Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
28/03/2025, 19:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe
-
Size
458KB
-
MD5
784872ea17556eb59718107706d52b98
-
SHA1
626bbdd4366e12b055edcfcb944181a17e35d44c
-
SHA256
4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967
-
SHA512
5369e2b0ae1bbd0476e99e0e2723c1eb20456e137924e3e4bbd56aaf74055381367169398f18e3b2a29d0b895ef04471fedded5a8505a028f7771f6c027a129f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5012-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2932-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2820-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-904-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-1520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4872-1527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3104 ppvvv.exe 4672 88868.exe 2036 g0686.exe 2992 jdjvv.exe 4340 q28086.exe 3504 bnhbnn.exe 2252 240426.exe 116 tnhbnh.exe 3748 dvpjd.exe 2656 dddpv.exe 4296 60480.exe 4552 688604.exe 4352 6002808.exe 3556 1nhbnh.exe 2008 02208.exe 1584 00646.exe 4772 5lxrfrf.exe 4528 66642.exe 768 444204.exe 620 fxrrrrr.exe 2268 828248.exe 2712 rffrxrx.exe 1048 tbbnbt.exe 3148 204208.exe 1060 2242608.exe 2932 3hnnbh.exe 4492 w66864.exe 2732 088264.exe 840 648460.exe 3924 s0464.exe 4928 5llxfrr.exe 1760 668648.exe 4132 frfrfrf.exe 4568 nhnhtn.exe 4672 dpjvj.exe 2240 6442482.exe 4216 bnhhnh.exe 4340 ddjvj.exe 3996 00080.exe 3472 jvjpd.exe 100 6404486.exe 2704 tbbtnh.exe 1736 8400820.exe 2656 080422.exe 4304 m6042.exe 5020 pvdjv.exe 3948 jjvdp.exe 2340 5ddpj.exe 4728 4482482.exe 3400 rrfrrff.exe 1188 8842608.exe 1400 bbbthb.exe 1680 lxxlxrf.exe 940 htthtn.exe 1016 pvpdp.exe 2436 644204.exe 4840 rxrfrfr.exe 2268 7ffrfrr.exe 4668 lxrlxrf.exe 1788 vjpjv.exe 1808 vppvj.exe 1316 2482482.exe 3944 022086.exe 4348 1jdvj.exe -
resource yara_rule behavioral2/memory/5012-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1760-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4304-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-665-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k40420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4226088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 220286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i666004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8400886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5012 wrote to memory of 3104 5012 4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe 89 PID 5012 wrote to memory of 3104 5012 4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe 89 PID 5012 wrote to memory of 3104 5012 4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe 89 PID 3104 wrote to memory of 4672 3104 ppvvv.exe 90 PID 3104 wrote to memory of 4672 3104 ppvvv.exe 90 PID 3104 wrote to memory of 4672 3104 ppvvv.exe 90 PID 4672 wrote to memory of 2036 4672 88868.exe 91 PID 4672 wrote to memory of 2036 4672 88868.exe 91 PID 4672 wrote to memory of 2036 4672 88868.exe 91 PID 2036 wrote to memory of 2992 2036 g0686.exe 92 PID 2036 wrote to memory of 2992 2036 g0686.exe 92 PID 2036 wrote to memory of 2992 2036 g0686.exe 92 PID 2992 wrote to memory of 4340 2992 jdjvv.exe 93 PID 2992 wrote to memory of 4340 2992 jdjvv.exe 93 PID 2992 wrote to memory of 4340 2992 jdjvv.exe 93 PID 4340 wrote to memory of 3504 4340 q28086.exe 94 PID 4340 wrote to memory of 3504 4340 q28086.exe 94 PID 4340 wrote to memory of 3504 4340 q28086.exe 94 PID 3504 wrote to memory of 2252 3504 bnhbnn.exe 95 PID 3504 wrote to memory of 2252 3504 bnhbnn.exe 95 PID 3504 wrote to memory of 2252 3504 bnhbnn.exe 95 PID 2252 wrote to memory of 116 2252 240426.exe 96 PID 2252 wrote to memory of 116 2252 240426.exe 96 PID 2252 wrote to memory of 116 2252 240426.exe 96 PID 116 wrote to memory of 3748 116 tnhbnh.exe 97 PID 116 wrote to memory of 3748 116 tnhbnh.exe 97 PID 116 wrote to memory of 3748 116 tnhbnh.exe 97 PID 3748 wrote to memory of 2656 3748 dvpjd.exe 99 PID 3748 wrote to memory of 2656 3748 dvpjd.exe 99 PID 3748 wrote to memory of 2656 3748 dvpjd.exe 99 PID 2656 wrote to memory of 4296 2656 dddpv.exe 100 PID 2656 wrote to memory of 4296 2656 dddpv.exe 100 PID 2656 wrote to memory of 4296 2656 dddpv.exe 100 PID 4296 wrote to memory of 4552 4296 60480.exe 101 PID 4296 wrote to memory of 4552 4296 
60480.exe 101 PID 4296 wrote to memory of 4552 4296 60480.exe 101 PID 4552 wrote to memory of 4352 4552 688604.exe 103 PID 4552 wrote to memory of 4352 4552 688604.exe 103 PID 4552 wrote to memory of 4352 4552 688604.exe 103 PID 4352 wrote to memory of 3556 4352 6002808.exe 104 PID 4352 wrote to memory of 3556 4352 6002808.exe 104 PID 4352 wrote to memory of 3556 4352 6002808.exe 104 PID 3556 wrote to memory of 2008 3556 1nhbnh.exe 105 PID 3556 wrote to memory of 2008 3556 1nhbnh.exe 105 PID 3556 wrote to memory of 2008 3556 1nhbnh.exe 105 PID 2008 wrote to memory of 1584 2008 02208.exe 106 PID 2008 wrote to memory of 1584 2008 02208.exe 106 PID 2008 wrote to memory of 1584 2008 02208.exe 106 PID 1584 wrote to memory of 4772 1584 00646.exe 107 PID 1584 wrote to memory of 4772 1584 00646.exe 107 PID 1584 wrote to memory of 4772 1584 00646.exe 107 PID 4772 wrote to memory of 4528 4772 5lxrfrf.exe 108 PID 4772 wrote to memory of 4528 4772 5lxrfrf.exe 108 PID 4772 wrote to memory of 4528 4772 5lxrfrf.exe 108 PID 4528 wrote to memory of 768 4528 66642.exe 109 PID 4528 wrote to memory of 768 4528 66642.exe 109 PID 4528 wrote to memory of 768 4528 66642.exe 109 PID 768 wrote to memory of 620 768 444204.exe 110 PID 768 wrote to memory of 620 768 444204.exe 110 PID 768 wrote to memory of 620 768 444204.exe 110 PID 620 wrote to memory of 2268 620 fxrrrrr.exe 111 PID 620 wrote to memory of 2268 620 fxrrrrr.exe 111 PID 620 wrote to memory of 2268 620 fxrrrrr.exe 111 PID 2268 wrote to memory of 2712 2268 828248.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe"C:\Users\Admin\AppData\Local\Temp\4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\ppvvv.exec:\ppvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\88868.exec:\88868.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\g0686.exec:\g0686.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\jdjvv.exec:\jdjvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\q28086.exec:\q28086.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\bnhbnn.exec:\bnhbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\240426.exec:\240426.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\tnhbnh.exec:\tnhbnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\dvpjd.exec:\dvpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\dddpv.exec:\dddpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\60480.exec:\60480.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\688604.exec:\688604.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\6002808.exec:\6002808.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\1nhbnh.exec:\1nhbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\02208.exec:\02208.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\00646.exec:\00646.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\5lxrfrf.exec:\5lxrfrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\66642.exec:\66642.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\444204.exec:\444204.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\fxrrrrr.exec:\fxrrrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\828248.exec:\828248.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\rffrxrx.exec:\rffrxrx.exe23⤵
- Executes dropped EXE
PID:2712 -
\??\c:\tbbnbt.exec:\tbbnbt.exe24⤵
- Executes dropped EXE
PID:1048 -
\??\c:\204208.exec:\204208.exe25⤵
- Executes dropped EXE
PID:3148 -
\??\c:\2242608.exec:\2242608.exe26⤵
- Executes dropped EXE
PID:1060 -
\??\c:\3hnnbh.exec:\3hnnbh.exe27⤵
- Executes dropped EXE
PID:2932 -
\??\c:\w66864.exec:\w66864.exe28⤵
- Executes dropped EXE
PID:4492 -
\??\c:\088264.exec:\088264.exe29⤵
- Executes dropped EXE
PID:2732 -
\??\c:\648460.exec:\648460.exe30⤵
- Executes dropped EXE
PID:840 -
\??\c:\s0464.exec:\s0464.exe31⤵
- Executes dropped EXE
PID:3924 -
\??\c:\5llxfrr.exec:\5llxfrr.exe32⤵
- Executes dropped EXE
PID:4928 -
\??\c:\668648.exec:\668648.exe33⤵
- Executes dropped EXE
PID:1760 -
\??\c:\frfrfrf.exec:\frfrfrf.exe34⤵
- Executes dropped EXE
PID:4132 -
\??\c:\nhnhtn.exec:\nhnhtn.exe35⤵
- Executes dropped EXE
PID:4568 -
\??\c:\dpjvj.exec:\dpjvj.exe36⤵
- Executes dropped EXE
PID:4672 -
\??\c:\6442482.exec:\6442482.exe37⤵
- Executes dropped EXE
PID:2240 -
\??\c:\bnhhnh.exec:\bnhhnh.exe38⤵
- Executes dropped EXE
PID:4216 -
\??\c:\ddjvj.exec:\ddjvj.exe39⤵
- Executes dropped EXE
PID:4340 -
\??\c:\00080.exec:\00080.exe40⤵
- Executes dropped EXE
PID:3996 -
\??\c:\jvjpd.exec:\jvjpd.exe41⤵
- Executes dropped EXE
PID:3472 -
\??\c:\6404486.exec:\6404486.exe42⤵
- Executes dropped EXE
PID:100 -
\??\c:\tbbtnh.exec:\tbbtnh.exe43⤵
- Executes dropped EXE
PID:2704 -
\??\c:\8400820.exec:\8400820.exe44⤵
- Executes dropped EXE
PID:1736 -
\??\c:\080422.exec:\080422.exe45⤵
- Executes dropped EXE
PID:2656 -
\??\c:\m6042.exec:\m6042.exe46⤵
- Executes dropped EXE
PID:4304 -
\??\c:\pvdjv.exec:\pvdjv.exe47⤵
- Executes dropped EXE
PID:5020 -
\??\c:\jjvdp.exec:\jjvdp.exe48⤵
- Executes dropped EXE
PID:3948 -
\??\c:\5ddpj.exec:\5ddpj.exe49⤵
- Executes dropped EXE
PID:2340 -
\??\c:\4482482.exec:\4482482.exe50⤵
- Executes dropped EXE
PID:4728 -
\??\c:\rrfrrff.exec:\rrfrrff.exe51⤵
- Executes dropped EXE
PID:3400 -
\??\c:\8842608.exec:\8842608.exe52⤵
- Executes dropped EXE
PID:1188 -
\??\c:\bbbthb.exec:\bbbthb.exe53⤵
- Executes dropped EXE
PID:1400 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe54⤵
- Executes dropped EXE
PID:1680 -
\??\c:\htthtn.exec:\htthtn.exe55⤵
- Executes dropped EXE
PID:940 -
\??\c:\pvpdp.exec:\pvpdp.exe56⤵
- Executes dropped EXE
PID:1016 -
\??\c:\644204.exec:\644204.exe57⤵
- Executes dropped EXE
PID:2436 -
\??\c:\rxrfrfr.exec:\rxrfrfr.exe58⤵
- Executes dropped EXE
PID:4840 -
\??\c:\7ffrfrr.exec:\7ffrfrr.exe59⤵
- Executes dropped EXE
PID:2268 -
\??\c:\lxrlxrf.exec:\lxrlxrf.exe60⤵
- Executes dropped EXE
PID:4668 -
\??\c:\vjpjv.exec:\vjpjv.exe61⤵
- Executes dropped EXE
PID:1788 -
\??\c:\vppvj.exec:\vppvj.exe62⤵
- Executes dropped EXE
PID:1808 -
\??\c:\2482482.exec:\2482482.exe63⤵
- Executes dropped EXE
PID:1316 -
\??\c:\022086.exec:\022086.exe64⤵
- Executes dropped EXE
PID:3944 -
\??\c:\1jdvj.exec:\1jdvj.exe65⤵
- Executes dropped EXE
PID:4348 -
\??\c:\2264284.exec:\2264284.exe66⤵PID:1516
-
\??\c:\nbnhtn.exec:\nbnhtn.exe67⤵PID:2080
-
\??\c:\lrfrlfr.exec:\lrfrlfr.exe68⤵PID:804
-
\??\c:\8848260.exec:\8848260.exe69⤵PID:3444
-
\??\c:\0260264.exec:\0260264.exe70⤵PID:1716
-
\??\c:\488208.exec:\488208.exe71⤵PID:3252
-
\??\c:\bnnbtn.exec:\bnnbtn.exe72⤵PID:2820
-
\??\c:\htthht.exec:\htthht.exe73⤵PID:3552
-
\??\c:\06082.exec:\06082.exe74⤵PID:936
-
\??\c:\244248.exec:\244248.exe75⤵PID:4584
-
\??\c:\222082.exec:\222082.exe76⤵PID:3924
-
\??\c:\tnhhnh.exec:\tnhhnh.exe77⤵PID:2464
-
\??\c:\004864.exec:\004864.exe78⤵PID:3452
-
\??\c:\nhbntn.exec:\nhbntn.exe79⤵PID:1204
-
\??\c:\nbbnbt.exec:\nbbnbt.exe80⤵PID:4568
-
\??\c:\bhbnhb.exec:\bhbnhb.exe81⤵PID:1088
-
\??\c:\k40420.exec:\k40420.exe82⤵
- System Location Discovery: System Language Discovery
PID:4216 -
\??\c:\7bntbt.exec:\7bntbt.exe83⤵PID:4340
-
\??\c:\dvpjv.exec:\dvpjv.exe84⤵PID:4736
-
\??\c:\lrlxxrl.exec:\lrlxxrl.exe85⤵PID:5108
-
\??\c:\jvvjv.exec:\jvvjv.exe86⤵PID:3748
-
\??\c:\k44420.exec:\k44420.exe87⤵PID:1568
-
\??\c:\frfrlfr.exec:\frfrlfr.exe88⤵PID:4304
-
\??\c:\lrrlfxr.exec:\lrrlfxr.exe89⤵PID:3200
-
\??\c:\frxrfxl.exec:\frxrfxl.exe90⤵PID:4716
-
\??\c:\220242.exec:\220242.exe91⤵PID:4168
-
\??\c:\c282600.exec:\c282600.exe92⤵PID:4844
-
\??\c:\8080868.exec:\8080868.exe93⤵PID:5060
-
\??\c:\200886.exec:\200886.exe94⤵PID:3156
-
\??\c:\xlfrlfr.exec:\xlfrlfr.exe95⤵PID:3856
-
\??\c:\3pdvj.exec:\3pdvj.exe96⤵PID:3548
-
\??\c:\0660820.exec:\0660820.exe97⤵PID:4192
-
\??\c:\8662082.exec:\8662082.exe98⤵PID:4140
-
\??\c:\rfxlfrl.exec:\rfxlfrl.exe99⤵PID:4500
-
\??\c:\u022608.exec:\u022608.exe100⤵PID:1440
-
\??\c:\3vppd.exec:\3vppd.exe101⤵PID:4840
-
\??\c:\1xxrxrf.exec:\1xxrxrf.exe102⤵PID:3608
-
\??\c:\040860.exec:\040860.exe103⤵PID:2916
-
\??\c:\m2248.exec:\m2248.exe104⤵PID:2712
-
\??\c:\hbhhnn.exec:\hbhhnn.exe105⤵PID:680
-
\??\c:\bnhbnh.exec:\bnhbnh.exe106⤵PID:4400
-
\??\c:\xflffxl.exec:\xflffxl.exe107⤵PID:4724
-
\??\c:\fxxrxxf.exec:\fxxrxxf.exe108⤵PID:2524
-
\??\c:\lfrrfxl.exec:\lfrrfxl.exe109⤵PID:3884
-
\??\c:\jvdvj.exec:\jvdvj.exe110⤵PID:4972
-
\??\c:\7xxllff.exec:\7xxllff.exe111⤵PID:3612
-
\??\c:\64088.exec:\64088.exe112⤵PID:4688
-
\??\c:\7jjvp.exec:\7jjvp.exe113⤵PID:4648
-
\??\c:\lffrlfr.exec:\lffrlfr.exe114⤵PID:3512
-
\??\c:\640400.exec:\640400.exe115⤵PID:3124
-
\??\c:\xlxlrrf.exec:\xlxlrrf.exe116⤵PID:392
-
\??\c:\bhtnnt.exec:\bhtnnt.exe117⤵PID:4700
-
\??\c:\9ffxllf.exec:\9ffxllf.exe118⤵PID:1944
-
\??\c:\g4486.exec:\g4486.exe119⤵PID:4464
-
\??\c:\22264.exec:\22264.exe120⤵PID:4476
-
\??\c:\vjpjp.exec:\vjpjp.exe121⤵PID:4928
-
\??\c:\frxlfxx.exec:\frxlfxx.exe122⤵PID:3896