Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25/11/2024, 23:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7ccaf8e3da3a9477abcae1c950355fba0f1e4d7b78484b101c8d5d61316784f0.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
7ccaf8e3da3a9477abcae1c950355fba0f1e4d7b78484b101c8d5d61316784f0.exe
-
Size
452KB
-
MD5
0252144d2335949454dcf3c267877070
-
SHA1
94c719b9d11afb0ee84a91a4aeca628775927f5c
-
SHA256
7ccaf8e3da3a9477abcae1c950355fba0f1e4d7b78484b101c8d5d61316784f0
-
SHA512
94be7f71c3eedafef0c18e30a3a97134d040f1807b95b9cb2eff87ac8bcbe2b3672858d716dfd8254a9b6a84daacf58c3d646dd89c59834c1a77d98e7e6731df
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2304-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3668-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3884-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-1616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1872-1704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3912 s8860.exe 4188 s8286.exe 412 vdppd.exe 2872 0404208.exe 1032 2080626.exe 5100 tntntn.exe 372 624008.exe 4152 60660.exe 2368 rxfxrlf.exe 2772 6462288.exe 1904 068846.exe 744 ddppv.exe 2944 fxffxff.exe 2768 440004.exe 4908 bbhhtt.exe 2916 tbttnh.exe 4708 68402.exe 1508 0482222.exe 4728 206840.exe 4464 hnnhhb.exe 3036 tthhhb.exe 1636 u640644.exe 4856 1flfrll.exe 4052 84666.exe 3420 llfflfl.exe 3668 9ntthn.exe 2160 llllffr.exe 3832 0688660.exe 3176 08000.exe 2276 hbbtnh.exe 1816 flxllxx.exe 3020 66824.exe 1496 2804808.exe 1536 2062086.exe 2020 46660.exe 4568 pjjpp.exe 3308 bhtbht.exe 924 pvpvd.exe 3428 jjddj.exe 1972 htnnbb.exe 4880 228200.exe 4672 btbbnn.exe 64 242446.exe 3896 bhtbnb.exe 3984 flrlfxr.exe 2800 rflfrrf.exe 3888 7dvpj.exe 4428 7thbnh.exe 3396 hbhbhh.exe 1156 0804844.exe 3860 0888444.exe 1036 7rrlfff.exe 4444 dpjjv.exe 3596 lfflxlx.exe 456 lxffxxr.exe 2832 xfrxfrr.exe 1668 jjpvj.exe 1700 thbthh.exe 920 ppjpj.exe 4540 hhhtnh.exe 4576 620660.exe 3540 8626848.exe 3792 7vvpj.exe 2368 8408086.exe -
resource yara_rule behavioral2/memory/2304-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-143-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3668-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2160-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-735-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4666482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i202480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0826600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2304 wrote to memory of 3912 2304 7ccaf8e3da3a9477abcae1c950355fba0f1e4d7b78484b101c8d5d61316784f0.exe 84 PID 2304 wrote to memory of 3912 2304 7ccaf8e3da3a9477abcae1c950355fba0f1e4d7b78484b101c8d5d61316784f0.exe 84 PID 2304 wrote to memory of 3912 2304 7ccaf8e3da3a9477abcae1c950355fba0f1e4d7b78484b101c8d5d61316784f0.exe 84 PID 3912 wrote to memory of 4188 3912 s8860.exe 85 PID 3912 wrote to memory of 4188 3912 s8860.exe 85 PID 3912 wrote to memory of 4188 3912 s8860.exe 85 PID 4188 wrote to memory of 412 4188 s8286.exe 86 PID 4188 wrote to memory of 412 4188 s8286.exe 86 PID 4188 wrote to memory of 412 4188 s8286.exe 86 PID 412 wrote to memory of 2872 412 vdppd.exe 87 PID 412 wrote to memory of 2872 412 vdppd.exe 87 PID 412 wrote to memory of 2872 412 vdppd.exe 87 PID 2872 wrote to memory of 1032 2872 0404208.exe 88 PID 2872 wrote to memory of 1032 2872 0404208.exe 88 PID 2872 wrote to memory of 1032 2872 0404208.exe 88 PID 1032 wrote to memory of 5100 1032 2080626.exe 89 PID 1032 wrote to memory of 5100 1032 2080626.exe 89 PID 1032 wrote to memory of 5100 1032 2080626.exe 89 PID 5100 wrote to memory of 372 5100 tntntn.exe 90 PID 5100 wrote to memory of 372 5100 tntntn.exe 90 PID 5100 wrote to memory of 372 5100 tntntn.exe 90 PID 372 wrote to memory of 4152 372 624008.exe 91 PID 372 wrote to memory of 4152 372 624008.exe 91 PID 372 wrote to memory of 4152 372 624008.exe 91 PID 4152 wrote to memory of 2368 4152 60660.exe 92 PID 4152 wrote to memory of 2368 4152 60660.exe 92 PID 4152 wrote to memory of 2368 4152 60660.exe 92 PID 2368 wrote to memory of 2772 2368 rxfxrlf.exe 93 PID 2368 wrote to memory of 2772 2368 rxfxrlf.exe 93 PID 2368 wrote to memory of 2772 2368 rxfxrlf.exe 93 PID 2772 wrote to memory of 1904 2772 6462288.exe 94 PID 2772 wrote to memory of 1904 2772 6462288.exe 94 PID 2772 wrote to memory of 1904 2772 6462288.exe 94 PID 1904 wrote to memory of 744 1904 068846.exe 95 PID 1904 wrote to memory of 744 1904 
068846.exe 95 PID 1904 wrote to memory of 744 1904 068846.exe 95 PID 744 wrote to memory of 2944 744 ddppv.exe 96 PID 744 wrote to memory of 2944 744 ddppv.exe 96 PID 744 wrote to memory of 2944 744 ddppv.exe 96 PID 2944 wrote to memory of 2768 2944 fxffxff.exe 97 PID 2944 wrote to memory of 2768 2944 fxffxff.exe 97 PID 2944 wrote to memory of 2768 2944 fxffxff.exe 97 PID 2768 wrote to memory of 4908 2768 440004.exe 98 PID 2768 wrote to memory of 4908 2768 440004.exe 98 PID 2768 wrote to memory of 4908 2768 440004.exe 98 PID 4908 wrote to memory of 2916 4908 bbhhtt.exe 99 PID 4908 wrote to memory of 2916 4908 bbhhtt.exe 99 PID 4908 wrote to memory of 2916 4908 bbhhtt.exe 99 PID 2916 wrote to memory of 4708 2916 tbttnh.exe 100 PID 2916 wrote to memory of 4708 2916 tbttnh.exe 100 PID 2916 wrote to memory of 4708 2916 tbttnh.exe 100 PID 4708 wrote to memory of 1508 4708 68402.exe 101 PID 4708 wrote to memory of 1508 4708 68402.exe 101 PID 4708 wrote to memory of 1508 4708 68402.exe 101 PID 1508 wrote to memory of 4728 1508 0482222.exe 102 PID 1508 wrote to memory of 4728 1508 0482222.exe 102 PID 1508 wrote to memory of 4728 1508 0482222.exe 102 PID 4728 wrote to memory of 4464 4728 206840.exe 103 PID 4728 wrote to memory of 4464 4728 206840.exe 103 PID 4728 wrote to memory of 4464 4728 206840.exe 103 PID 4464 wrote to memory of 3036 4464 hnnhhb.exe 104 PID 4464 wrote to memory of 3036 4464 hnnhhb.exe 104 PID 4464 wrote to memory of 3036 4464 hnnhhb.exe 104 PID 3036 wrote to memory of 1636 3036 tthhhb.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ccaf8e3da3a9477abcae1c950355fba0f1e4d7b78484b101c8d5d61316784f0.exe"C:\Users\Admin\AppData\Local\Temp\7ccaf8e3da3a9477abcae1c950355fba0f1e4d7b78484b101c8d5d61316784f0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\s8860.exec:\s8860.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\s8286.exec:\s8286.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\vdppd.exec:\vdppd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\0404208.exec:\0404208.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\2080626.exec:\2080626.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\tntntn.exec:\tntntn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\624008.exec:\624008.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\60660.exec:\60660.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\6462288.exec:\6462288.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\068846.exec:\068846.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\ddppv.exec:\ddppv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\fxffxff.exec:\fxffxff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\440004.exec:\440004.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\bbhhtt.exec:\bbhhtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\tbttnh.exec:\tbttnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\68402.exec:\68402.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\0482222.exec:\0482222.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\206840.exec:\206840.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\hnnhhb.exec:\hnnhhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\tthhhb.exec:\tthhhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\u640644.exec:\u640644.exe23⤵
- Executes dropped EXE
PID:1636 -
\??\c:\1flfrll.exec:\1flfrll.exe24⤵
- Executes dropped EXE
PID:4856 -
\??\c:\84666.exec:\84666.exe25⤵
- Executes dropped EXE
PID:4052 -
\??\c:\llfflfl.exec:\llfflfl.exe26⤵
- Executes dropped EXE
PID:3420 -
\??\c:\9ntthn.exec:\9ntthn.exe27⤵
- Executes dropped EXE
PID:3668 -
\??\c:\llllffr.exec:\llllffr.exe28⤵
- Executes dropped EXE
PID:2160 -
\??\c:\0688660.exec:\0688660.exe29⤵
- Executes dropped EXE
PID:3832 -
\??\c:\08000.exec:\08000.exe30⤵
- Executes dropped EXE
PID:3176 -
\??\c:\hbbtnh.exec:\hbbtnh.exe31⤵
- Executes dropped EXE
PID:2276 -
\??\c:\flxllxx.exec:\flxllxx.exe32⤵
- Executes dropped EXE
PID:1816 -
\??\c:\66824.exec:\66824.exe33⤵
- Executes dropped EXE
PID:3020 -
\??\c:\2804808.exec:\2804808.exe34⤵
- Executes dropped EXE
PID:1496 -
\??\c:\2062086.exec:\2062086.exe35⤵
- Executes dropped EXE
PID:1536 -
\??\c:\46660.exec:\46660.exe36⤵
- Executes dropped EXE
PID:2020 -
\??\c:\pjjpp.exec:\pjjpp.exe37⤵
- Executes dropped EXE
PID:4568 -
\??\c:\bhtbht.exec:\bhtbht.exe38⤵
- Executes dropped EXE
PID:3308 -
\??\c:\pvpvd.exec:\pvpvd.exe39⤵
- Executes dropped EXE
PID:924 -
\??\c:\jjddj.exec:\jjddj.exe40⤵
- Executes dropped EXE
PID:3428 -
\??\c:\htnnbb.exec:\htnnbb.exe41⤵
- Executes dropped EXE
PID:1972 -
\??\c:\228200.exec:\228200.exe42⤵
- Executes dropped EXE
PID:4880 -
\??\c:\btbbnn.exec:\btbbnn.exe43⤵
- Executes dropped EXE
PID:4672 -
\??\c:\242446.exec:\242446.exe44⤵
- Executes dropped EXE
PID:64 -
\??\c:\bhtbnb.exec:\bhtbnb.exe45⤵
- Executes dropped EXE
PID:3896 -
\??\c:\flrlfxr.exec:\flrlfxr.exe46⤵
- Executes dropped EXE
PID:3984 -
\??\c:\rflfrrf.exec:\rflfrrf.exe47⤵
- Executes dropped EXE
PID:2800 -
\??\c:\7dvpj.exec:\7dvpj.exe48⤵
- Executes dropped EXE
PID:3888 -
\??\c:\7thbnh.exec:\7thbnh.exe49⤵
- Executes dropped EXE
PID:4428 -
\??\c:\hbhbhh.exec:\hbhbhh.exe50⤵
- Executes dropped EXE
PID:3396 -
\??\c:\0804844.exec:\0804844.exe51⤵
- Executes dropped EXE
PID:1156 -
\??\c:\0888444.exec:\0888444.exe52⤵
- Executes dropped EXE
PID:3860 -
\??\c:\7rrlfff.exec:\7rrlfff.exe53⤵
- Executes dropped EXE
PID:1036 -
\??\c:\dpjjv.exec:\dpjjv.exe54⤵
- Executes dropped EXE
PID:4444 -
\??\c:\lfflxlx.exec:\lfflxlx.exe55⤵
- Executes dropped EXE
PID:3596 -
\??\c:\lxffxxr.exec:\lxffxxr.exe56⤵
- Executes dropped EXE
PID:456 -
\??\c:\xfrxfrr.exec:\xfrxfrr.exe57⤵
- Executes dropped EXE
PID:2832 -
\??\c:\jjpvj.exec:\jjpvj.exe58⤵
- Executes dropped EXE
PID:1668 -
\??\c:\thbthh.exec:\thbthh.exe59⤵
- Executes dropped EXE
PID:1700 -
\??\c:\ppjpj.exec:\ppjpj.exe60⤵
- Executes dropped EXE
PID:920 -
\??\c:\hhhtnh.exec:\hhhtnh.exe61⤵
- Executes dropped EXE
PID:4540 -
\??\c:\620660.exec:\620660.exe62⤵
- Executes dropped EXE
PID:4576 -
\??\c:\8626848.exec:\8626848.exe63⤵
- Executes dropped EXE
PID:3540 -
\??\c:\7vvpj.exec:\7vvpj.exe64⤵
- Executes dropped EXE
PID:3792 -
\??\c:\8408086.exec:\8408086.exe65⤵
- Executes dropped EXE
PID:2368 -
\??\c:\w88282.exec:\w88282.exe66⤵PID:4420
-
\??\c:\8226004.exec:\8226004.exe67⤵PID:404
-
\??\c:\3xrrrrr.exec:\3xrrrrr.exe68⤵PID:400
-
\??\c:\6400444.exec:\6400444.exe69⤵PID:2608
-
\??\c:\rllfxxr.exec:\rllfxxr.exe70⤵PID:4844
-
\??\c:\46608.exec:\46608.exe71⤵PID:3456
-
\??\c:\jjvjv.exec:\jjvjv.exe72⤵PID:4072
-
\??\c:\8020482.exec:\8020482.exe73⤵PID:3000
-
\??\c:\04200.exec:\04200.exe74⤵PID:4660
-
\??\c:\nttnbh.exec:\nttnbh.exe75⤵PID:4688
-
\??\c:\846624.exec:\846624.exe76⤵PID:3884
-
\??\c:\hhhhbh.exec:\hhhhbh.exe77⤵PID:1728
-
\??\c:\246288.exec:\246288.exe78⤵PID:3552
-
\??\c:\620620.exec:\620620.exe79⤵PID:2344
-
\??\c:\08840.exec:\08840.exe80⤵PID:536
-
\??\c:\8624224.exec:\8624224.exe81⤵PID:4792
-
\??\c:\pvjjd.exec:\pvjjd.exe82⤵PID:1260
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe83⤵PID:2664
-
\??\c:\frlrfrf.exec:\frlrfrf.exe84⤵PID:2392
-
\??\c:\htbnhh.exec:\htbnhh.exe85⤵PID:3336
-
\??\c:\0288840.exec:\0288840.exe86⤵PID:3324
-
\??\c:\64004.exec:\64004.exe87⤵PID:4912
-
\??\c:\44046.exec:\44046.exe88⤵PID:3668
-
\??\c:\jjdjd.exec:\jjdjd.exe89⤵PID:2160
-
\??\c:\26048.exec:\26048.exe90⤵PID:3732
-
\??\c:\btbthn.exec:\btbthn.exe91⤵PID:4176
-
\??\c:\rffxxxf.exec:\rffxxxf.exe92⤵PID:4616
-
\??\c:\ntttth.exec:\ntttth.exe93⤵PID:2276
-
\??\c:\bbthnn.exec:\bbthnn.exe94⤵PID:332
-
\??\c:\0004066.exec:\0004066.exe95⤵PID:2224
-
\??\c:\xlxfflf.exec:\xlxfflf.exe96⤵PID:1496
-
\??\c:\6682660.exec:\6682660.exe97⤵PID:2572
-
\??\c:\80824.exec:\80824.exe98⤵PID:2172
-
\??\c:\8284440.exec:\8284440.exe99⤵PID:4044
-
\??\c:\9jddp.exec:\9jddp.exe100⤵PID:4088
-
\??\c:\thttbb.exec:\thttbb.exe101⤵PID:4628
-
\??\c:\2842266.exec:\2842266.exe102⤵PID:3868
-
\??\c:\224440.exec:\224440.exe103⤵PID:4116
-
\??\c:\846060.exec:\846060.exe104⤵PID:5036
-
\??\c:\fxxrllf.exec:\fxxrllf.exe105⤵PID:1972
-
\??\c:\6860888.exec:\6860888.exe106⤵PID:3068
-
\??\c:\bhhhhn.exec:\bhhhhn.exe107⤵PID:3924
-
\??\c:\64404.exec:\64404.exe108⤵PID:4868
-
\??\c:\lfllxrx.exec:\lfllxrx.exe109⤵PID:4948
-
\??\c:\86040.exec:\86040.exe110⤵PID:4816
-
\??\c:\5djdd.exec:\5djdd.exe111⤵PID:1644
-
\??\c:\8206260.exec:\8206260.exe112⤵PID:4532
-
\??\c:\840086.exec:\840086.exe113⤵PID:4636
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe114⤵PID:2304
-
\??\c:\008440.exec:\008440.exe115⤵PID:5028
-
\??\c:\44286.exec:\44286.exe116⤵PID:3936
-
\??\c:\04226.exec:\04226.exe117⤵PID:4360
-
\??\c:\040002.exec:\040002.exe118⤵PID:3484
-
\??\c:\e40668.exec:\e40668.exe119⤵PID:2292
-
\??\c:\7xxrlrl.exec:\7xxrlrl.exe120⤵PID:932
-
\??\c:\266488.exec:\266488.exe121⤵PID:4340
-
\??\c:\fflrfff.exec:\fflrfff.exe122⤵PID:4480
-