Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 06:23
Behavioral task
behavioral1
Sample
c7b8ed5ceaf18191492886b8a24bc449f6abe23e826b43cd67c03d253d74f751.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
c7b8ed5ceaf18191492886b8a24bc449f6abe23e826b43cd67c03d253d74f751.exe
-
Size
347KB
-
MD5
6c3f3d01c703a5c6d1398770e539fc76
-
SHA1
d925f70adf8bdac2d5eb88346f18cbd00b9d68a4
-
SHA256
c7b8ed5ceaf18191492886b8a24bc449f6abe23e826b43cd67c03d253d74f751
-
SHA512
ac19d832f5dcdc2f17da5bfc842c29fca8684d4c7822620859a85ca4ea2614a047f223af8dfdacab6f2188387dbfd8b4b8608169c4ecfbeca530e71d6c94b1bf
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYA41:R4wFHoS3WXZshJX2VGd41
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/220-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1948-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3884-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1008-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1576-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2132-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/672-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2808-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2768-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/444-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1820-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4896-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2948-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3888-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/320-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3220-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4412-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2736-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4108-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4424-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3800-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/984-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1872-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4464-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1664-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2972-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1376-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4732-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3536-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4360-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/632-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2188-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2240-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1208-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4524-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4900-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3236-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3012-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3156-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3884-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-470-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-516-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1236-541-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4724-544-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2640-585-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/352-951-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1744-1064-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2164 622260.exe 3884 jppdv.exe 1948 22204.exe 208 rrrrfrr.exe 1008 jvdvp.exe 1576 660220.exe 2132 822666.exe 672 688828.exe 4564 04622.exe 2808 ntbtbt.exe 2768 424826.exe 444 pjdpj.exe 1820 7nbhtt.exe 4896 606420.exe 2948 06646.exe 3052 02260.exe 4432 662222.exe 3948 hbbbbh.exe 3888 6444480.exe 2924 xffllfr.exe 320 84666.exe 4412 rxfxxxx.exe 3220 w04822.exe 4324 24604.exe 2736 hnbnhh.exe 780 622008.exe 1828 46426.exe 372 0428204.exe 4108 8848208.exe 4424 fffrrlf.exe 3144 04484.exe 3800 0644888.exe 984 dpvpp.exe 4520 jpjdv.exe 1872 0484804.exe 4464 02002.exe 1568 4882666.exe 3788 rffffrl.exe 2248 pdddv.exe 1664 9ffxrrl.exe 3844 84004.exe 2972 24666.exe 2904 466420.exe 3964 5rrlfff.exe 4576 dpddd.exe 1148 jvdjd.exe 1972 jdpjd.exe 1376 tnnhtt.exe 3988 240048.exe 4932 q80444.exe 3104 xrfxxxr.exe 4732 0266064.exe 3536 vjdvj.exe 2856 fffxxlf.exe 4360 8062262.exe 4340 4888288.exe 2480 862604.exe 632 nhhhbh.exe 1780 nbhtbb.exe 4396 q64460.exe 4724 4266240.exe 816 446044.exe 1388 0248822.exe 4140 u802660.exe -
resource yara_rule behavioral2/memory/220-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bef-4.dat upx behavioral2/memory/220-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c88-8.dat upx behavioral2/files/0x0007000000023c8c-14.dat upx behavioral2/memory/1948-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3884-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2164-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8d-20.dat upx behavioral2/memory/208-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-24.dat upx behavioral2/files/0x0007000000023c90-28.dat upx behavioral2/memory/1008-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-33.dat upx behavioral2/memory/1576-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-38.dat upx behavioral2/memory/2132-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-43.dat upx behavioral2/memory/672-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c89-48.dat upx behavioral2/memory/4564-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c94-53.dat upx behavioral2/memory/2768-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2808-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-60.dat upx behavioral2/memory/2768-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-64.dat upx behavioral2/memory/444-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c97-69.dat upx behavioral2/memory/1820-70-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c98-75.dat upx behavioral2/memory/4896-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-79.dat upx behavioral2/memory/2948-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3052-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-84.dat upx behavioral2/files/0x0007000000023c9b-89.dat upx behavioral2/files/0x0007000000023c9c-93.dat upx behavioral2/files/0x0007000000023c9d-97.dat upx behavioral2/memory/3888-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-102.dat upx behavioral2/files/0x0007000000023c9f-107.dat upx behavioral2/memory/320-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-111.dat upx behavioral2/memory/3220-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4412-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-118.dat upx behavioral2/files/0x0007000000023ca3-121.dat upx behavioral2/files/0x0007000000023ca4-126.dat upx behavioral2/memory/2736-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-130.dat upx behavioral2/files/0x0007000000023ca6-134.dat upx behavioral2/files/0x0007000000023ca7-138.dat upx behavioral2/files/0x0007000000023ca8-143.dat upx behavioral2/memory/4108-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-149.dat upx behavioral2/memory/4424-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-152.dat upx behavioral2/memory/3800-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/984-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1872-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4464-167-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral2/memory/2248-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1664-177-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlxxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 446486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q80444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0060426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 220 wrote to memory of 2164 220 c7b8ed5ceaf18191492886b8a24bc449f6abe23e826b43cd67c03d253d74f751.exe 83 PID 220 wrote to memory of 2164 220 c7b8ed5ceaf18191492886b8a24bc449f6abe23e826b43cd67c03d253d74f751.exe 83 PID 220 wrote to memory of 2164 220 c7b8ed5ceaf18191492886b8a24bc449f6abe23e826b43cd67c03d253d74f751.exe 83 PID 2164 wrote to memory of 3884 2164 622260.exe 84 PID 2164 wrote to memory of 3884 2164 622260.exe 84 PID 2164 wrote to memory of 3884 2164 622260.exe 84 PID 3884 wrote to memory of 1948 3884 jppdv.exe 85 PID 3884 wrote to memory of 1948 3884 jppdv.exe 85 PID 3884 wrote to memory of 1948 3884 jppdv.exe 85 PID 1948 wrote to memory of 208 1948 22204.exe 86 PID 1948 wrote to memory of 208 1948 22204.exe 86 PID 1948 wrote to memory of 208 1948 22204.exe 86 PID 208 wrote to memory of 1008 208 rrrrfrr.exe 87 PID 208 wrote to memory of 1008 208 rrrrfrr.exe 87 PID 208 wrote to memory of 1008 208 rrrrfrr.exe 87 PID 1008 wrote to memory of 1576 1008 jvdvp.exe 88 PID 1008 wrote to memory of 1576 1008 jvdvp.exe 88 PID 1008 wrote to memory of 1576 1008 jvdvp.exe 88 PID 1576 wrote to memory of 2132 1576 660220.exe 89 PID 1576 wrote to memory of 2132 1576 660220.exe 89 PID 1576 wrote to memory of 2132 1576 660220.exe 89 PID 2132 wrote to memory of 672 2132 822666.exe 90 PID 2132 wrote to memory of 672 2132 822666.exe 90 PID 2132 wrote to memory of 672 2132 822666.exe 90 PID 672 wrote to memory of 4564 672 688828.exe 91 PID 672 wrote to memory of 4564 672 688828.exe 91 PID 672 wrote to memory of 4564 672 688828.exe 91 PID 4564 wrote to memory of 2808 4564 04622.exe 92 PID 4564 wrote to memory of 2808 4564 04622.exe 92 PID 4564 wrote to memory of 2808 4564 04622.exe 92 PID 2808 wrote to memory of 2768 2808 ntbtbt.exe 93 PID 2808 wrote to memory of 2768 2808 ntbtbt.exe 93 PID 2808 wrote to memory of 2768 2808 ntbtbt.exe 93 PID 2768 wrote to memory of 444 2768 424826.exe 94 PID 2768 wrote to memory of 444 2768 424826.exe 94 
PID 2768 wrote to memory of 444 2768 424826.exe 94 PID 444 wrote to memory of 1820 444 pjdpj.exe 95 PID 444 wrote to memory of 1820 444 pjdpj.exe 95 PID 444 wrote to memory of 1820 444 pjdpj.exe 95 PID 1820 wrote to memory of 4896 1820 7nbhtt.exe 96 PID 1820 wrote to memory of 4896 1820 7nbhtt.exe 96 PID 1820 wrote to memory of 4896 1820 7nbhtt.exe 96 PID 4896 wrote to memory of 2948 4896 606420.exe 97 PID 4896 wrote to memory of 2948 4896 606420.exe 97 PID 4896 wrote to memory of 2948 4896 606420.exe 97 PID 2948 wrote to memory of 3052 2948 06646.exe 98 PID 2948 wrote to memory of 3052 2948 06646.exe 98 PID 2948 wrote to memory of 3052 2948 06646.exe 98 PID 3052 wrote to memory of 4432 3052 02260.exe 99 PID 3052 wrote to memory of 4432 3052 02260.exe 99 PID 3052 wrote to memory of 4432 3052 02260.exe 99 PID 4432 wrote to memory of 3948 4432 662222.exe 100 PID 4432 wrote to memory of 3948 4432 662222.exe 100 PID 4432 wrote to memory of 3948 4432 662222.exe 100 PID 3948 wrote to memory of 3888 3948 hbbbbh.exe 101 PID 3948 wrote to memory of 3888 3948 hbbbbh.exe 101 PID 3948 wrote to memory of 3888 3948 hbbbbh.exe 101 PID 3888 wrote to memory of 2924 3888 6444480.exe 102 PID 3888 wrote to memory of 2924 3888 6444480.exe 102 PID 3888 wrote to memory of 2924 3888 6444480.exe 102 PID 2924 wrote to memory of 320 2924 xffllfr.exe 103 PID 2924 wrote to memory of 320 2924 xffllfr.exe 103 PID 2924 wrote to memory of 320 2924 xffllfr.exe 103 PID 320 wrote to memory of 4412 320 84666.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7b8ed5ceaf18191492886b8a24bc449f6abe23e826b43cd67c03d253d74f751.exe"C:\Users\Admin\AppData\Local\Temp\c7b8ed5ceaf18191492886b8a24bc449f6abe23e826b43cd67c03d253d74f751.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\622260.exec:\622260.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\jppdv.exec:\jppdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\22204.exec:\22204.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\rrrrfrr.exec:\rrrrfrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\jvdvp.exec:\jvdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\660220.exec:\660220.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\822666.exec:\822666.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\688828.exec:\688828.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\04622.exec:\04622.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\ntbtbt.exec:\ntbtbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\424826.exec:\424826.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\pjdpj.exec:\pjdpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\7nbhtt.exec:\7nbhtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\606420.exec:\606420.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\06646.exec:\06646.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\02260.exec:\02260.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\662222.exec:\662222.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\hbbbbh.exec:\hbbbbh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\6444480.exec:\6444480.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\xffllfr.exec:\xffllfr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\84666.exec:\84666.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\rxfxxxx.exec:\rxfxxxx.exe23⤵
- Executes dropped EXE
PID:4412 -
\??\c:\w04822.exec:\w04822.exe24⤵
- Executes dropped EXE
PID:3220 -
\??\c:\24604.exec:\24604.exe25⤵
- Executes dropped EXE
PID:4324 -
\??\c:\hnbnhh.exec:\hnbnhh.exe26⤵
- Executes dropped EXE
PID:2736 -
\??\c:\622008.exec:\622008.exe27⤵
- Executes dropped EXE
PID:780 -
\??\c:\46426.exec:\46426.exe28⤵
- Executes dropped EXE
PID:1828 -
\??\c:\0428204.exec:\0428204.exe29⤵
- Executes dropped EXE
PID:372 -
\??\c:\8848208.exec:\8848208.exe30⤵
- Executes dropped EXE
PID:4108 -
\??\c:\fffrrlf.exec:\fffrrlf.exe31⤵
- Executes dropped EXE
PID:4424 -
\??\c:\04484.exec:\04484.exe32⤵
- Executes dropped EXE
PID:3144 -
\??\c:\0644888.exec:\0644888.exe33⤵
- Executes dropped EXE
PID:3800 -
\??\c:\dpvpp.exec:\dpvpp.exe34⤵
- Executes dropped EXE
PID:984 -
\??\c:\jpjdv.exec:\jpjdv.exe35⤵
- Executes dropped EXE
PID:4520 -
\??\c:\0484804.exec:\0484804.exe36⤵
- Executes dropped EXE
PID:1872 -
\??\c:\02002.exec:\02002.exe37⤵
- Executes dropped EXE
PID:4464 -
\??\c:\4882666.exec:\4882666.exe38⤵
- Executes dropped EXE
PID:1568 -
\??\c:\rffffrl.exec:\rffffrl.exe39⤵
- Executes dropped EXE
PID:3788 -
\??\c:\pdddv.exec:\pdddv.exe40⤵
- Executes dropped EXE
PID:2248 -
\??\c:\9ffxrrl.exec:\9ffxrrl.exe41⤵
- Executes dropped EXE
PID:1664 -
\??\c:\84004.exec:\84004.exe42⤵
- Executes dropped EXE
PID:3844 -
\??\c:\24666.exec:\24666.exe43⤵
- Executes dropped EXE
PID:2972 -
\??\c:\466420.exec:\466420.exe44⤵
- Executes dropped EXE
PID:2904 -
\??\c:\5rrlfff.exec:\5rrlfff.exe45⤵
- Executes dropped EXE
PID:3964 -
\??\c:\dpddd.exec:\dpddd.exe46⤵
- Executes dropped EXE
PID:4576 -
\??\c:\jvdjd.exec:\jvdjd.exe47⤵
- Executes dropped EXE
PID:1148 -
\??\c:\jdpjd.exec:\jdpjd.exe48⤵
- Executes dropped EXE
PID:1972 -
\??\c:\tnnhtt.exec:\tnnhtt.exe49⤵
- Executes dropped EXE
PID:1376 -
\??\c:\240048.exec:\240048.exe50⤵
- Executes dropped EXE
PID:3988 -
\??\c:\q80444.exec:\q80444.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4932 -
\??\c:\xrfxxxr.exec:\xrfxxxr.exe52⤵
- Executes dropped EXE
PID:3104 -
\??\c:\0266064.exec:\0266064.exe53⤵
- Executes dropped EXE
PID:4732 -
\??\c:\vjdvj.exec:\vjdvj.exe54⤵
- Executes dropped EXE
PID:3536 -
\??\c:\fffxxlf.exec:\fffxxlf.exe55⤵
- Executes dropped EXE
PID:2856 -
\??\c:\8062262.exec:\8062262.exe56⤵
- Executes dropped EXE
PID:4360 -
\??\c:\4888288.exec:\4888288.exe57⤵
- Executes dropped EXE
PID:4340 -
\??\c:\862604.exec:\862604.exe58⤵
- Executes dropped EXE
PID:2480 -
\??\c:\nhhhbh.exec:\nhhhbh.exe59⤵
- Executes dropped EXE
PID:632 -
\??\c:\nbhtbb.exec:\nbhtbb.exe60⤵
- Executes dropped EXE
PID:1780 -
\??\c:\q64460.exec:\q64460.exe61⤵
- Executes dropped EXE
PID:4396 -
\??\c:\4266240.exec:\4266240.exe62⤵
- Executes dropped EXE
PID:4724 -
\??\c:\446044.exec:\446044.exe63⤵
- Executes dropped EXE
PID:816 -
\??\c:\0248822.exec:\0248822.exe64⤵
- Executes dropped EXE
PID:1388 -
\??\c:\u802660.exec:\u802660.exe65⤵
- Executes dropped EXE
PID:4140 -
\??\c:\q06668.exec:\q06668.exe66⤵PID:4588
-
\??\c:\002226.exec:\002226.exe67⤵PID:5052
-
\??\c:\828266.exec:\828266.exe68⤵PID:672
-
\??\c:\thnnnn.exec:\thnnnn.exe69⤵PID:2416
-
\??\c:\8206680.exec:\8206680.exe70⤵PID:3520
-
\??\c:\2804864.exec:\2804864.exe71⤵PID:336
-
\??\c:\nhnnhn.exec:\nhnnhn.exe72⤵PID:456
-
\??\c:\886602.exec:\886602.exe73⤵PID:2888
-
\??\c:\q02826.exec:\q02826.exe74⤵PID:212
-
\??\c:\c066228.exec:\c066228.exe75⤵PID:2188
-
\??\c:\00000.exec:\00000.exe76⤵PID:2240
-
\??\c:\2000440.exec:\2000440.exe77⤵PID:1820
-
\??\c:\04860.exec:\04860.exe78⤵PID:5032
-
\??\c:\o842682.exec:\o842682.exe79⤵PID:1336
-
\??\c:\k48266.exec:\k48266.exe80⤵PID:2948
-
\??\c:\64602.exec:\64602.exe81⤵PID:4752
-
\??\c:\ddvpj.exec:\ddvpj.exe82⤵PID:1208
-
\??\c:\620868.exec:\620868.exe83⤵PID:2552
-
\??\c:\tbhbnh.exec:\tbhbnh.exe84⤵PID:2528
-
\??\c:\5rlrlfx.exec:\5rlrlfx.exe85⤵PID:460
-
\??\c:\i226042.exec:\i226042.exe86⤵PID:4524
-
\??\c:\a8006.exec:\a8006.exe87⤵PID:4900
-
\??\c:\ttbhhh.exec:\ttbhhh.exe88⤵PID:1032
-
\??\c:\jddpj.exec:\jddpj.exe89⤵PID:4208
-
\??\c:\vjjdv.exec:\vjjdv.exe90⤵PID:4540
-
\??\c:\284422.exec:\284422.exe91⤵PID:1508
-
\??\c:\rflrrrr.exec:\rflrrrr.exe92⤵PID:4248
-
\??\c:\e44480.exec:\e44480.exe93⤵PID:2392
-
\??\c:\04842.exec:\04842.exe94⤵PID:2956
-
\??\c:\0628222.exec:\0628222.exe95⤵PID:2648
-
\??\c:\bthnbh.exec:\bthnbh.exe96⤵PID:1828
-
\??\c:\u626044.exec:\u626044.exe97⤵PID:1352
-
\??\c:\bnnhbt.exec:\bnnhbt.exe98⤵PID:3236
-
\??\c:\bthhbt.exec:\bthhbt.exe99⤵PID:4616
-
\??\c:\e86048.exec:\e86048.exe100⤵PID:4008
-
\??\c:\rfrrrrl.exec:\rfrrrrl.exe101⤵PID:4536
-
\??\c:\fxrrlll.exec:\fxrrlll.exe102⤵PID:3144
-
\??\c:\7hhtnn.exec:\7hhtnn.exe103⤵PID:2224
-
\??\c:\0868422.exec:\0868422.exe104⤵PID:3012
-
\??\c:\420040.exec:\420040.exe105⤵PID:4936
-
\??\c:\6482604.exec:\6482604.exe106⤵PID:4364
-
\??\c:\4466660.exec:\4466660.exe107⤵PID:3352
-
\??\c:\9lrlxxl.exec:\9lrlxxl.exe108⤵PID:4464
-
\??\c:\a4000.exec:\a4000.exe109⤵PID:1568
-
\??\c:\660826.exec:\660826.exe110⤵PID:2608
-
\??\c:\nhbtnh.exec:\nhbtnh.exe111⤵PID:3156
-
\??\c:\824488.exec:\824488.exe112⤵PID:1496
-
\??\c:\2662086.exec:\2662086.exe113⤵PID:960
-
\??\c:\jdvdv.exec:\jdvdv.exe114⤵PID:4604
-
\??\c:\lxlfxxx.exec:\lxlfxxx.exe115⤵PID:2864
-
\??\c:\w26200.exec:\w26200.exe116⤵PID:3964
-
\??\c:\9nhbtn.exec:\9nhbtn.exe117⤵PID:2900
-
\??\c:\q42268.exec:\q42268.exe118⤵PID:4120
-
\??\c:\828866.exec:\828866.exe119⤵PID:2228
-
\??\c:\28280.exec:\28280.exe120⤵PID:3000
-
\??\c:\60884.exec:\60884.exe121⤵PID:2056
-
\??\c:\o008204.exec:\o008204.exe122⤵PID:4420