Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 20:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe
-
Size
454KB
-
MD5
873ed953b77349630cabbfc03dc01e30
-
SHA1
94771f7a2cd63462f1c1433ac99be6c86f381933
-
SHA256
1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191
-
SHA512
b61816461d63ccfdb1c0ad64af29f7ce8dbc3f6f72e3c3b8433f1621fd9a176c9308d4a40657deb18e3d88aa1cb5e1c1c05511298513ca0d0558e590f8c41a03
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3408-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4844-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1652-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-920-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3100-1531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 760 o668426.exe 2044 9ppjv.exe 3456 rrlxrlr.exe 4928 vjjpd.exe 3840 hhhthb.exe 1592 682082.exe 4196 7llflff.exe 4264 640204.exe 3388 nbbnbn.exe 1476 fxlxlfr.exe 4836 u886042.exe 4452 lllfxxr.exe 1500 484448.exe 2416 7pjvj.exe 4584 hnhtnb.exe 4576 ffrffxx.exe 3864 06642.exe 3516 088226.exe 2384 dddpd.exe 3236 7bnbtn.exe 2604 bnhnbt.exe 4044 thtnbt.exe 3404 jjpdd.exe 3568 4486642.exe 2932 002208.exe 4688 rffrffr.exe 4844 ttthth.exe 3624 hnnbnn.exe 3396 6288664.exe 3680 6664204.exe 776 84820.exe 4448 8220820.exe 672 e06802.exe 3780 222086.exe 4548 xxrlxfx.exe 4560 8882042.exe 448 thnbth.exe 2792 lflfrrl.exe 4420 666426.exe 4596 66264.exe 2192 86046.exe 4476 hhthbb.exe 2692 42208.exe 2044 20486.exe 1664 e06082.exe 3456 24048.exe 3840 s4420.exe 2908 e02082.exe 2600 66608.exe 3452 04426.exe 2488 88864.exe 4752 2026820.exe 1412 vppjv.exe 2868 lrrfxrl.exe 1084 422048.exe 4052 lffrfxx.exe 1964 bbbnbt.exe 452 u220220.exe 3968 2486642.exe 3696 dddvp.exe 2664 i864226.exe 4236 1rlfxlf.exe 996 e46488.exe 1212 62826.exe -
resource yara_rule behavioral2/memory/3408-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3396-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-396-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3796-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-914-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u848226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8464226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 628826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3408 wrote to memory of 760 3408 1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe 83 PID 3408 wrote to memory of 760 3408 1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe 83 PID 3408 wrote to memory of 760 3408 1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe 83 PID 760 wrote to memory of 2044 760 o668426.exe 84 PID 760 wrote to memory of 2044 760 o668426.exe 84 PID 760 wrote to memory of 2044 760 o668426.exe 84 PID 2044 wrote to memory of 3456 2044 9ppjv.exe 85 PID 2044 wrote to memory of 3456 2044 9ppjv.exe 85 PID 2044 wrote to memory of 3456 2044 9ppjv.exe 85 PID 3456 wrote to memory of 4928 3456 rrlxrlr.exe 86 PID 3456 wrote to memory of 4928 3456 rrlxrlr.exe 86 PID 3456 wrote to memory of 4928 3456 rrlxrlr.exe 86 PID 4928 wrote to memory of 3840 4928 vjjpd.exe 87 PID 4928 wrote to memory of 3840 4928 vjjpd.exe 87 PID 4928 wrote to memory of 3840 4928 vjjpd.exe 87 PID 3840 wrote to memory of 1592 3840 hhhthb.exe 88 PID 3840 wrote to memory of 1592 3840 hhhthb.exe 88 PID 3840 wrote to memory of 1592 3840 hhhthb.exe 88 PID 1592 wrote to memory of 4196 1592 682082.exe 89 PID 1592 wrote to memory of 4196 1592 682082.exe 89 PID 1592 wrote to memory of 4196 1592 682082.exe 89 PID 4196 wrote to memory of 4264 4196 7llflff.exe 90 PID 4196 wrote to memory of 4264 4196 7llflff.exe 90 PID 4196 wrote to memory of 4264 4196 7llflff.exe 90 PID 4264 wrote to memory of 3388 4264 640204.exe 91 PID 4264 wrote to memory of 3388 4264 640204.exe 91 PID 4264 wrote to memory of 3388 4264 640204.exe 91 PID 3388 wrote to memory of 1476 3388 nbbnbn.exe 92 PID 3388 wrote to memory of 1476 3388 nbbnbn.exe 92 PID 3388 wrote to memory of 1476 3388 nbbnbn.exe 92 PID 1476 wrote to memory of 4836 1476 fxlxlfr.exe 93 PID 1476 wrote to memory of 4836 1476 fxlxlfr.exe 93 PID 1476 wrote to memory of 4836 1476 fxlxlfr.exe 93 PID 4836 wrote to memory of 4452 4836 u886042.exe 94 PID 4836 wrote to 
memory of 4452 4836 u886042.exe 94 PID 4836 wrote to memory of 4452 4836 u886042.exe 94 PID 4452 wrote to memory of 1500 4452 lllfxxr.exe 95 PID 4452 wrote to memory of 1500 4452 lllfxxr.exe 95 PID 4452 wrote to memory of 1500 4452 lllfxxr.exe 95 PID 1500 wrote to memory of 2416 1500 484448.exe 96 PID 1500 wrote to memory of 2416 1500 484448.exe 96 PID 1500 wrote to memory of 2416 1500 484448.exe 96 PID 2416 wrote to memory of 4584 2416 7pjvj.exe 97 PID 2416 wrote to memory of 4584 2416 7pjvj.exe 97 PID 2416 wrote to memory of 4584 2416 7pjvj.exe 97 PID 4584 wrote to memory of 4576 4584 hnhtnb.exe 98 PID 4584 wrote to memory of 4576 4584 hnhtnb.exe 98 PID 4584 wrote to memory of 4576 4584 hnhtnb.exe 98 PID 4576 wrote to memory of 3864 4576 ffrffxx.exe 99 PID 4576 wrote to memory of 3864 4576 ffrffxx.exe 99 PID 4576 wrote to memory of 3864 4576 ffrffxx.exe 99 PID 3864 wrote to memory of 3516 3864 06642.exe 100 PID 3864 wrote to memory of 3516 3864 06642.exe 100 PID 3864 wrote to memory of 3516 3864 06642.exe 100 PID 3516 wrote to memory of 2384 3516 088226.exe 101 PID 3516 wrote to memory of 2384 3516 088226.exe 101 PID 3516 wrote to memory of 2384 3516 088226.exe 101 PID 2384 wrote to memory of 3236 2384 dddpd.exe 102 PID 2384 wrote to memory of 3236 2384 dddpd.exe 102 PID 2384 wrote to memory of 3236 2384 dddpd.exe 102 PID 3236 wrote to memory of 2604 3236 7bnbtn.exe 103 PID 3236 wrote to memory of 2604 3236 7bnbtn.exe 103 PID 3236 wrote to memory of 2604 3236 7bnbtn.exe 103 PID 2604 wrote to memory of 4044 2604 bnhnbt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe"C:\Users\Admin\AppData\Local\Temp\1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\o668426.exec:\o668426.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\9ppjv.exec:\9ppjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\rrlxrlr.exec:\rrlxrlr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\vjjpd.exec:\vjjpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\hhhthb.exec:\hhhthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\682082.exec:\682082.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\7llflff.exec:\7llflff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\640204.exec:\640204.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\nbbnbn.exec:\nbbnbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\fxlxlfr.exec:\fxlxlfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\u886042.exec:\u886042.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\lllfxxr.exec:\lllfxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\484448.exec:\484448.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\7pjvj.exec:\7pjvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\hnhtnb.exec:\hnhtnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\ffrffxx.exec:\ffrffxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\06642.exec:\06642.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\088226.exec:\088226.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\dddpd.exec:\dddpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\7bnbtn.exec:\7bnbtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\bnhnbt.exec:\bnhnbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\thtnbt.exec:\thtnbt.exe23⤵
- Executes dropped EXE
PID:4044 -
\??\c:\jjpdd.exec:\jjpdd.exe24⤵
- Executes dropped EXE
PID:3404 -
\??\c:\4486642.exec:\4486642.exe25⤵
- Executes dropped EXE
PID:3568 -
\??\c:\002208.exec:\002208.exe26⤵
- Executes dropped EXE
PID:2932 -
\??\c:\rffrffr.exec:\rffrffr.exe27⤵
- Executes dropped EXE
PID:4688 -
\??\c:\ttthth.exec:\ttthth.exe28⤵
- Executes dropped EXE
PID:4844 -
\??\c:\hnnbnn.exec:\hnnbnn.exe29⤵
- Executes dropped EXE
PID:3624 -
\??\c:\6288664.exec:\6288664.exe30⤵
- Executes dropped EXE
PID:3396 -
\??\c:\6664204.exec:\6664204.exe31⤵
- Executes dropped EXE
PID:3680 -
\??\c:\84820.exec:\84820.exe32⤵
- Executes dropped EXE
PID:776 -
\??\c:\8220820.exec:\8220820.exe33⤵
- Executes dropped EXE
PID:4448 -
\??\c:\e06802.exec:\e06802.exe34⤵
- Executes dropped EXE
PID:672 -
\??\c:\222086.exec:\222086.exe35⤵
- Executes dropped EXE
PID:3780 -
\??\c:\xxrlxfx.exec:\xxrlxfx.exe36⤵
- Executes dropped EXE
PID:4548 -
\??\c:\8882042.exec:\8882042.exe37⤵
- Executes dropped EXE
PID:4560 -
\??\c:\thnbth.exec:\thnbth.exe38⤵
- Executes dropped EXE
PID:448 -
\??\c:\lflfrrl.exec:\lflfrrl.exe39⤵
- Executes dropped EXE
PID:2792 -
\??\c:\666426.exec:\666426.exe40⤵
- Executes dropped EXE
PID:4420 -
\??\c:\66264.exec:\66264.exe41⤵
- Executes dropped EXE
PID:4596 -
\??\c:\86046.exec:\86046.exe42⤵
- Executes dropped EXE
PID:2192 -
\??\c:\hhthbb.exec:\hhthbb.exe43⤵
- Executes dropped EXE
PID:4476 -
\??\c:\42208.exec:\42208.exe44⤵
- Executes dropped EXE
PID:2692 -
\??\c:\20486.exec:\20486.exe45⤵
- Executes dropped EXE
PID:2044 -
\??\c:\e06082.exec:\e06082.exe46⤵
- Executes dropped EXE
PID:1664 -
\??\c:\24048.exec:\24048.exe47⤵
- Executes dropped EXE
PID:3456 -
\??\c:\s4420.exec:\s4420.exe48⤵
- Executes dropped EXE
PID:3840 -
\??\c:\e02082.exec:\e02082.exe49⤵
- Executes dropped EXE
PID:2908 -
\??\c:\66608.exec:\66608.exe50⤵
- Executes dropped EXE
PID:2600 -
\??\c:\04426.exec:\04426.exe51⤵
- Executes dropped EXE
PID:3452 -
\??\c:\88864.exec:\88864.exe52⤵
- Executes dropped EXE
PID:2488 -
\??\c:\2026820.exec:\2026820.exe53⤵
- Executes dropped EXE
PID:4752 -
\??\c:\vppjv.exec:\vppjv.exe54⤵
- Executes dropped EXE
PID:1412 -
\??\c:\lrrfxrl.exec:\lrrfxrl.exe55⤵
- Executes dropped EXE
PID:2868 -
\??\c:\422048.exec:\422048.exe56⤵
- Executes dropped EXE
PID:1084 -
\??\c:\lffrfxx.exec:\lffrfxx.exe57⤵
- Executes dropped EXE
PID:4052 -
\??\c:\bbbnbt.exec:\bbbnbt.exe58⤵
- Executes dropped EXE
PID:1964 -
\??\c:\u220220.exec:\u220220.exe59⤵
- Executes dropped EXE
PID:452 -
\??\c:\2486642.exec:\2486642.exe60⤵
- Executes dropped EXE
PID:3968 -
\??\c:\dddvp.exec:\dddvp.exe61⤵
- Executes dropped EXE
PID:3696 -
\??\c:\i864226.exec:\i864226.exe62⤵
- Executes dropped EXE
PID:2664 -
\??\c:\1rlfxlf.exec:\1rlfxlf.exe63⤵
- Executes dropped EXE
PID:4236 -
\??\c:\e46488.exec:\e46488.exe64⤵
- Executes dropped EXE
PID:996 -
\??\c:\62826.exec:\62826.exe65⤵
- Executes dropped EXE
PID:1212 -
\??\c:\dpvjp.exec:\dpvjp.exe66⤵PID:2424
-
\??\c:\rlrlffl.exec:\rlrlffl.exe67⤵PID:2368
-
\??\c:\rxrfrlf.exec:\rxrfrlf.exe68⤵PID:2416
-
\??\c:\rffrlfr.exec:\rffrlfr.exe69⤵PID:3292
-
\??\c:\bttnbh.exec:\bttnbh.exe70⤵PID:3164
-
\??\c:\fflxlfr.exec:\fflxlfr.exe71⤵PID:220
-
\??\c:\8628626.exec:\8628626.exe72⤵PID:3412
-
\??\c:\vjpjd.exec:\vjpjd.exe73⤵PID:3660
-
\??\c:\pjpjd.exec:\pjpjd.exe74⤵PID:4856
-
\??\c:\xllxlfx.exec:\xllxlfx.exe75⤵PID:732
-
\??\c:\5dvpj.exec:\5dvpj.exe76⤵PID:2100
-
\??\c:\8064822.exec:\8064822.exe77⤵PID:384
-
\??\c:\vppdv.exec:\vppdv.exe78⤵PID:544
-
\??\c:\9jvjv.exec:\9jvjv.exe79⤵PID:2236
-
\??\c:\222648.exec:\222648.exe80⤵PID:3344
-
\??\c:\8448004.exec:\8448004.exe81⤵PID:2824
-
\??\c:\vjdpd.exec:\vjdpd.exe82⤵PID:2280
-
\??\c:\dvpjd.exec:\dvpjd.exe83⤵PID:1436
-
\??\c:\pjjvj.exec:\pjjvj.exe84⤵PID:4592
-
\??\c:\k48604.exec:\k48604.exe85⤵PID:2148
-
\??\c:\022202.exec:\022202.exe86⤵PID:1652
-
\??\c:\vpppj.exec:\vpppj.exe87⤵PID:2716
-
\??\c:\u820886.exec:\u820886.exe88⤵PID:3136
-
\??\c:\64426.exec:\64426.exe89⤵PID:3576
-
\??\c:\062644.exec:\062644.exe90⤵PID:60
-
\??\c:\48222.exec:\48222.exe91⤵PID:3888
-
\??\c:\20004.exec:\20004.exe92⤵PID:3848
-
\??\c:\868200.exec:\868200.exe93⤵PID:824
-
\??\c:\pdjvp.exec:\pdjvp.exe94⤵PID:2504
-
\??\c:\xrfxrlf.exec:\xrfxrlf.exe95⤵PID:3116
-
\??\c:\20040.exec:\20040.exe96⤵PID:3796
-
\??\c:\04048.exec:\04048.exe97⤵PID:4448
-
\??\c:\44260.exec:\44260.exe98⤵PID:672
-
\??\c:\3pjvj.exec:\3pjvj.exe99⤵PID:3504
-
\??\c:\dppdp.exec:\dppdp.exe100⤵PID:4784
-
\??\c:\vppdp.exec:\vppdp.exe101⤵PID:4208
-
\??\c:\dvvpp.exec:\dvvpp.exe102⤵PID:4380
-
\??\c:\jddvp.exec:\jddvp.exe103⤵PID:4860
-
\??\c:\k26400.exec:\k26400.exe104⤵PID:4420
-
\??\c:\4286046.exec:\4286046.exe105⤵PID:860
-
\??\c:\26206.exec:\26206.exe106⤵PID:1068
-
\??\c:\6886486.exec:\6886486.exe107⤵PID:4476
-
\??\c:\thhtnh.exec:\thhtnh.exe108⤵PID:4692
-
\??\c:\6620820.exec:\6620820.exe109⤵PID:3632
-
\??\c:\m4606.exec:\m4606.exe110⤵PID:2788
-
\??\c:\vvpvv.exec:\vvpvv.exe111⤵PID:1344
-
\??\c:\602000.exec:\602000.exe112⤵PID:216
-
\??\c:\06266.exec:\06266.exe113⤵PID:2860
-
\??\c:\a8424.exec:\a8424.exe114⤵PID:4760
-
\??\c:\bhnhnn.exec:\bhnhnn.exe115⤵PID:3148
-
\??\c:\9bbnhb.exec:\9bbnhb.exe116⤵PID:4852
-
\??\c:\0660886.exec:\0660886.exe117⤵PID:2488
-
\??\c:\668604.exec:\668604.exe118⤵PID:1724
-
\??\c:\e88204.exec:\e88204.exe119⤵PID:1172
-
\??\c:\vjpjd.exec:\vjpjd.exe120⤵PID:2320
-
\??\c:\5djvv.exec:\5djvv.exe121⤵PID:1404
-
\??\c:\8482008.exec:\8482008.exe122⤵PID:2068