Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 23:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
518b91b19264b7bf5892ff68de664f3c8e4db4659ae05534259dd927a9d48c3e.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
518b91b19264b7bf5892ff68de664f3c8e4db4659ae05534259dd927a9d48c3e.exe
-
Size
454KB
-
MD5
6ccbdd72fc864773cc3a3380a866545a
-
SHA1
d059e5ecc82f7ce23a44ffbe9af3dfdd80bce032
-
SHA256
518b91b19264b7bf5892ff68de664f3c8e4db4659ae05534259dd927a9d48c3e
-
SHA512
75ff9bf541dee70bf8c322594ea932794bf7106e3a25549e3e4155b2ebdf9bdd36ba4aceff9ca73bcae61f8add857b9b6d39a969b1e73bcdc63179ba342657c2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH:q7Tc2NYHUrAwfMp3CDH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1840-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3736-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3088-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-1319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-1694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3340 ppvjv.exe 1840 i408604.exe 1920 2nhtt.exe 2908 jpdjj.exe 1324 flrxxfx.exe 1264 rflxrrr.exe 392 pjppv.exe 1688 pdddv.exe 2496 pdppj.exe 1696 tntnbt.exe 2368 0208024.exe 4612 602840.exe 4272 64608.exe 5096 6220426.exe 5040 04848.exe 4516 a8264.exe 3736 04086.exe 388 djjvj.exe 2432 bhtbbb.exe 428 7bthnh.exe 3308 20426.exe 4700 00420.exe 1616 8626262.exe 1116 9xxllrl.exe 4768 ntbhnt.exe 2948 djvpd.exe 5024 hnnnth.exe 4972 pdpjv.exe 4568 frlflfl.exe 2600 40208.exe 3388 frrxrlf.exe 2572 vvvvp.exe 3392 0826404.exe 1712 lxfrrll.exe 2880 vvdvv.exe 4788 btnbtn.exe 2768 26604.exe 912 6222066.exe 1728 w06420.exe 4652 tnhthn.exe 5100 462848.exe 2612 9nnbtn.exe 3264 44604.exe 1472 3hhtht.exe 3656 rrxfrrx.exe 1000 044660.exe 3856 frxflrl.exe 2316 dppdv.exe 316 400048.exe 4416 pjpjj.exe 1864 dddvv.exe 4084 2440408.exe 4420 48228.exe 2440 6226046.exe 1920 46660.exe 5092 jvvvp.exe 3864 vdjjd.exe 1912 nnnhhh.exe 2508 e80822.exe 4528 hhnhbh.exe 524 802624.exe 1688 rxfxxxx.exe 4344 g8426.exe 2496 824006.exe -
resource yara_rule behavioral2/memory/1840-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-115-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/388-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-347-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/720-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-738-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhhh.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0864820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k02666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 682648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 3340 2124 518b91b19264b7bf5892ff68de664f3c8e4db4659ae05534259dd927a9d48c3e.exe 83 PID 2124 wrote to memory of 3340 2124 518b91b19264b7bf5892ff68de664f3c8e4db4659ae05534259dd927a9d48c3e.exe 83 PID 2124 wrote to memory of 3340 2124 518b91b19264b7bf5892ff68de664f3c8e4db4659ae05534259dd927a9d48c3e.exe 83 PID 3340 wrote to memory of 1840 3340 ppvjv.exe 84 PID 3340 wrote to memory of 1840 3340 ppvjv.exe 84 PID 3340 wrote to memory of 1840 3340 ppvjv.exe 84 PID 1840 wrote to memory of 1920 1840 i408604.exe 85 PID 1840 wrote to memory of 1920 1840 i408604.exe 85 PID 1840 wrote to memory of 1920 1840 i408604.exe 85 PID 1920 wrote to memory of 2908 1920 2nhtt.exe 86 PID 1920 wrote to memory of 2908 1920 2nhtt.exe 86 PID 1920 wrote to memory of 2908 1920 2nhtt.exe 86 PID 2908 wrote to memory of 1324 2908 jpdjj.exe 87 PID 2908 wrote to memory of 1324 2908 jpdjj.exe 87 PID 2908 wrote to memory of 1324 2908 jpdjj.exe 87 PID 1324 wrote to memory of 1264 1324 flrxxfx.exe 88 PID 1324 wrote to memory of 1264 1324 flrxxfx.exe 88 PID 1324 wrote to memory of 1264 1324 flrxxfx.exe 88 PID 1264 wrote to memory of 392 1264 rflxrrr.exe 89 PID 1264 wrote to memory of 392 1264 rflxrrr.exe 89 PID 1264 wrote to memory of 392 1264 rflxrrr.exe 89 PID 392 wrote to memory of 1688 392 pjppv.exe 90 PID 392 wrote to memory of 1688 392 pjppv.exe 90 PID 392 wrote to memory of 1688 392 pjppv.exe 90 PID 1688 wrote to memory of 2496 1688 pdddv.exe 91 PID 1688 wrote to memory of 2496 1688 pdddv.exe 91 PID 1688 wrote to memory of 2496 1688 pdddv.exe 91 PID 2496 wrote to memory of 1696 2496 pdppj.exe 92 PID 2496 wrote to memory of 1696 2496 pdppj.exe 92 PID 2496 wrote to memory of 1696 2496 pdppj.exe 92 PID 1696 wrote to memory of 2368 1696 tntnbt.exe 93 PID 1696 wrote to memory of 2368 1696 tntnbt.exe 93 PID 1696 wrote to memory of 2368 1696 tntnbt.exe 93 PID 2368 wrote to memory of 4612 2368 0208024.exe 94 PID 2368 wrote to memory of 4612 
2368 0208024.exe 94 PID 2368 wrote to memory of 4612 2368 0208024.exe 94 PID 4612 wrote to memory of 4272 4612 602840.exe 95 PID 4612 wrote to memory of 4272 4612 602840.exe 95 PID 4612 wrote to memory of 4272 4612 602840.exe 95 PID 4272 wrote to memory of 5096 4272 64608.exe 96 PID 4272 wrote to memory of 5096 4272 64608.exe 96 PID 4272 wrote to memory of 5096 4272 64608.exe 96 PID 5096 wrote to memory of 5040 5096 6220426.exe 97 PID 5096 wrote to memory of 5040 5096 6220426.exe 97 PID 5096 wrote to memory of 5040 5096 6220426.exe 97 PID 5040 wrote to memory of 4516 5040 04848.exe 98 PID 5040 wrote to memory of 4516 5040 04848.exe 98 PID 5040 wrote to memory of 4516 5040 04848.exe 98 PID 4516 wrote to memory of 3736 4516 a8264.exe 99 PID 4516 wrote to memory of 3736 4516 a8264.exe 99 PID 4516 wrote to memory of 3736 4516 a8264.exe 99 PID 3736 wrote to memory of 388 3736 04086.exe 100 PID 3736 wrote to memory of 388 3736 04086.exe 100 PID 3736 wrote to memory of 388 3736 04086.exe 100 PID 388 wrote to memory of 2432 388 djjvj.exe 101 PID 388 wrote to memory of 2432 388 djjvj.exe 101 PID 388 wrote to memory of 2432 388 djjvj.exe 101 PID 2432 wrote to memory of 428 2432 bhtbbb.exe 102 PID 2432 wrote to memory of 428 2432 bhtbbb.exe 102 PID 2432 wrote to memory of 428 2432 bhtbbb.exe 102 PID 428 wrote to memory of 3308 428 7bthnh.exe 103 PID 428 wrote to memory of 3308 428 7bthnh.exe 103 PID 428 wrote to memory of 3308 428 7bthnh.exe 103 PID 3308 wrote to memory of 4700 3308 20426.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\518b91b19264b7bf5892ff68de664f3c8e4db4659ae05534259dd927a9d48c3e.exe"C:\Users\Admin\AppData\Local\Temp\518b91b19264b7bf5892ff68de664f3c8e4db4659ae05534259dd927a9d48c3e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\ppvjv.exec:\ppvjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\i408604.exec:\i408604.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\2nhtt.exec:\2nhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\jpdjj.exec:\jpdjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\flrxxfx.exec:\flrxxfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\rflxrrr.exec:\rflxrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\pjppv.exec:\pjppv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\pdddv.exec:\pdddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\pdppj.exec:\pdppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\tntnbt.exec:\tntnbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\0208024.exec:\0208024.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\602840.exec:\602840.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\64608.exec:\64608.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\6220426.exec:\6220426.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\04848.exec:\04848.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\a8264.exec:\a8264.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\04086.exec:\04086.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\djjvj.exec:\djjvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\bhtbbb.exec:\bhtbbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\7bthnh.exec:\7bthnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\20426.exec:\20426.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\00420.exec:\00420.exe23⤵
- Executes dropped EXE
PID:4700 -
\??\c:\8626262.exec:\8626262.exe24⤵
- Executes dropped EXE
PID:1616 -
\??\c:\9xxllrl.exec:\9xxllrl.exe25⤵
- Executes dropped EXE
PID:1116 -
\??\c:\ntbhnt.exec:\ntbhnt.exe26⤵
- Executes dropped EXE
PID:4768 -
\??\c:\djvpd.exec:\djvpd.exe27⤵
- Executes dropped EXE
PID:2948 -
\??\c:\hnnnth.exec:\hnnnth.exe28⤵
- Executes dropped EXE
PID:5024 -
\??\c:\pdpjv.exec:\pdpjv.exe29⤵
- Executes dropped EXE
PID:4972 -
\??\c:\frlflfl.exec:\frlflfl.exe30⤵
- Executes dropped EXE
PID:4568 -
\??\c:\40208.exec:\40208.exe31⤵
- Executes dropped EXE
PID:2600 -
\??\c:\frrxrlf.exec:\frrxrlf.exe32⤵
- Executes dropped EXE
PID:3388 -
\??\c:\vvvvp.exec:\vvvvp.exe33⤵
- Executes dropped EXE
PID:2572 -
\??\c:\0826404.exec:\0826404.exe34⤵
- Executes dropped EXE
PID:3392 -
\??\c:\lxfrrll.exec:\lxfrrll.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
\??\c:\vvdvv.exec:\vvdvv.exe36⤵
- Executes dropped EXE
PID:2880 -
\??\c:\btnbtn.exec:\btnbtn.exe37⤵
- Executes dropped EXE
PID:4788 -
\??\c:\26604.exec:\26604.exe38⤵
- Executes dropped EXE
PID:2768 -
\??\c:\6222066.exec:\6222066.exe39⤵
- Executes dropped EXE
PID:912 -
\??\c:\w06420.exec:\w06420.exe40⤵
- Executes dropped EXE
PID:1728 -
\??\c:\tnhthn.exec:\tnhthn.exe41⤵
- Executes dropped EXE
PID:4652 -
\??\c:\462848.exec:\462848.exe42⤵
- Executes dropped EXE
PID:5100 -
\??\c:\9nnbtn.exec:\9nnbtn.exe43⤵
- Executes dropped EXE
PID:2612 -
\??\c:\44604.exec:\44604.exe44⤵
- Executes dropped EXE
PID:3264 -
\??\c:\3hhtht.exec:\3hhtht.exe45⤵
- Executes dropped EXE
PID:1472 -
\??\c:\rrxfrrx.exec:\rrxfrrx.exe46⤵
- Executes dropped EXE
PID:3656 -
\??\c:\044660.exec:\044660.exe47⤵
- Executes dropped EXE
PID:1000 -
\??\c:\frxflrl.exec:\frxflrl.exe48⤵
- Executes dropped EXE
PID:3856 -
\??\c:\dppdv.exec:\dppdv.exe49⤵
- Executes dropped EXE
PID:2316 -
\??\c:\400048.exec:\400048.exe50⤵
- Executes dropped EXE
PID:316 -
\??\c:\pjpjj.exec:\pjpjj.exe51⤵
- Executes dropped EXE
PID:4416 -
\??\c:\dddvv.exec:\dddvv.exe52⤵
- Executes dropped EXE
PID:1864 -
\??\c:\2440408.exec:\2440408.exe53⤵
- Executes dropped EXE
PID:4084 -
\??\c:\48228.exec:\48228.exe54⤵
- Executes dropped EXE
PID:4420 -
\??\c:\6226046.exec:\6226046.exe55⤵
- Executes dropped EXE
PID:2440 -
\??\c:\46660.exec:\46660.exe56⤵
- Executes dropped EXE
PID:1920 -
\??\c:\jvvvp.exec:\jvvvp.exe57⤵
- Executes dropped EXE
PID:5092 -
\??\c:\vdjjd.exec:\vdjjd.exe58⤵
- Executes dropped EXE
PID:3864 -
\??\c:\nnnhhh.exec:\nnnhhh.exe59⤵
- Executes dropped EXE
PID:1912 -
\??\c:\e80822.exec:\e80822.exe60⤵
- Executes dropped EXE
PID:2508 -
\??\c:\hhnhbh.exec:\hhnhbh.exe61⤵
- Executes dropped EXE
PID:4528 -
\??\c:\802624.exec:\802624.exe62⤵
- Executes dropped EXE
PID:524 -
\??\c:\rxfxxxx.exec:\rxfxxxx.exe63⤵
- Executes dropped EXE
PID:1688 -
\??\c:\g8426.exec:\g8426.exe64⤵
- Executes dropped EXE
PID:4344 -
\??\c:\824006.exec:\824006.exe65⤵
- Executes dropped EXE
PID:2496 -
\??\c:\08026.exec:\08026.exe66⤵PID:1588
-
\??\c:\lfllffx.exec:\lfllffx.exe67⤵PID:1512
-
\??\c:\rflxrlx.exec:\rflxrlx.exe68⤵PID:4116
-
\??\c:\7lfxxfx.exec:\7lfxxfx.exe69⤵PID:208
-
\??\c:\fllrflx.exec:\fllrflx.exe70⤵PID:3304
-
\??\c:\ffxrllx.exec:\ffxrllx.exe71⤵PID:3844
-
\??\c:\vdpdv.exec:\vdpdv.exe72⤵PID:540
-
\??\c:\xrllrrx.exec:\xrllrrx.exe73⤵PID:3964
-
\??\c:\26406.exec:\26406.exe74⤵PID:4540
-
\??\c:\jjdjd.exec:\jjdjd.exe75⤵PID:3252
-
\??\c:\dppjj.exec:\dppjj.exe76⤵PID:2284
-
\??\c:\84488.exec:\84488.exe77⤵PID:4496
-
\??\c:\pjjdp.exec:\pjjdp.exe78⤵PID:312
-
\??\c:\24404.exec:\24404.exe79⤵PID:3088
-
\??\c:\1vppp.exec:\1vppp.exe80⤵PID:3680
-
\??\c:\dddvp.exec:\dddvp.exe81⤵PID:1408
-
\??\c:\xrlxffl.exec:\xrlxffl.exe82⤵PID:1616
-
\??\c:\i684848.exec:\i684848.exe83⤵PID:2044
-
\??\c:\22664.exec:\22664.exe84⤵PID:4196
-
\??\c:\ddpdj.exec:\ddpdj.exe85⤵PID:1396
-
\??\c:\tbtnnh.exec:\tbtnnh.exe86⤵PID:2460
-
\??\c:\5pjpp.exec:\5pjpp.exe87⤵PID:4948
-
\??\c:\888626.exec:\888626.exe88⤵PID:1416
-
\??\c:\0004422.exec:\0004422.exe89⤵PID:1420
-
\??\c:\lxrrfrl.exec:\lxrrfrl.exe90⤵PID:976
-
\??\c:\2286482.exec:\2286482.exe91⤵PID:3148
-
\??\c:\nbtbnh.exec:\nbtbnh.exe92⤵PID:3772
-
\??\c:\nnthbt.exec:\nnthbt.exe93⤵PID:720
-
\??\c:\6042482.exec:\6042482.exe94⤵PID:3032
-
\??\c:\rfxrfxr.exec:\rfxrfxr.exe95⤵PID:3828
-
\??\c:\vvdvj.exec:\vvdvj.exe96⤵PID:4472
-
\??\c:\btnthb.exec:\btnthb.exe97⤵PID:3520
-
\??\c:\228642.exec:\228642.exe98⤵PID:3956
-
\??\c:\06486.exec:\06486.exe99⤵PID:1676
-
\??\c:\btnnhn.exec:\btnnhn.exe100⤵PID:5112
-
\??\c:\444264.exec:\444264.exe101⤵PID:1100
-
\??\c:\xxlxxrf.exec:\xxlxxrf.exe102⤵PID:2696
-
\??\c:\lllxlxr.exec:\lllxlxr.exe103⤵PID:3324
-
\??\c:\1lfrfxr.exec:\1lfrfxr.exe104⤵PID:1900
-
\??\c:\rrrrlff.exec:\rrrrlff.exe105⤵PID:5100
-
\??\c:\9jjvj.exec:\9jjvj.exe106⤵PID:4488
-
\??\c:\xllxlfr.exec:\xllxlfr.exe107⤵PID:4244
-
\??\c:\rrrlxrl.exec:\rrrlxrl.exe108⤵PID:100
-
\??\c:\jdjdd.exec:\jdjdd.exe109⤵PID:2756
-
\??\c:\6640084.exec:\6640084.exe110⤵PID:1928
-
\??\c:\lrxfxxl.exec:\lrxfxxl.exe111⤵PID:4880
-
\??\c:\08444.exec:\08444.exe112⤵PID:4424
-
\??\c:\24802.exec:\24802.exe113⤵PID:316
-
\??\c:\0282004.exec:\0282004.exe114⤵PID:4500
-
\??\c:\6442608.exec:\6442608.exe115⤵PID:4644
-
\??\c:\84420.exec:\84420.exe116⤵PID:736
-
\??\c:\hnthht.exec:\hnthht.exe117⤵PID:3268
-
\??\c:\1rxlfxl.exec:\1rxlfxl.exe118⤵PID:2440
-
\??\c:\u060488.exec:\u060488.exe119⤵PID:3768
-
\??\c:\htnbnb.exec:\htnbnb.exe120⤵PID:544
-
\??\c:\5pdpd.exec:\5pdpd.exe121⤵PID:1324
-
\??\c:\nhnhtn.exec:\nhnhtn.exe122⤵PID:4316
-