Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 23:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe
-
Size
454KB
-
MD5
cc0c065724488972a1c8f1f2e000515b
-
SHA1
4bd38c74608cc853bbe577e0e1f0a55f7669cd6a
-
SHA256
820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857
-
SHA512
74bb2aa94c3d20617ae03a709362ccee1bb1f7a36359c599bbeb66ecbdc07eef806a1b43a080eae6302219e4bd747734e3b49bda17bbb51193ef5e525919e5b0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4216-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4676-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2436-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-840-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-929-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4216 08644.exe 2416 6666448.exe 4516 jddpj.exe 1976 e40040.exe 2116 rfflffx.exe 1480 2600880.exe 4068 82660.exe 3480 24482.exe 2980 4686886.exe 3028 s0004.exe 3108 006664.exe 996 26044.exe 4284 86044.exe 1004 3hhbtt.exe 2828 8682662.exe 4740 62082.exe 5016 5nttnh.exe 3504 4402420.exe 404 48860.exe 1784 ttbttt.exe 4676 pjjjd.exe 656 hnnhbt.exe 3856 frxxrfx.exe 4820 6200400.exe 5112 866044.exe 2456 ppvvd.exe 3884 hnnhhh.exe 2988 dpvvp.exe 3440 800608.exe 5028 482288.exe 4772 c622626.exe 1088 2282644.exe 4032 frxrffx.exe 2248 4448226.exe 1312 e02000.exe 2844 4224888.exe 3696 84048.exe 3460 4800262.exe 3572 00266.exe 4276 o220600.exe 2428 q22228.exe 4968 400600.exe 1684 jjddv.exe 2412 llxrxxf.exe 2320 828680.exe 1464 rxrllll.exe 2968 vpdvd.exe 3024 jvjdv.exe 4872 402660.exe 4476 hnnbbn.exe 3340 jpvvp.exe 2528 828480.exe 3916 rlfxlll.exe 1328 hbnnbt.exe 4932 bnnhht.exe 3108 vpjdv.exe 2896 02084.exe 2576 2640604.exe 872 6406662.exe 4604 0022282.exe 2952 80248.exe 1972 thnhbh.exe 1436 jvddp.exe 4904 jdvdd.exe -
resource yara_rule behavioral2/memory/4216-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-132-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/656-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-312-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2156-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-610-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 288282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8848222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6888826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0626622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2872 wrote to memory of 4216 2872 820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe 82 PID 2872 wrote to memory of 4216 2872 820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe 82 PID 2872 wrote to memory of 4216 2872 820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe 82 PID 4216 wrote to memory of 2416 4216 08644.exe 83 PID 4216 wrote to memory of 2416 4216 08644.exe 83 PID 4216 wrote to memory of 2416 4216 08644.exe 83 PID 2416 wrote to memory of 4516 2416 6666448.exe 84 PID 2416 wrote to memory of 4516 2416 6666448.exe 84 PID 2416 wrote to memory of 4516 2416 6666448.exe 84 PID 4516 wrote to memory of 1976 4516 jddpj.exe 85 PID 4516 wrote to memory of 1976 4516 jddpj.exe 85 PID 4516 wrote to memory of 1976 4516 jddpj.exe 85 PID 1976 wrote to memory of 2116 1976 e40040.exe 86 PID 1976 wrote to memory of 2116 1976 e40040.exe 86 PID 1976 wrote to memory of 2116 1976 e40040.exe 86 PID 2116 wrote to memory of 1480 2116 rfflffx.exe 87 PID 2116 wrote to memory of 1480 2116 rfflffx.exe 87 PID 2116 wrote to memory of 1480 2116 rfflffx.exe 87 PID 1480 wrote to memory of 4068 1480 2600880.exe 88 PID 1480 wrote to memory of 4068 1480 2600880.exe 88 PID 1480 wrote to memory of 4068 1480 2600880.exe 88 PID 4068 wrote to memory of 3480 4068 82660.exe 89 PID 4068 wrote to memory of 3480 4068 82660.exe 89 PID 4068 wrote to memory of 3480 4068 82660.exe 89 PID 3480 wrote to memory of 2980 3480 24482.exe 90 PID 3480 wrote to memory of 2980 3480 24482.exe 90 PID 3480 wrote to memory of 2980 3480 24482.exe 90 PID 2980 wrote to memory of 3028 2980 4686886.exe 91 PID 2980 wrote to memory of 3028 2980 4686886.exe 91 PID 2980 wrote to memory of 3028 2980 4686886.exe 91 PID 3028 wrote to memory of 3108 3028 s0004.exe 92 PID 3028 wrote to memory of 3108 3028 s0004.exe 92 PID 3028 wrote to memory of 3108 3028 s0004.exe 92 PID 3108 wrote to memory of 996 3108 006664.exe 93 PID 3108 wrote to 
memory of 996 3108 006664.exe 93 PID 3108 wrote to memory of 996 3108 006664.exe 93 PID 996 wrote to memory of 4284 996 26044.exe 94 PID 996 wrote to memory of 4284 996 26044.exe 94 PID 996 wrote to memory of 4284 996 26044.exe 94 PID 4284 wrote to memory of 1004 4284 86044.exe 95 PID 4284 wrote to memory of 1004 4284 86044.exe 95 PID 4284 wrote to memory of 1004 4284 86044.exe 95 PID 1004 wrote to memory of 2828 1004 3hhbtt.exe 96 PID 1004 wrote to memory of 2828 1004 3hhbtt.exe 96 PID 1004 wrote to memory of 2828 1004 3hhbtt.exe 96 PID 2828 wrote to memory of 4740 2828 8682662.exe 97 PID 2828 wrote to memory of 4740 2828 8682662.exe 97 PID 2828 wrote to memory of 4740 2828 8682662.exe 97 PID 4740 wrote to memory of 5016 4740 62082.exe 98 PID 4740 wrote to memory of 5016 4740 62082.exe 98 PID 4740 wrote to memory of 5016 4740 62082.exe 98 PID 5016 wrote to memory of 3504 5016 5nttnh.exe 99 PID 5016 wrote to memory of 3504 5016 5nttnh.exe 99 PID 5016 wrote to memory of 3504 5016 5nttnh.exe 99 PID 3504 wrote to memory of 404 3504 4402420.exe 100 PID 3504 wrote to memory of 404 3504 4402420.exe 100 PID 3504 wrote to memory of 404 3504 4402420.exe 100 PID 404 wrote to memory of 1784 404 48860.exe 101 PID 404 wrote to memory of 1784 404 48860.exe 101 PID 404 wrote to memory of 1784 404 48860.exe 101 PID 1784 wrote to memory of 4676 1784 ttbttt.exe 102 PID 1784 wrote to memory of 4676 1784 ttbttt.exe 102 PID 1784 wrote to memory of 4676 1784 ttbttt.exe 102 PID 4676 wrote to memory of 656 4676 pjjjd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe"C:\Users\Admin\AppData\Local\Temp\820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\08644.exec:\08644.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\6666448.exec:\6666448.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\jddpj.exec:\jddpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\e40040.exec:\e40040.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\rfflffx.exec:\rfflffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\2600880.exec:\2600880.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\82660.exec:\82660.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\24482.exec:\24482.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\4686886.exec:\4686886.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\s0004.exec:\s0004.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\006664.exec:\006664.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\26044.exec:\26044.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\86044.exec:\86044.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\3hhbtt.exec:\3hhbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\8682662.exec:\8682662.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\62082.exec:\62082.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\5nttnh.exec:\5nttnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\4402420.exec:\4402420.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\48860.exec:\48860.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\ttbttt.exec:\ttbttt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\pjjjd.exec:\pjjjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\hnnhbt.exec:\hnnhbt.exe23⤵
- Executes dropped EXE
PID:656 -
\??\c:\frxxrfx.exec:\frxxrfx.exe24⤵
- Executes dropped EXE
PID:3856 -
\??\c:\6200400.exec:\6200400.exe25⤵
- Executes dropped EXE
PID:4820 -
\??\c:\866044.exec:\866044.exe26⤵
- Executes dropped EXE
PID:5112 -
\??\c:\ppvvd.exec:\ppvvd.exe27⤵
- Executes dropped EXE
PID:2456 -
\??\c:\hnnhhh.exec:\hnnhhh.exe28⤵
- Executes dropped EXE
PID:3884 -
\??\c:\dpvvp.exec:\dpvvp.exe29⤵
- Executes dropped EXE
PID:2988 -
\??\c:\800608.exec:\800608.exe30⤵
- Executes dropped EXE
PID:3440 -
\??\c:\482288.exec:\482288.exe31⤵
- Executes dropped EXE
PID:5028 -
\??\c:\c622626.exec:\c622626.exe32⤵
- Executes dropped EXE
PID:4772 -
\??\c:\2282644.exec:\2282644.exe33⤵
- Executes dropped EXE
PID:1088 -
\??\c:\frxrffx.exec:\frxrffx.exe34⤵
- Executes dropped EXE
PID:4032 -
\??\c:\4448226.exec:\4448226.exe35⤵
- Executes dropped EXE
PID:2248 -
\??\c:\e02000.exec:\e02000.exe36⤵
- Executes dropped EXE
PID:1312 -
\??\c:\4224888.exec:\4224888.exe37⤵
- Executes dropped EXE
PID:2844 -
\??\c:\84048.exec:\84048.exe38⤵
- Executes dropped EXE
PID:3696 -
\??\c:\4800262.exec:\4800262.exe39⤵
- Executes dropped EXE
PID:3460 -
\??\c:\00266.exec:\00266.exe40⤵
- Executes dropped EXE
PID:3572 -
\??\c:\o220600.exec:\o220600.exe41⤵
- Executes dropped EXE
PID:4276 -
\??\c:\q22228.exec:\q22228.exe42⤵
- Executes dropped EXE
PID:2428 -
\??\c:\400600.exec:\400600.exe43⤵
- Executes dropped EXE
PID:4968 -
\??\c:\jjddv.exec:\jjddv.exe44⤵
- Executes dropped EXE
PID:1684 -
\??\c:\llxrxxf.exec:\llxrxxf.exe45⤵
- Executes dropped EXE
PID:2412 -
\??\c:\828680.exec:\828680.exe46⤵
- Executes dropped EXE
PID:2320 -
\??\c:\rxrllll.exec:\rxrllll.exe47⤵
- Executes dropped EXE
PID:1464 -
\??\c:\vpdvd.exec:\vpdvd.exe48⤵
- Executes dropped EXE
PID:2968 -
\??\c:\jvjdv.exec:\jvjdv.exe49⤵
- Executes dropped EXE
PID:3024 -
\??\c:\402660.exec:\402660.exe50⤵
- Executes dropped EXE
PID:4872 -
\??\c:\hnnbbn.exec:\hnnbbn.exe51⤵
- Executes dropped EXE
PID:4476 -
\??\c:\jpvvp.exec:\jpvvp.exe52⤵
- Executes dropped EXE
PID:3340 -
\??\c:\828480.exec:\828480.exe53⤵
- Executes dropped EXE
PID:2528 -
\??\c:\rlfxlll.exec:\rlfxlll.exe54⤵
- Executes dropped EXE
PID:3916 -
\??\c:\hbnnbt.exec:\hbnnbt.exe55⤵
- Executes dropped EXE
PID:1328 -
\??\c:\bnnhht.exec:\bnnhht.exe56⤵
- Executes dropped EXE
PID:4932 -
\??\c:\vpjdv.exec:\vpjdv.exe57⤵
- Executes dropped EXE
PID:3108 -
\??\c:\02084.exec:\02084.exe58⤵
- Executes dropped EXE
PID:2896 -
\??\c:\2640604.exec:\2640604.exe59⤵
- Executes dropped EXE
PID:2576 -
\??\c:\6406662.exec:\6406662.exe60⤵
- Executes dropped EXE
PID:872 -
\??\c:\0022282.exec:\0022282.exe61⤵
- Executes dropped EXE
PID:4604 -
\??\c:\80248.exec:\80248.exe62⤵
- Executes dropped EXE
PID:2952 -
\??\c:\thnhbh.exec:\thnhbh.exe63⤵
- Executes dropped EXE
PID:1972 -
\??\c:\jvddp.exec:\jvddp.exe64⤵
- Executes dropped EXE
PID:1436 -
\??\c:\jdvdd.exec:\jdvdd.exe65⤵
- Executes dropped EXE
PID:4904 -
\??\c:\6028222.exec:\6028222.exe66⤵PID:3504
-
\??\c:\644466.exec:\644466.exe67⤵PID:2436
-
\??\c:\dddvv.exec:\dddvv.exe68⤵PID:4316
-
\??\c:\5vdvj.exec:\5vdvj.exe69⤵PID:2156
-
\??\c:\4426688.exec:\4426688.exe70⤵PID:4680
-
\??\c:\5lrlxll.exec:\5lrlxll.exe71⤵PID:3868
-
\??\c:\q46044.exec:\q46044.exe72⤵PID:1120
-
\??\c:\04826.exec:\04826.exe73⤵PID:3608
-
\??\c:\nhthhb.exec:\nhthhb.exe74⤵PID:2376
-
\??\c:\xlrrrrl.exec:\xlrrrrl.exe75⤵PID:3092
-
\??\c:\jjvpv.exec:\jjvpv.exe76⤵PID:4392
-
\??\c:\642266.exec:\642266.exe77⤵PID:2708
-
\??\c:\26660.exec:\26660.exe78⤵PID:4820
-
\??\c:\pjjjp.exec:\pjjjp.exe79⤵PID:920
-
\??\c:\llfxlrl.exec:\llfxlrl.exe80⤵PID:4116
-
\??\c:\fxffrrx.exec:\fxffrrx.exe81⤵PID:3392
-
\??\c:\0248266.exec:\0248266.exe82⤵PID:1648
-
\??\c:\tbtttt.exec:\tbtttt.exe83⤵PID:3884
-
\??\c:\644826.exec:\644826.exe84⤵PID:392
-
\??\c:\tttnhh.exec:\tttnhh.exe85⤵PID:1096
-
\??\c:\28082.exec:\28082.exe86⤵PID:3472
-
\??\c:\nnnnbh.exec:\nnnnbh.exe87⤵PID:1748
-
\??\c:\484864.exec:\484864.exe88⤵PID:436
-
\??\c:\6066448.exec:\6066448.exe89⤵PID:3268
-
\??\c:\7tnhbb.exec:\7tnhbb.exe90⤵PID:2452
-
\??\c:\82882.exec:\82882.exe91⤵PID:4588
-
\??\c:\206022.exec:\206022.exe92⤵PID:5108
-
\??\c:\680444.exec:\680444.exe93⤵PID:2248
-
\??\c:\484444.exec:\484444.exe94⤵PID:4504
-
\??\c:\0464848.exec:\0464848.exe95⤵PID:2844
-
\??\c:\048266.exec:\048266.exe96⤵PID:3780
-
\??\c:\26466.exec:\26466.exe97⤵PID:1508
-
\??\c:\5nhbtt.exec:\5nhbtt.exe98⤵PID:4288
-
\??\c:\280688.exec:\280688.exe99⤵PID:808
-
\??\c:\204666.exec:\204666.exe100⤵PID:3052
-
\??\c:\rxrfrfx.exec:\rxrfrfx.exe101⤵PID:3908
-
\??\c:\20226.exec:\20226.exe102⤵PID:4796
-
\??\c:\jvjvv.exec:\jvjvv.exe103⤵PID:3084
-
\??\c:\624482.exec:\624482.exe104⤵PID:2416
-
\??\c:\064822.exec:\064822.exe105⤵PID:3524
-
\??\c:\402826.exec:\402826.exe106⤵PID:1976
-
\??\c:\ttbtnn.exec:\ttbtnn.exe107⤵PID:4312
-
\??\c:\240044.exec:\240044.exe108⤵PID:2692
-
\??\c:\m0644.exec:\m0644.exe109⤵PID:2724
-
\??\c:\rrxxffl.exec:\rrxxffl.exe110⤵PID:4444
-
\??\c:\00046.exec:\00046.exe111⤵PID:3012
-
\??\c:\dvvjd.exec:\dvvjd.exe112⤵PID:4428
-
\??\c:\406044.exec:\406044.exe113⤵PID:3916
-
\??\c:\i862260.exec:\i862260.exe114⤵PID:2204
-
\??\c:\tttbbn.exec:\tttbbn.exe115⤵PID:4072
-
\??\c:\622488.exec:\622488.exe116⤵PID:4900
-
\??\c:\xxxlxrl.exec:\xxxlxrl.exe117⤵PID:2060
-
\??\c:\htnnhh.exec:\htnnhh.exe118⤵PID:4556
-
\??\c:\686268.exec:\686268.exe119⤵PID:872
-
\??\c:\88686.exec:\88686.exe120⤵PID:1848
-
\??\c:\dpvpd.exec:\dpvpd.exe121⤵PID:4740
-
\??\c:\jvdvp.exec:\jvdvp.exe122⤵PID:1708
-