Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 20:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
58a0e7a6b963caff8a02a2b260c75aea811463ce181891f58757cca9217f3bc2N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
58a0e7a6b963caff8a02a2b260c75aea811463ce181891f58757cca9217f3bc2N.exe
-
Size
455KB
-
MD5
153383f01b08c5991ba0ede9f63213e0
-
SHA1
3f85016a2081cf3b493d8278d8902386a2808c6d
-
SHA256
58a0e7a6b963caff8a02a2b260c75aea811463ce181891f58757cca9217f3bc2
-
SHA512
6312fddb9d15f3bec9af73bd4f154ba2478cd3ab3dec28e01e3c254eb35144a890ddbefc1606e09ddc0de931f1a9fcb475bad270a9072b1aa332af7821c78309
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRa:q7Tc2NYHUrAwfMp3CDRa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/116-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4812-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2956-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/212-833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1780 00442.exe 4724 c648266.exe 3648 42860.exe 2268 488260.exe 3208 6064882.exe 5052 2024884.exe 64 8626042.exe 4588 2882684.exe 4060 080044.exe 1696 e02604.exe 1152 4282608.exe 1068 dppjd.exe 3892 llrrfll.exe 2236 dvjdj.exe 3672 86266.exe 940 20226.exe 3664 nbhbtt.exe 2848 e88822.exe 4712 442626.exe 4980 i242604.exe 3812 668866.exe 3460 040440.exe 1464 422828.exe 2224 00048.exe 1344 vvdpj.exe 2496 c848288.exe 3524 c060480.exe 2672 5jjdp.exe 4812 nhtntb.exe 4964 a4482.exe 2944 08264.exe 2884 btnhnn.exe 4424 dvvpd.exe 2284 0882048.exe 4288 4420448.exe 1652 64048.exe 2260 084822.exe 1332 86262.exe 2540 vpjjd.exe 4680 264646.exe 1284 llxrlll.exe 4960 hbnbbb.exe 4848 04044.exe 3676 0422266.exe 1092 82604.exe 2840 424888.exe 4520 fxfrxrr.exe 4464 tnhbth.exe 3400 frrfxrl.exe 1932 rrrrlfx.exe 4612 lrrrlxr.exe 216 1rrlfxr.exe 3316 6008260.exe 4300 408200.exe 5088 pdjdv.exe 1048 tbbttb.exe 4824 nhnhtn.exe 1952 4064826.exe 1380 nttnhb.exe 904 htbtnb.exe 2316 w24222.exe 64 rxxrlfx.exe 4744 fxrxrfx.exe 3068 866266.exe -
resource yara_rule behavioral2/memory/116-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1344-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2064-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-823-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0088222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxrxr.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 822446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8200662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8204444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 116 wrote to memory of 1780 116 58a0e7a6b963caff8a02a2b260c75aea811463ce181891f58757cca9217f3bc2N.exe 82 PID 116 wrote to memory of 1780 116 58a0e7a6b963caff8a02a2b260c75aea811463ce181891f58757cca9217f3bc2N.exe 82 PID 116 wrote to memory of 1780 116 58a0e7a6b963caff8a02a2b260c75aea811463ce181891f58757cca9217f3bc2N.exe 82 PID 1780 wrote to memory of 4724 1780 00442.exe 83 PID 1780 wrote to memory of 4724 1780 00442.exe 83 PID 1780 wrote to memory of 4724 1780 00442.exe 83 PID 4724 wrote to memory of 3648 4724 c648266.exe 84 PID 4724 wrote to memory of 3648 4724 c648266.exe 84 PID 4724 wrote to memory of 3648 4724 c648266.exe 84 PID 3648 wrote to memory of 2268 3648 42860.exe 85 PID 3648 wrote to memory of 2268 3648 42860.exe 85 PID 3648 wrote to memory of 2268 3648 42860.exe 85 PID 2268 wrote to memory of 3208 2268 488260.exe 86 PID 2268 wrote to memory of 3208 2268 488260.exe 86 PID 2268 wrote to memory of 3208 2268 488260.exe 86 PID 3208 wrote to memory of 5052 3208 6064882.exe 87 PID 3208 wrote to memory of 5052 3208 6064882.exe 87 PID 3208 wrote to memory of 5052 3208 6064882.exe 87 PID 5052 wrote to memory of 64 5052 2024884.exe 88 PID 5052 wrote to memory of 64 5052 2024884.exe 88 PID 5052 wrote to memory of 64 5052 2024884.exe 88 PID 64 wrote to memory of 4588 64 8626042.exe 89 PID 64 wrote to memory of 4588 64 8626042.exe 89 PID 64 wrote to memory of 4588 64 8626042.exe 89 PID 4588 wrote to memory of 4060 4588 2882684.exe 90 PID 4588 wrote to memory of 4060 4588 2882684.exe 90 PID 4588 wrote to memory of 4060 4588 2882684.exe 90 PID 4060 wrote to memory of 1696 4060 080044.exe 91 PID 4060 wrote to memory of 1696 4060 080044.exe 91 PID 4060 wrote to memory of 1696 4060 080044.exe 91 PID 1696 wrote to memory of 1152 1696 e02604.exe 92 PID 1696 wrote to memory of 1152 1696 e02604.exe 92 PID 1696 wrote to memory of 1152 1696 e02604.exe 92 PID 1152 wrote to memory of 1068 1152 4282608.exe 93 PID 1152 wrote to memory of 
1068 1152 4282608.exe 93 PID 1152 wrote to memory of 1068 1152 4282608.exe 93 PID 1068 wrote to memory of 3892 1068 dppjd.exe 148 PID 1068 wrote to memory of 3892 1068 dppjd.exe 148 PID 1068 wrote to memory of 3892 1068 dppjd.exe 148 PID 3892 wrote to memory of 2236 3892 llrrfll.exe 95 PID 3892 wrote to memory of 2236 3892 llrrfll.exe 95 PID 3892 wrote to memory of 2236 3892 llrrfll.exe 95 PID 2236 wrote to memory of 3672 2236 dvjdj.exe 96 PID 2236 wrote to memory of 3672 2236 dvjdj.exe 96 PID 2236 wrote to memory of 3672 2236 dvjdj.exe 96 PID 3672 wrote to memory of 940 3672 86266.exe 97 PID 3672 wrote to memory of 940 3672 86266.exe 97 PID 3672 wrote to memory of 940 3672 86266.exe 97 PID 940 wrote to memory of 3664 940 20226.exe 98 PID 940 wrote to memory of 3664 940 20226.exe 98 PID 940 wrote to memory of 3664 940 20226.exe 98 PID 3664 wrote to memory of 2848 3664 nbhbtt.exe 154 PID 3664 wrote to memory of 2848 3664 nbhbtt.exe 154 PID 3664 wrote to memory of 2848 3664 nbhbtt.exe 154 PID 2848 wrote to memory of 4712 2848 e88822.exe 100 PID 2848 wrote to memory of 4712 2848 e88822.exe 100 PID 2848 wrote to memory of 4712 2848 e88822.exe 100 PID 4712 wrote to memory of 4980 4712 442626.exe 101 PID 4712 wrote to memory of 4980 4712 442626.exe 101 PID 4712 wrote to memory of 4980 4712 442626.exe 101 PID 4980 wrote to memory of 3812 4980 i242604.exe 102 PID 4980 wrote to memory of 3812 4980 i242604.exe 102 PID 4980 wrote to memory of 3812 4980 i242604.exe 102 PID 3812 wrote to memory of 3460 3812 668866.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\58a0e7a6b963caff8a02a2b260c75aea811463ce181891f58757cca9217f3bc2N.exe"C:\Users\Admin\AppData\Local\Temp\58a0e7a6b963caff8a02a2b260c75aea811463ce181891f58757cca9217f3bc2N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\00442.exec:\00442.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\c648266.exec:\c648266.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\42860.exec:\42860.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\488260.exec:\488260.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\6064882.exec:\6064882.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\2024884.exec:\2024884.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\8626042.exec:\8626042.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\2882684.exec:\2882684.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\080044.exec:\080044.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\e02604.exec:\e02604.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\4282608.exec:\4282608.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\dppjd.exec:\dppjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\llrrfll.exec:\llrrfll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\dvjdj.exec:\dvjdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\86266.exec:\86266.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\20226.exec:\20226.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\nbhbtt.exec:\nbhbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\e88822.exec:\e88822.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\442626.exec:\442626.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\i242604.exec:\i242604.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\668866.exec:\668866.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\040440.exec:\040440.exe23⤵
- Executes dropped EXE
PID:3460 -
\??\c:\422828.exec:\422828.exe24⤵
- Executes dropped EXE
PID:1464 -
\??\c:\00048.exec:\00048.exe25⤵
- Executes dropped EXE
PID:2224 -
\??\c:\vvdpj.exec:\vvdpj.exe26⤵
- Executes dropped EXE
PID:1344 -
\??\c:\c848288.exec:\c848288.exe27⤵
- Executes dropped EXE
PID:2496 -
\??\c:\c060480.exec:\c060480.exe28⤵
- Executes dropped EXE
PID:3524 -
\??\c:\5jjdp.exec:\5jjdp.exe29⤵
- Executes dropped EXE
PID:2672 -
\??\c:\nhtntb.exec:\nhtntb.exe30⤵
- Executes dropped EXE
PID:4812 -
\??\c:\a4482.exec:\a4482.exe31⤵
- Executes dropped EXE
PID:4964 -
\??\c:\08264.exec:\08264.exe32⤵
- Executes dropped EXE
PID:2944 -
\??\c:\btnhnn.exec:\btnhnn.exe33⤵
- Executes dropped EXE
PID:2884 -
\??\c:\dvvpd.exec:\dvvpd.exe34⤵
- Executes dropped EXE
PID:4424 -
\??\c:\0882048.exec:\0882048.exe35⤵
- Executes dropped EXE
PID:2284 -
\??\c:\4420448.exec:\4420448.exe36⤵
- Executes dropped EXE
PID:4288 -
\??\c:\64048.exec:\64048.exe37⤵
- Executes dropped EXE
PID:1652 -
\??\c:\084822.exec:\084822.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2260 -
\??\c:\86262.exec:\86262.exe39⤵
- Executes dropped EXE
PID:1332 -
\??\c:\vpjjd.exec:\vpjjd.exe40⤵
- Executes dropped EXE
PID:2540 -
\??\c:\264646.exec:\264646.exe41⤵
- Executes dropped EXE
PID:4680 -
\??\c:\llxrlll.exec:\llxrlll.exe42⤵
- Executes dropped EXE
PID:1284 -
\??\c:\hbnbbb.exec:\hbnbbb.exe43⤵
- Executes dropped EXE
PID:4960 -
\??\c:\04044.exec:\04044.exe44⤵
- Executes dropped EXE
PID:4848 -
\??\c:\0422266.exec:\0422266.exe45⤵
- Executes dropped EXE
PID:3676 -
\??\c:\82604.exec:\82604.exe46⤵
- Executes dropped EXE
PID:1092 -
\??\c:\424888.exec:\424888.exe47⤵
- Executes dropped EXE
PID:2840 -
\??\c:\fxfrxrr.exec:\fxfrxrr.exe48⤵
- Executes dropped EXE
PID:4520 -
\??\c:\tnhbth.exec:\tnhbth.exe49⤵
- Executes dropped EXE
PID:4464 -
\??\c:\frrfxrl.exec:\frrfxrl.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3400 -
\??\c:\rrrrlfx.exec:\rrrrlfx.exe51⤵
- Executes dropped EXE
PID:1932 -
\??\c:\lrrrlxr.exec:\lrrrlxr.exe52⤵
- Executes dropped EXE
PID:4612 -
\??\c:\1rrlfxr.exec:\1rrlfxr.exe53⤵
- Executes dropped EXE
PID:216 -
\??\c:\6008260.exec:\6008260.exe54⤵
- Executes dropped EXE
PID:3316 -
\??\c:\408200.exec:\408200.exe55⤵
- Executes dropped EXE
PID:4300 -
\??\c:\pdjdv.exec:\pdjdv.exe56⤵
- Executes dropped EXE
PID:5088 -
\??\c:\tbbttb.exec:\tbbttb.exe57⤵
- Executes dropped EXE
PID:1048 -
\??\c:\nhnhtn.exec:\nhnhtn.exe58⤵
- Executes dropped EXE
PID:4824 -
\??\c:\4064826.exec:\4064826.exe59⤵
- Executes dropped EXE
PID:1952 -
\??\c:\nttnhb.exec:\nttnhb.exe60⤵
- Executes dropped EXE
PID:1380 -
\??\c:\htbtnb.exec:\htbtnb.exe61⤵
- Executes dropped EXE
PID:904 -
\??\c:\w24222.exec:\w24222.exe62⤵
- Executes dropped EXE
PID:2316 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe63⤵
- Executes dropped EXE
PID:64 -
\??\c:\fxrxrfx.exec:\fxrxrfx.exe64⤵
- Executes dropped EXE
PID:4744 -
\??\c:\866266.exec:\866266.exe65⤵
- Executes dropped EXE
PID:3068 -
\??\c:\600000.exec:\600000.exe66⤵PID:2292
-
\??\c:\3djdj.exec:\3djdj.exe67⤵PID:1040
-
\??\c:\422482.exec:\422482.exe68⤵PID:3892
-
\??\c:\jdjpv.exec:\jdjpv.exe69⤵PID:2804
-
\??\c:\2888204.exec:\2888204.exe70⤵PID:3780
-
\??\c:\dvdvd.exec:\dvdvd.exe71⤵PID:3000
-
\??\c:\bhnhbb.exec:\bhnhbb.exe72⤵PID:3528
-
\??\c:\hntnhh.exec:\hntnhh.exe73⤵PID:2956
-
\??\c:\8248048.exec:\8248048.exe74⤵PID:2848
-
\??\c:\442288.exec:\442288.exe75⤵PID:3428
-
\??\c:\4842260.exec:\4842260.exe76⤵PID:3320
-
\??\c:\62864.exec:\62864.exe77⤵PID:2448
-
\??\c:\pjjvj.exec:\pjjvj.exe78⤵PID:1240
-
\??\c:\80064.exec:\80064.exe79⤵PID:2720
-
\??\c:\88826.exec:\88826.exe80⤵PID:2964
-
\??\c:\84600.exec:\84600.exe81⤵PID:2224
-
\??\c:\4808880.exec:\4808880.exe82⤵PID:4668
-
\??\c:\jjpjd.exec:\jjpjd.exe83⤵PID:2496
-
\??\c:\840842.exec:\840842.exe84⤵PID:3524
-
\??\c:\bbbtnh.exec:\bbbtnh.exe85⤵PID:2064
-
\??\c:\48448.exec:\48448.exe86⤵PID:2244
-
\??\c:\9ppdv.exec:\9ppdv.exe87⤵PID:2724
-
\??\c:\286666.exec:\286666.exe88⤵PID:4808
-
\??\c:\4866060.exec:\4866060.exe89⤵PID:2884
-
\??\c:\842044.exec:\842044.exe90⤵PID:1976
-
\??\c:\hntnhh.exec:\hntnhh.exe91⤵PID:2256
-
\??\c:\7nthtn.exec:\7nthtn.exe92⤵PID:4288
-
\??\c:\ppdvp.exec:\ppdvp.exe93⤵PID:2736
-
\??\c:\684888.exec:\684888.exe94⤵PID:2260
-
\??\c:\w68600.exec:\w68600.exe95⤵PID:4304
-
\??\c:\nhbbtt.exec:\nhbbtt.exe96⤵PID:3280
-
\??\c:\nttnnn.exec:\nttnnn.exe97⤵PID:2072
-
\??\c:\044888.exec:\044888.exe98⤵PID:3020
-
\??\c:\llfrrlr.exec:\llfrrlr.exe99⤵PID:3848
-
\??\c:\06226.exec:\06226.exe100⤵PID:812
-
\??\c:\1xrlfxr.exec:\1xrlfxr.exe101⤵PID:4756
-
\??\c:\240046.exec:\240046.exe102⤵PID:1400
-
\??\c:\26260.exec:\26260.exe103⤵PID:3616
-
\??\c:\rxxrffx.exec:\rxxrffx.exe104⤵PID:4832
-
\??\c:\48042.exec:\48042.exe105⤵PID:1168
-
\??\c:\3rlxxrr.exec:\3rlxxrr.exe106⤵PID:1732
-
\??\c:\82284.exec:\82284.exe107⤵PID:4392
-
\??\c:\648204.exec:\648204.exe108⤵PID:4800
-
\??\c:\c842660.exec:\c842660.exe109⤵PID:1932
-
\??\c:\860282.exec:\860282.exe110⤵PID:3684
-
\??\c:\xfrlllf.exec:\xfrlllf.exe111⤵PID:2436
-
\??\c:\464448.exec:\464448.exe112⤵PID:2028
-
\??\c:\a2848.exec:\a2848.exe113⤵PID:920
-
\??\c:\dvjdv.exec:\dvjdv.exe114⤵PID:760
-
\??\c:\hthhbb.exec:\hthhbb.exe115⤵PID:1300
-
\??\c:\20080.exec:\20080.exe116⤵PID:2668
-
\??\c:\0482664.exec:\0482664.exe117⤵PID:2336
-
\??\c:\xlrlfrl.exec:\xlrlfrl.exe118⤵PID:2268
-
\??\c:\62260.exec:\62260.exe119⤵PID:3452
-
\??\c:\40228.exec:\40228.exe120⤵PID:3568
-
\??\c:\pjpjj.exec:\pjpjj.exe121⤵PID:8
-
\??\c:\ddjdj.exec:\ddjdj.exe122⤵PID:2544