Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 20:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2178a280dc24367f480725e44d98a79501ae11270866c13b1d50080aab4d26b9.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
2178a280dc24367f480725e44d98a79501ae11270866c13b1d50080aab4d26b9.exe
-
Size
454KB
-
MD5
3e5494a26ef56ac7f8a239176dd0ec2a
-
SHA1
520f5af752342274e8eeeac4ca6545be589ca051
-
SHA256
2178a280dc24367f480725e44d98a79501ae11270866c13b1d50080aab4d26b9
-
SHA512
b688246d911e0c006cd26247ca45b247b08a9a14bbbe8f46cd7988076d9a85e9fcefdfb9474547502fdf917d03309f78148241358ece10d5e9dcdd6798f0c49c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3996-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3240-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/468-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-1205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-1474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4156 k48664.exe 1648 a0204.exe 1680 vpvvv.exe 2060 pddpd.exe 2896 i620088.exe 1928 rxfflfr.exe 4128 688642.exe 528 1hbntn.exe 912 1nhbth.exe 3648 tbhhbh.exe 4660 xrllxlx.exe 3616 3jdpd.exe 2376 6468608.exe 1764 rxrfrll.exe 1812 22826.exe 2412 rrrlffl.exe 1096 48006.exe 4300 2646464.exe 3896 28060.exe 4392 828288.exe 4748 1hnhbt.exe 3984 xrxrrrx.exe 1844 3thntb.exe 4724 rlfxlfx.exe 2352 lfxlflr.exe 3312 tththb.exe 2940 i248226.exe 2248 ppddv.exe 3240 nnnnhn.exe 4976 0008046.exe 3520 llxrfxl.exe 4656 g2642.exe 3960 000820.exe 5100 lrfrfxl.exe 3736 rxxrlxr.exe 1736 406082.exe 5072 g0642.exe 1436 60862.exe 4540 rlxrfrf.exe 4312 5jjvp.exe 4076 hnbnbt.exe 2780 rfrxlrr.exe 1892 24864.exe 1120 o402606.exe 1648 666648.exe 968 i048820.exe 3568 8660848.exe 4572 frlfrrl.exe 4464 48842.exe 2896 204860.exe 4760 9jvdv.exe 1780 3lflxrf.exe 528 8620088.exe 912 jjpdp.exe 3560 tnhbbb.exe 4072 840444.exe 2004 8620046.exe 3648 4060000.exe 1548 5bhhbh.exe 3772 jjjdv.exe 5088 406088.exe 3212 42086.exe 1872 6064608.exe 2272 tnnbtn.exe -
resource yara_rule behavioral2/memory/3996-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4976-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-325-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2940-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-805-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4260264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0882482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w04248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8626048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 008862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3996 wrote to memory of 4156 3996 2178a280dc24367f480725e44d98a79501ae11270866c13b1d50080aab4d26b9.exe 85 PID 3996 wrote to memory of 4156 3996 2178a280dc24367f480725e44d98a79501ae11270866c13b1d50080aab4d26b9.exe 85 PID 3996 wrote to memory of 4156 3996 2178a280dc24367f480725e44d98a79501ae11270866c13b1d50080aab4d26b9.exe 85 PID 4156 wrote to memory of 1648 4156 k48664.exe 86 PID 4156 wrote to memory of 1648 4156 k48664.exe 86 PID 4156 wrote to memory of 1648 4156 k48664.exe 86 PID 1648 wrote to memory of 1680 1648 a0204.exe 87 PID 1648 wrote to memory of 1680 1648 a0204.exe 87 PID 1648 wrote to memory of 1680 1648 a0204.exe 87 PID 1680 wrote to memory of 2060 1680 vpvvv.exe 88 PID 1680 wrote to memory of 2060 1680 vpvvv.exe 88 PID 1680 wrote to memory of 2060 1680 vpvvv.exe 88 PID 2060 wrote to memory of 2896 2060 pddpd.exe 89 PID 2060 wrote to memory of 2896 2060 pddpd.exe 89 PID 2060 wrote to memory of 2896 2060 pddpd.exe 89 PID 2896 wrote to memory of 1928 2896 i620088.exe 90 PID 2896 wrote to memory of 1928 2896 i620088.exe 90 PID 2896 wrote to memory of 1928 2896 i620088.exe 90 PID 1928 wrote to memory of 4128 1928 rxfflfr.exe 91 PID 1928 wrote to memory of 4128 1928 rxfflfr.exe 91 PID 1928 wrote to memory of 4128 1928 rxfflfr.exe 91 PID 4128 wrote to memory of 528 4128 688642.exe 92 PID 4128 wrote to memory of 528 4128 688642.exe 92 PID 4128 wrote to memory of 528 4128 688642.exe 92 PID 528 wrote to memory of 912 528 1hbntn.exe 93 PID 528 wrote to memory of 912 528 1hbntn.exe 93 PID 528 wrote to memory of 912 528 1hbntn.exe 93 PID 912 wrote to memory of 3648 912 1nhbth.exe 94 PID 912 wrote to memory of 3648 912 1nhbth.exe 94 PID 912 wrote to memory of 3648 912 1nhbth.exe 94 PID 3648 wrote to memory of 4660 3648 tbhhbh.exe 95 PID 3648 wrote to memory of 4660 3648 tbhhbh.exe 95 PID 3648 wrote to memory of 4660 3648 tbhhbh.exe 95 PID 4660 wrote to memory of 3616 4660 xrllxlx.exe 96 PID 4660 wrote to memory of 3616 4660 
xrllxlx.exe 96 PID 4660 wrote to memory of 3616 4660 xrllxlx.exe 96 PID 3616 wrote to memory of 2376 3616 3jdpd.exe 97 PID 3616 wrote to memory of 2376 3616 3jdpd.exe 97 PID 3616 wrote to memory of 2376 3616 3jdpd.exe 97 PID 2376 wrote to memory of 1764 2376 6468608.exe 98 PID 2376 wrote to memory of 1764 2376 6468608.exe 98 PID 2376 wrote to memory of 1764 2376 6468608.exe 98 PID 1764 wrote to memory of 1812 1764 rxrfrll.exe 99 PID 1764 wrote to memory of 1812 1764 rxrfrll.exe 99 PID 1764 wrote to memory of 1812 1764 rxrfrll.exe 99 PID 1812 wrote to memory of 2412 1812 22826.exe 100 PID 1812 wrote to memory of 2412 1812 22826.exe 100 PID 1812 wrote to memory of 2412 1812 22826.exe 100 PID 2412 wrote to memory of 1096 2412 rrrlffl.exe 101 PID 2412 wrote to memory of 1096 2412 rrrlffl.exe 101 PID 2412 wrote to memory of 1096 2412 rrrlffl.exe 101 PID 1096 wrote to memory of 4300 1096 48006.exe 102 PID 1096 wrote to memory of 4300 1096 48006.exe 102 PID 1096 wrote to memory of 4300 1096 48006.exe 102 PID 4300 wrote to memory of 3896 4300 2646464.exe 103 PID 4300 wrote to memory of 3896 4300 2646464.exe 103 PID 4300 wrote to memory of 3896 4300 2646464.exe 103 PID 3896 wrote to memory of 4392 3896 28060.exe 104 PID 3896 wrote to memory of 4392 3896 28060.exe 104 PID 3896 wrote to memory of 4392 3896 28060.exe 104 PID 4392 wrote to memory of 4748 4392 828288.exe 105 PID 4392 wrote to memory of 4748 4392 828288.exe 105 PID 4392 wrote to memory of 4748 4392 828288.exe 105 PID 4748 wrote to memory of 3984 4748 1hnhbt.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\2178a280dc24367f480725e44d98a79501ae11270866c13b1d50080aab4d26b9.exe"C:\Users\Admin\AppData\Local\Temp\2178a280dc24367f480725e44d98a79501ae11270866c13b1d50080aab4d26b9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\k48664.exec:\k48664.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\a0204.exec:\a0204.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\vpvvv.exec:\vpvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\pddpd.exec:\pddpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\i620088.exec:\i620088.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\rxfflfr.exec:\rxfflfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\688642.exec:\688642.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\1hbntn.exec:\1hbntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\1nhbth.exec:\1nhbth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
\??\c:\tbhhbh.exec:\tbhhbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\xrllxlx.exec:\xrllxlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\3jdpd.exec:\3jdpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\6468608.exec:\6468608.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\rxrfrll.exec:\rxrfrll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\22826.exec:\22826.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\rrrlffl.exec:\rrrlffl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\48006.exec:\48006.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\2646464.exec:\2646464.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\28060.exec:\28060.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\828288.exec:\828288.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\1hnhbt.exec:\1hnhbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\xrxrrrx.exec:\xrxrrrx.exe23⤵
- Executes dropped EXE
PID:3984 -
\??\c:\3thntb.exec:\3thntb.exe24⤵
- Executes dropped EXE
PID:1844 -
\??\c:\rlfxlfx.exec:\rlfxlfx.exe25⤵
- Executes dropped EXE
PID:4724 -
\??\c:\lfxlflr.exec:\lfxlflr.exe26⤵
- Executes dropped EXE
PID:2352 -
\??\c:\tththb.exec:\tththb.exe27⤵
- Executes dropped EXE
PID:3312 -
\??\c:\i248226.exec:\i248226.exe28⤵
- Executes dropped EXE
PID:2940 -
\??\c:\ppddv.exec:\ppddv.exe29⤵
- Executes dropped EXE
PID:2248 -
\??\c:\nnnnhn.exec:\nnnnhn.exe30⤵
- Executes dropped EXE
PID:3240 -
\??\c:\0008046.exec:\0008046.exe31⤵
- Executes dropped EXE
PID:4976 -
\??\c:\llxrfxl.exec:\llxrfxl.exe32⤵
- Executes dropped EXE
PID:3520 -
\??\c:\g2642.exec:\g2642.exe33⤵
- Executes dropped EXE
PID:4656 -
\??\c:\000820.exec:\000820.exe34⤵
- Executes dropped EXE
PID:3960 -
\??\c:\lrfrfxl.exec:\lrfrfxl.exe35⤵
- Executes dropped EXE
PID:5100 -
\??\c:\rxxrlxr.exec:\rxxrlxr.exe36⤵
- Executes dropped EXE
PID:3736 -
\??\c:\406082.exec:\406082.exe37⤵
- Executes dropped EXE
PID:1736 -
\??\c:\g0642.exec:\g0642.exe38⤵
- Executes dropped EXE
PID:5072 -
\??\c:\60862.exec:\60862.exe39⤵
- Executes dropped EXE
PID:1436 -
\??\c:\rlxrfrf.exec:\rlxrfrf.exe40⤵
- Executes dropped EXE
PID:4540 -
\??\c:\5jjvp.exec:\5jjvp.exe41⤵
- Executes dropped EXE
PID:4312 -
\??\c:\hnbnbt.exec:\hnbnbt.exe42⤵
- Executes dropped EXE
PID:4076 -
\??\c:\rfrxlrr.exec:\rfrxlrr.exe43⤵
- Executes dropped EXE
PID:2780 -
\??\c:\24864.exec:\24864.exe44⤵
- Executes dropped EXE
PID:1892 -
\??\c:\o402606.exec:\o402606.exe45⤵
- Executes dropped EXE
PID:1120 -
\??\c:\666648.exec:\666648.exe46⤵
- Executes dropped EXE
PID:1648 -
\??\c:\i048820.exec:\i048820.exe47⤵
- Executes dropped EXE
PID:968 -
\??\c:\8660848.exec:\8660848.exe48⤵
- Executes dropped EXE
PID:3568 -
\??\c:\frlfrrl.exec:\frlfrrl.exe49⤵
- Executes dropped EXE
PID:4572 -
\??\c:\48842.exec:\48842.exe50⤵
- Executes dropped EXE
PID:4464 -
\??\c:\204860.exec:\204860.exe51⤵
- Executes dropped EXE
PID:2896 -
\??\c:\9jvdv.exec:\9jvdv.exe52⤵
- Executes dropped EXE
PID:4760 -
\??\c:\3lflxrf.exec:\3lflxrf.exe53⤵
- Executes dropped EXE
PID:1780 -
\??\c:\8620088.exec:\8620088.exe54⤵
- Executes dropped EXE
PID:528 -
\??\c:\jjpdp.exec:\jjpdp.exe55⤵
- Executes dropped EXE
PID:912 -
\??\c:\tnhbbb.exec:\tnhbbb.exe56⤵
- Executes dropped EXE
PID:3560 -
\??\c:\840444.exec:\840444.exe57⤵
- Executes dropped EXE
PID:4072 -
\??\c:\8620046.exec:\8620046.exe58⤵
- Executes dropped EXE
PID:2004 -
\??\c:\4060000.exec:\4060000.exe59⤵
- Executes dropped EXE
PID:3648 -
\??\c:\5bhhbh.exec:\5bhhbh.exe60⤵
- Executes dropped EXE
PID:1548 -
\??\c:\jjjdv.exec:\jjjdv.exe61⤵
- Executes dropped EXE
PID:3772 -
\??\c:\406088.exec:\406088.exe62⤵
- Executes dropped EXE
PID:5088 -
\??\c:\42086.exec:\42086.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3212 -
\??\c:\6064608.exec:\6064608.exe64⤵
- Executes dropped EXE
PID:1872 -
\??\c:\tnnbtn.exec:\tnnbtn.exe65⤵
- Executes dropped EXE
PID:2272 -
\??\c:\ddpjd.exec:\ddpjd.exe66⤵PID:548
-
\??\c:\9vdpj.exec:\9vdpj.exe67⤵PID:468
-
\??\c:\60220.exec:\60220.exe68⤵PID:448
-
\??\c:\jvdpj.exec:\jvdpj.exe69⤵PID:408
-
\??\c:\1fxrxrf.exec:\1fxrxrf.exe70⤵PID:536
-
\??\c:\i486408.exec:\i486408.exe71⤵PID:1272
-
\??\c:\06266.exec:\06266.exe72⤵PID:1180
-
\??\c:\vvvpd.exec:\vvvpd.exe73⤵PID:4248
-
\??\c:\02642.exec:\02642.exe74⤵PID:3984
-
\??\c:\202600.exec:\202600.exe75⤵PID:3904
-
\??\c:\1rlfxxr.exec:\1rlfxxr.exe76⤵PID:1672
-
\??\c:\200488.exec:\200488.exe77⤵PID:5008
-
\??\c:\4608642.exec:\4608642.exe78⤵PID:2352
-
\??\c:\k02622.exec:\k02622.exe79⤵PID:4536
-
\??\c:\48482.exec:\48482.exe80⤵PID:2960
-
\??\c:\dvjvd.exec:\dvjvd.exe81⤵PID:2940
-
\??\c:\djvdj.exec:\djvdj.exe82⤵
- System Location Discovery: System Language Discovery
PID:2248 -
\??\c:\frrlxfr.exec:\frrlxfr.exe83⤵PID:4560
-
\??\c:\vpppj.exec:\vpppj.exe84⤵PID:4604
-
\??\c:\440448.exec:\440448.exe85⤵PID:3472
-
\??\c:\1vvpj.exec:\1vvpj.exe86⤵PID:4372
-
\??\c:\e04648.exec:\e04648.exe87⤵PID:4904
-
\??\c:\i884484.exec:\i884484.exe88⤵PID:2340
-
\??\c:\2248882.exec:\2248882.exe89⤵PID:2596
-
\??\c:\i066004.exec:\i066004.exe90⤵PID:4268
-
\??\c:\44486.exec:\44486.exe91⤵PID:4592
-
\??\c:\1jjvj.exec:\1jjvj.exe92⤵PID:2456
-
\??\c:\642208.exec:\642208.exe93⤵PID:4144
-
\??\c:\o608642.exec:\o608642.exe94⤵PID:724
-
\??\c:\0248660.exec:\0248660.exe95⤵PID:4940
-
\??\c:\60004.exec:\60004.exe96⤵PID:2804
-
\??\c:\jjpdv.exec:\jjpdv.exe97⤵PID:4076
-
\??\c:\c664648.exec:\c664648.exe98⤵PID:4484
-
\??\c:\e40222.exec:\e40222.exe99⤵PID:4336
-
\??\c:\7hthth.exec:\7hthth.exe100⤵PID:3452
-
\??\c:\5jvjv.exec:\5jvjv.exe101⤵PID:2712
-
\??\c:\1nnbtn.exec:\1nnbtn.exe102⤵PID:4440
-
\??\c:\e66866.exec:\e66866.exe103⤵PID:2292
-
\??\c:\rxfxlfr.exec:\rxfxlfr.exe104⤵PID:4664
-
\??\c:\9lxrffr.exec:\9lxrffr.exe105⤵PID:2468
-
\??\c:\dvpdp.exec:\dvpdp.exe106⤵PID:1772
-
\??\c:\a0042.exec:\a0042.exe107⤵PID:1928
-
\??\c:\tnthnt.exec:\tnthnt.exe108⤵PID:4732
-
\??\c:\o842486.exec:\o842486.exe109⤵PID:3076
-
\??\c:\9hhtnh.exec:\9hhtnh.exe110⤵PID:4512
-
\??\c:\62266.exec:\62266.exe111⤵PID:3844
-
\??\c:\vpvpj.exec:\vpvpj.exe112⤵PID:4492
-
\??\c:\bhnbhb.exec:\bhnbhb.exe113⤵PID:4912
-
\??\c:\280860.exec:\280860.exe114⤵PID:1568
-
\??\c:\htnbnh.exec:\htnbnh.exe115⤵PID:4208
-
\??\c:\8886820.exec:\8886820.exe116⤵PID:1176
-
\??\c:\6442604.exec:\6442604.exe117⤵PID:1560
-
\??\c:\pvpdd.exec:\pvpdd.exe118⤵PID:3808
-
\??\c:\9dpjv.exec:\9dpjv.exe119⤵PID:4488
-
\??\c:\dvdpj.exec:\dvdpj.exe120⤵PID:4660
-
\??\c:\2022228.exec:\2022228.exe121⤵PID:3088
-
\??\c:\666060.exec:\666060.exe122⤵PID:3212