Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe
-
Size
454KB
-
MD5
1f0826a932f50220d80b1b9cb06ddb01
-
SHA1
9e4909014c3388689442af213a693de08c687ab4
-
SHA256
345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba
-
SHA512
a86113efdc45bb5f63c46cd464abc9958c4d79687dd4d6bb91118eb6a044cde40a6a382152eaa03a9967b60f482725aae1d0ea996123157d9e21b3fca91705f0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4180-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1636-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1540-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-895-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-1214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-1251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-1695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2008 62820.exe 1736 pjjdp.exe 2132 vjvpv.exe 2312 648484.exe 4084 jvvpd.exe 4388 00604.exe 668 jpjdp.exe 2112 2008620.exe 852 864884.exe 2332 bnhbtn.exe 2928 e62088.exe 232 pdjvp.exe 4880 24422.exe 1576 lffxflf.exe 4912 642848.exe 1544 22602.exe 3100 thhhhh.exe 2408 ntbnhb.exe 3612 444860.exe 1676 620204.exe 4812 thnbnh.exe 2300 lllxrrl.exe 4616 dvjdp.exe 1140 jvvvv.exe 4380 28020.exe 4564 082026.exe 4852 8220820.exe 1636 hnnbnh.exe 1416 vdvjd.exe 3164 4248482.exe 3452 bhhtnt.exe 4644 62048.exe 5084 hnhtnh.exe 1180 2060448.exe 4680 jdddd.exe 376 c026860.exe 5116 0688046.exe 4428 c682048.exe 3304 9llxllf.exe 4016 nhnhbt.exe 3104 468220.exe 1828 pdvjv.exe 1312 64420.exe 4140 rrxffff.exe 2092 648406.exe 2768 vjvpd.exe 2280 tbbntn.exe 1344 064488.exe 1780 e80040.exe 1016 088264.exe 3720 nbnhhb.exe 904 rlrlrll.exe 5060 xlfxrrr.exe 3940 djppp.exe 3364 824266.exe 4216 lfffxxx.exe 2108 608800.exe 4780 jjvjv.exe 3484 7vvpv.exe 2124 pdpdp.exe 992 64820.exe 3124 jddpj.exe 2672 3vdvp.exe 852 xffrrlf.exe -
resource yara_rule behavioral2/memory/4180-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3164-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-378-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1064-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-895-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flflfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q88642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 620048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6282660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2648446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k24848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0282004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4180 wrote to memory of 2008 4180 345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe 83 PID 4180 wrote to memory of 2008 4180 345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe 83 PID 4180 wrote to memory of 2008 4180 345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe 83 PID 2008 wrote to memory of 1736 2008 62820.exe 84 PID 2008 wrote to memory of 1736 2008 62820.exe 84 PID 2008 wrote to memory of 1736 2008 62820.exe 84 PID 1736 wrote to memory of 2132 1736 pjjdp.exe 85 PID 1736 wrote to memory of 2132 1736 pjjdp.exe 85 PID 1736 wrote to memory of 2132 1736 pjjdp.exe 85 PID 2132 wrote to memory of 2312 2132 vjvpv.exe 86 PID 2132 wrote to memory of 2312 2132 vjvpv.exe 86 PID 2132 wrote to memory of 2312 2132 vjvpv.exe 86 PID 2312 wrote to memory of 4084 2312 648484.exe 87 PID 2312 wrote to memory of 4084 2312 648484.exe 87 PID 2312 wrote to memory of 4084 2312 648484.exe 87 PID 4084 wrote to memory of 4388 4084 jvvpd.exe 88 PID 4084 wrote to memory of 4388 4084 jvvpd.exe 88 PID 4084 wrote to memory of 4388 4084 jvvpd.exe 88 PID 4388 wrote to memory of 668 4388 00604.exe 89 PID 4388 wrote to memory of 668 4388 00604.exe 89 PID 4388 wrote to memory of 668 4388 00604.exe 89 PID 668 wrote to memory of 2112 668 jpjdp.exe 90 PID 668 wrote to memory of 2112 668 jpjdp.exe 90 PID 668 wrote to memory of 2112 668 jpjdp.exe 90 PID 2112 wrote to memory of 852 2112 2008620.exe 91 PID 2112 wrote to memory of 852 2112 2008620.exe 91 PID 2112 wrote to memory of 852 2112 2008620.exe 91 PID 852 wrote to memory of 2332 852 864884.exe 92 PID 852 wrote to memory of 2332 852 864884.exe 92 PID 852 wrote to memory of 2332 852 864884.exe 92 PID 2332 wrote to memory of 2928 2332 bnhbtn.exe 93 PID 2332 wrote to memory of 2928 2332 bnhbtn.exe 93 PID 2332 wrote to memory of 2928 2332 bnhbtn.exe 93 PID 2928 wrote to memory of 232 2928 e62088.exe 94 PID 2928 wrote to memory of 232 2928 e62088.exe 94 
PID 2928 wrote to memory of 232 2928 e62088.exe 94 PID 232 wrote to memory of 4880 232 pdjvp.exe 95 PID 232 wrote to memory of 4880 232 pdjvp.exe 95 PID 232 wrote to memory of 4880 232 pdjvp.exe 95 PID 4880 wrote to memory of 1576 4880 24422.exe 96 PID 4880 wrote to memory of 1576 4880 24422.exe 96 PID 4880 wrote to memory of 1576 4880 24422.exe 96 PID 1576 wrote to memory of 4912 1576 lffxflf.exe 97 PID 1576 wrote to memory of 4912 1576 lffxflf.exe 97 PID 1576 wrote to memory of 4912 1576 lffxflf.exe 97 PID 4912 wrote to memory of 1544 4912 642848.exe 98 PID 4912 wrote to memory of 1544 4912 642848.exe 98 PID 4912 wrote to memory of 1544 4912 642848.exe 98 PID 1544 wrote to memory of 3100 1544 22602.exe 99 PID 1544 wrote to memory of 3100 1544 22602.exe 99 PID 1544 wrote to memory of 3100 1544 22602.exe 99 PID 3100 wrote to memory of 2408 3100 thhhhh.exe 100 PID 3100 wrote to memory of 2408 3100 thhhhh.exe 100 PID 3100 wrote to memory of 2408 3100 thhhhh.exe 100 PID 2408 wrote to memory of 3612 2408 ntbnhb.exe 101 PID 2408 wrote to memory of 3612 2408 ntbnhb.exe 101 PID 2408 wrote to memory of 3612 2408 ntbnhb.exe 101 PID 3612 wrote to memory of 1676 3612 444860.exe 102 PID 3612 wrote to memory of 1676 3612 444860.exe 102 PID 3612 wrote to memory of 1676 3612 444860.exe 102 PID 1676 wrote to memory of 4812 1676 620204.exe 103 PID 1676 wrote to memory of 4812 1676 620204.exe 103 PID 1676 wrote to memory of 4812 1676 620204.exe 103 PID 4812 wrote to memory of 2300 4812 thnbnh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe"C:\Users\Admin\AppData\Local\Temp\345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\62820.exec:\62820.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\pjjdp.exec:\pjjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\vjvpv.exec:\vjvpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\648484.exec:\648484.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\jvvpd.exec:\jvvpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\00604.exec:\00604.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\jpjdp.exec:\jpjdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\2008620.exec:\2008620.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\864884.exec:\864884.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\bnhbtn.exec:\bnhbtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\e62088.exec:\e62088.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\pdjvp.exec:\pdjvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\24422.exec:\24422.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\lffxflf.exec:\lffxflf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\642848.exec:\642848.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\22602.exec:\22602.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\thhhhh.exec:\thhhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\ntbnhb.exec:\ntbnhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\444860.exec:\444860.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\620204.exec:\620204.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\thnbnh.exec:\thnbnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\lllxrrl.exec:\lllxrrl.exe23⤵
- Executes dropped EXE
PID:2300 -
\??\c:\dvjdp.exec:\dvjdp.exe24⤵
- Executes dropped EXE
PID:4616 -
\??\c:\jvvvv.exec:\jvvvv.exe25⤵
- Executes dropped EXE
PID:1140 -
\??\c:\28020.exec:\28020.exe26⤵
- Executes dropped EXE
PID:4380 -
\??\c:\082026.exec:\082026.exe27⤵
- Executes dropped EXE
PID:4564 -
\??\c:\8220820.exec:\8220820.exe28⤵
- Executes dropped EXE
PID:4852 -
\??\c:\hnnbnh.exec:\hnnbnh.exe29⤵
- Executes dropped EXE
PID:1636 -
\??\c:\vdvjd.exec:\vdvjd.exe30⤵
- Executes dropped EXE
PID:1416 -
\??\c:\4248482.exec:\4248482.exe31⤵
- Executes dropped EXE
PID:3164 -
\??\c:\bhhtnt.exec:\bhhtnt.exe32⤵
- Executes dropped EXE
PID:3452 -
\??\c:\62048.exec:\62048.exe33⤵
- Executes dropped EXE
PID:4644 -
\??\c:\hnhtnh.exec:\hnhtnh.exe34⤵
- Executes dropped EXE
PID:5084 -
\??\c:\2060448.exec:\2060448.exe35⤵
- Executes dropped EXE
PID:1180 -
\??\c:\jdddd.exec:\jdddd.exe36⤵
- Executes dropped EXE
PID:4680 -
\??\c:\c026860.exec:\c026860.exe37⤵
- Executes dropped EXE
PID:376 -
\??\c:\0688046.exec:\0688046.exe38⤵
- Executes dropped EXE
PID:5116 -
\??\c:\c682048.exec:\c682048.exe39⤵
- Executes dropped EXE
PID:4428 -
\??\c:\9llxllf.exec:\9llxllf.exe40⤵
- Executes dropped EXE
PID:3304 -
\??\c:\nhnhbt.exec:\nhnhbt.exe41⤵
- Executes dropped EXE
PID:4016 -
\??\c:\468220.exec:\468220.exe42⤵
- Executes dropped EXE
PID:3104 -
\??\c:\pdvjv.exec:\pdvjv.exe43⤵
- Executes dropped EXE
PID:1828 -
\??\c:\64420.exec:\64420.exe44⤵
- Executes dropped EXE
PID:1312 -
\??\c:\rrxffff.exec:\rrxffff.exe45⤵
- Executes dropped EXE
PID:4140 -
\??\c:\648406.exec:\648406.exe46⤵
- Executes dropped EXE
PID:2092 -
\??\c:\vjvpd.exec:\vjvpd.exe47⤵
- Executes dropped EXE
PID:2768 -
\??\c:\tbbntn.exec:\tbbntn.exe48⤵
- Executes dropped EXE
PID:2280 -
\??\c:\064488.exec:\064488.exe49⤵
- Executes dropped EXE
PID:1344 -
\??\c:\e80040.exec:\e80040.exe50⤵
- Executes dropped EXE
PID:1780 -
\??\c:\088264.exec:\088264.exe51⤵
- Executes dropped EXE
PID:1016 -
\??\c:\nbnhhb.exec:\nbnhhb.exe52⤵
- Executes dropped EXE
PID:3720 -
\??\c:\rlrlrll.exec:\rlrlrll.exe53⤵
- Executes dropped EXE
PID:904 -
\??\c:\xlfxrrr.exec:\xlfxrrr.exe54⤵
- Executes dropped EXE
PID:5060 -
\??\c:\djppp.exec:\djppp.exe55⤵
- Executes dropped EXE
PID:3940 -
\??\c:\824266.exec:\824266.exe56⤵
- Executes dropped EXE
PID:3364 -
\??\c:\lfffxxx.exec:\lfffxxx.exe57⤵
- Executes dropped EXE
PID:4216 -
\??\c:\608800.exec:\608800.exe58⤵
- Executes dropped EXE
PID:2108 -
\??\c:\jjvjv.exec:\jjvjv.exe59⤵
- Executes dropped EXE
PID:4780 -
\??\c:\7vvpv.exec:\7vvpv.exe60⤵
- Executes dropped EXE
PID:3484 -
\??\c:\pdpdp.exec:\pdpdp.exe61⤵
- Executes dropped EXE
PID:2124 -
\??\c:\64820.exec:\64820.exe62⤵
- Executes dropped EXE
PID:992 -
\??\c:\jddpj.exec:\jddpj.exe63⤵
- Executes dropped EXE
PID:3124 -
\??\c:\3vdvp.exec:\3vdvp.exe64⤵
- Executes dropped EXE
PID:2672 -
\??\c:\xffrrlf.exec:\xffrrlf.exe65⤵
- Executes dropped EXE
PID:852 -
\??\c:\7vvpd.exec:\7vvpd.exe66⤵PID:32
-
\??\c:\6404040.exec:\6404040.exe67⤵PID:2988
-
\??\c:\hbhtnh.exec:\hbhtnh.exe68⤵PID:4924
-
\??\c:\pjdpj.exec:\pjdpj.exe69⤵PID:1268
-
\??\c:\vvjvp.exec:\vvjvp.exe70⤵PID:860
-
\??\c:\o848608.exec:\o848608.exe71⤵PID:4400
-
\??\c:\rxfxlxr.exec:\rxfxlxr.exe72⤵PID:2772
-
\??\c:\9llffff.exec:\9llffff.exe73⤵PID:1540
-
\??\c:\s0048.exec:\s0048.exe74⤵
- System Location Discovery: System Language Discovery
PID:4292 -
\??\c:\62204.exec:\62204.exe75⤵PID:2880
-
\??\c:\pvpjv.exec:\pvpjv.exe76⤵PID:1004
-
\??\c:\8808662.exec:\8808662.exe77⤵PID:3100
-
\??\c:\08426.exec:\08426.exe78⤵PID:2376
-
\??\c:\7tthnh.exec:\7tthnh.exe79⤵PID:4900
-
\??\c:\pjjvv.exec:\pjjvv.exe80⤵PID:5076
-
\??\c:\8220404.exec:\8220404.exe81⤵PID:640
-
\??\c:\080428.exec:\080428.exe82⤵PID:4220
-
\??\c:\7pjvd.exec:\7pjvd.exe83⤵PID:2164
-
\??\c:\vdjjv.exec:\vdjjv.exe84⤵PID:1860
-
\??\c:\xrxllff.exec:\xrxllff.exe85⤵PID:1028
-
\??\c:\nnnhtn.exec:\nnnhtn.exe86⤵PID:1564
-
\??\c:\1xlxlfr.exec:\1xlxlfr.exe87⤵PID:4148
-
\??\c:\lrrflxr.exec:\lrrflxr.exe88⤵PID:5052
-
\??\c:\848264.exec:\848264.exe89⤵PID:3020
-
\??\c:\484248.exec:\484248.exe90⤵PID:684
-
\??\c:\s0206.exec:\s0206.exe91⤵PID:4736
-
\??\c:\06086.exec:\06086.exe92⤵PID:1696
-
\??\c:\9xrllll.exec:\9xrllll.exe93⤵PID:920
-
\??\c:\jvvpd.exec:\jvvpd.exe94⤵PID:1196
-
\??\c:\86608.exec:\86608.exe95⤵PID:3444
-
\??\c:\htnbtn.exec:\htnbtn.exe96⤵PID:1532
-
\??\c:\08886.exec:\08886.exe97⤵PID:2064
-
\??\c:\nbhbbb.exec:\nbhbbb.exe98⤵PID:4556
-
\??\c:\lfllfxr.exec:\lfllfxr.exe99⤵PID:1064
-
\??\c:\hhbnhb.exec:\hhbnhb.exe100⤵PID:3080
-
\??\c:\rffxrlf.exec:\rffxrlf.exe101⤵PID:1772
-
\??\c:\jdvjd.exec:\jdvjd.exe102⤵PID:5116
-
\??\c:\2622642.exec:\2622642.exe103⤵PID:2412
-
\??\c:\866486.exec:\866486.exe104⤵PID:1740
-
\??\c:\84048.exec:\84048.exe105⤵PID:3944
-
\??\c:\jvpvp.exec:\jvpvp.exe106⤵PID:3104
-
\??\c:\lrrxlfr.exec:\lrrxlfr.exe107⤵PID:3860
-
\??\c:\jjjdv.exec:\jjjdv.exe108⤵PID:4560
-
\??\c:\jvpjv.exec:\jvpjv.exe109⤵PID:4140
-
\??\c:\84486.exec:\84486.exe110⤵PID:4460
-
\??\c:\pjvpd.exec:\pjvpd.exe111⤵PID:4696
-
\??\c:\224224.exec:\224224.exe112⤵PID:3640
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe113⤵PID:4336
-
\??\c:\dvjvj.exec:\dvjvj.exe114⤵PID:4684
-
\??\c:\8206404.exec:\8206404.exe115⤵PID:1256
-
\??\c:\lrrffxr.exec:\lrrffxr.exe116⤵PID:4796
-
\??\c:\nhhtbt.exec:\nhhtbt.exe117⤵PID:2612
-
\??\c:\248686.exec:\248686.exe118⤵PID:2804
-
\??\c:\a2426.exec:\a2426.exe119⤵PID:2416
-
\??\c:\pvvjd.exec:\pvvjd.exe120⤵PID:4960
-
\??\c:\llrrrrx.exec:\llrrrrx.exe121⤵PID:184
-
\??\c:\3nhhtn.exec:\3nhhtn.exe122⤵PID:4856
-