Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
29/12/2024, 03:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c19be7e025657c493f23a91b93a47f68e445d94ada334c021c2931dbae5562a9.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c19be7e025657c493f23a91b93a47f68e445d94ada334c021c2931dbae5562a9.exe
-
Size
454KB
-
MD5
c1bd2986f735a8c2e9dd7b425b1cb4cb
-
SHA1
cfba901e715fc7dd77804c4d4f630ba970365e20
-
SHA256
c19be7e025657c493f23a91b93a47f68e445d94ada334c021c2931dbae5562a9
-
SHA512
f1757a98809634301c32d4df17ea93135f8eef6ec0443cf30d658e20dc9e75ee0e51443b5dc46161a4ac974b3c4ecfa1c06605e54dd2c02d023a04c7e586b713
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTU:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 63 IoCs (YARA rule family_blackmoon matching in-memory dumps of the dropped executables; every hit covers the same image range 0x400000–0x42A000, which is consistent with each child process carrying a copy of the same unpacked payload)
resource yara_rule behavioral2/memory/4064-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1612-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1244-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-854-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-1462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-1883-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the process tree below continues well past these 64 entries). Note that PIDs are recycled during the run — for example 2708 is listed for both frfffff.exe and vppjv.exe, and 1640 for both the original sample and pjvpj.exe — so correlate memory dumps and registry events on process name and tree position, not on PID alone.
pid Process 4064 jdvpp.exe 1516 nhnhhn.exe 2116 0866228.exe 4204 jpjjd.exe 1636 04060.exe 2708 frfffff.exe 216 48862.exe 2040 24008.exe 1696 8600444.exe 916 028888.exe 3304 26286.exe 1160 2220882.exe 2096 rrxrflr.exe 4968 fxllfrr.exe 1372 nntnhh.exe 5116 0084064.exe 220 vvvjj.exe 4068 bbhbbt.exe 4296 tttttt.exe 4368 1vpjp.exe 2060 48422.exe 3080 824840.exe 1416 jvdvp.exe 3520 tbtbbh.exe 4748 i060400.exe 3388 xrrrlff.exe 1612 244888.exe 3264 lfxrffl.exe 2400 0400662.exe 4896 e66602.exe 868 28448.exe 2216 hhtnbb.exe 4680 04484.exe 1004 48644.exe 2668 bnttth.exe 4128 800462.exe 4036 0422226.exe 2556 44048.exe 548 ffrlrrl.exe 1016 xxffllx.exe 2024 4022226.exe 3100 fxlllff.exe 4620 e40488.exe 228 042622.exe 4144 thntnn.exe 4948 86282.exe 5000 i442660.exe 348 066082.exe 372 86048.exe 1640 pjvpj.exe 4324 26426.exe 2480 bthhnn.exe 3512 a2604.exe 3604 bhhtnh.exe 3828 pdvpd.exe 3588 602620.exe 676 xrflxfx.exe 2436 2200262.exe 2708 vppjv.exe 4092 rlxxrxr.exe 3060 6286222.exe 1224 5rrflfx.exe 4392 bthbhb.exe 4008 vjpjd.exe -
resource yara_rule behavioral2/memory/4064-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3264-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-377-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1076-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-854-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-873-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also a common geofencing / sandbox-evasion check, but it is equally performed by benign locale-aware code, so on its own this is a low-confidence indicator; it is listed here because it was observed in the dropped executables, not the original sample.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6448264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u404882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8608608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04228.exe -
Suspicious use of WriteProcessMemory — 64 IoCs. Each parent→child pair is logged three times, a pattern commonly seen on ordinary process creation rather than a separate code-injection step; treat these entries as corroboration of the spawn chain (each dropped EXE launches the next) rather than as evidence of injection on their own.
description pid Process procid_target PID 1640 wrote to memory of 4064 1640 c19be7e025657c493f23a91b93a47f68e445d94ada334c021c2931dbae5562a9.exe 83 PID 1640 wrote to memory of 4064 1640 c19be7e025657c493f23a91b93a47f68e445d94ada334c021c2931dbae5562a9.exe 83 PID 1640 wrote to memory of 4064 1640 c19be7e025657c493f23a91b93a47f68e445d94ada334c021c2931dbae5562a9.exe 83 PID 4064 wrote to memory of 1516 4064 jdvpp.exe 84 PID 4064 wrote to memory of 1516 4064 jdvpp.exe 84 PID 4064 wrote to memory of 1516 4064 jdvpp.exe 84 PID 1516 wrote to memory of 2116 1516 nhnhhn.exe 85 PID 1516 wrote to memory of 2116 1516 nhnhhn.exe 85 PID 1516 wrote to memory of 2116 1516 nhnhhn.exe 85 PID 2116 wrote to memory of 4204 2116 0866228.exe 86 PID 2116 wrote to memory of 4204 2116 0866228.exe 86 PID 2116 wrote to memory of 4204 2116 0866228.exe 86 PID 4204 wrote to memory of 1636 4204 jpjjd.exe 87 PID 4204 wrote to memory of 1636 4204 jpjjd.exe 87 PID 4204 wrote to memory of 1636 4204 jpjjd.exe 87 PID 1636 wrote to memory of 2708 1636 04060.exe 88 PID 1636 wrote to memory of 2708 1636 04060.exe 88 PID 1636 wrote to memory of 2708 1636 04060.exe 88 PID 2708 wrote to memory of 216 2708 frfffff.exe 89 PID 2708 wrote to memory of 216 2708 frfffff.exe 89 PID 2708 wrote to memory of 216 2708 frfffff.exe 89 PID 216 wrote to memory of 2040 216 48862.exe 90 PID 216 wrote to memory of 2040 216 48862.exe 90 PID 216 wrote to memory of 2040 216 48862.exe 90 PID 2040 wrote to memory of 1696 2040 24008.exe 91 PID 2040 wrote to memory of 1696 2040 24008.exe 91 PID 2040 wrote to memory of 1696 2040 24008.exe 91 PID 1696 wrote to memory of 916 1696 8600444.exe 92 PID 1696 wrote to memory of 916 1696 8600444.exe 92 PID 1696 wrote to memory of 916 1696 8600444.exe 92 PID 916 wrote to memory of 3304 916 028888.exe 93 PID 916 wrote to memory of 3304 916 028888.exe 93 PID 916 wrote to memory of 3304 916 028888.exe 93 PID 3304 wrote to memory of 1160 3304 26286.exe 94 PID 3304 wrote to memory of 1160 3304 
26286.exe 94 PID 3304 wrote to memory of 1160 3304 26286.exe 94 PID 1160 wrote to memory of 2096 1160 2220882.exe 95 PID 1160 wrote to memory of 2096 1160 2220882.exe 95 PID 1160 wrote to memory of 2096 1160 2220882.exe 95 PID 2096 wrote to memory of 4968 2096 rrxrflr.exe 96 PID 2096 wrote to memory of 4968 2096 rrxrflr.exe 96 PID 2096 wrote to memory of 4968 2096 rrxrflr.exe 96 PID 4968 wrote to memory of 1372 4968 fxllfrr.exe 97 PID 4968 wrote to memory of 1372 4968 fxllfrr.exe 97 PID 4968 wrote to memory of 1372 4968 fxllfrr.exe 97 PID 1372 wrote to memory of 5116 1372 nntnhh.exe 98 PID 1372 wrote to memory of 5116 1372 nntnhh.exe 98 PID 1372 wrote to memory of 5116 1372 nntnhh.exe 98 PID 5116 wrote to memory of 220 5116 0084064.exe 99 PID 5116 wrote to memory of 220 5116 0084064.exe 99 PID 5116 wrote to memory of 220 5116 0084064.exe 99 PID 220 wrote to memory of 4068 220 vvvjj.exe 100 PID 220 wrote to memory of 4068 220 vvvjj.exe 100 PID 220 wrote to memory of 4068 220 vvvjj.exe 100 PID 4068 wrote to memory of 4296 4068 bbhbbt.exe 101 PID 4068 wrote to memory of 4296 4068 bbhbbt.exe 101 PID 4068 wrote to memory of 4296 4068 bbhbbt.exe 101 PID 4296 wrote to memory of 4368 4296 tttttt.exe 102 PID 4296 wrote to memory of 4368 4296 tttttt.exe 102 PID 4296 wrote to memory of 4368 4296 tttttt.exe 102 PID 4368 wrote to memory of 2060 4368 1vpjp.exe 103 PID 4368 wrote to memory of 2060 4368 1vpjp.exe 103 PID 4368 wrote to memory of 2060 4368 1vpjp.exe 103 PID 2060 wrote to memory of 3080 2060 48422.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c19be7e025657c493f23a91b93a47f68e445d94ada334c021c2931dbae5562a9.exe"C:\Users\Admin\AppData\Local\Temp\c19be7e025657c493f23a91b93a47f68e445d94ada334c021c2931dbae5562a9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\jdvpp.exec:\jdvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\nhnhhn.exec:\nhnhhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\0866228.exec:\0866228.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\jpjjd.exec:\jpjjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\04060.exec:\04060.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\frfffff.exec:\frfffff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\48862.exec:\48862.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\24008.exec:\24008.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\8600444.exec:\8600444.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\028888.exec:\028888.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\26286.exec:\26286.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\2220882.exec:\2220882.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\rrxrflr.exec:\rrxrflr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\fxllfrr.exec:\fxllfrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\nntnhh.exec:\nntnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\0084064.exec:\0084064.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\vvvjj.exec:\vvvjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\bbhbbt.exec:\bbhbbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\tttttt.exec:\tttttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\1vpjp.exec:\1vpjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\48422.exec:\48422.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\824840.exec:\824840.exe23⤵
- Executes dropped EXE
PID:3080 -
\??\c:\jvdvp.exec:\jvdvp.exe24⤵
- Executes dropped EXE
PID:1416 -
\??\c:\tbtbbh.exec:\tbtbbh.exe25⤵
- Executes dropped EXE
PID:3520 -
\??\c:\i060400.exec:\i060400.exe26⤵
- Executes dropped EXE
PID:4748 -
\??\c:\xrrrlff.exec:\xrrrlff.exe27⤵
- Executes dropped EXE
PID:3388 -
\??\c:\244888.exec:\244888.exe28⤵
- Executes dropped EXE
PID:1612 -
\??\c:\lfxrffl.exec:\lfxrffl.exe29⤵
- Executes dropped EXE
PID:3264 -
\??\c:\0400662.exec:\0400662.exe30⤵
- Executes dropped EXE
PID:2400 -
\??\c:\e66602.exec:\e66602.exe31⤵
- Executes dropped EXE
PID:4896 -
\??\c:\28448.exec:\28448.exe32⤵
- Executes dropped EXE
PID:868 -
\??\c:\hhtnbb.exec:\hhtnbb.exe33⤵
- Executes dropped EXE
PID:2216 -
\??\c:\04484.exec:\04484.exe34⤵
- Executes dropped EXE
PID:4680 -
\??\c:\48644.exec:\48644.exe35⤵
- Executes dropped EXE
PID:1004 -
\??\c:\bnttth.exec:\bnttth.exe36⤵
- Executes dropped EXE
PID:2668 -
\??\c:\800462.exec:\800462.exe37⤵
- Executes dropped EXE
PID:4128 -
\??\c:\0422226.exec:\0422226.exe38⤵
- Executes dropped EXE
PID:4036 -
\??\c:\44048.exec:\44048.exe39⤵
- Executes dropped EXE
PID:2556 -
\??\c:\ffrlrrl.exec:\ffrlrrl.exe40⤵
- Executes dropped EXE
PID:548 -
\??\c:\xxffllx.exec:\xxffllx.exe41⤵
- Executes dropped EXE
PID:1016 -
\??\c:\4022226.exec:\4022226.exe42⤵
- Executes dropped EXE
PID:2024 -
\??\c:\fxlllff.exec:\fxlllff.exe43⤵
- Executes dropped EXE
PID:3100 -
\??\c:\e40488.exec:\e40488.exe44⤵
- Executes dropped EXE
PID:4620 -
\??\c:\042622.exec:\042622.exe45⤵
- Executes dropped EXE
PID:228 -
\??\c:\thntnn.exec:\thntnn.exe46⤵
- Executes dropped EXE
PID:4144 -
\??\c:\86282.exec:\86282.exe47⤵
- Executes dropped EXE
PID:4948 -
\??\c:\i442660.exec:\i442660.exe48⤵
- Executes dropped EXE
PID:5000 -
\??\c:\066082.exec:\066082.exe49⤵
- Executes dropped EXE
PID:348 -
\??\c:\86048.exec:\86048.exe50⤵
- Executes dropped EXE
PID:372 -
\??\c:\pjvpj.exec:\pjvpj.exe51⤵
- Executes dropped EXE
PID:1640 -
\??\c:\26426.exec:\26426.exe52⤵
- Executes dropped EXE
PID:4324 -
\??\c:\bthhnn.exec:\bthhnn.exe53⤵
- Executes dropped EXE
PID:2480 -
\??\c:\a2604.exec:\a2604.exe54⤵
- Executes dropped EXE
PID:3512 -
\??\c:\bhhtnh.exec:\bhhtnh.exe55⤵
- Executes dropped EXE
PID:3604 -
\??\c:\pdvpd.exec:\pdvpd.exe56⤵
- Executes dropped EXE
PID:3828 -
\??\c:\602620.exec:\602620.exe57⤵
- Executes dropped EXE
PID:3588 -
\??\c:\xrflxfx.exec:\xrflxfx.exe58⤵
- Executes dropped EXE
PID:676 -
\??\c:\2200262.exec:\2200262.exe59⤵
- Executes dropped EXE
PID:2436 -
\??\c:\vppjv.exec:\vppjv.exe60⤵
- Executes dropped EXE
PID:2708 -
\??\c:\rlxxrxr.exec:\rlxxrxr.exe61⤵
- Executes dropped EXE
PID:4092 -
\??\c:\6286222.exec:\6286222.exe62⤵
- Executes dropped EXE
PID:3060 -
\??\c:\5rrflfx.exec:\5rrflfx.exe63⤵
- Executes dropped EXE
PID:1224 -
\??\c:\bthbhb.exec:\bthbhb.exe64⤵
- Executes dropped EXE
PID:4392 -
\??\c:\vjpjd.exec:\vjpjd.exe65⤵
- Executes dropped EXE
PID:4008 -
\??\c:\vddpj.exec:\vddpj.exe66⤵PID:1496
-
\??\c:\xrllffx.exec:\xrllffx.exe67⤵PID:3684
-
\??\c:\400486.exec:\400486.exe68⤵PID:2520
-
\??\c:\4248866.exec:\4248866.exe69⤵PID:1536
-
\??\c:\0248444.exec:\0248444.exe70⤵PID:2960
-
\??\c:\8262886.exec:\8262886.exe71⤵PID:1064
-
\??\c:\a8826.exec:\a8826.exe72⤵PID:3612
-
\??\c:\64064.exec:\64064.exe73⤵PID:4864
-
\??\c:\4842264.exec:\4842264.exe74⤵PID:720
-
\??\c:\804442.exec:\804442.exe75⤵PID:4764
-
\??\c:\ttbhnh.exec:\ttbhnh.exe76⤵
- System Location Discovery: System Language Discovery
PID:536 -
\??\c:\dppjd.exec:\dppjd.exe77⤵PID:1840
-
\??\c:\5bbthh.exec:\5bbthh.exe78⤵PID:4436
-
\??\c:\064068.exec:\064068.exe79⤵PID:1244
-
\??\c:\8026448.exec:\8026448.exe80⤵PID:4084
-
\??\c:\ttnbnh.exec:\ttnbnh.exe81⤵PID:1184
-
\??\c:\822082.exec:\822082.exe82⤵PID:4208
-
\??\c:\200462.exec:\200462.exe83⤵PID:2136
-
\??\c:\xlfrlfr.exec:\xlfrlfr.exe84⤵PID:3432
-
\??\c:\266048.exec:\266048.exe85⤵PID:1652
-
\??\c:\406426.exec:\406426.exe86⤵PID:1012
-
\??\c:\xxxxrrf.exec:\xxxxrrf.exe87⤵PID:5028
-
\??\c:\vjdpj.exec:\vjdpj.exe88⤵PID:904
-
\??\c:\ffrrllr.exec:\ffrrllr.exe89⤵PID:3836
-
\??\c:\06828.exec:\06828.exe90⤵PID:1076
-
\??\c:\lrrlllf.exec:\lrrlllf.exe91⤵PID:2288
-
\??\c:\ntthhb.exec:\ntthhb.exe92⤵PID:544
-
\??\c:\nhnhbb.exec:\nhnhbb.exe93⤵PID:748
-
\??\c:\tnnbht.exec:\tnnbht.exe94⤵PID:2528
-
\??\c:\nbntbn.exec:\nbntbn.exe95⤵PID:2216
-
\??\c:\bhhthb.exec:\bhhthb.exe96⤵PID:4680
-
\??\c:\rxxfxfl.exec:\rxxfxfl.exe97⤵PID:4364
-
\??\c:\djpdp.exec:\djpdp.exe98⤵PID:3528
-
\??\c:\nhtttb.exec:\nhtttb.exe99⤵PID:1116
-
\??\c:\2688266.exec:\2688266.exe100⤵PID:4328
-
\??\c:\4806660.exec:\4806660.exe101⤵PID:2768
-
\??\c:\tbhbth.exec:\tbhbth.exe102⤵PID:1500
-
\??\c:\xxxrffx.exec:\xxxrffx.exe103⤵PID:652
-
\??\c:\6242048.exec:\6242048.exe104⤵PID:2620
-
\??\c:\a4020.exec:\a4020.exe105⤵PID:1448
-
\??\c:\8608280.exec:\8608280.exe106⤵PID:4348
-
\??\c:\86466.exec:\86466.exe107⤵PID:4904
-
\??\c:\xrlxfrl.exec:\xrlxfrl.exe108⤵PID:2156
-
\??\c:\206422.exec:\206422.exe109⤵PID:4688
-
\??\c:\684866.exec:\684866.exe110⤵PID:2596
-
\??\c:\88642.exec:\88642.exe111⤵PID:4292
-
\??\c:\828804.exec:\828804.exe112⤵PID:4220
-
\??\c:\6686824.exec:\6686824.exe113⤵PID:372
-
\??\c:\3rrlxfl.exec:\3rrlxfl.exe114⤵PID:1640
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe115⤵PID:2336
-
\??\c:\888248.exec:\888248.exe116⤵PID:4312
-
\??\c:\64660.exec:\64660.exe117⤵PID:3452
-
\??\c:\28864.exec:\28864.exe118⤵PID:3996
-
\??\c:\5lfrllx.exec:\5lfrllx.exe119⤵PID:2416
-
\??\c:\vpddj.exec:\vpddj.exe120⤵PID:4204
-
\??\c:\frrlxrl.exec:\frrlxrl.exe121⤵PID:3588
-
\??\c:\rxrxlrf.exec:\rxrxlrf.exe122⤵PID:676