Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 19:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0e789c597f1ff53ebcc7f7b416c333595d23da38c40b666b21f3304d32b602ee.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
0e789c597f1ff53ebcc7f7b416c333595d23da38c40b666b21f3304d32b602ee.exe
-
Size
453KB
-
MD5
5572e457f6fc73a158b7c0c9d9f771da
-
SHA1
f88bce79be443b9deb26b5835d24bffdec8605cc
-
SHA256
0e789c597f1ff53ebcc7f7b416c333595d23da38c40b666b21f3304d32b602ee
-
SHA512
f493c622b9c019fbd32e8d2dc559866ab9ed5ccbe1be15ea47fe9357d962db3efd3cf0d66e6abf37dfed85f192a57e2e8eb90af7f026bc3538f5e7631163a69a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2012-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1012-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3404-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-812-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-841-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-888-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-949-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-1008-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-1156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-1647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-1672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3496-1790-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 764 0282266.exe 2020 jppjj.exe 3820 2244800.exe 1164 lflxrxr.exe 4784 26048.exe 3556 26666.exe 1440 btnhhh.exe 4008 844444.exe 884 84266.exe 1692 040600.exe 4968 804400.exe 3248 240484.exe 4072 xflfxxx.exe 4688 lrxrrll.exe 2332 4822626.exe 4040 lffxxxx.exe 2176 jvpdv.exe 2920 1rlfrrl.exe 3824 5djdp.exe 4624 fllfxxx.exe 3604 bnttnn.exe 2460 48206.exe 4012 dvddv.exe 512 9nhbbn.exe 3268 djdjj.exe 3716 xrrrlll.exe 4484 6240448.exe 1484 840484.exe 1012 dvdpj.exe 2152 6620826.exe 4000 hnntht.exe 848 pvpjv.exe 5008 jjdpd.exe 1612 jjvdv.exe 5112 vdjvj.exe 3664 7hthtt.exe 4856 bbtnhb.exe 2668 nntnbt.exe 2376 6028462.exe 4372 flffxrr.exe 4588 lflxlfx.exe 2752 nhhbhb.exe 764 pjdvv.exe 4572 1pdvd.exe 2548 pjpjd.exe 624 5pjjd.exe 2516 84608.exe 3920 k06442.exe 1712 bttnnn.exe 4132 i840684.exe 3356 g0266.exe 1396 262468.exe 1432 3llxfxf.exe 4816 lxrrlxl.exe 4472 46440.exe 5108 42422.exe 3140 a2820.exe 4752 c244226.exe 1488 dpvpp.exe 4016 2682622.exe 2600 60482.exe 744 4060448.exe 1156 vddpd.exe 3524 084866.exe -
resource yara_rule behavioral2/memory/2012-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4000-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-404-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2376-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-825-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-875-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-888-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-949-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4226048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q80040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u486406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnnt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2012 wrote to memory of 764 2012 0e789c597f1ff53ebcc7f7b416c333595d23da38c40b666b21f3304d32b602ee.exe 83 PID 2012 wrote to memory of 764 2012 0e789c597f1ff53ebcc7f7b416c333595d23da38c40b666b21f3304d32b602ee.exe 83 PID 2012 wrote to memory of 764 2012 0e789c597f1ff53ebcc7f7b416c333595d23da38c40b666b21f3304d32b602ee.exe 83 PID 764 wrote to memory of 2020 764 0282266.exe 84 PID 764 wrote to memory of 2020 764 0282266.exe 84 PID 764 wrote to memory of 2020 764 0282266.exe 84 PID 2020 wrote to memory of 3820 2020 jppjj.exe 85 PID 2020 wrote to memory of 3820 2020 jppjj.exe 85 PID 2020 wrote to memory of 3820 2020 jppjj.exe 85 PID 3820 wrote to memory of 1164 3820 2244800.exe 86 PID 3820 wrote to memory of 1164 3820 2244800.exe 86 PID 3820 wrote to memory of 1164 3820 2244800.exe 86 PID 1164 wrote to memory of 4784 1164 lflxrxr.exe 87 PID 1164 wrote to memory of 4784 1164 lflxrxr.exe 87 PID 1164 wrote to memory of 4784 1164 lflxrxr.exe 87 PID 4784 wrote to memory of 3556 4784 26048.exe 88 PID 4784 wrote to memory of 3556 4784 26048.exe 88 PID 4784 wrote to memory of 3556 4784 26048.exe 88 PID 3556 wrote to memory of 1440 3556 26666.exe 89 PID 3556 wrote to memory of 1440 3556 26666.exe 89 PID 3556 wrote to memory of 1440 3556 26666.exe 89 PID 1440 wrote to memory of 4008 1440 btnhhh.exe 90 PID 1440 wrote to memory of 4008 1440 btnhhh.exe 90 PID 1440 wrote to memory of 4008 1440 btnhhh.exe 90 PID 4008 wrote to memory of 884 4008 844444.exe 91 PID 4008 wrote to memory of 884 4008 844444.exe 91 PID 4008 wrote to memory of 884 4008 844444.exe 91 PID 884 wrote to memory of 1692 884 84266.exe 92 PID 884 wrote to memory of 1692 884 84266.exe 92 PID 884 wrote to memory of 1692 884 84266.exe 92 PID 1692 wrote to memory of 4968 1692 040600.exe 93 PID 1692 wrote to memory of 4968 1692 040600.exe 93 PID 1692 wrote to memory of 4968 1692 040600.exe 93 PID 4968 wrote to memory of 3248 4968 804400.exe 94 PID 4968 wrote to memory of 3248 4968 
804400.exe 94 PID 4968 wrote to memory of 3248 4968 804400.exe 94 PID 3248 wrote to memory of 4072 3248 240484.exe 95 PID 3248 wrote to memory of 4072 3248 240484.exe 95 PID 3248 wrote to memory of 4072 3248 240484.exe 95 PID 4072 wrote to memory of 4688 4072 xflfxxx.exe 96 PID 4072 wrote to memory of 4688 4072 xflfxxx.exe 96 PID 4072 wrote to memory of 4688 4072 xflfxxx.exe 96 PID 4688 wrote to memory of 2332 4688 lrxrrll.exe 97 PID 4688 wrote to memory of 2332 4688 lrxrrll.exe 97 PID 4688 wrote to memory of 2332 4688 lrxrrll.exe 97 PID 2332 wrote to memory of 4040 2332 4822626.exe 98 PID 2332 wrote to memory of 4040 2332 4822626.exe 98 PID 2332 wrote to memory of 4040 2332 4822626.exe 98 PID 4040 wrote to memory of 2176 4040 lffxxxx.exe 99 PID 4040 wrote to memory of 2176 4040 lffxxxx.exe 99 PID 4040 wrote to memory of 2176 4040 lffxxxx.exe 99 PID 2176 wrote to memory of 2920 2176 jvpdv.exe 100 PID 2176 wrote to memory of 2920 2176 jvpdv.exe 100 PID 2176 wrote to memory of 2920 2176 jvpdv.exe 100 PID 2920 wrote to memory of 3824 2920 1rlfrrl.exe 101 PID 2920 wrote to memory of 3824 2920 1rlfrrl.exe 101 PID 2920 wrote to memory of 3824 2920 1rlfrrl.exe 101 PID 3824 wrote to memory of 4624 3824 5djdp.exe 102 PID 3824 wrote to memory of 4624 3824 5djdp.exe 102 PID 3824 wrote to memory of 4624 3824 5djdp.exe 102 PID 4624 wrote to memory of 3604 4624 fllfxxx.exe 103 PID 4624 wrote to memory of 3604 4624 fllfxxx.exe 103 PID 4624 wrote to memory of 3604 4624 fllfxxx.exe 103 PID 3604 wrote to memory of 2460 3604 bnttnn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e789c597f1ff53ebcc7f7b416c333595d23da38c40b666b21f3304d32b602ee.exe"C:\Users\Admin\AppData\Local\Temp\0e789c597f1ff53ebcc7f7b416c333595d23da38c40b666b21f3304d32b602ee.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\0282266.exec:\0282266.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\jppjj.exec:\jppjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\2244800.exec:\2244800.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\lflxrxr.exec:\lflxrxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\26048.exec:\26048.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\26666.exec:\26666.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\btnhhh.exec:\btnhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\844444.exec:\844444.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\84266.exec:\84266.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\040600.exec:\040600.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\804400.exec:\804400.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\240484.exec:\240484.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\xflfxxx.exec:\xflfxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\lrxrrll.exec:\lrxrrll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\4822626.exec:\4822626.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\lffxxxx.exec:\lffxxxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\jvpdv.exec:\jvpdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\1rlfrrl.exec:\1rlfrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\5djdp.exec:\5djdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\fllfxxx.exec:\fllfxxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\bnttnn.exec:\bnttnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\48206.exec:\48206.exe23⤵
- Executes dropped EXE
PID:2460 -
\??\c:\dvddv.exec:\dvddv.exe24⤵
- Executes dropped EXE
PID:4012 -
\??\c:\9nhbbn.exec:\9nhbbn.exe25⤵
- Executes dropped EXE
PID:512 -
\??\c:\djdjj.exec:\djdjj.exe26⤵
- Executes dropped EXE
PID:3268 -
\??\c:\xrrrlll.exec:\xrrrlll.exe27⤵
- Executes dropped EXE
PID:3716 -
\??\c:\6240448.exec:\6240448.exe28⤵
- Executes dropped EXE
PID:4484 -
\??\c:\840484.exec:\840484.exe29⤵
- Executes dropped EXE
PID:1484 -
\??\c:\dvdpj.exec:\dvdpj.exe30⤵
- Executes dropped EXE
PID:1012 -
\??\c:\6620826.exec:\6620826.exe31⤵
- Executes dropped EXE
PID:2152 -
\??\c:\hnntht.exec:\hnntht.exe32⤵
- Executes dropped EXE
PID:4000 -
\??\c:\pvpjv.exec:\pvpjv.exe33⤵
- Executes dropped EXE
PID:848 -
\??\c:\jjdpd.exec:\jjdpd.exe34⤵
- Executes dropped EXE
PID:5008 -
\??\c:\jjvdv.exec:\jjvdv.exe35⤵
- Executes dropped EXE
PID:1612 -
\??\c:\vdjvj.exec:\vdjvj.exe36⤵
- Executes dropped EXE
PID:5112 -
\??\c:\7hthtt.exec:\7hthtt.exe37⤵
- Executes dropped EXE
PID:3664 -
\??\c:\bbtnhb.exec:\bbtnhb.exe38⤵
- Executes dropped EXE
PID:4856 -
\??\c:\nntnbt.exec:\nntnbt.exe39⤵
- Executes dropped EXE
PID:2668 -
\??\c:\6028462.exec:\6028462.exe40⤵
- Executes dropped EXE
PID:2376 -
\??\c:\flffxrr.exec:\flffxrr.exe41⤵
- Executes dropped EXE
PID:4372 -
\??\c:\lflxlfx.exec:\lflxlfx.exe42⤵
- Executes dropped EXE
PID:4588 -
\??\c:\nhhbhb.exec:\nhhbhb.exe43⤵
- Executes dropped EXE
PID:2752 -
\??\c:\pjdvv.exec:\pjdvv.exe44⤵
- Executes dropped EXE
PID:764 -
\??\c:\1pdvd.exec:\1pdvd.exe45⤵
- Executes dropped EXE
PID:4572 -
\??\c:\pjpjd.exec:\pjpjd.exe46⤵
- Executes dropped EXE
PID:2548 -
\??\c:\5pjjd.exec:\5pjjd.exe47⤵
- Executes dropped EXE
PID:624 -
\??\c:\84608.exec:\84608.exe48⤵
- Executes dropped EXE
PID:2516 -
\??\c:\k06442.exec:\k06442.exe49⤵
- Executes dropped EXE
PID:3920 -
\??\c:\bttnnn.exec:\bttnnn.exe50⤵
- Executes dropped EXE
PID:1712 -
\??\c:\i840684.exec:\i840684.exe51⤵
- Executes dropped EXE
PID:4132 -
\??\c:\g0266.exec:\g0266.exe52⤵
- Executes dropped EXE
PID:3356 -
\??\c:\262468.exec:\262468.exe53⤵
- Executes dropped EXE
PID:1396 -
\??\c:\3llxfxf.exec:\3llxfxf.exe54⤵
- Executes dropped EXE
PID:1432 -
\??\c:\lxrrlxl.exec:\lxrrlxl.exe55⤵
- Executes dropped EXE
PID:4816 -
\??\c:\46440.exec:\46440.exe56⤵
- Executes dropped EXE
PID:4472 -
\??\c:\42422.exec:\42422.exe57⤵
- Executes dropped EXE
PID:5108 -
\??\c:\a2820.exec:\a2820.exe58⤵
- Executes dropped EXE
PID:3140 -
\??\c:\c244226.exec:\c244226.exe59⤵
- Executes dropped EXE
PID:4752 -
\??\c:\dpvpp.exec:\dpvpp.exe60⤵
- Executes dropped EXE
PID:1488 -
\??\c:\2682622.exec:\2682622.exe61⤵
- Executes dropped EXE
PID:4016 -
\??\c:\60482.exec:\60482.exe62⤵
- Executes dropped EXE
PID:2600 -
\??\c:\4060448.exec:\4060448.exe63⤵
- Executes dropped EXE
PID:744 -
\??\c:\vddpd.exec:\vddpd.exe64⤵
- Executes dropped EXE
PID:1156 -
\??\c:\084866.exec:\084866.exe65⤵
- Executes dropped EXE
PID:3524 -
\??\c:\hbbbnt.exec:\hbbbnt.exe66⤵PID:4092
-
\??\c:\jdjdv.exec:\jdjdv.exe67⤵PID:1696
-
\??\c:\5nnbnn.exec:\5nnbnn.exe68⤵PID:1540
-
\??\c:\0460444.exec:\0460444.exe69⤵PID:3076
-
\??\c:\082266.exec:\082266.exe70⤵PID:4140
-
\??\c:\hnnbtn.exec:\hnnbtn.exe71⤵PID:1016
-
\??\c:\jjpdp.exec:\jjpdp.exe72⤵PID:3616
-
\??\c:\rlxlxxf.exec:\rlxlxxf.exe73⤵PID:3044
-
\??\c:\040488.exec:\040488.exe74⤵PID:3124
-
\??\c:\u886482.exec:\u886482.exe75⤵PID:4672
-
\??\c:\6444862.exec:\6444862.exe76⤵PID:2828
-
\??\c:\lrxllfx.exec:\lrxllfx.exe77⤵PID:4880
-
\??\c:\fffrfxl.exec:\fffrfxl.exe78⤵PID:4452
-
\??\c:\4408604.exec:\4408604.exe79⤵PID:3388
-
\??\c:\ntbhbt.exec:\ntbhbt.exe80⤵PID:2188
-
\??\c:\5ffxlfx.exec:\5ffxlfx.exe81⤵PID:1180
-
\??\c:\vjdpd.exec:\vjdpd.exe82⤵PID:2068
-
\??\c:\ttbbtb.exec:\ttbbtb.exe83⤵PID:3756
-
\??\c:\o026440.exec:\o026440.exe84⤵PID:1372
-
\??\c:\rxxrfxr.exec:\rxxrfxr.exe85⤵PID:3084
-
\??\c:\9pvpj.exec:\9pvpj.exe86⤵PID:2252
-
\??\c:\hntnnt.exec:\hntnnt.exe87⤵
- System Location Discovery: System Language Discovery
PID:2416 -
\??\c:\066082.exec:\066082.exe88⤵PID:1740
-
\??\c:\fxfxrxr.exec:\fxfxrxr.exe89⤵PID:3404
-
\??\c:\88486.exec:\88486.exe90⤵PID:4512
-
\??\c:\62822.exec:\62822.exe91⤵PID:4944
-
\??\c:\204208.exec:\204208.exe92⤵PID:2300
-
\??\c:\62208.exec:\62208.exe93⤵PID:1160
-
\??\c:\0268260.exec:\0268260.exe94⤵PID:932
-
\??\c:\xflfxxr.exec:\xflfxxr.exe95⤵PID:3416
-
\??\c:\02864.exec:\02864.exe96⤵PID:5008
-
\??\c:\06280.exec:\06280.exe97⤵PID:1612
-
\??\c:\482682.exec:\482682.exe98⤵PID:5112
-
\??\c:\flrrlfx.exec:\flrrlfx.exe99⤵PID:3664
-
\??\c:\a8046.exec:\a8046.exe100⤵PID:4856
-
\??\c:\04086.exec:\04086.exe101⤵PID:2668
-
\??\c:\646004.exec:\646004.exe102⤵PID:2376
-
\??\c:\vdjvp.exec:\vdjvp.exe103⤵PID:4300
-
\??\c:\hbnhbb.exec:\hbnhbb.exe104⤵PID:4276
-
\??\c:\nhtnnn.exec:\nhtnnn.exe105⤵PID:1496
-
\??\c:\2282448.exec:\2282448.exe106⤵PID:1992
-
\??\c:\u888042.exec:\u888042.exe107⤵PID:4884
-
\??\c:\224204.exec:\224204.exe108⤵PID:4864
-
\??\c:\w26884.exec:\w26884.exe109⤵PID:2264
-
\??\c:\nbtntn.exec:\nbtntn.exe110⤵PID:620
-
\??\c:\pppdv.exec:\pppdv.exe111⤵PID:1796
-
\??\c:\pvvpd.exec:\pvvpd.exe112⤵PID:3556
-
\??\c:\jjvjd.exec:\jjvjd.exe113⤵PID:5068
-
\??\c:\ntnhtn.exec:\ntnhtn.exe114⤵PID:3588
-
\??\c:\dpjvd.exec:\dpjvd.exe115⤵PID:1332
-
\??\c:\3lfxlfx.exec:\3lfxlfx.exe116⤵PID:1220
-
\??\c:\88486.exec:\88486.exe117⤵PID:2688
-
\??\c:\28486.exec:\28486.exe118⤵PID:1624
-
\??\c:\s0064.exec:\s0064.exe119⤵PID:2312
-
\??\c:\frxrfff.exec:\frxrfff.exe120⤵PID:4928
-
\??\c:\vpvpd.exec:\vpvpd.exe121⤵PID:1900
-
\??\c:\u220448.exec:\u220448.exe122⤵PID:3612