Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09-10-2024 08:47
Behavioral task
behavioral1
Sample
7a558039508dd74926e0d353f250b74746a08be59b85f08f5babfa97b43adc92N.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
120 seconds
General
-
Target
7a558039508dd74926e0d353f250b74746a08be59b85f08f5babfa97b43adc92N.exe
-
Size
454KB
-
MD5
a91b9ca39012ba1c8cce4b248e5e9240
-
SHA1
c13892b092fada4d0b4ab25d5d208948d842fd16
-
SHA256
7a558039508dd74926e0d353f250b74746a08be59b85f08f5babfa97b43adc92
-
SHA512
2733da6247522a6770a563a997480e68049f81befa61a35c61306bac09d9ac9dd0dd726ccefba432a04a2ef8c3426f1b740ade4383edaf447316ae03732b32e6
-
SSDEEP
12288:04wFHoSyd0V3eFp3IDvSbh5nPYERM8mXzploE:rd0gFp3lz1/uzploE
Malware Config
Signatures
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3516-7-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/396-10-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4004-55-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4848-73-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4552-121-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4792-260-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1996-300-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3672-320-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2732-370-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1704-381-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2748-396-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1116-389-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/232-377-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3424-363-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4972-353-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3928-343-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3640-333-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/264-310-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1988-296-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2068-283-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4272-279-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon 
behavioral2/memory/4688-247-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4912-243-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/224-238-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2236-232-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/220-227-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4968-214-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2892-209-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2992-193-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2696-190-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2228-179-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1676-172-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4336-166-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4976-156-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4756-150-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2908-144-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3672-132-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1104-115-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4668-109-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/876-103-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1628-97-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3276-91-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon 
behavioral2/memory/2544-85-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3004-79-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/960-67-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3452-61-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1976-49-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/816-43-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1792-36-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3512-33-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3964-30-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/900-25-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2552-17-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1012-455-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3180-459-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1920-520-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4604-662-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1700-772-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2824-806-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3868-909-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3944-1000-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/404-1172-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 396 040448.exe 2552 64226.exe 900 8040040.exe 3512 pjjpj.exe 3964 xxxrrlf.exe 1792 1flfxxr.exe 816 648068.exe 1976 dpvvp.exe 4004 vppdv.exe 3452 064406.exe 960 422600.exe 4848 bnbtnn.exe 3004 u422284.exe 2544 g8060.exe 3276 nttntb.exe 1628 nttbhn.exe 876 488266.exe 4668 rxflxxf.exe 1104 frfxfff.exe 4552 62882.exe 1672 002266.exe 3672 tnnhhh.exe 3016 dvvpj.exe 2908 pdvpp.exe 4756 6422004.exe 4976 880422.exe 4944 86860.exe 4336 thbtnt.exe 1676 826826.exe 2228 406004.exe 4056 66266.exe 2696 xflfxxr.exe 2992 bthhbb.exe 4052 jjjvp.exe 1356 5pdvd.exe 3624 vjpjp.exe 2524 s0262.exe 2892 6686826.exe 4968 88420.exe 4664 68860.exe 408 s2260.exe 4800 5tthhb.exe 220 pjdvj.exe 2820 hhhnhb.exe 2236 btbbnn.exe 224 lfrlrfl.exe 4912 28008.exe 4688 pppdv.exe 3520 204448.exe 4724 4844044.exe 3508 42004.exe 4792 9hnhtt.exe 1948 64666.exe 3956 hthbtt.exe 216 dvjpj.exe 1612 hthtth.exe 1444 64260.exe 4272 480004.exe 2068 24600.exe 3620 xxffxxl.exe 744 tbhtnh.exe 3032 86802.exe 1988 jvjjd.exe 1996 06222.exe -
resource yara_rule behavioral2/memory/3516-0-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000c000000023b11-3.dat upx behavioral2/memory/3516-7-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x0032000000023b65-9.dat upx behavioral2/memory/396-10-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b66-12.dat upx behavioral2/memory/3512-22-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b68-28.dat upx behavioral2/files/0x000a000000023b69-35.dat upx behavioral2/files/0x000a000000023b6a-40.dat upx behavioral2/memory/4004-55-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b6e-65.dat upx behavioral2/memory/4848-73-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b71-83.dat upx behavioral2/files/0x000a000000023b73-95.dat upx behavioral2/memory/4552-121-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4792-260-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/1996-300-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3672-320-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/2732-370-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/1704-381-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/2748-396-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/1116-389-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/232-377-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3424-363-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4972-353-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3928-343-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3640-333-0x0000000000400000-0x0000000000438000-memory.dmp upx 
behavioral2/memory/264-310-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/1988-296-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/2068-283-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4272-279-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4688-247-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4912-243-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/224-238-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/2236-232-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/220-227-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4968-214-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/2892-209-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/2992-193-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/2696-190-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b83-186.dat upx behavioral2/files/0x000a000000023b82-181.dat upx behavioral2/memory/2228-179-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b81-176.dat upx behavioral2/memory/1676-172-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b80-170.dat upx behavioral2/memory/4336-166-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b7f-163.dat upx behavioral2/files/0x000a000000023b7e-158.dat upx behavioral2/memory/4976-156-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b7d-152.dat upx behavioral2/memory/4756-150-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b7c-146.dat upx behavioral2/memory/2908-144-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b7b-141.dat upx 
behavioral2/files/0x000a000000023b7a-136.dat upx behavioral2/memory/3672-132-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b79-130.dat upx behavioral2/files/0x000a000000023b78-125.dat upx behavioral2/files/0x000a000000023b77-119.dat upx behavioral2/memory/1104-115-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/files/0x000a000000023b76-113.dat upx behavioral2/memory/4668-109-0x0000000000400000-0x0000000000438000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2604660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8220864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0066604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3516 wrote to memory of 396 3516 7a558039508dd74926e0d353f250b74746a08be59b85f08f5babfa97b43adc92N.exe 83 PID 3516 wrote to memory of 396 3516 7a558039508dd74926e0d353f250b74746a08be59b85f08f5babfa97b43adc92N.exe 83 PID 3516 wrote to memory of 396 3516 7a558039508dd74926e0d353f250b74746a08be59b85f08f5babfa97b43adc92N.exe 83 PID 396 wrote to memory of 2552 396 040448.exe 84 PID 396 wrote to memory of 2552 396 040448.exe 84 PID 396 wrote to memory of 2552 396 040448.exe 84 PID 2552 wrote to memory of 900 2552 64226.exe 85 PID 2552 wrote to memory of 900 2552 64226.exe 85 PID 2552 wrote to memory of 900 2552 64226.exe 85 PID 900 wrote to memory of 3512 900 8040040.exe 87 PID 900 wrote to memory of 3512 900 8040040.exe 87 PID 900 wrote to memory of 3512 900 8040040.exe 87 PID 3512 wrote to memory of 3964 3512 pjjpj.exe 88 PID 3512 wrote to memory of 3964 3512 pjjpj.exe 88 PID 3512 wrote to memory of 3964 3512 pjjpj.exe 88 PID 3964 wrote to memory of 1792 3964 xxxrrlf.exe 89 PID 3964 wrote to memory of 1792 3964 xxxrrlf.exe 89 PID 3964 wrote to memory of 1792 3964 xxxrrlf.exe 89 PID 1792 wrote to memory of 816 1792 1flfxxr.exe 90 PID 1792 wrote to memory of 816 1792 1flfxxr.exe 90 PID 1792 wrote to memory of 816 1792 1flfxxr.exe 90 PID 816 wrote to memory of 1976 816 648068.exe 91 PID 816 wrote to memory of 1976 816 648068.exe 91 PID 816 wrote to memory of 1976 816 648068.exe 91 PID 1976 wrote to memory of 4004 1976 dpvvp.exe 92 PID 1976 wrote to memory of 4004 1976 dpvvp.exe 92 PID 1976 wrote to memory of 4004 1976 dpvvp.exe 92 PID 4004 wrote to memory of 3452 4004 vppdv.exe 93 PID 4004 wrote to memory of 3452 4004 vppdv.exe 93 PID 4004 wrote to memory of 3452 4004 vppdv.exe 93 PID 3452 wrote to memory of 960 3452 064406.exe 94 PID 3452 wrote to memory of 960 3452 064406.exe 94 PID 3452 wrote to memory of 960 3452 064406.exe 94 PID 960 wrote to memory of 4848 960 422600.exe 95 PID 960 wrote to memory of 4848 960 422600.exe 95 
PID 960 wrote to memory of 4848 960 422600.exe 95 PID 4848 wrote to memory of 3004 4848 bnbtnn.exe 96 PID 4848 wrote to memory of 3004 4848 bnbtnn.exe 96 PID 4848 wrote to memory of 3004 4848 bnbtnn.exe 96 PID 3004 wrote to memory of 2544 3004 u422284.exe 97 PID 3004 wrote to memory of 2544 3004 u422284.exe 97 PID 3004 wrote to memory of 2544 3004 u422284.exe 97 PID 2544 wrote to memory of 3276 2544 g8060.exe 98 PID 2544 wrote to memory of 3276 2544 g8060.exe 98 PID 2544 wrote to memory of 3276 2544 g8060.exe 98 PID 3276 wrote to memory of 1628 3276 nttntb.exe 99 PID 3276 wrote to memory of 1628 3276 nttntb.exe 99 PID 3276 wrote to memory of 1628 3276 nttntb.exe 99 PID 1628 wrote to memory of 876 1628 nttbhn.exe 100 PID 1628 wrote to memory of 876 1628 nttbhn.exe 100 PID 1628 wrote to memory of 876 1628 nttbhn.exe 100 PID 876 wrote to memory of 4668 876 488266.exe 101 PID 876 wrote to memory of 4668 876 488266.exe 101 PID 876 wrote to memory of 4668 876 488266.exe 101 PID 4668 wrote to memory of 1104 4668 rxflxxf.exe 102 PID 4668 wrote to memory of 1104 4668 rxflxxf.exe 102 PID 4668 wrote to memory of 1104 4668 rxflxxf.exe 102 PID 1104 wrote to memory of 4552 1104 frfxfff.exe 103 PID 1104 wrote to memory of 4552 1104 frfxfff.exe 103 PID 1104 wrote to memory of 4552 1104 frfxfff.exe 103 PID 4552 wrote to memory of 1672 4552 62882.exe 104 PID 4552 wrote to memory of 1672 4552 62882.exe 104 PID 4552 wrote to memory of 1672 4552 62882.exe 104 PID 1672 wrote to memory of 3672 1672 002266.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a558039508dd74926e0d353f250b74746a08be59b85f08f5babfa97b43adc92N.exe"C:\Users\Admin\AppData\Local\Temp\7a558039508dd74926e0d353f250b74746a08be59b85f08f5babfa97b43adc92N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\040448.exec:\040448.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\64226.exec:\64226.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\8040040.exec:\8040040.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\pjjpj.exec:\pjjpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\xxxrrlf.exec:\xxxrrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\1flfxxr.exec:\1flfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\648068.exec:\648068.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\dpvvp.exec:\dpvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\vppdv.exec:\vppdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\064406.exec:\064406.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\422600.exec:\422600.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\bnbtnn.exec:\bnbtnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\u422284.exec:\u422284.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\g8060.exec:\g8060.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\nttntb.exec:\nttntb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\nttbhn.exec:\nttbhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\488266.exec:\488266.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\rxflxxf.exec:\rxflxxf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\frfxfff.exec:\frfxfff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\62882.exec:\62882.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\002266.exec:\002266.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\tnnhhh.exec:\tnnhhh.exe23⤵
- Executes dropped EXE
PID:3672 -
\??\c:\dvvpj.exec:\dvvpj.exe24⤵
- Executes dropped EXE
PID:3016 -
\??\c:\pdvpp.exec:\pdvpp.exe25⤵
- Executes dropped EXE
PID:2908 -
\??\c:\6422004.exec:\6422004.exe26⤵
- Executes dropped EXE
PID:4756 -
\??\c:\880422.exec:\880422.exe27⤵
- Executes dropped EXE
PID:4976 -
\??\c:\86860.exec:\86860.exe28⤵
- Executes dropped EXE
PID:4944 -
\??\c:\thbtnt.exec:\thbtnt.exe29⤵
- Executes dropped EXE
PID:4336 -
\??\c:\826826.exec:\826826.exe30⤵
- Executes dropped EXE
PID:1676 -
\??\c:\406004.exec:\406004.exe31⤵
- Executes dropped EXE
PID:2228 -
\??\c:\66266.exec:\66266.exe32⤵
- Executes dropped EXE
PID:4056 -
\??\c:\xflfxxr.exec:\xflfxxr.exe33⤵
- Executes dropped EXE
PID:2696 -
\??\c:\bthhbb.exec:\bthhbb.exe34⤵
- Executes dropped EXE
PID:2992 -
\??\c:\jjjvp.exec:\jjjvp.exe35⤵
- Executes dropped EXE
PID:4052 -
\??\c:\5pdvd.exec:\5pdvd.exe36⤵
- Executes dropped EXE
PID:1356 -
\??\c:\vjpjp.exec:\vjpjp.exe37⤵
- Executes dropped EXE
PID:3624 -
\??\c:\s0262.exec:\s0262.exe38⤵
- Executes dropped EXE
PID:2524 -
\??\c:\6686826.exec:\6686826.exe39⤵
- Executes dropped EXE
PID:2892 -
\??\c:\88420.exec:\88420.exe40⤵
- Executes dropped EXE
PID:4968 -
\??\c:\68860.exec:\68860.exe41⤵
- Executes dropped EXE
PID:4664 -
\??\c:\s2260.exec:\s2260.exe42⤵
- Executes dropped EXE
PID:408 -
\??\c:\5tthhb.exec:\5tthhb.exe43⤵
- Executes dropped EXE
PID:4800 -
\??\c:\pjdvj.exec:\pjdvj.exe44⤵
- Executes dropped EXE
PID:220 -
\??\c:\hhhnhb.exec:\hhhnhb.exe45⤵
- Executes dropped EXE
PID:2820 -
\??\c:\btbbnn.exec:\btbbnn.exe46⤵
- Executes dropped EXE
PID:2236 -
\??\c:\286260.exec:\286260.exe47⤵PID:3940
-
\??\c:\lfrlrfl.exec:\lfrlrfl.exe48⤵
- Executes dropped EXE
PID:224 -
\??\c:\28008.exec:\28008.exe49⤵
- Executes dropped EXE
PID:4912 -
\??\c:\pppdv.exec:\pppdv.exe50⤵
- Executes dropped EXE
PID:4688 -
\??\c:\204448.exec:\204448.exe51⤵
- Executes dropped EXE
PID:3520 -
\??\c:\4844044.exec:\4844044.exe52⤵
- Executes dropped EXE
PID:4724 -
\??\c:\42004.exec:\42004.exe53⤵
- Executes dropped EXE
PID:3508 -
\??\c:\9hnhtt.exec:\9hnhtt.exe54⤵
- Executes dropped EXE
PID:4792 -
\??\c:\64666.exec:\64666.exe55⤵
- Executes dropped EXE
PID:1948 -
\??\c:\hthbtt.exec:\hthbtt.exe56⤵
- Executes dropped EXE
PID:3956 -
\??\c:\dvjpj.exec:\dvjpj.exe57⤵
- Executes dropped EXE
PID:216 -
\??\c:\hthtth.exec:\hthtth.exe58⤵
- Executes dropped EXE
PID:1612 -
\??\c:\64260.exec:\64260.exe59⤵
- Executes dropped EXE
PID:1444 -
\??\c:\480004.exec:\480004.exe60⤵
- Executes dropped EXE
PID:4272 -
\??\c:\24600.exec:\24600.exe61⤵
- Executes dropped EXE
PID:2068 -
\??\c:\xxffxxl.exec:\xxffxxl.exe62⤵
- Executes dropped EXE
PID:3620 -
\??\c:\tbhtnh.exec:\tbhtnh.exe63⤵
- Executes dropped EXE
PID:744 -
\??\c:\86802.exec:\86802.exe64⤵
- Executes dropped EXE
PID:3032 -
\??\c:\jvjjd.exec:\jvjjd.exe65⤵
- Executes dropped EXE
PID:1988 -
\??\c:\06222.exec:\06222.exe66⤵
- Executes dropped EXE
PID:1996 -
\??\c:\fxxrllf.exec:\fxxrllf.exe67⤵PID:4460
-
\??\c:\bntthh.exec:\bntthh.exe68⤵
- System Location Discovery: System Language Discovery
PID:3908 -
\??\c:\8226000.exec:\8226000.exe69⤵PID:264
-
\??\c:\xrllfxx.exec:\xrllfxx.exe70⤵PID:1124
-
\??\c:\04826.exec:\04826.exe71⤵PID:1012
-
\??\c:\2468266.exec:\2468266.exe72⤵PID:3672
-
\??\c:\vpvpj.exec:\vpvpj.exe73⤵PID:2580
-
\??\c:\w86266.exec:\w86266.exe74⤵PID:872
-
\??\c:\dppjj.exec:\dppjj.exe75⤵PID:3552
-
\??\c:\hhnhhh.exec:\hhnhhh.exe76⤵PID:3640
-
\??\c:\vpvvv.exec:\vpvvv.exe77⤵PID:2500
-
\??\c:\68660.exec:\68660.exe78⤵PID:3176
-
\??\c:\jvvpd.exec:\jvvpd.exe79⤵PID:3928
-
\??\c:\xrfxffl.exec:\xrfxffl.exe80⤵PID:4500
-
\??\c:\5ffxllx.exec:\5ffxllx.exe81⤵PID:4804
-
\??\c:\8486082.exec:\8486082.exe82⤵PID:4972
-
\??\c:\vjdvj.exec:\vjdvj.exe83⤵PID:4964
-
\??\c:\xrlxlll.exec:\xrlxlll.exe84⤵PID:4052
-
\??\c:\4022042.exec:\4022042.exe85⤵PID:3424
-
\??\c:\22082.exec:\22082.exe86⤵PID:4452
-
\??\c:\8882288.exec:\8882288.exe87⤵PID:2732
-
\??\c:\2004046.exec:\2004046.exe88⤵PID:4968
-
\??\c:\64266.exec:\64266.exe89⤵PID:232
-
\??\c:\dpjpj.exec:\dpjpj.exe90⤵PID:1704
-
\??\c:\08006.exec:\08006.exe91⤵PID:1852
-
\??\c:\xflrffr.exec:\xflrffr.exe92⤵PID:2820
-
\??\c:\4826060.exec:\4826060.exe93⤵PID:1116
-
\??\c:\o066000.exec:\o066000.exe94⤵PID:4200
-
\??\c:\0406684.exec:\0406684.exe95⤵PID:2748
-
\??\c:\60420.exec:\60420.exe96⤵PID:1492
-
\??\c:\06260.exec:\06260.exe97⤵PID:548
-
\??\c:\q66048.exec:\q66048.exe98⤵PID:1968
-
\??\c:\tbbtbb.exec:\tbbtbb.exe99⤵PID:4012
-
\??\c:\vvvjv.exec:\vvvjv.exe100⤵PID:4436
-
\??\c:\rllrrff.exec:\rllrrff.exe101⤵PID:820
-
\??\c:\btnbtt.exec:\btnbtt.exe102⤵PID:4712
-
\??\c:\jpdpd.exec:\jpdpd.exe103⤵PID:3960
-
\??\c:\3pvpj.exec:\3pvpj.exe104⤵PID:556
-
\??\c:\tnhbhb.exec:\tnhbhb.exe105⤵PID:4320
-
\??\c:\842600.exec:\842600.exe106⤵PID:744
-
\??\c:\04206.exec:\04206.exe107⤵PID:1804
-
\??\c:\0622660.exec:\0622660.exe108⤵PID:3752
-
\??\c:\xfxrxfr.exec:\xfxrxfr.exe109⤵PID:2320
-
\??\c:\2802060.exec:\2802060.exe110⤵PID:5096
-
\??\c:\3jjpj.exec:\3jjpj.exe111⤵PID:2996
-
\??\c:\s2448.exec:\s2448.exe112⤵PID:1572
-
\??\c:\6686824.exec:\6686824.exe113⤵PID:1012
-
\??\c:\80084.exec:\80084.exe114⤵PID:3180
-
\??\c:\fllfflf.exec:\fllfflf.exe115⤵PID:1816
-
\??\c:\vvdpv.exec:\vvdpv.exe116⤵PID:3944
-
\??\c:\jdvjd.exec:\jdvjd.exe117⤵PID:3552
-
\??\c:\64286.exec:\64286.exe118⤵PID:4544
-
\??\c:\jjdvp.exec:\jjdvp.exe119⤵PID:4736
-
\??\c:\g6860.exec:\g6860.exe120⤵PID:468
-
\??\c:\xrfxxxr.exec:\xrfxxxr.exe121⤵
- System Location Discovery: System Language Discovery
PID:3924 -
\??\c:\vppjd.exec:\vppjd.exe122⤵PID:1256