Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/01/2025, 15:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe
Resource
win7-20240903-en
7 signatures
150 seconds
Note: this tab describes the Windows 7 run (behavioral1). The signatures, memory dumps and process tree shown on this page come from the Windows 10 run — platform windows10-2004_x64, image win10v2004-20241007-en — as the behavioral2/ prefix on every memory IoC below indicates; signature counts and behaviour may differ between the two runs, so do not read the "7 signatures" figure against the data below.
General
-
Target
c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe
-
Size
456KB
-
MD5
6ddf887a55590e37b0a0b09645946bdf
-
SHA1
62878f3f0bedda9ad0e37e3d2598e0bac40e9c62
-
SHA256
c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e
-
SHA512
2d391a388188e673991c43e3a7e196fb0389178cb555a2daba1c11a6856c4241b2c7a9e2759385ab3da1fc8c5a044a9889e1ee8295c746151a2cd230379b899e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs shown (listing capped at 64). Every hit is a YARA match on a memory dump of the same 0x00400000–0x0042A000 region of a process in the chain, i.e. the unpacked image in memory; the same dump identifiers also match the UPX rule further down, so the files as written to disk may not match a Blackmoon rule until they are unpacked. PIDs recur with different dump indices (2036-72 / 2036-467, 4540-144 / 4540-664, 1728-329 / 1728-957) because PIDs are recycled across the chain — a dump is identified by PID plus index, not by PID alone.
resource yara_rule behavioral2/memory/2176-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2436-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3640-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/324-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-838-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1728-957-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs shown (listing capped at 64; the process tree below runs 122 levels deep, so most dropped stages are not listed here). PIDs are recycled during the run — 2176 is m8606.exe and later 9xlfrrl.exe, 2840 is 20444.exe and later 44264.exe, 2036 is 80660.exe and later djpjj.exe — so a PID alone does not identify a stage; use the PID together with its position in the chain.
pid Process 2176 m8606.exe 404 pvppj.exe 2520 m2422.exe 1344 vpjdv.exe 1808 862222.exe 2904 5pvpp.exe 4908 2448004.exe 3996 nnhhhh.exe 2980 4688844.exe 4936 hnttbh.exe 2388 422204.exe 2036 80660.exe 812 vvdpp.exe 2840 20444.exe 2704 66424.exe 3880 bnthnh.exe 1864 g4640.exe 1144 404426.exe 3976 flxrlfx.exe 4112 60048.exe 4980 422064.exe 3472 thbthb.exe 4564 u064820.exe 4540 6004826.exe 5052 286688.exe 2336 1pppv.exe 4900 06826.exe 4524 dpppp.exe 2436 lfrrlrr.exe 468 lfxrxrx.exe 1148 rrfffff.exe 1760 646464.exe 4124 rlxrxrf.exe 3416 206486.exe 3412 djdvv.exe 640 a0048.exe 768 1btnhh.exe 1736 rffrlfr.exe 4408 4004886.exe 2296 1dpvj.exe 2516 xrrlxrx.exe 824 fllrfxl.exe 2948 7nnbbb.exe 1996 246268.exe 3908 hbhhbh.exe 4328 42666.exe 1840 3nnbtt.exe 5056 00426.exe 2176 9xlfrrl.exe 1272 644620.exe 4724 40048.exe 1388 rlfrrrl.exe 2096 hhthth.exe 3012 flrrffx.exe 2148 i626822.exe 3648 04464.exe 3500 0024822.exe 4912 86820.exe 2160 7ddvd.exe 2780 vddvp.exe 5060 482060.exe 4052 0804448.exe 5100 i464822.exe 2116 djjvp.exe -
resource yara_rule behavioral2/memory/2176-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1148-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2072-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/324-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-671-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP (MITRE ATT&CK T1614.001), 64 IoCs shown (listing capped)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Each IoC below is an open of HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Most entries are attributed to "Process not Found": the sandbox could not map the access back to a live process, most likely because the short-lived stage had already exited by the time the PID was resolved, so only a handful of stages (e.g. 26226.exe, 46608.exe, jvjdv.exe) are named here and the count should be read as "at least this many".
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbnh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u282608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8004206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe -
Suspicious use of WriteProcessMemory — 64 IoCs shown (listing capped at 64: 21 parent→child pairs × 3 writes plus one, ending at PID 4980 → 3472). Each stage writes into the child it has just created (e.g. PID 2880, the original sample, writes three times into 2176 / m8606.exe) before that child spawns the next stage. This is consistent with the parent staging code or data in the new child's address space, but the report does not show what was written or to which address, so the exact mechanism (hollowing, patching, or something else) is not established here.
description pid Process procid_target PID 2880 wrote to memory of 2176 2880 c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe 83 PID 2880 wrote to memory of 2176 2880 c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe 83 PID 2880 wrote to memory of 2176 2880 c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe 83 PID 2176 wrote to memory of 404 2176 m8606.exe 84 PID 2176 wrote to memory of 404 2176 m8606.exe 84 PID 2176 wrote to memory of 404 2176 m8606.exe 84 PID 404 wrote to memory of 2520 404 pvppj.exe 85 PID 404 wrote to memory of 2520 404 pvppj.exe 85 PID 404 wrote to memory of 2520 404 pvppj.exe 85 PID 2520 wrote to memory of 1344 2520 m2422.exe 86 PID 2520 wrote to memory of 1344 2520 m2422.exe 86 PID 2520 wrote to memory of 1344 2520 m2422.exe 86 PID 1344 wrote to memory of 1808 1344 vpjdv.exe 87 PID 1344 wrote to memory of 1808 1344 vpjdv.exe 87 PID 1344 wrote to memory of 1808 1344 vpjdv.exe 87 PID 1808 wrote to memory of 2904 1808 862222.exe 88 PID 1808 wrote to memory of 2904 1808 862222.exe 88 PID 1808 wrote to memory of 2904 1808 862222.exe 88 PID 2904 wrote to memory of 4908 2904 5pvpp.exe 89 PID 2904 wrote to memory of 4908 2904 5pvpp.exe 89 PID 2904 wrote to memory of 4908 2904 5pvpp.exe 89 PID 4908 wrote to memory of 3996 4908 2448004.exe 90 PID 4908 wrote to memory of 3996 4908 2448004.exe 90 PID 4908 wrote to memory of 3996 4908 2448004.exe 90 PID 3996 wrote to memory of 2980 3996 nnhhhh.exe 91 PID 3996 wrote to memory of 2980 3996 nnhhhh.exe 91 PID 3996 wrote to memory of 2980 3996 nnhhhh.exe 91 PID 2980 wrote to memory of 4936 2980 4688844.exe 92 PID 2980 wrote to memory of 4936 2980 4688844.exe 92 PID 2980 wrote to memory of 4936 2980 4688844.exe 92 PID 4936 wrote to memory of 2388 4936 hnttbh.exe 93 PID 4936 wrote to memory of 2388 4936 hnttbh.exe 93 PID 4936 wrote to memory of 2388 4936 hnttbh.exe 93 PID 2388 wrote to memory of 2036 2388 422204.exe 94 PID 2388 wrote to memory of 2036 2388 
422204.exe 94 PID 2388 wrote to memory of 2036 2388 422204.exe 94 PID 2036 wrote to memory of 812 2036 80660.exe 95 PID 2036 wrote to memory of 812 2036 80660.exe 95 PID 2036 wrote to memory of 812 2036 80660.exe 95 PID 812 wrote to memory of 2840 812 vvdpp.exe 96 PID 812 wrote to memory of 2840 812 vvdpp.exe 96 PID 812 wrote to memory of 2840 812 vvdpp.exe 96 PID 2840 wrote to memory of 2704 2840 20444.exe 97 PID 2840 wrote to memory of 2704 2840 20444.exe 97 PID 2840 wrote to memory of 2704 2840 20444.exe 97 PID 2704 wrote to memory of 3880 2704 66424.exe 98 PID 2704 wrote to memory of 3880 2704 66424.exe 98 PID 2704 wrote to memory of 3880 2704 66424.exe 98 PID 3880 wrote to memory of 1864 3880 bnthnh.exe 99 PID 3880 wrote to memory of 1864 3880 bnthnh.exe 99 PID 3880 wrote to memory of 1864 3880 bnthnh.exe 99 PID 1864 wrote to memory of 1144 1864 g4640.exe 100 PID 1864 wrote to memory of 1144 1864 g4640.exe 100 PID 1864 wrote to memory of 1144 1864 g4640.exe 100 PID 1144 wrote to memory of 3976 1144 404426.exe 101 PID 1144 wrote to memory of 3976 1144 404426.exe 101 PID 1144 wrote to memory of 3976 1144 404426.exe 101 PID 3976 wrote to memory of 4112 3976 flxrlfx.exe 102 PID 3976 wrote to memory of 4112 3976 flxrlfx.exe 102 PID 3976 wrote to memory of 4112 3976 flxrlfx.exe 102 PID 4112 wrote to memory of 4980 4112 60048.exe 103 PID 4112 wrote to memory of 4980 4112 60048.exe 103 PID 4112 wrote to memory of 4980 4112 60048.exe 103 PID 4980 wrote to memory of 3472 4980 422064.exe 104
Processes
Parent → child chain, 122 levels deep within the 150 s window, with exactly one child per level. Every stage is a dropped executable written to the root of the system drive under a short (5–7 character) lowercase alphanumeric name — e.g. \??\c:\m8606.exe, \??\c:\pvppj.exe — and run from there. The "Suspicious use of WriteProcessMemory" tag stops at level 22 (PID 4980) because the IoC listing above is capped at 64 entries, not necessarily because later stages stop writing into their children. The run appears to end at the 150 s timeout rather than with the chain terminating, so the final depth is an artefact of the sandbox budget, not a property of the sample. For hunting, file creates and process starts of short random-named .exe files directly under C:\ from a non-installer parent are a cheap, high-signal key for this chain.
-
C:\Users\Admin\AppData\Local\Temp\c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe"C:\Users\Admin\AppData\Local\Temp\c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\m8606.exec:\m8606.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\pvppj.exec:\pvppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\m2422.exec:\m2422.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\vpjdv.exec:\vpjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\862222.exec:\862222.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\5pvpp.exec:\5pvpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\2448004.exec:\2448004.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\nnhhhh.exec:\nnhhhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\4688844.exec:\4688844.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\hnttbh.exec:\hnttbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\422204.exec:\422204.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\80660.exec:\80660.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\vvdpp.exec:\vvdpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\20444.exec:\20444.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\66424.exec:\66424.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\bnthnh.exec:\bnthnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\g4640.exec:\g4640.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\404426.exec:\404426.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\flxrlfx.exec:\flxrlfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\60048.exec:\60048.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\422064.exec:\422064.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\thbthb.exec:\thbthb.exe23⤵
- Executes dropped EXE
PID:3472 -
\??\c:\u064820.exec:\u064820.exe24⤵
- Executes dropped EXE
PID:4564 -
\??\c:\6004826.exec:\6004826.exe25⤵
- Executes dropped EXE
PID:4540 -
\??\c:\286688.exec:\286688.exe26⤵
- Executes dropped EXE
PID:5052 -
\??\c:\1pppv.exec:\1pppv.exe27⤵
- Executes dropped EXE
PID:2336 -
\??\c:\06826.exec:\06826.exe28⤵
- Executes dropped EXE
PID:4900 -
\??\c:\dpppp.exec:\dpppp.exe29⤵
- Executes dropped EXE
PID:4524 -
\??\c:\lfrrlrr.exec:\lfrrlrr.exe30⤵
- Executes dropped EXE
PID:2436 -
\??\c:\lfxrxrx.exec:\lfxrxrx.exe31⤵
- Executes dropped EXE
PID:468 -
\??\c:\rrfffff.exec:\rrfffff.exe32⤵
- Executes dropped EXE
PID:1148 -
\??\c:\646464.exec:\646464.exe33⤵
- Executes dropped EXE
PID:1760 -
\??\c:\rlxrxrf.exec:\rlxrxrf.exe34⤵
- Executes dropped EXE
PID:4124 -
\??\c:\206486.exec:\206486.exe35⤵
- Executes dropped EXE
PID:3416 -
\??\c:\djdvv.exec:\djdvv.exe36⤵
- Executes dropped EXE
PID:3412 -
\??\c:\a0048.exec:\a0048.exe37⤵
- Executes dropped EXE
PID:640 -
\??\c:\1btnhh.exec:\1btnhh.exe38⤵
- Executes dropped EXE
PID:768 -
\??\c:\rffrlfr.exec:\rffrlfr.exe39⤵
- Executes dropped EXE
PID:1736 -
\??\c:\4004886.exec:\4004886.exe40⤵
- Executes dropped EXE
PID:4408 -
\??\c:\1dpvj.exec:\1dpvj.exe41⤵
- Executes dropped EXE
PID:2296 -
\??\c:\xrrlxrx.exec:\xrrlxrx.exe42⤵
- Executes dropped EXE
PID:2516 -
\??\c:\fllrfxl.exec:\fllrfxl.exe43⤵
- Executes dropped EXE
PID:824 -
\??\c:\7nnbbb.exec:\7nnbbb.exe44⤵
- Executes dropped EXE
PID:2948 -
\??\c:\246268.exec:\246268.exe45⤵
- Executes dropped EXE
PID:1996 -
\??\c:\hbhhbh.exec:\hbhhbh.exe46⤵
- Executes dropped EXE
PID:3908 -
\??\c:\42666.exec:\42666.exe47⤵
- Executes dropped EXE
PID:4328 -
\??\c:\3nnbtt.exec:\3nnbtt.exe48⤵
- Executes dropped EXE
PID:1840 -
\??\c:\00426.exec:\00426.exe49⤵
- Executes dropped EXE
PID:5056 -
\??\c:\9xlfrrl.exec:\9xlfrrl.exe50⤵
- Executes dropped EXE
PID:2176 -
\??\c:\644620.exec:\644620.exe51⤵
- Executes dropped EXE
PID:1272 -
\??\c:\40048.exec:\40048.exe52⤵
- Executes dropped EXE
PID:4724 -
\??\c:\rlfrrrl.exec:\rlfrrrl.exe53⤵
- Executes dropped EXE
PID:1388 -
\??\c:\hhthth.exec:\hhthth.exe54⤵
- Executes dropped EXE
PID:2096 -
\??\c:\flrrffx.exec:\flrrffx.exe55⤵
- Executes dropped EXE
PID:3012 -
\??\c:\i626822.exec:\i626822.exe56⤵
- Executes dropped EXE
PID:2148 -
\??\c:\04464.exec:\04464.exe57⤵
- Executes dropped EXE
PID:3648 -
\??\c:\0024822.exec:\0024822.exe58⤵
- Executes dropped EXE
PID:3500 -
\??\c:\86820.exec:\86820.exe59⤵
- Executes dropped EXE
PID:4912 -
\??\c:\7ddvd.exec:\7ddvd.exe60⤵
- Executes dropped EXE
PID:2160 -
\??\c:\vddvp.exec:\vddvp.exe61⤵
- Executes dropped EXE
PID:2780 -
\??\c:\482060.exec:\482060.exe62⤵
- Executes dropped EXE
PID:5060 -
\??\c:\0804448.exec:\0804448.exe63⤵
- Executes dropped EXE
PID:4052 -
\??\c:\i464822.exec:\i464822.exe64⤵
- Executes dropped EXE
PID:5100 -
\??\c:\djjvp.exec:\djjvp.exe65⤵
- Executes dropped EXE
PID:2116 -
\??\c:\nnhbtn.exec:\nnhbtn.exe66⤵PID:4792
-
\??\c:\g2820.exec:\g2820.exe67⤵PID:4824
-
\??\c:\44264.exec:\44264.exe68⤵PID:2840
-
\??\c:\9pdvj.exec:\9pdvj.exe69⤵PID:3944
-
\??\c:\btttnb.exec:\btttnb.exe70⤵PID:2972
-
\??\c:\044828.exec:\044828.exe71⤵PID:3692
-
\??\c:\46628.exec:\46628.exe72⤵PID:2304
-
\??\c:\lrxlfxr.exec:\lrxlfxr.exe73⤵PID:4848
-
\??\c:\062604.exec:\062604.exe74⤵PID:1728
-
\??\c:\66200.exec:\66200.exe75⤵PID:4696
-
\??\c:\nhnnnn.exec:\nhnnnn.exe76⤵PID:3640
-
\??\c:\048066.exec:\048066.exe77⤵PID:224
-
\??\c:\2082020.exec:\2082020.exe78⤵PID:212
-
\??\c:\04482.exec:\04482.exe79⤵PID:4336
-
\??\c:\46608.exec:\46608.exe80⤵
- System Location Discovery: System Language Discovery
PID:2508 -
\??\c:\9llrfxl.exec:\9llrfxl.exe81⤵PID:3524
-
\??\c:\048826.exec:\048826.exe82⤵PID:876
-
\??\c:\06226.exec:\06226.exe83⤵PID:4872
-
\??\c:\0864206.exec:\0864206.exe84⤵PID:2416
-
\??\c:\42648.exec:\42648.exe85⤵PID:2436
-
\??\c:\488204.exec:\488204.exe86⤵PID:2072
-
\??\c:\8448226.exec:\8448226.exe87⤵PID:4804
-
\??\c:\7hnbbb.exec:\7hnbbb.exe88⤵PID:3280
-
\??\c:\6442004.exec:\6442004.exe89⤵PID:1056
-
\??\c:\c680602.exec:\c680602.exe90⤵PID:3480
-
\??\c:\26082.exec:\26082.exe91⤵PID:4544
-
\??\c:\jdjdj.exec:\jdjdj.exe92⤵PID:4184
-
\??\c:\i442604.exec:\i442604.exe93⤵PID:1720
-
\??\c:\644422.exec:\644422.exe94⤵PID:452
-
\??\c:\dvvvp.exec:\dvvvp.exe95⤵PID:3052
-
\??\c:\pppjv.exec:\pppjv.exe96⤵PID:4840
-
\??\c:\1vvjd.exec:\1vvjd.exe97⤵PID:3424
-
\??\c:\a4648.exec:\a4648.exe98⤵PID:380
-
\??\c:\q24266.exec:\q24266.exe99⤵PID:3208
-
\??\c:\bnnbnn.exec:\bnnbnn.exe100⤵PID:4344
-
\??\c:\dvvjd.exec:\dvvjd.exe101⤵PID:2348
-
\??\c:\jvddj.exec:\jvddj.exe102⤵PID:4708
-
\??\c:\m2024.exec:\m2024.exe103⤵PID:1176
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe104⤵PID:404
-
\??\c:\7pjdp.exec:\7pjdp.exe105⤵PID:4528
-
\??\c:\fllfrlx.exec:\fllfrlx.exe106⤵PID:1808
-
\??\c:\htnhtn.exec:\htnhtn.exe107⤵PID:3672
-
\??\c:\hnnbnb.exec:\hnnbnb.exe108⤵PID:4704
-
\??\c:\rllfxrl.exec:\rllfxrl.exe109⤵PID:3164
-
\??\c:\rlllfxx.exec:\rlllfxx.exe110⤵PID:2944
-
\??\c:\40604.exec:\40604.exe111⤵PID:1328
-
\??\c:\vjvpv.exec:\vjvpv.exe112⤵PID:1084
-
\??\c:\80846.exec:\80846.exe113⤵PID:5060
-
\??\c:\862208.exec:\862208.exe114⤵PID:1772
-
\??\c:\pdddv.exec:\pdddv.exe115⤵PID:4784
-
\??\c:\djpjj.exec:\djpjj.exe116⤵PID:2036
-
\??\c:\8460460.exec:\8460460.exe117⤵PID:3268
-
\??\c:\vjjdv.exec:\vjjdv.exe118⤵PID:3252
-
\??\c:\jvjdv.exec:\jvjdv.exe119⤵
- System Location Discovery: System Language Discovery
PID:2720 -
\??\c:\lxlrllf.exec:\lxlrllf.exe120⤵PID:3880
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe121⤵PID:1864
-
\??\c:\lxfxlfx.exec:\lxfxlfx.exe122⤵PID:428