Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-11-2024 00:20
Behavioral task
behavioral1
Sample
7e491917a08bebbcc0b2d1ddfa1f99c3d41cde96cd2cbb801d0c0c839fcf1e18.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
7e491917a08bebbcc0b2d1ddfa1f99c3d41cde96cd2cbb801d0c0c839fcf1e18.exe
-
Size
97KB
-
MD5
d38bdfb25e383f1d740af9fb7e8c534f
-
SHA1
1632f2af56a65b178799c35703d3540893f3c0c1
-
SHA256
7e491917a08bebbcc0b2d1ddfa1f99c3d41cde96cd2cbb801d0c0c839fcf1e18
-
SHA512
a35a90462741fd2811f281fe467e9791c40c2f8339f55bf931dbdc5ddccc4dccf3e74c012ff77a593de513285e913bcc54a8df64e4efed608a62bb0eeff5d21f
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgz:8cm4FmowdHoSgWrXUgz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/1272-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4628-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1188-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2160-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/396-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2892-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/264-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2644-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3480-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3644-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1500-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2188-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4268-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3428-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3364-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1792-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4460-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1092-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/932-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/884-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3384-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/344-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/748-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1876-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2556-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1112-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1744-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4256-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/776-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/456-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3560-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1364-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2596-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4504-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/708-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2804-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4168-450-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1212-463-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1704-478-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/884-489-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/532-726-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
0668064.exe2868446.exebbbhtn.exe666424.exe4882662.exevvjjp.exe8480088.exepjddd.exe4826880.exerlfffff.exedjvvj.exe66682.exejdjpj.exe6022840.exexlxflll.exe4424068.exexlrlllr.exe2242686.exe24044.exe6046046.exethnnbn.exe84664.exexxxrrrf.exe226266.exexxrllrl.exe0286008.exem6822.exe4862286.exe8022480.exe8002008.exerrxxrfr.exe5pvvp.exe848422.exe24808.exe04824.exennbthh.exexfxlfrf.exe48060.exe488888.exe9dvjv.exettthtn.exejvjvd.exe468822.exedppdd.exerxfffrl.exe0888824.exedvjdd.exelrrrflf.exe8844888.exe8802486.exehhbttb.exejdddj.exe404428.exe840022.exelrfxlxx.exexxrfrlf.exe44648.exe0866480.exellrxrrf.exefrrrrrr.exehnbnnh.exe200688.exeg8488.exe26422.exepid Process 4628 0668064.exe 2192 2868446.exe 1188 bbbhtn.exe 2544 666424.exe 2160 4882662.exe 3264 vvjjp.exe 5028 8480088.exe 3956 pjddd.exe 5072 4826880.exe 4016 rlfffff.exe 396 djvvj.exe 1460 66682.exe 2892 jdjpj.exe 2184 6022840.exe 264 xlxflll.exe 244 4424068.exe 2644 xlrlllr.exe 4532 2242686.exe 1944 24044.exe 3480 6046046.exe 3644 thnnbn.exe 1984 84664.exe 1500 xxxrrrf.exe 4292 226266.exe 4280 xxrllrl.exe 2188 0286008.exe 4268 m6822.exe 3428 4862286.exe 2216 8022480.exe 3584 8002008.exe 3364 rrxxrfr.exe 3664 5pvvp.exe 5048 848422.exe 1792 24808.exe 3288 04824.exe 4460 nnbthh.exe 1092 xfxlfrf.exe 932 48060.exe 2036 488888.exe 4992 9dvjv.exe 884 ttthtn.exe 1384 jvjvd.exe 3384 468822.exe 4600 dppdd.exe 4140 rxfffrl.exe 4420 0888824.exe 3960 dvjdd.exe 344 lrrrflf.exe 3860 8844888.exe 3636 8802486.exe 1540 hhbttb.exe 748 jdddj.exe 3952 404428.exe 3572 840022.exe 2884 lrfxlxx.exe 560 xxrfrlf.exe 1376 44648.exe 4408 0866480.exe 1824 llrxrrf.exe 5016 frrrrrr.exe 1876 hnbnnh.exe 4748 200688.exe 1828 g8488.exe 4916 26422.exe -
Processes:
resource yara_rule behavioral2/memory/1272-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0018000000023c3e-3.dat upx behavioral2/memory/1272-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-8.dat upx behavioral2/memory/2192-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4628-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-12.dat upx behavioral2/memory/2192-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-19.dat upx behavioral2/memory/1188-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-24.dat upx behavioral2/memory/2544-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-29.dat upx behavioral2/memory/2160-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-34.dat upx behavioral2/memory/3264-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-39.dat upx behavioral2/memory/5028-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-45.dat upx behavioral2/memory/5072-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3956-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-50.dat upx behavioral2/memory/5072-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-55.dat upx behavioral2/memory/4016-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-60.dat upx behavioral2/memory/396-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-66.dat upx behavioral2/files/0x0007000000023cc2-70.dat upx behavioral2/memory/2892-68-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cc3-74.dat upx behavioral2/files/0x0007000000023cc4-78.dat upx behavioral2/memory/264-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-83.dat upx behavioral2/files/0x0009000000023cb0-87.dat upx behavioral2/memory/2644-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-92.dat upx behavioral2/files/0x0007000000023cc7-97.dat upx behavioral2/memory/3480-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc8-103.dat upx behavioral2/memory/3644-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc9-108.dat upx behavioral2/memory/4532-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-111.dat upx behavioral2/files/0x0007000000023ccb-115.dat upx behavioral2/memory/1500-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-122.dat upx behavioral2/memory/4292-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cce-125.dat upx behavioral2/memory/4280-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccf-131.dat upx behavioral2/memory/2188-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd0-136.dat upx behavioral2/memory/4268-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd1-140.dat upx behavioral2/memory/3428-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd2-145.dat upx behavioral2/files/0x0007000000023cd3-149.dat upx behavioral2/files/0x0007000000023cd4-154.dat upx behavioral2/memory/3664-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3364-157-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1792-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3288-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4460-169-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
tbhnnn.exe84408.exe0866480.exe802220.exebnhnbn.exevvvpj.exejvddd.exe46068.exe2460444.exevvpdv.exehhbttb.exennnhbb.exepdvjv.exebtnnht.exe886000.exe26888.exennttnn.exe6226282.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0866480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2460444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 886000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26888.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6226282.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
7e491917a08bebbcc0b2d1ddfa1f99c3d41cde96cd2cbb801d0c0c839fcf1e18.exe0668064.exe2868446.exebbbhtn.exe666424.exe4882662.exevvjjp.exe8480088.exepjddd.exe4826880.exerlfffff.exedjvvj.exe66682.exejdjpj.exe6022840.exexlxflll.exe4424068.exexlrlllr.exe2242686.exe24044.exe6046046.exethnnbn.exedescription pid Process procid_target PID 1272 wrote to memory of 4628 1272 7e491917a08bebbcc0b2d1ddfa1f99c3d41cde96cd2cbb801d0c0c839fcf1e18.exe 82 PID 1272 wrote to memory of 4628 1272 7e491917a08bebbcc0b2d1ddfa1f99c3d41cde96cd2cbb801d0c0c839fcf1e18.exe 82 PID 1272 wrote to memory of 4628 1272 7e491917a08bebbcc0b2d1ddfa1f99c3d41cde96cd2cbb801d0c0c839fcf1e18.exe 82 PID 4628 wrote to memory of 2192 4628 0668064.exe 83 PID 4628 wrote to memory of 2192 4628 0668064.exe 83 PID 4628 wrote to memory of 2192 4628 0668064.exe 83 PID 2192 wrote to memory of 1188 2192 2868446.exe 84 PID 2192 wrote to memory of 1188 2192 2868446.exe 84 PID 2192 wrote to memory of 1188 2192 2868446.exe 84 PID 1188 wrote to memory of 2544 1188 bbbhtn.exe 85 PID 1188 wrote to memory of 2544 1188 bbbhtn.exe 85 PID 1188 wrote to memory of 2544 1188 bbbhtn.exe 85 PID 2544 wrote to memory of 2160 2544 666424.exe 86 PID 2544 wrote to memory of 2160 2544 666424.exe 86 PID 2544 wrote to memory of 2160 2544 666424.exe 86 PID 2160 wrote to memory of 3264 2160 4882662.exe 87 PID 2160 wrote to memory of 3264 2160 4882662.exe 87 PID 2160 wrote to memory of 3264 2160 4882662.exe 87 PID 3264 wrote to memory of 5028 3264 vvjjp.exe 88 PID 3264 wrote to memory of 5028 3264 vvjjp.exe 88 PID 3264 wrote to memory of 5028 3264 vvjjp.exe 88 PID 5028 wrote to memory of 3956 5028 8480088.exe 89 PID 5028 wrote to memory of 3956 5028 8480088.exe 89 PID 5028 wrote to memory of 3956 5028 8480088.exe 89 PID 3956 wrote to memory of 5072 3956 pjddd.exe 90 PID 3956 wrote to memory of 5072 3956 pjddd.exe 90 PID 3956 wrote to memory of 5072 3956 pjddd.exe 90 PID 5072 wrote to memory of 4016 5072 4826880.exe 91 PID 5072 wrote to memory of 4016 5072 
4826880.exe 91 PID 5072 wrote to memory of 4016 5072 4826880.exe 91 PID 4016 wrote to memory of 396 4016 rlfffff.exe 92 PID 4016 wrote to memory of 396 4016 rlfffff.exe 92 PID 4016 wrote to memory of 396 4016 rlfffff.exe 92 PID 396 wrote to memory of 1460 396 djvvj.exe 93 PID 396 wrote to memory of 1460 396 djvvj.exe 93 PID 396 wrote to memory of 1460 396 djvvj.exe 93 PID 1460 wrote to memory of 2892 1460 66682.exe 94 PID 1460 wrote to memory of 2892 1460 66682.exe 94 PID 1460 wrote to memory of 2892 1460 66682.exe 94 PID 2892 wrote to memory of 2184 2892 jdjpj.exe 95 PID 2892 wrote to memory of 2184 2892 jdjpj.exe 95 PID 2892 wrote to memory of 2184 2892 jdjpj.exe 95 PID 2184 wrote to memory of 264 2184 6022840.exe 96 PID 2184 wrote to memory of 264 2184 6022840.exe 96 PID 2184 wrote to memory of 264 2184 6022840.exe 96 PID 264 wrote to memory of 244 264 xlxflll.exe 97 PID 264 wrote to memory of 244 264 xlxflll.exe 97 PID 264 wrote to memory of 244 264 xlxflll.exe 97 PID 244 wrote to memory of 2644 244 4424068.exe 98 PID 244 wrote to memory of 2644 244 4424068.exe 98 PID 244 wrote to memory of 2644 244 4424068.exe 98 PID 2644 wrote to memory of 4532 2644 xlrlllr.exe 99 PID 2644 wrote to memory of 4532 2644 xlrlllr.exe 99 PID 2644 wrote to memory of 4532 2644 xlrlllr.exe 99 PID 4532 wrote to memory of 1944 4532 2242686.exe 100 PID 4532 wrote to memory of 1944 4532 2242686.exe 100 PID 4532 wrote to memory of 1944 4532 2242686.exe 100 PID 1944 wrote to memory of 3480 1944 24044.exe 101 PID 1944 wrote to memory of 3480 1944 24044.exe 101 PID 1944 wrote to memory of 3480 1944 24044.exe 101 PID 3480 wrote to memory of 3644 3480 6046046.exe 102 PID 3480 wrote to memory of 3644 3480 6046046.exe 102 PID 3480 wrote to memory of 3644 3480 6046046.exe 102 PID 3644 wrote to memory of 1984 3644 thnnbn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7e491917a08bebbcc0b2d1ddfa1f99c3d41cde96cd2cbb801d0c0c839fcf1e18.exe"C:\Users\Admin\AppData\Local\Temp\7e491917a08bebbcc0b2d1ddfa1f99c3d41cde96cd2cbb801d0c0c839fcf1e18.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\0668064.exec:\0668064.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\2868446.exec:\2868446.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\bbbhtn.exec:\bbbhtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\666424.exec:\666424.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\4882662.exec:\4882662.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\vvjjp.exec:\vvjjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\8480088.exec:\8480088.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\pjddd.exec:\pjddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\4826880.exec:\4826880.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\rlfffff.exec:\rlfffff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\djvvj.exec:\djvvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\66682.exec:\66682.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\jdjpj.exec:\jdjpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\6022840.exec:\6022840.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\xlxflll.exec:\xlxflll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\4424068.exec:\4424068.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\xlrlllr.exec:\xlrlllr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\2242686.exec:\2242686.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\24044.exec:\24044.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\6046046.exec:\6046046.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\thnnbn.exec:\thnnbn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\84664.exec:\84664.exe23⤵
- Executes dropped EXE
PID:1984 -
\??\c:\xxxrrrf.exec:\xxxrrrf.exe24⤵
- Executes dropped EXE
PID:1500 -
\??\c:\226266.exec:\226266.exe25⤵
- Executes dropped EXE
PID:4292 -
\??\c:\xxrllrl.exec:\xxrllrl.exe26⤵
- Executes dropped EXE
PID:4280 -
\??\c:\0286008.exec:\0286008.exe27⤵
- Executes dropped EXE
PID:2188 -
\??\c:\m6822.exec:\m6822.exe28⤵
- Executes dropped EXE
PID:4268 -
\??\c:\4862286.exec:\4862286.exe29⤵
- Executes dropped EXE
PID:3428 -
\??\c:\8022480.exec:\8022480.exe30⤵
- Executes dropped EXE
PID:2216 -
\??\c:\8002008.exec:\8002008.exe31⤵
- Executes dropped EXE
PID:3584 -
\??\c:\rrxxrfr.exec:\rrxxrfr.exe32⤵
- Executes dropped EXE
PID:3364 -
\??\c:\5pvvp.exec:\5pvvp.exe33⤵
- Executes dropped EXE
PID:3664 -
\??\c:\848422.exec:\848422.exe34⤵
- Executes dropped EXE
PID:5048 -
\??\c:\24808.exec:\24808.exe35⤵
- Executes dropped EXE
PID:1792 -
\??\c:\04824.exec:\04824.exe36⤵
- Executes dropped EXE
PID:3288 -
\??\c:\nnbthh.exec:\nnbthh.exe37⤵
- Executes dropped EXE
PID:4460 -
\??\c:\xfxlfrf.exec:\xfxlfrf.exe38⤵
- Executes dropped EXE
PID:1092 -
\??\c:\48060.exec:\48060.exe39⤵
- Executes dropped EXE
PID:932 -
\??\c:\488888.exec:\488888.exe40⤵
- Executes dropped EXE
PID:2036 -
\??\c:\9dvjv.exec:\9dvjv.exe41⤵
- Executes dropped EXE
PID:4992 -
\??\c:\ttthtn.exec:\ttthtn.exe42⤵
- Executes dropped EXE
PID:884 -
\??\c:\jvjvd.exec:\jvjvd.exe43⤵
- Executes dropped EXE
PID:1384 -
\??\c:\468822.exec:\468822.exe44⤵
- Executes dropped EXE
PID:3384 -
\??\c:\dppdd.exec:\dppdd.exe45⤵
- Executes dropped EXE
PID:4600 -
\??\c:\rxfffrl.exec:\rxfffrl.exe46⤵
- Executes dropped EXE
PID:4140 -
\??\c:\0888824.exec:\0888824.exe47⤵
- Executes dropped EXE
PID:4420 -
\??\c:\dvjdd.exec:\dvjdd.exe48⤵
- Executes dropped EXE
PID:3960 -
\??\c:\lrrrflf.exec:\lrrrflf.exe49⤵
- Executes dropped EXE
PID:344 -
\??\c:\8844888.exec:\8844888.exe50⤵
- Executes dropped EXE
PID:3860 -
\??\c:\8802486.exec:\8802486.exe51⤵
- Executes dropped EXE
PID:3636 -
\??\c:\hhbttb.exec:\hhbttb.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1540 -
\??\c:\jdddj.exec:\jdddj.exe53⤵
- Executes dropped EXE
PID:748 -
\??\c:\404428.exec:\404428.exe54⤵
- Executes dropped EXE
PID:3952 -
\??\c:\840022.exec:\840022.exe55⤵
- Executes dropped EXE
PID:3572 -
\??\c:\lrfxlxx.exec:\lrfxlxx.exe56⤵
- Executes dropped EXE
PID:2884 -
\??\c:\xxrfrlf.exec:\xxrfrlf.exe57⤵
- Executes dropped EXE
PID:560 -
\??\c:\44648.exec:\44648.exe58⤵
- Executes dropped EXE
PID:1376 -
\??\c:\0866480.exec:\0866480.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408 -
\??\c:\llrxrrf.exec:\llrxrrf.exe60⤵
- Executes dropped EXE
PID:1824 -
\??\c:\frrrrrr.exec:\frrrrrr.exe61⤵
- Executes dropped EXE
PID:5016 -
\??\c:\hnbnnh.exec:\hnbnnh.exe62⤵
- Executes dropped EXE
PID:1876 -
\??\c:\200688.exec:\200688.exe63⤵
- Executes dropped EXE
PID:4748 -
\??\c:\g8488.exec:\g8488.exe64⤵
- Executes dropped EXE
PID:1828 -
\??\c:\26422.exec:\26422.exe65⤵
- Executes dropped EXE
PID:4916 -
\??\c:\jpdjd.exec:\jpdjd.exe66⤵PID:2208
-
\??\c:\htnbht.exec:\htnbht.exe67⤵PID:2556
-
\??\c:\thnbhh.exec:\thnbhh.exe68⤵PID:1112
-
\??\c:\jppdp.exec:\jppdp.exe69⤵PID:3648
-
\??\c:\jjvdd.exec:\jjvdd.exe70⤵PID:3296
-
\??\c:\hbtttt.exec:\hbtttt.exe71⤵PID:2876
-
\??\c:\vjjdp.exec:\vjjdp.exe72⤵PID:2576
-
\??\c:\nbnbbb.exec:\nbnbbb.exe73⤵PID:2740
-
\??\c:\4088842.exec:\4088842.exe74⤵PID:1744
-
\??\c:\ntnttt.exec:\ntnttt.exe75⤵PID:4016
-
\??\c:\ffrlrfr.exec:\ffrlrfr.exe76⤵PID:1096
-
\??\c:\k22840.exec:\k22840.exe77⤵PID:4256
-
\??\c:\rrflfxl.exec:\rrflfxl.exe78⤵PID:3500
-
\??\c:\2622486.exec:\2622486.exe79⤵PID:2016
-
\??\c:\jjjjd.exec:\jjjjd.exe80⤵PID:776
-
\??\c:\djpvv.exec:\djpvv.exe81⤵PID:456
-
\??\c:\04608.exec:\04608.exe82⤵PID:3668
-
\??\c:\64464.exec:\64464.exe83⤵PID:3480
-
\??\c:\0466248.exec:\0466248.exe84⤵PID:3980
-
\??\c:\008206.exec:\008206.exe85⤵PID:4312
-
\??\c:\xrrlflx.exec:\xrrlflx.exe86⤵PID:5092
-
\??\c:\80206.exec:\80206.exe87⤵PID:3560
-
\??\c:\bnnhnn.exec:\bnnhnn.exe88⤵PID:2172
-
\??\c:\bnttbh.exec:\bnttbh.exe89⤵PID:3180
-
\??\c:\44422.exec:\44422.exe90⤵PID:1476
-
\??\c:\xfffxxx.exec:\xfffxxx.exe91⤵PID:2188
-
\??\c:\g2826.exec:\g2826.exe92⤵PID:4696
-
\??\c:\4660240.exec:\4660240.exe93⤵PID:1240
-
\??\c:\pdddv.exec:\pdddv.exe94⤵PID:4296
-
\??\c:\hhtntt.exec:\hhtntt.exe95⤵PID:1364
-
\??\c:\28624.exec:\28624.exe96⤵PID:3544
-
\??\c:\9xlxlxr.exec:\9xlxlxr.exe97⤵PID:4012
-
\??\c:\pdjvv.exec:\pdjvv.exe98⤵PID:4128
-
\??\c:\jdjjp.exec:\jdjjp.exe99⤵PID:3964
-
\??\c:\c022844.exec:\c022844.exe100⤵PID:3804
-
\??\c:\bbntht.exec:\bbntht.exe101⤵PID:4536
-
\??\c:\06826.exec:\06826.exe102⤵PID:2420
-
\??\c:\048044.exec:\048044.exe103⤵PID:2604
-
\??\c:\nnhbnn.exec:\nnhbnn.exe104⤵PID:4904
-
\??\c:\hbnntn.exec:\hbnntn.exe105⤵PID:3408
-
\??\c:\dvvjd.exec:\dvvjd.exe106⤵PID:4708
-
\??\c:\9nhhhh.exec:\9nhhhh.exe107⤵PID:3132
-
\??\c:\886000.exec:\886000.exe108⤵
- System Location Discovery: System Language Discovery
PID:3608 -
\??\c:\48444.exec:\48444.exe109⤵PID:1244
-
\??\c:\tthbhh.exec:\tthbhh.exe110⤵PID:2888
-
\??\c:\lxllrxf.exec:\lxllrxf.exe111⤵PID:1392
-
\??\c:\06284.exec:\06284.exe112⤵PID:3328
-
\??\c:\s0424.exec:\s0424.exe113⤵PID:2596
-
\??\c:\46222.exec:\46222.exe114⤵PID:4788
-
\??\c:\82448.exec:\82448.exe115⤵PID:3972
-
\??\c:\820444.exec:\820444.exe116⤵PID:1960
-
\??\c:\ttbbhh.exec:\ttbbhh.exe117⤵PID:4528
-
\??\c:\g0266.exec:\g0266.exe118⤵PID:2784
-
\??\c:\tbbbtb.exec:\tbbbtb.exe119⤵PID:3516
-
\??\c:\dvpjv.exec:\dvpjv.exe120⤵PID:2372
-
\??\c:\s0004.exec:\s0004.exe121⤵PID:1540
-
\??\c:\jdddd.exec:\jdddd.exe122⤵PID:4416