to memory of 3864 1420 2022662.exe 103 PID 1420 wrote to memory of 3864 1420 2022662.exe 103 PID 3864 wrote to memory of 1932 3864 24488.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\37c005ca98f6ba1e84c6487c9a7d6c206ede6656219cdc9d420adcd989a9569a.exe"C:\Users\Admin\AppData\Local\Temp\37c005ca98f6ba1e84c6487c9a7d6c206ede6656219cdc9d420adcd989a9569a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\w62004.exec:\w62004.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\pjdvp.exec:\pjdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\4066004.exec:\4066004.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\pjdvp.exec:\pjdvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\vpvpj.exec:\vpvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\tbnbtn.exec:\tbnbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\rllfxrl.exec:\rllfxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\80604.exec:\80604.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\266262.exec:\266262.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\086000.exec:\086000.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\422604.exec:\422604.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\btbhhn.exec:\btbhhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\280606.exec:\280606.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\86004.exec:\86004.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\nbbtnh.exec:\nbbtnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\2864260.exec:\2864260.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\6806242.exec:\6806242.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\jvdvv.exec:\jvdvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\02200.exec:\02200.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\2022662.exec:\2022662.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\24488.exec:\24488.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\s0082.exec:\s0082.exe23⤵
- Executes dropped EXE
PID:1932 -
\??\c:\i842604.exec:\i842604.exe24⤵
- Executes dropped EXE
PID:2152 -
\??\c:\5vjvj.exec:\5vjvj.exe25⤵
- Executes dropped EXE
PID:5052 -
\??\c:\882882.exec:\882882.exe26⤵
- Executes dropped EXE
PID:1048 -
\??\c:\ttthnn.exec:\ttthnn.exe27⤵
- Executes dropped EXE
PID:3420 -
\??\c:\ddjvj.exec:\ddjvj.exe28⤵
- Executes dropped EXE
PID:5068 -
\??\c:\6242002.exec:\6242002.exe29⤵
- Executes dropped EXE
PID:692 -
\??\c:\rlfrflx.exec:\rlfrflx.exe30⤵
- Executes dropped EXE
PID:2472 -
\??\c:\8044880.exec:\8044880.exe31⤵
- Executes dropped EXE
PID:3536 -
\??\c:\1tnbnh.exec:\1tnbnh.exe32⤵
- Executes dropped EXE
PID:4128 -
\??\c:\dpjvj.exec:\dpjvj.exe33⤵
- Executes dropped EXE
PID:2012 -
\??\c:\2664208.exec:\2664208.exe34⤵
- Executes dropped EXE
PID:4892 -
\??\c:\vdjdp.exec:\vdjdp.exe35⤵
- Executes dropped EXE
PID:4844 -
\??\c:\60086.exec:\60086.exe36⤵
- Executes dropped EXE
PID:1460 -
\??\c:\g2088.exec:\g2088.exe37⤵
- Executes dropped EXE
PID:872 -
\??\c:\lfxrlll.exec:\lfxrlll.exe38⤵
- Executes dropped EXE
PID:1660 -
\??\c:\2068444.exec:\2068444.exe39⤵
- Executes dropped EXE
PID:2260 -
\??\c:\pddvp.exec:\pddvp.exe40⤵
- Executes dropped EXE
PID:4644 -
\??\c:\nbthth.exec:\nbthth.exe41⤵
- Executes dropped EXE
PID:1168 -
\??\c:\rxxrfrr.exec:\rxxrfrr.exe42⤵
- Executes dropped EXE
PID:4476 -
\??\c:\80422.exec:\80422.exe43⤵
- Executes dropped EXE
PID:3924 -
\??\c:\rxrlflf.exec:\rxrlflf.exe44⤵
- Executes dropped EXE
PID:348 -
\??\c:\s8048.exec:\s8048.exe45⤵
- Executes dropped EXE
PID:4144 -
\??\c:\fxlxllf.exec:\fxlxllf.exe46⤵
- Executes dropped EXE
PID:1524 -
\??\c:\s0644.exec:\s0644.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:440 -
\??\c:\dpdvp.exec:\dpdvp.exe48⤵
- Executes dropped EXE
PID:2584 -
\??\c:\846484.exec:\846484.exe49⤵
- Executes dropped EXE
PID:1360 -
\??\c:\bnnbnb.exec:\bnnbnb.exe50⤵
- Executes dropped EXE
PID:3188 -
\??\c:\xfrfxrl.exec:\xfrfxrl.exe51⤵
- Executes dropped EXE
PID:2340 -
\??\c:\4060488.exec:\4060488.exe52⤵
- Executes dropped EXE
PID:3504 -
\??\c:\jjvpj.exec:\jjvpj.exe53⤵
- Executes dropped EXE
PID:3968 -
\??\c:\6288282.exec:\6288282.exe54⤵
- Executes dropped EXE
PID:4552 -
\??\c:\48048.exec:\48048.exe55⤵
- Executes dropped EXE
PID:3756 -
\??\c:\8804226.exec:\8804226.exe56⤵
- Executes dropped EXE
PID:216 -
\??\c:\8682262.exec:\8682262.exe57⤵
- Executes dropped EXE
PID:4320 -
\??\c:\thhbtt.exec:\thhbtt.exe58⤵
- Executes dropped EXE
PID:336 -
\??\c:\7fxrffx.exec:\7fxrffx.exe59⤵
- Executes dropped EXE
PID:4544 -
\??\c:\4626004.exec:\4626004.exe60⤵
- Executes dropped EXE
PID:4408 -
\??\c:\422040.exec:\422040.exe61⤵
- Executes dropped EXE
PID:3248 -
\??\c:\nntnbb.exec:\nntnbb.exe62⤵
- Executes dropped EXE
PID:1940 -
\??\c:\llxlfxr.exec:\llxlfxr.exe63⤵
- Executes dropped EXE
PID:1844 -
\??\c:\xrlfrlx.exec:\xrlfrlx.exe64⤵
- Executes dropped EXE
PID:2412 -
\??\c:\48826.exec:\48826.exe65⤵
- Executes dropped EXE
PID:2248 -
\??\c:\7ffxlrl.exec:\7ffxlrl.exe66⤵PID:2808
-
\??\c:\44606.exec:\44606.exe67⤵PID:4176
-
\??\c:\thhhnh.exec:\thhhnh.exe68⤵PID:2856
-
\??\c:\tnttbb.exec:\tnttbb.exe69⤵PID:2400
-
\??\c:\djpdv.exec:\djpdv.exe70⤵PID:2036
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe71⤵PID:1956
-
\??\c:\xffrfrl.exec:\xffrfrl.exe72⤵PID:436
-
\??\c:\lfrlfxr.exec:\lfrlfxr.exe73⤵PID:4836
-
\??\c:\2204826.exec:\2204826.exe74⤵PID:3184
-
\??\c:\424648.exec:\424648.exe75⤵PID:4616
-
\??\c:\40642.exec:\40642.exe76⤵PID:4308
-
\??\c:\9xrrffx.exec:\9xrrffx.exe77⤵PID:2588
-
\??\c:\02208.exec:\02208.exe78⤵PID:756
-
\??\c:\6442822.exec:\6442822.exe79⤵PID:3080
-
\??\c:\828266.exec:\828266.exe80⤵PID:2292
-
\??\c:\3bbntn.exec:\3bbntn.exe81⤵PID:5040
-
\??\c:\006600.exec:\006600.exe82⤵PID:868
-
\??\c:\frrlxxl.exec:\frrlxxl.exe83⤵PID:1812
-
\??\c:\hhhttn.exec:\hhhttn.exe84⤵PID:5052
-
\??\c:\s0602.exec:\s0602.exe85⤵PID:4908
-
\??\c:\4400488.exec:\4400488.exe86⤵PID:2088
-
\??\c:\08860.exec:\08860.exe87⤵PID:5108
-
\??\c:\fffxlfx.exec:\fffxlfx.exe88⤵PID:700
-
\??\c:\440482.exec:\440482.exe89⤵PID:372
-
\??\c:\dvpjj.exec:\dvpjj.exe90⤵PID:2688
-
\??\c:\xxxlxfx.exec:\xxxlxfx.exe91⤵PID:608
-
\??\c:\rxfxrll.exec:\rxfxrll.exe92⤵PID:1816
-
\??\c:\466460.exec:\466460.exe93⤵PID:3472
-
\??\c:\e88248.exec:\e88248.exe94⤵PID:3176
-
\??\c:\nnnbnt.exec:\nnnbnt.exe95⤵PID:2092
-
\??\c:\c626644.exec:\c626644.exe96⤵PID:3588
-
\??\c:\006404.exec:\006404.exe97⤵PID:5096
-
\??\c:\jdpjj.exec:\jdpjj.exe98⤵PID:4768
-
\??\c:\dpvjj.exec:\dpvjj.exe99⤵PID:4036
-
\??\c:\jppdp.exec:\jppdp.exe100⤵PID:2056
-
\??\c:\frxflfr.exec:\frxflfr.exe101⤵PID:1824
-
\??\c:\lffrfrf.exec:\lffrfrf.exe102⤵PID:3228
-
\??\c:\206048.exec:\206048.exe103⤵PID:3428
-
\??\c:\0820208.exec:\0820208.exe104⤵PID:4488
-
\??\c:\260460.exec:\260460.exe105⤵PID:4352
-
\??\c:\jddvd.exec:\jddvd.exe106⤵PID:3100
-
\??\c:\k06424.exec:\k06424.exe107⤵
- System Location Discovery: System Language Discovery
PID:1520 -
\??\c:\9thtbt.exec:\9thtbt.exe108⤵PID:3924
-
\??\c:\xlflxlx.exec:\xlflxlx.exe109⤵PID:348
-
\??\c:\02826.exec:\02826.exe110⤵PID:1452
-
\??\c:\o444844.exec:\o444844.exe111⤵
- System Location Discovery: System Language Discovery
PID:1524 -
\??\c:\868206.exec:\868206.exe112⤵PID:440
-
\??\c:\808406.exec:\808406.exe113⤵PID:1784
-
\??\c:\dppjd.exec:\dppjd.exe114⤵PID:1432
-
\??\c:\480628.exec:\480628.exe115⤵PID:2596
-
\??\c:\dvpjj.exec:\dvpjj.exe116⤵PID:1084
-
\??\c:\rfxlrlx.exec:\rfxlrlx.exe117⤵PID:1464
-
\??\c:\tttbth.exec:\tttbth.exe118⤵PID:100
-
\??\c:\jdjpd.exec:\jdjpd.exe119⤵PID:1600
-
\??\c:\rfffrlf.exec:\rfffrlf.exe120⤵PID:3948
-
\??\c:\8620404.exec:\8620404.exe121⤵PID:4420
-
\??\c:\4882086.exec:\4882086.exe122⤵PID:4456
-