Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
19-12-2024 00:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9d9929eebfd300ef9d13550e4fe2c2fe2b4d622b354fa41b8e9da6b5dff3bca4.exe
Resource
win7-20240903-en
7 signatures
150 seconds
Note: the task list above names behavioral1 (win7-20240903-en), but every signature hit and memory dump shown below is tagged behavioral2, i.e. the windows10-2004_x64 / win10v2004-20241007-en run listed under Analysis. The win7 run's results are not shown on this page, so do not treat the two environments as equivalent when reusing these IoCs.
General
-
Target
9d9929eebfd300ef9d13550e4fe2c2fe2b4d622b354fa41b8e9da6b5dff3bca4.exe
-
Size
453KB
-
MD5
13ed63c418584307b03ac91b1e029c28
-
SHA1
735ed9ef0d0238afc43829710724fb8d019c4e3e
-
SHA256
9d9929eebfd300ef9d13550e4fe2c2fe2b4d622b354fa41b8e9da6b5dff3bca4
-
SHA512
ea24617d2ff7acb2144439b164580caecfa77e1a3dfd31ac7c6fb8e94bcf6dfc22cae3956d915e63f1347a1fca742d5542a961d2e7b85c39be44cbbaeb701a00
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs (yara rule family_blackmoon matched in memory at 0x00400000-0x0042A000 of the original process and of each dropped EXE). PIDs recur in this list — e.g. 2140-28 and 2140-272, 4000-397 and 4000-608 — because Windows reused the PID after the earlier process exited; correlate dumps by the PID-index pair (PID-N), not by PID alone.
resource yara_rule behavioral2/memory/1420-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/900-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2712-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-941-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-1574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-1786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (64 is the report's display cap; the process tree below continues well past the 64 entries listed here)
pid Process 1620 22826.exe 3104 jdddd.exe 3496 a0004.exe 2140 1rrrlrr.exe 4316 4882222.exe 3652 26400.exe 2900 flrxxxr.exe 3960 60048.exe 2908 3llxrrr.exe 4784 nhhbbb.exe 684 tnttnn.exe 4808 xfxfflr.exe 616 628226.exe 2924 a2882.exe 2940 tbbhnt.exe 3252 c660444.exe 4624 202222.exe 4120 nnnhtt.exe 4848 jppdp.exe 5056 666266.exe 2424 00648.exe 2260 dvppv.exe 2356 8682082.exe 3024 4060826.exe 3160 btbnnh.exe 2968 3vjvp.exe 4020 vdvpd.exe 4064 nthbtn.exe 2340 jpjvp.exe 2372 002244.exe 1976 hnnbtn.exe 900 m6648.exe 3208 044482.exe 872 08882.exe 1688 jddpv.exe 2448 82208.exe 2176 428802.exe 3180 bbntht.exe 2500 242846.exe 4940 fflxlxl.exe 956 lfxlfrl.exe 3008 dpvjd.exe 2964 bhhbtn.exe 4552 ntbnbn.exe 728 ppjpv.exe 1228 20048.exe 3152 lrrllxx.exe 4340 4882640.exe 1484 06602.exe 2068 1bbtnn.exe 2948 7jjdv.exe 4192 5llfrrl.exe 3448 7jvpv.exe 3560 nhnhnn.exe 2792 68422.exe 212 g6866.exe 2140 04040.exe 4508 482666.exe 232 0846266.exe 3652 ttthtn.exe 4516 nbthtn.exe 5024 htnntt.exe 1652 dpjvj.exe 4856 nnhnht.exe -
resource yara_rule behavioral2/memory/1420-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-188-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1688-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-402-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1900-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-941-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-1332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-1396-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). The indicator is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; many legitimate runtimes and installers read this key too, so it is a low-fidelity signal on its own and is mainly useful here to tie the later, unnamed processes to the same behaviour. Entries marked "Process not Found" are reads whose owning process had already exited when the sandbox resolved the PID.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2866682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u804888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2260240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 666426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrffxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e02600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42842.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes three times into the child it has just created, chaining one dropped EXE into the next; 64 is the display cap — the list stops at 2424 → 2260 but the process tree below shows the chain continuing)
description pid Process procid_target PID 1420 wrote to memory of 1620 1420 9d9929eebfd300ef9d13550e4fe2c2fe2b4d622b354fa41b8e9da6b5dff3bca4.exe 83 PID 1420 wrote to memory of 1620 1420 9d9929eebfd300ef9d13550e4fe2c2fe2b4d622b354fa41b8e9da6b5dff3bca4.exe 83 PID 1420 wrote to memory of 1620 1420 9d9929eebfd300ef9d13550e4fe2c2fe2b4d622b354fa41b8e9da6b5dff3bca4.exe 83 PID 1620 wrote to memory of 3104 1620 22826.exe 84 PID 1620 wrote to memory of 3104 1620 22826.exe 84 PID 1620 wrote to memory of 3104 1620 22826.exe 84 PID 3104 wrote to memory of 3496 3104 jdddd.exe 85 PID 3104 wrote to memory of 3496 3104 jdddd.exe 85 PID 3104 wrote to memory of 3496 3104 jdddd.exe 85 PID 3496 wrote to memory of 2140 3496 a0004.exe 86 PID 3496 wrote to memory of 2140 3496 a0004.exe 86 PID 3496 wrote to memory of 2140 3496 a0004.exe 86 PID 2140 wrote to memory of 4316 2140 1rrrlrr.exe 87 PID 2140 wrote to memory of 4316 2140 1rrrlrr.exe 87 PID 2140 wrote to memory of 4316 2140 1rrrlrr.exe 87 PID 4316 wrote to memory of 3652 4316 4882222.exe 88 PID 4316 wrote to memory of 3652 4316 4882222.exe 88 PID 4316 wrote to memory of 3652 4316 4882222.exe 88 PID 3652 wrote to memory of 2900 3652 26400.exe 89 PID 3652 wrote to memory of 2900 3652 26400.exe 89 PID 3652 wrote to memory of 2900 3652 26400.exe 89 PID 2900 wrote to memory of 3960 2900 flrxxxr.exe 90 PID 2900 wrote to memory of 3960 2900 flrxxxr.exe 90 PID 2900 wrote to memory of 3960 2900 flrxxxr.exe 90 PID 3960 wrote to memory of 2908 3960 60048.exe 91 PID 3960 wrote to memory of 2908 3960 60048.exe 91 PID 3960 wrote to memory of 2908 3960 60048.exe 91 PID 2908 wrote to memory of 4784 2908 3llxrrr.exe 92 PID 2908 wrote to memory of 4784 2908 3llxrrr.exe 92 PID 2908 wrote to memory of 4784 2908 3llxrrr.exe 92 PID 4784 wrote to memory of 684 4784 nhhbbb.exe 93 PID 4784 wrote to memory of 684 4784 nhhbbb.exe 93 PID 4784 wrote to memory of 684 4784 nhhbbb.exe 93 PID 684 wrote to memory of 4808 684 tnttnn.exe 94 PID 684 wrote to memory of 
4808 684 tnttnn.exe 94 PID 684 wrote to memory of 4808 684 tnttnn.exe 94 PID 4808 wrote to memory of 616 4808 xfxfflr.exe 95 PID 4808 wrote to memory of 616 4808 xfxfflr.exe 95 PID 4808 wrote to memory of 616 4808 xfxfflr.exe 95 PID 616 wrote to memory of 2924 616 628226.exe 96 PID 616 wrote to memory of 2924 616 628226.exe 96 PID 616 wrote to memory of 2924 616 628226.exe 96 PID 2924 wrote to memory of 2940 2924 a2882.exe 97 PID 2924 wrote to memory of 2940 2924 a2882.exe 97 PID 2924 wrote to memory of 2940 2924 a2882.exe 97 PID 2940 wrote to memory of 3252 2940 tbbhnt.exe 98 PID 2940 wrote to memory of 3252 2940 tbbhnt.exe 98 PID 2940 wrote to memory of 3252 2940 tbbhnt.exe 98 PID 3252 wrote to memory of 4624 3252 c660444.exe 99 PID 3252 wrote to memory of 4624 3252 c660444.exe 99 PID 3252 wrote to memory of 4624 3252 c660444.exe 99 PID 4624 wrote to memory of 4120 4624 202222.exe 100 PID 4624 wrote to memory of 4120 4624 202222.exe 100 PID 4624 wrote to memory of 4120 4624 202222.exe 100 PID 4120 wrote to memory of 4848 4120 nnnhtt.exe 101 PID 4120 wrote to memory of 4848 4120 nnnhtt.exe 101 PID 4120 wrote to memory of 4848 4120 nnnhtt.exe 101 PID 4848 wrote to memory of 5056 4848 jppdp.exe 102 PID 4848 wrote to memory of 5056 4848 jppdp.exe 102 PID 4848 wrote to memory of 5056 4848 jppdp.exe 102 PID 5056 wrote to memory of 2424 5056 666266.exe 103 PID 5056 wrote to memory of 2424 5056 666266.exe 103 PID 5056 wrote to memory of 2424 5056 666266.exe 103 PID 2424 wrote to memory of 2260 2424 00648.exe 104
Processes (process tree: the original sample spawns one dropped EXE, which spawns the next, to a depth of 122 levels; every dropped file is written to the root of C:\ under a short random name such as \??\c:\22826.exe — writable here because the sandbox user is Admin. PIDs such as 4784, 2140, 3652, 3560, 2792 and 212 appear twice in the tree because the earlier process had exited and the PID was reused.)
-
C:\Users\Admin\AppData\Local\Temp\9d9929eebfd300ef9d13550e4fe2c2fe2b4d622b354fa41b8e9da6b5dff3bca4.exe"C:\Users\Admin\AppData\Local\Temp\9d9929eebfd300ef9d13550e4fe2c2fe2b4d622b354fa41b8e9da6b5dff3bca4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\22826.exec:\22826.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\jdddd.exec:\jdddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\a0004.exec:\a0004.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\1rrrlrr.exec:\1rrrlrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\4882222.exec:\4882222.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\26400.exec:\26400.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\flrxxxr.exec:\flrxxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\60048.exec:\60048.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\3llxrrr.exec:\3llxrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\nhhbbb.exec:\nhhbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\tnttnn.exec:\tnttnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\xfxfflr.exec:\xfxfflr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\628226.exec:\628226.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616 -
\??\c:\a2882.exec:\a2882.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\tbbhnt.exec:\tbbhnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\c660444.exec:\c660444.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\202222.exec:\202222.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\nnnhtt.exec:\nnnhtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\jppdp.exec:\jppdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\666266.exec:\666266.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\00648.exec:\00648.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\dvppv.exec:\dvppv.exe23⤵
- Executes dropped EXE
PID:2260 -
\??\c:\8682082.exec:\8682082.exe24⤵
- Executes dropped EXE
PID:2356 -
\??\c:\4060826.exec:\4060826.exe25⤵
- Executes dropped EXE
PID:3024 -
\??\c:\btbnnh.exec:\btbnnh.exe26⤵
- Executes dropped EXE
PID:3160 -
\??\c:\3vjvp.exec:\3vjvp.exe27⤵
- Executes dropped EXE
PID:2968 -
\??\c:\vdvpd.exec:\vdvpd.exe28⤵
- Executes dropped EXE
PID:4020 -
\??\c:\nthbtn.exec:\nthbtn.exe29⤵
- Executes dropped EXE
PID:4064 -
\??\c:\jpjvp.exec:\jpjvp.exe30⤵
- Executes dropped EXE
PID:2340 -
\??\c:\002244.exec:\002244.exe31⤵
- Executes dropped EXE
PID:2372 -
\??\c:\hnnbtn.exec:\hnnbtn.exe32⤵
- Executes dropped EXE
PID:1976 -
\??\c:\m6648.exec:\m6648.exe33⤵
- Executes dropped EXE
PID:900 -
\??\c:\044482.exec:\044482.exe34⤵
- Executes dropped EXE
PID:3208 -
\??\c:\08882.exec:\08882.exe35⤵
- Executes dropped EXE
PID:872 -
\??\c:\jddpv.exec:\jddpv.exe36⤵
- Executes dropped EXE
PID:1688 -
\??\c:\82208.exec:\82208.exe37⤵
- Executes dropped EXE
PID:2448 -
\??\c:\428802.exec:\428802.exe38⤵
- Executes dropped EXE
PID:2176 -
\??\c:\bbntht.exec:\bbntht.exe39⤵
- Executes dropped EXE
PID:3180 -
\??\c:\242846.exec:\242846.exe40⤵
- Executes dropped EXE
PID:2500 -
\??\c:\fflxlxl.exec:\fflxlxl.exe41⤵
- Executes dropped EXE
PID:4940 -
\??\c:\lfxlfrl.exec:\lfxlfrl.exe42⤵
- Executes dropped EXE
PID:956 -
\??\c:\dpvjd.exec:\dpvjd.exe43⤵
- Executes dropped EXE
PID:3008 -
\??\c:\bhhbtn.exec:\bhhbtn.exe44⤵
- Executes dropped EXE
PID:2964 -
\??\c:\ntbnbn.exec:\ntbnbn.exe45⤵
- Executes dropped EXE
PID:4552 -
\??\c:\ppjpv.exec:\ppjpv.exe46⤵
- Executes dropped EXE
PID:728 -
\??\c:\20048.exec:\20048.exe47⤵
- Executes dropped EXE
PID:1228 -
\??\c:\lrrllxx.exec:\lrrllxx.exe48⤵
- Executes dropped EXE
PID:3152 -
\??\c:\4882640.exec:\4882640.exe49⤵
- Executes dropped EXE
PID:4340 -
\??\c:\06602.exec:\06602.exe50⤵
- Executes dropped EXE
PID:1484 -
\??\c:\1bbtnn.exec:\1bbtnn.exe51⤵
- Executes dropped EXE
PID:2068 -
\??\c:\7jjdv.exec:\7jjdv.exe52⤵
- Executes dropped EXE
PID:2948 -
\??\c:\5llfrrl.exec:\5llfrrl.exe53⤵
- Executes dropped EXE
PID:4192 -
\??\c:\7jvpv.exec:\7jvpv.exe54⤵
- Executes dropped EXE
PID:3448 -
\??\c:\nhnhnn.exec:\nhnhnn.exe55⤵
- Executes dropped EXE
PID:3560 -
\??\c:\68422.exec:\68422.exe56⤵
- Executes dropped EXE
PID:2792 -
\??\c:\g6866.exec:\g6866.exe57⤵
- Executes dropped EXE
PID:212 -
\??\c:\04040.exec:\04040.exe58⤵
- Executes dropped EXE
PID:2140 -
\??\c:\482666.exec:\482666.exe59⤵
- Executes dropped EXE
PID:4508 -
\??\c:\0846266.exec:\0846266.exe60⤵
- Executes dropped EXE
PID:232 -
\??\c:\ttthtn.exec:\ttthtn.exe61⤵
- Executes dropped EXE
PID:3652 -
\??\c:\nbthtn.exec:\nbthtn.exe62⤵
- Executes dropped EXE
PID:4516 -
\??\c:\htnntt.exec:\htnntt.exe63⤵
- Executes dropped EXE
PID:5024 -
\??\c:\dpjvj.exec:\dpjvj.exe64⤵
- Executes dropped EXE
PID:1652 -
\??\c:\nnhnht.exec:\nnhnht.exe65⤵
- Executes dropped EXE
PID:4856 -
\??\c:\hbbtnh.exec:\hbbtnh.exe66⤵PID:4784
-
\??\c:\xflfrrl.exec:\xflfrrl.exe67⤵PID:1432
-
\??\c:\pvdpd.exec:\pvdpd.exe68⤵PID:1600
-
\??\c:\fxlfrxl.exec:\fxlfrxl.exe69⤵PID:1644
-
\??\c:\btttnh.exec:\btttnh.exe70⤵PID:4100
-
\??\c:\4248880.exec:\4248880.exe71⤵PID:3456
-
\??\c:\vjpjd.exec:\vjpjd.exe72⤵PID:3148
-
\??\c:\228648.exec:\228648.exe73⤵PID:2920
-
\??\c:\lrxrlll.exec:\lrxrlll.exe74⤵PID:2412
-
\??\c:\u020448.exec:\u020448.exe75⤵PID:3252
-
\??\c:\o064204.exec:\o064204.exe76⤵PID:1636
-
\??\c:\7hthnb.exec:\7hthnb.exe77⤵PID:4120
-
\??\c:\9bhbtn.exec:\9bhbtn.exe78⤵PID:3128
-
\??\c:\800822.exec:\800822.exe79⤵PID:4848
-
\??\c:\jvpjd.exec:\jvpjd.exe80⤵PID:696
-
\??\c:\nhbtnn.exec:\nhbtnn.exe81⤵PID:2712
-
\??\c:\02664.exec:\02664.exe82⤵PID:2188
-
\??\c:\82664.exec:\82664.exe83⤵PID:4580
-
\??\c:\9ddvj.exec:\9ddvj.exe84⤵PID:3116
-
\??\c:\htbnhb.exec:\htbnhb.exe85⤵PID:2776
-
\??\c:\62286.exec:\62286.exe86⤵PID:1944
-
\??\c:\026048.exec:\026048.exe87⤵PID:2388
-
\??\c:\o846446.exec:\o846446.exe88⤵PID:4684
-
\??\c:\pjdvv.exec:\pjdvv.exe89⤵PID:4904
-
\??\c:\hbnhbb.exec:\hbnhbb.exe90⤵PID:2856
-
\??\c:\2688222.exec:\2688222.exe91⤵PID:2864
-
\??\c:\dvvpj.exec:\dvvpj.exe92⤵PID:3488
-
\??\c:\rrlflfx.exec:\rrlflfx.exe93⤵PID:3508
-
\??\c:\lfxlfxr.exec:\lfxlfxr.exe94⤵PID:528
-
\??\c:\48262.exec:\48262.exe95⤵PID:4512
-
\??\c:\1llxlfr.exec:\1llxlfr.exe96⤵PID:4000
-
\??\c:\g6688.exec:\g6688.exe97⤵PID:4408
-
\??\c:\8222660.exec:\8222660.exe98⤵PID:2916
-
\??\c:\lrrfxxl.exec:\lrrfxxl.exe99⤵PID:2240
-
\??\c:\60082.exec:\60082.exe100⤵PID:1820
-
\??\c:\60444.exec:\60444.exe101⤵PID:1436
-
\??\c:\ppdvv.exec:\ppdvv.exe102⤵PID:4352
-
\??\c:\6686482.exec:\6686482.exe103⤵PID:2476
-
\??\c:\20044.exec:\20044.exe104⤵PID:2556
-
\??\c:\288822.exec:\288822.exe105⤵PID:2604
-
\??\c:\lfffrxl.exec:\lfffrxl.exe106⤵PID:1900
-
\??\c:\s6826.exec:\s6826.exe107⤵PID:4720
-
\??\c:\000426.exec:\000426.exe108⤵PID:2156
-
\??\c:\vvvpp.exec:\vvvpp.exe109⤵PID:228
-
\??\c:\nnnhtt.exec:\nnnhtt.exe110⤵PID:3692
-
\??\c:\htbthh.exec:\htbthh.exe111⤵PID:1520
-
\??\c:\s0048.exec:\s0048.exe112⤵PID:720
-
\??\c:\84608.exec:\84608.exe113⤵PID:4324
-
\??\c:\lrllfff.exec:\lrllfff.exe114⤵PID:1524
-
\??\c:\m6884.exec:\m6884.exe115⤵PID:3520
-
\??\c:\28860.exec:\28860.exe116⤵PID:2904
-
\??\c:\48266.exec:\48266.exe117⤵PID:3352
-
\??\c:\g2824.exec:\g2824.exe118⤵PID:3044
-
\??\c:\864860.exec:\864860.exe119⤵
- System Location Discovery: System Language Discovery
PID:384 -
\??\c:\thbtnh.exec:\thbtnh.exe120⤵PID:3560
-
\??\c:\1xfxrrr.exec:\1xfxrrr.exe121⤵PID:2792
-
\??\c:\c026262.exec:\c026262.exe122⤵PID:212