Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28/12/2024, 23:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
604a4c97837ddd2224abc077de72e18b0d61ddd3f9252631bed47deb1d97e317.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
604a4c97837ddd2224abc077de72e18b0d61ddd3f9252631bed47deb1d97e317.exe
-
Size
456KB
-
MD5
287160b4f673db6405eaa4d7d2f603cf
-
SHA1
61cc75af6563cc11f8285b300982eced3a4a7b20
-
SHA256
604a4c97837ddd2224abc077de72e18b0d61ddd3f9252631bed47deb1d97e317
-
SHA512
149800242c9e1f02dd5cb5504965194d6805b4004ea5ded782eddeccb4defa2a72e57aa129b968193a19109aeaad12b2b3d7c70a491088548db3b0de66891ef6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR7:q7Tc2NYHUrAwfMp3CDR7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4296-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3488-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1600-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-778-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-896-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-957-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-997-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2844-1539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 972 04040.exe 1732 vpdvp.exe 636 204048.exe 2012 lfffxxx.exe 4216 e68222.exe 4540 82422.exe 1468 2226044.exe 4684 tbttnn.exe 4920 48820.exe 2660 8626048.exe 4652 c220882.exe 508 xflxlfr.exe 4588 6426448.exe 4376 284826.exe 1216 ddjjp.exe 4992 lxxxrrl.exe 5004 606404.exe 4056 rffxllx.exe 4256 208888.exe 1444 44082.exe 4996 vpdvd.exe 1532 66626.exe 4548 e84642.exe 948 068620.exe 4292 8024220.exe 3316 8860820.exe 3068 86600.exe 360 vpdvp.exe 3488 864626.exe 3640 6664264.exe 4592 lxxllfx.exe 3764 tbhbnb.exe 4888 6226004.exe 1260 rlrlffx.exe 1324 s8040.exe 2528 nhhbtt.exe 2488 vpjdj.exe 1772 i620448.exe 3464 00604.exe 2788 6864488.exe 4328 rlfxrlf.exe 4316 0620442.exe 4912 8686486.exe 972 xxxrrrf.exe 2908 0848204.exe 1252 486066.exe 2688 0808426.exe 444 jvpdv.exe 2916 86608.exe 4216 rllfxxr.exe 3720 7djdp.exe 4540 bhnbbh.exe 4604 82484.exe 2092 dvvpj.exe 2200 djjjd.exe 1844 k60822.exe 4008 hbtnhb.exe 3592 jjjpj.exe 4632 htnttb.exe 3856 rrlfrrl.exe 1392 266040.exe 4860 w46644.exe 760 thbhtn.exe 1436 4462660.exe -
resource yara_rule behavioral2/memory/4296-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3488-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-363-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/904-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-676-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 020844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o226448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8288488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4296 wrote to memory of 972 4296 604a4c97837ddd2224abc077de72e18b0d61ddd3f9252631bed47deb1d97e317.exe 83 PID 4296 wrote to memory of 972 4296 604a4c97837ddd2224abc077de72e18b0d61ddd3f9252631bed47deb1d97e317.exe 83 PID 4296 wrote to memory of 972 4296 604a4c97837ddd2224abc077de72e18b0d61ddd3f9252631bed47deb1d97e317.exe 83 PID 972 wrote to memory of 1732 972 04040.exe 84 PID 972 wrote to memory of 1732 972 04040.exe 84 PID 972 wrote to memory of 1732 972 04040.exe 84 PID 1732 wrote to memory of 636 1732 vpdvp.exe 85 PID 1732 wrote to memory of 636 1732 vpdvp.exe 85 PID 1732 wrote to memory of 636 1732 vpdvp.exe 85 PID 636 wrote to memory of 2012 636 204048.exe 86 PID 636 wrote to memory of 2012 636 204048.exe 86 PID 636 wrote to memory of 2012 636 204048.exe 86 PID 2012 wrote to memory of 4216 2012 lfffxxx.exe 87 PID 2012 wrote to memory of 4216 2012 lfffxxx.exe 87 PID 2012 wrote to memory of 4216 2012 lfffxxx.exe 87 PID 4216 wrote to memory of 4540 4216 e68222.exe 88 PID 4216 wrote to memory of 4540 4216 e68222.exe 88 PID 4216 wrote to memory of 4540 4216 e68222.exe 88 PID 4540 wrote to memory of 1468 4540 82422.exe 89 PID 4540 wrote to memory of 1468 4540 82422.exe 89 PID 4540 wrote to memory of 1468 4540 82422.exe 89 PID 1468 wrote to memory of 4684 1468 2226044.exe 90 PID 1468 wrote to memory of 4684 1468 2226044.exe 90 PID 1468 wrote to memory of 4684 1468 2226044.exe 90 PID 4684 wrote to memory of 4920 4684 tbttnn.exe 91 PID 4684 wrote to memory of 4920 4684 tbttnn.exe 91 PID 4684 wrote to memory of 4920 4684 tbttnn.exe 91 PID 4920 wrote to memory of 2660 4920 48820.exe 92 PID 4920 wrote to memory of 2660 4920 48820.exe 92 PID 4920 wrote to memory of 2660 4920 48820.exe 92 PID 2660 wrote to memory of 4652 2660 8626048.exe 93 PID 2660 wrote to memory of 4652 2660 8626048.exe 93 PID 2660 wrote to memory of 4652 2660 8626048.exe 93 PID 4652 wrote to memory of 508 4652 c220882.exe 94 PID 4652 wrote to memory of 508 4652 
c220882.exe 94 PID 4652 wrote to memory of 508 4652 c220882.exe 94 PID 508 wrote to memory of 4588 508 xflxlfr.exe 95 PID 508 wrote to memory of 4588 508 xflxlfr.exe 95 PID 508 wrote to memory of 4588 508 xflxlfr.exe 95 PID 4588 wrote to memory of 4376 4588 6426448.exe 96 PID 4588 wrote to memory of 4376 4588 6426448.exe 96 PID 4588 wrote to memory of 4376 4588 6426448.exe 96 PID 4376 wrote to memory of 1216 4376 284826.exe 97 PID 4376 wrote to memory of 1216 4376 284826.exe 97 PID 4376 wrote to memory of 1216 4376 284826.exe 97 PID 1216 wrote to memory of 4992 1216 ddjjp.exe 98 PID 1216 wrote to memory of 4992 1216 ddjjp.exe 98 PID 1216 wrote to memory of 4992 1216 ddjjp.exe 98 PID 4992 wrote to memory of 5004 4992 lxxxrrl.exe 99 PID 4992 wrote to memory of 5004 4992 lxxxrrl.exe 99 PID 4992 wrote to memory of 5004 4992 lxxxrrl.exe 99 PID 5004 wrote to memory of 4056 5004 606404.exe 100 PID 5004 wrote to memory of 4056 5004 606404.exe 100 PID 5004 wrote to memory of 4056 5004 606404.exe 100 PID 4056 wrote to memory of 4256 4056 rffxllx.exe 101 PID 4056 wrote to memory of 4256 4056 rffxllx.exe 101 PID 4056 wrote to memory of 4256 4056 rffxllx.exe 101 PID 4256 wrote to memory of 1444 4256 208888.exe 102 PID 4256 wrote to memory of 1444 4256 208888.exe 102 PID 4256 wrote to memory of 1444 4256 208888.exe 102 PID 1444 wrote to memory of 4996 1444 44082.exe 103 PID 1444 wrote to memory of 4996 1444 44082.exe 103 PID 1444 wrote to memory of 4996 1444 44082.exe 103 PID 4996 wrote to memory of 1532 4996 vpdvd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\604a4c97837ddd2224abc077de72e18b0d61ddd3f9252631bed47deb1d97e317.exe"C:\Users\Admin\AppData\Local\Temp\604a4c97837ddd2224abc077de72e18b0d61ddd3f9252631bed47deb1d97e317.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\04040.exec:\04040.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\vpdvp.exec:\vpdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\204048.exec:\204048.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\lfffxxx.exec:\lfffxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\e68222.exec:\e68222.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\82422.exec:\82422.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\2226044.exec:\2226044.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\tbttnn.exec:\tbttnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\48820.exec:\48820.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\8626048.exec:\8626048.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\c220882.exec:\c220882.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\xflxlfr.exec:\xflxlfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:508 -
\??\c:\6426448.exec:\6426448.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\284826.exec:\284826.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\ddjjp.exec:\ddjjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\lxxxrrl.exec:\lxxxrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\606404.exec:\606404.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\rffxllx.exec:\rffxllx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\208888.exec:\208888.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\44082.exec:\44082.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\vpdvd.exec:\vpdvd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\66626.exec:\66626.exe23⤵
- Executes dropped EXE
PID:1532 -
\??\c:\e84642.exec:\e84642.exe24⤵
- Executes dropped EXE
PID:4548 -
\??\c:\068620.exec:\068620.exe25⤵
- Executes dropped EXE
PID:948 -
\??\c:\8024220.exec:\8024220.exe26⤵
- Executes dropped EXE
PID:4292 -
\??\c:\8860820.exec:\8860820.exe27⤵
- Executes dropped EXE
PID:3316 -
\??\c:\86600.exec:\86600.exe28⤵
- Executes dropped EXE
PID:3068 -
\??\c:\vpdvp.exec:\vpdvp.exe29⤵
- Executes dropped EXE
PID:360 -
\??\c:\864626.exec:\864626.exe30⤵
- Executes dropped EXE
PID:3488 -
\??\c:\6664264.exec:\6664264.exe31⤵
- Executes dropped EXE
PID:3640 -
\??\c:\lxxllfx.exec:\lxxllfx.exe32⤵
- Executes dropped EXE
PID:4592 -
\??\c:\tbhbnb.exec:\tbhbnb.exe33⤵
- Executes dropped EXE
PID:3764 -
\??\c:\6226004.exec:\6226004.exe34⤵
- Executes dropped EXE
PID:4888 -
\??\c:\rlrlffx.exec:\rlrlffx.exe35⤵
- Executes dropped EXE
PID:1260 -
\??\c:\s8040.exec:\s8040.exe36⤵
- Executes dropped EXE
PID:1324 -
\??\c:\nhhbtt.exec:\nhhbtt.exe37⤵
- Executes dropped EXE
PID:2528 -
\??\c:\vpjdj.exec:\vpjdj.exe38⤵
- Executes dropped EXE
PID:2488 -
\??\c:\i620448.exec:\i620448.exe39⤵
- Executes dropped EXE
PID:1772 -
\??\c:\00604.exec:\00604.exe40⤵
- Executes dropped EXE
PID:3464 -
\??\c:\6864488.exec:\6864488.exe41⤵
- Executes dropped EXE
PID:2788 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe42⤵
- Executes dropped EXE
PID:4328 -
\??\c:\0620442.exec:\0620442.exe43⤵
- Executes dropped EXE
PID:4316 -
\??\c:\8686486.exec:\8686486.exe44⤵
- Executes dropped EXE
PID:4912 -
\??\c:\xxxrrrf.exec:\xxxrrrf.exe45⤵
- Executes dropped EXE
PID:972 -
\??\c:\0848204.exec:\0848204.exe46⤵
- Executes dropped EXE
PID:2908 -
\??\c:\486066.exec:\486066.exe47⤵
- Executes dropped EXE
PID:1252 -
\??\c:\0808426.exec:\0808426.exe48⤵
- Executes dropped EXE
PID:2688 -
\??\c:\jvpdv.exec:\jvpdv.exe49⤵
- Executes dropped EXE
PID:444 -
\??\c:\86608.exec:\86608.exe50⤵
- Executes dropped EXE
PID:2916 -
\??\c:\rllfxxr.exec:\rllfxxr.exe51⤵
- Executes dropped EXE
PID:4216 -
\??\c:\7djdp.exec:\7djdp.exe52⤵
- Executes dropped EXE
PID:3720 -
\??\c:\bhnbbh.exec:\bhnbbh.exe53⤵
- Executes dropped EXE
PID:4540 -
\??\c:\82484.exec:\82484.exe54⤵
- Executes dropped EXE
PID:4604 -
\??\c:\dvvpj.exec:\dvvpj.exe55⤵
- Executes dropped EXE
PID:2092 -
\??\c:\djjjd.exec:\djjjd.exe56⤵
- Executes dropped EXE
PID:2200 -
\??\c:\k60822.exec:\k60822.exe57⤵
- Executes dropped EXE
PID:1844 -
\??\c:\hbtnhb.exec:\hbtnhb.exe58⤵
- Executes dropped EXE
PID:4008 -
\??\c:\jjjpj.exec:\jjjpj.exe59⤵
- Executes dropped EXE
PID:3592 -
\??\c:\htnttb.exec:\htnttb.exe60⤵
- Executes dropped EXE
PID:4632 -
\??\c:\rrlfrrl.exec:\rrlfrrl.exe61⤵
- Executes dropped EXE
PID:3856 -
\??\c:\266040.exec:\266040.exe62⤵
- Executes dropped EXE
PID:1392 -
\??\c:\w46644.exec:\w46644.exe63⤵
- Executes dropped EXE
PID:4860 -
\??\c:\thbhtn.exec:\thbhtn.exe64⤵
- Executes dropped EXE
PID:760 -
\??\c:\4462660.exec:\4462660.exe65⤵
- Executes dropped EXE
PID:1436 -
\??\c:\hbhbtn.exec:\hbhbtn.exe66⤵PID:4072
-
\??\c:\fffxxrr.exec:\fffxxrr.exe67⤵PID:2280
-
\??\c:\02488.exec:\02488.exe68⤵PID:4780
-
\??\c:\5rrrrrr.exec:\5rrrrrr.exe69⤵PID:1188
-
\??\c:\vjvpd.exec:\vjvpd.exe70⤵PID:4468
-
\??\c:\8626662.exec:\8626662.exe71⤵PID:2380
-
\??\c:\pddvv.exec:\pddvv.exe72⤵PID:3852
-
\??\c:\bthbnn.exec:\bthbnn.exe73⤵PID:1804
-
\??\c:\u220464.exec:\u220464.exe74⤵PID:1600
-
\??\c:\hnthth.exec:\hnthth.exe75⤵PID:4548
-
\??\c:\488260.exec:\488260.exe76⤵PID:3408
-
\??\c:\066060.exec:\066060.exe77⤵PID:4040
-
\??\c:\1nnnhh.exec:\1nnnhh.exe78⤵PID:3508
-
\??\c:\nbbnhb.exec:\nbbnhb.exe79⤵PID:4792
-
\??\c:\o804264.exec:\o804264.exe80⤵PID:4760
-
\??\c:\pddvj.exec:\pddvj.exe81⤵PID:360
-
\??\c:\o000488.exec:\o000488.exe82⤵PID:3832
-
\??\c:\nbhhbt.exec:\nbhhbt.exe83⤵PID:4612
-
\??\c:\846404.exec:\846404.exe84⤵PID:5044
-
\??\c:\q22868.exec:\q22868.exe85⤵PID:5028
-
\??\c:\btbbhh.exec:\btbbhh.exe86⤵PID:1440
-
\??\c:\m6204.exec:\m6204.exe87⤵PID:4112
-
\??\c:\22248.exec:\22248.exe88⤵PID:904
-
\??\c:\fflfxrr.exec:\fflfxrr.exe89⤵PID:1512
-
\??\c:\bnnnhb.exec:\bnnnhb.exe90⤵PID:1324
-
\??\c:\9htnhh.exec:\9htnhh.exe91⤵PID:1312
-
\??\c:\jddvp.exec:\jddvp.exe92⤵PID:1664
-
\??\c:\1pdpd.exec:\1pdpd.exe93⤵PID:4564
-
\??\c:\vpvpj.exec:\vpvpj.exe94⤵PID:3668
-
\??\c:\2864482.exec:\2864482.exe95⤵PID:2288
-
\??\c:\2660044.exec:\2660044.exe96⤵PID:3876
-
\??\c:\u460882.exec:\u460882.exe97⤵PID:4316
-
\??\c:\6800448.exec:\6800448.exe98⤵PID:3556
-
\??\c:\djvpp.exec:\djvpp.exe99⤵PID:1052
-
\??\c:\jdpjv.exec:\jdpjv.exe100⤵PID:1396
-
\??\c:\1fxrllf.exec:\1fxrllf.exe101⤵PID:8
-
\??\c:\tnnhbb.exec:\tnnhbb.exe102⤵PID:3752
-
\??\c:\46860.exec:\46860.exe103⤵PID:2328
-
\??\c:\rflllrr.exec:\rflllrr.exe104⤵PID:1004
-
\??\c:\ddvpd.exec:\ddvpd.exe105⤵PID:2916
-
\??\c:\e62604.exec:\e62604.exe106⤵PID:2944
-
\??\c:\262262.exec:\262262.exe107⤵PID:4628
-
\??\c:\vpvvd.exec:\vpvvd.exe108⤵PID:2096
-
\??\c:\4242668.exec:\4242668.exe109⤵PID:3184
-
\??\c:\pvdvv.exec:\pvdvv.exe110⤵PID:4252
-
\??\c:\dpppj.exec:\dpppj.exe111⤵PID:2092
-
\??\c:\406044.exec:\406044.exe112⤵PID:1896
-
\??\c:\9hhbtt.exec:\9hhbtt.exe113⤵PID:3788
-
\??\c:\jvdvp.exec:\jvdvp.exe114⤵PID:1332
-
\??\c:\9pvpj.exec:\9pvpj.exe115⤵PID:1480
-
\??\c:\3vpjv.exec:\3vpjv.exe116⤵PID:4668
-
\??\c:\4060826.exec:\4060826.exe117⤵PID:1780
-
\??\c:\206488.exec:\206488.exe118⤵PID:3232
-
\??\c:\022422.exec:\022422.exe119⤵PID:2596
-
\??\c:\xrxrxfx.exec:\xrxrxfx.exe120⤵PID:1392
-
\??\c:\664044.exec:\664044.exe121⤵PID:2112
-
\??\c:\bnbnbt.exec:\bnbnbt.exe122⤵PID:3040