Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 07:47
Behavioral task
behavioral1
Sample
3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe
-
Size
335KB
-
MD5
5c607a1bc09df2b598835688cd4bef86
-
SHA1
059ec216e2d5e557570179b623107a8fe7ef5b23
-
SHA256
3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e
-
SHA512
44074d20040f262c4f3ebbac6cffd1374042fdbc74570cb6e7c1897351b31c75de67d5951dcde6df2796bab46111af4b5a08c62d8812a0019314d6a3e217f3ae
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRp:R4wFHoSHYHUrAwfMp3CDRp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1508-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3912-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5020-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2980-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2128-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4892-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2100-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2756-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1760-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2036-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2144-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1828-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3372-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3140-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1408-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/516-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3164-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4944-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3240-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1128-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1080-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3540-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1088-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3888-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4056-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4384-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4848-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3924-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4664-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1368-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4360-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1408-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1488-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1160-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4224-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2404-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3904-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4396-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/836-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3924-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3152-472-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3444-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4192-560-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3064-833-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-857-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3856-1338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3512 44882.exe 1192 m4048.exe 2216 048482.exe 3456 djpdj.exe 3912 260064.exe 5020 tbhbhh.exe 2980 k02266.exe 4028 664044.exe 2128 26226.exe 4892 800444.exe 2172 02040.exe 2100 pjvjd.exe 4508 htbthh.exe 4384 tnnnbn.exe 1416 u844004.exe 4056 486026.exe 5048 8022000.exe 4484 nhttnt.exe 2408 402448.exe 3988 420044.exe 2332 5jvpj.exe 3888 28048.exe 3248 0222666.exe 1088 htbtnn.exe 3540 1bnnnt.exe 1080 462266.exe 1144 068862.exe 1128 5pdvd.exe 3240 lffxxxx.exe 4944 lrxxxrr.exe 3164 28604.exe 2928 xffxlrl.exe 516 64420.exe 2764 7rlfxxl.exe 4816 8604260.exe 5108 pddvp.exe 1228 k84084.exe 1408 44042.exe 1660 02208.exe 3140 426486.exe 2748 9xrfrlx.exe 2756 6420882.exe 3592 jppdv.exe 3372 5nthbt.exe 64 86426.exe 3004 6444248.exe 1828 rlffrxr.exe 1760 lrxxrlf.exe 624 bhtnhb.exe 1084 288204.exe 464 htbnnh.exe 4280 64820.exe 3764 866448.exe 4960 00642.exe 4204 640460.exe 5028 206426.exe 2856 284860.exe 2144 7jdpd.exe 4440 thnbnh.exe 2036 446426.exe 4116 40666.exe 3512 bbhbnn.exe 836 688648.exe 4848 82440.exe -
resource yara_rule behavioral2/memory/1508-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c91-3.dat upx behavioral2/memory/1508-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-8.dat upx behavioral2/memory/3512-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-11.dat upx behavioral2/files/0x0007000000023c97-17.dat upx behavioral2/memory/2216-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-22.dat upx behavioral2/memory/3456-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-27.dat upx behavioral2/memory/3912-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-32.dat upx behavioral2/memory/5020-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-37.dat upx behavioral2/memory/2980-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-42.dat upx behavioral2/memory/2128-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4028-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2128-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-48.dat upx behavioral2/files/0x0008000000023c92-53.dat upx behavioral2/memory/4892-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2172-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-58.dat upx behavioral2/files/0x0007000000023ca0-63.dat upx behavioral2/memory/4508-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2100-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-70.dat upx behavioral2/files/0x0007000000023ca3-75.dat upx behavioral2/files/0x0007000000023ca5-83.dat upx 
behavioral2/files/0x0007000000023ca6-89.dat upx behavioral2/memory/4484-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2332-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2756-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1760-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2036-224-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2144-220-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4204-213-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/464-204-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1828-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3372-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3140-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1408-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4816-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/516-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-156.dat upx behavioral2/memory/3164-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-151.dat upx behavioral2/memory/4944-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-146.dat upx behavioral2/memory/3240-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-141.dat upx behavioral2/memory/1128-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-136.dat upx behavioral2/files/0x0007000000023caf-132.dat upx behavioral2/memory/1080-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-127.dat upx 
behavioral2/memory/3540-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-122.dat upx behavioral2/memory/1088-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-117.dat upx behavioral2/memory/3248-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-112.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6004264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006082.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 660426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4402200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8066000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0222222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u226004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802600.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1508 wrote to memory of 3512 1508 3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe 83 PID 1508 wrote to memory of 3512 1508 3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe 83 PID 1508 wrote to memory of 3512 1508 3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe 83 PID 3512 wrote to memory of 1192 3512 44882.exe 84 PID 3512 wrote to memory of 1192 3512 44882.exe 84 PID 3512 wrote to memory of 1192 3512 44882.exe 84 PID 1192 wrote to memory of 2216 1192 m4048.exe 85 PID 1192 wrote to memory of 2216 1192 m4048.exe 85 PID 1192 wrote to memory of 2216 1192 m4048.exe 85 PID 2216 wrote to memory of 3456 2216 048482.exe 86 PID 2216 wrote to memory of 3456 2216 048482.exe 86 PID 2216 wrote to memory of 3456 2216 048482.exe 86 PID 3456 wrote to memory of 3912 3456 djpdj.exe 87 PID 3456 wrote to memory of 3912 3456 djpdj.exe 87 PID 3456 wrote to memory of 3912 3456 djpdj.exe 87 PID 3912 wrote to memory of 5020 3912 260064.exe 88 PID 3912 wrote to memory of 5020 3912 260064.exe 88 PID 3912 wrote to memory of 5020 3912 260064.exe 88 PID 5020 wrote to memory of 2980 5020 tbhbhh.exe 89 PID 5020 wrote to memory of 2980 5020 tbhbhh.exe 89 PID 5020 wrote to memory of 2980 5020 tbhbhh.exe 89 PID 2980 wrote to memory of 4028 2980 k02266.exe 90 PID 2980 wrote to memory of 4028 2980 k02266.exe 90 PID 2980 wrote to memory of 4028 2980 k02266.exe 90 PID 4028 wrote to memory of 2128 4028 664044.exe 91 PID 4028 wrote to memory of 2128 4028 664044.exe 91 PID 4028 wrote to memory of 2128 4028 664044.exe 91 PID 2128 wrote to memory of 4892 2128 26226.exe 92 PID 2128 wrote to memory of 4892 2128 26226.exe 92 PID 2128 wrote to memory of 4892 2128 26226.exe 92 PID 4892 wrote to memory of 2172 4892 800444.exe 93 PID 4892 wrote to memory of 2172 4892 800444.exe 93 PID 4892 wrote to memory of 2172 4892 800444.exe 93 PID 2172 wrote to memory of 2100 2172 02040.exe 94 PID 2172 wrote to memory of 2100 
2172 02040.exe 94 PID 2172 wrote to memory of 2100 2172 02040.exe 94 PID 2100 wrote to memory of 4508 2100 pjvjd.exe 95 PID 2100 wrote to memory of 4508 2100 pjvjd.exe 95 PID 2100 wrote to memory of 4508 2100 pjvjd.exe 95 PID 4508 wrote to memory of 4384 4508 htbthh.exe 96 PID 4508 wrote to memory of 4384 4508 htbthh.exe 96 PID 4508 wrote to memory of 4384 4508 htbthh.exe 96 PID 4384 wrote to memory of 1416 4384 tnnnbn.exe 97 PID 4384 wrote to memory of 1416 4384 tnnnbn.exe 97 PID 4384 wrote to memory of 1416 4384 tnnnbn.exe 97 PID 1416 wrote to memory of 4056 1416 u844004.exe 98 PID 1416 wrote to memory of 4056 1416 u844004.exe 98 PID 1416 wrote to memory of 4056 1416 u844004.exe 98 PID 4056 wrote to memory of 5048 4056 486026.exe 99 PID 4056 wrote to memory of 5048 4056 486026.exe 99 PID 4056 wrote to memory of 5048 4056 486026.exe 99 PID 5048 wrote to memory of 4484 5048 8022000.exe 100 PID 5048 wrote to memory of 4484 5048 8022000.exe 100 PID 5048 wrote to memory of 4484 5048 8022000.exe 100 PID 4484 wrote to memory of 2408 4484 nhttnt.exe 101 PID 4484 wrote to memory of 2408 4484 nhttnt.exe 101 PID 4484 wrote to memory of 2408 4484 nhttnt.exe 101 PID 2408 wrote to memory of 3988 2408 402448.exe 102 PID 2408 wrote to memory of 3988 2408 402448.exe 102 PID 2408 wrote to memory of 3988 2408 402448.exe 102 PID 3988 wrote to memory of 2332 3988 420044.exe 103 PID 3988 wrote to memory of 2332 3988 420044.exe 103 PID 3988 wrote to memory of 2332 3988 420044.exe 103 PID 2332 wrote to memory of 3888 2332 5jvpj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe"C:\Users\Admin\AppData\Local\Temp\3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\44882.exec:\44882.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\m4048.exec:\m4048.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\048482.exec:\048482.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\djpdj.exec:\djpdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\260064.exec:\260064.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\tbhbhh.exec:\tbhbhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\k02266.exec:\k02266.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\664044.exec:\664044.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\26226.exec:\26226.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\800444.exec:\800444.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\02040.exec:\02040.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\pjvjd.exec:\pjvjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\htbthh.exec:\htbthh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\tnnnbn.exec:\tnnnbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\u844004.exec:\u844004.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\486026.exec:\486026.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\8022000.exec:\8022000.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\nhttnt.exec:\nhttnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\402448.exec:\402448.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\420044.exec:\420044.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\5jvpj.exec:\5jvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\28048.exec:\28048.exe23⤵
- Executes dropped EXE
PID:3888 -
\??\c:\0222666.exec:\0222666.exe24⤵
- Executes dropped EXE
PID:3248 -
\??\c:\htbtnn.exec:\htbtnn.exe25⤵
- Executes dropped EXE
PID:1088 -
\??\c:\1bnnnt.exec:\1bnnnt.exe26⤵
- Executes dropped EXE
PID:3540 -
\??\c:\462266.exec:\462266.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1080 -
\??\c:\068862.exec:\068862.exe28⤵
- Executes dropped EXE
PID:1144 -
\??\c:\5pdvd.exec:\5pdvd.exe29⤵
- Executes dropped EXE
PID:1128 -
\??\c:\lffxxxx.exec:\lffxxxx.exe30⤵
- Executes dropped EXE
PID:3240 -
\??\c:\lrxxxrr.exec:\lrxxxrr.exe31⤵
- Executes dropped EXE
PID:4944 -
\??\c:\28604.exec:\28604.exe32⤵
- Executes dropped EXE
PID:3164 -
\??\c:\xffxlrl.exec:\xffxlrl.exe33⤵
- Executes dropped EXE
PID:2928 -
\??\c:\64420.exec:\64420.exe34⤵
- Executes dropped EXE
PID:516 -
\??\c:\7rlfxxl.exec:\7rlfxxl.exe35⤵
- Executes dropped EXE
PID:2764 -
\??\c:\8604260.exec:\8604260.exe36⤵
- Executes dropped EXE
PID:4816 -
\??\c:\pddvp.exec:\pddvp.exe37⤵
- Executes dropped EXE
PID:5108 -
\??\c:\k84084.exec:\k84084.exe38⤵
- Executes dropped EXE
PID:1228 -
\??\c:\44042.exec:\44042.exe39⤵
- Executes dropped EXE
PID:1408 -
\??\c:\02208.exec:\02208.exe40⤵
- Executes dropped EXE
PID:1660 -
\??\c:\426486.exec:\426486.exe41⤵
- Executes dropped EXE
PID:3140 -
\??\c:\9xrfrlx.exec:\9xrfrlx.exe42⤵
- Executes dropped EXE
PID:2748 -
\??\c:\6420882.exec:\6420882.exe43⤵
- Executes dropped EXE
PID:2756 -
\??\c:\jppdv.exec:\jppdv.exe44⤵
- Executes dropped EXE
PID:3592 -
\??\c:\5nthbt.exec:\5nthbt.exe45⤵
- Executes dropped EXE
PID:3372 -
\??\c:\86426.exec:\86426.exe46⤵
- Executes dropped EXE
PID:64 -
\??\c:\6444248.exec:\6444248.exe47⤵
- Executes dropped EXE
PID:3004 -
\??\c:\rlffrxr.exec:\rlffrxr.exe48⤵
- Executes dropped EXE
PID:1828 -
\??\c:\lrxxrlf.exec:\lrxxrlf.exe49⤵
- Executes dropped EXE
PID:1760 -
\??\c:\bhtnhb.exec:\bhtnhb.exe50⤵
- Executes dropped EXE
PID:624 -
\??\c:\288204.exec:\288204.exe51⤵
- Executes dropped EXE
PID:1084 -
\??\c:\htbnnh.exec:\htbnnh.exe52⤵
- Executes dropped EXE
PID:464 -
\??\c:\64820.exec:\64820.exe53⤵
- Executes dropped EXE
PID:4280 -
\??\c:\866448.exec:\866448.exe54⤵
- Executes dropped EXE
PID:3764 -
\??\c:\00642.exec:\00642.exe55⤵
- Executes dropped EXE
PID:4960 -
\??\c:\640460.exec:\640460.exe56⤵
- Executes dropped EXE
PID:4204 -
\??\c:\206426.exec:\206426.exe57⤵
- Executes dropped EXE
PID:5028 -
\??\c:\284860.exec:\284860.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856 -
\??\c:\7jdpd.exec:\7jdpd.exe59⤵
- Executes dropped EXE
PID:2144 -
\??\c:\thnbnh.exec:\thnbnh.exe60⤵
- Executes dropped EXE
PID:4440 -
\??\c:\446426.exec:\446426.exe61⤵
- Executes dropped EXE
PID:2036 -
\??\c:\40666.exec:\40666.exe62⤵
- Executes dropped EXE
PID:4116 -
\??\c:\bbhbnn.exec:\bbhbnn.exe63⤵
- Executes dropped EXE
PID:3512 -
\??\c:\688648.exec:\688648.exe64⤵
- Executes dropped EXE
PID:836 -
\??\c:\82440.exec:\82440.exe65⤵
- Executes dropped EXE
PID:4848 -
\??\c:\o008660.exec:\o008660.exe66⤵PID:2216
-
\??\c:\vjjpd.exec:\vjjpd.exe67⤵PID:4060
-
\??\c:\u482604.exec:\u482604.exe68⤵PID:3924
-
\??\c:\28224.exec:\28224.exe69⤵PID:4664
-
\??\c:\420426.exec:\420426.exe70⤵PID:2900
-
\??\c:\w48648.exec:\w48648.exe71⤵PID:5032
-
\??\c:\406042.exec:\406042.exe72⤵PID:2980
-
\??\c:\jpjjd.exec:\jpjjd.exe73⤵PID:1368
-
\??\c:\w80422.exec:\w80422.exe74⤵PID:1432
-
\??\c:\k66426.exec:\k66426.exe75⤵PID:5016
-
\??\c:\ddjpj.exec:\ddjpj.exe76⤵PID:3264
-
\??\c:\22668.exec:\22668.exe77⤵PID:2344
-
\??\c:\82824.exec:\82824.exe78⤵PID:1608
-
\??\c:\4286208.exec:\4286208.exe79⤵PID:2912
-
\??\c:\228682.exec:\228682.exe80⤵PID:800
-
\??\c:\6686442.exec:\6686442.exe81⤵PID:1968
-
\??\c:\9rfxlll.exec:\9rfxlll.exe82⤵PID:4384
-
\??\c:\3dvjv.exec:\3dvjv.exe83⤵PID:1156
-
\??\c:\lfxlfxr.exec:\lfxlfxr.exe84⤵PID:3572
-
\??\c:\822082.exec:\822082.exe85⤵PID:5048
-
\??\c:\3pvjv.exec:\3pvjv.exe86⤵PID:3676
-
\??\c:\llfrfxl.exec:\llfrfxl.exe87⤵PID:2064
-
\??\c:\646406.exec:\646406.exe88⤵PID:3900
-
\??\c:\62464.exec:\62464.exe89⤵PID:3412
-
\??\c:\ppjvj.exec:\ppjvj.exe90⤵PID:4084
-
\??\c:\vvvpj.exec:\vvvpj.exe91⤵PID:4432
-
\??\c:\ppdvp.exec:\ppdvp.exe92⤵PID:2692
-
\??\c:\1hbnnh.exec:\1hbnnh.exe93⤵PID:4360
-
\??\c:\606026.exec:\606026.exe94⤵PID:2940
-
\??\c:\hnnhtn.exec:\hnnhtn.exe95⤵PID:2816
-
\??\c:\4402200.exec:\4402200.exe96⤵
- System Location Discovery: System Language Discovery
PID:1128 -
\??\c:\06442.exec:\06442.exe97⤵PID:3780
-
\??\c:\ddjvj.exec:\ddjvj.exe98⤵PID:3240
-
\??\c:\42484.exec:\42484.exe99⤵PID:1424
-
\??\c:\fxxlfxl.exec:\fxxlfxl.exe100⤵PID:892
-
\??\c:\llrxrlx.exec:\llrxrlx.exe101⤵PID:928
-
\??\c:\frfrlfr.exec:\frfrlfr.exe102⤵PID:3840
-
\??\c:\thnhbt.exec:\thnhbt.exe103⤵PID:4388
-
\??\c:\c848606.exec:\c848606.exe104⤵PID:2072
-
\??\c:\5nbbhb.exec:\5nbbhb.exe105⤵PID:1408
-
\??\c:\u882066.exec:\u882066.exe106⤵PID:2108
-
\??\c:\fxxlfrl.exec:\fxxlfrl.exe107⤵PID:3140
-
\??\c:\9rrfrrf.exec:\9rrfrrf.exe108⤵PID:1488
-
\??\c:\nhhtnh.exec:\nhhtnh.exe109⤵PID:1160
-
\??\c:\2062404.exec:\2062404.exe110⤵PID:384
-
\??\c:\5nnhtb.exec:\5nnhtb.exe111⤵PID:1808
-
\??\c:\6064488.exec:\6064488.exe112⤵PID:2168
-
\??\c:\066426.exec:\066426.exe113⤵PID:4224
-
\??\c:\5xxrfxr.exec:\5xxrfxr.exe114⤵PID:3004
-
\??\c:\k66082.exec:\k66082.exe115⤵PID:2400
-
\??\c:\vpvvv.exec:\vpvvv.exe116⤵PID:2404
-
\??\c:\o448026.exec:\o448026.exe117⤵PID:4760
-
\??\c:\9jjdp.exec:\9jjdp.exe118⤵PID:1084
-
\??\c:\bhhbth.exec:\bhhbth.exe119⤵PID:4600
-
\??\c:\9nhbbb.exec:\9nhbbb.exe120⤵PID:3628
-
\??\c:\dvjpv.exec:\dvjpv.exe121⤵PID:3124
-
\??\c:\0064220.exec:\0064220.exe122⤵PID:2380