Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:08
Static task
static1
1 signatures
Behavioral task
behavioral1 (note: the signature hits and process tree below reference behavioral2 — the windows10-2004_x64 / win10v2004-20241007-en run named in the header — so they appear to come from that task rather than this Windows 7 task)
Sample
a20136213384e8487dc4cb5e4dc4c2e94427e509d8fb213ab4e7f8126791a283.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a20136213384e8487dc4cb5e4dc4c2e94427e509d8fb213ab4e7f8126791a283.exe
-
Size
454KB
-
MD5
24ee11649df7174f5daeae23063c1bd1
-
SHA1
4c926fda55c3f8b2f4eac8008a325aa7101b19ae
-
SHA256
a20136213384e8487dc4cb5e4dc4c2e94427e509d8fb213ab4e7f8126791a283
-
SHA512
a05da8c57e252f08b7b8739b0f229fe2e35839c7e6f7db5360750fbba3d1cae476771817f07ae36f2355728ee350e2e6f67230acb338977c8b16cf8847261193
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe17:q7Tc2NYHUrAwfMp3CD17
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2808-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4676-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4676-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-840-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-919-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-1214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list is capped at 64 entries and ends at PID 4052 pvvjv.exe; the process tree below continues well past that point, so the real number of dropped-and-executed files is higher)
pid Process 4232 28260.exe 3708 jpppv.exe 448 5ddjj.exe 2608 64288.exe 2688 tnbbtt.exe 2648 nhhbtt.exe 4260 xxllfff.exe 4684 82222.exe 4920 284440.exe 2660 4842644.exe 1652 04662.exe 3284 8048226.exe 3124 rffxrlf.exe 4376 02628.exe 4224 3vvdd.exe 4992 4080868.exe 3168 0664642.exe 1484 426242.exe 3100 tttnhb.exe 2164 6868806.exe 4996 nhthth.exe 4968 26266.exe 1704 hbnhhn.exe 1628 w04602.exe 4676 00248.exe 2948 xlrrlrl.exe 5020 w46048.exe 1668 djjjd.exe 1864 k80488.exe 2600 pjdvv.exe 392 46626.exe 3116 u846864.exe 3380 6220808.exe 4700 jvvvp.exe 5088 frrrxxx.exe 1324 dvdvd.exe 2528 8248240.exe 1028 jpjjd.exe 3028 dvdjp.exe 436 rlfxrll.exe 3212 vjvpj.exe 3428 hthbbb.exe 2288 pjvpp.exe 1476 8066602.exe 804 rrrllll.exe 1540 ddddd.exe 3708 bbhntb.exe 636 nnnttt.exe 1396 7ffxrxr.exe 3752 llfxllf.exe 444 5djjd.exe 2264 nthhbt.exe 1080 frxxxxx.exe 1360 tbnttt.exe 4248 8686222.exe 5040 24266.exe 4920 jppdd.exe 3744 thtbnb.exe 1220 fxxxrrx.exe 4008 w22868.exe 1480 vjpjd.exe 2912 46860.exe 2868 btnbtn.exe 4052 pvvjv.exe -
resource yara_rule behavioral2/memory/2808-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1668-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-404-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4332-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-919-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (reads HKLM\SYSTEM\ControlSet001\Control\NLS\Language).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4804444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2260482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2464482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 204242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846266.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8460004.exe -
Suspicious use of WriteProcessMemory 64 IoCs (the list is capped at 64 entries and stops at PID 4996 nhthth.exe writing to 4968; each parent in the chain is recorded writing to its child three times, and the process tree below shows the chain continuing beyond the last listed pair)
description pid Process procid_target PID 2808 wrote to memory of 4232 2808 a20136213384e8487dc4cb5e4dc4c2e94427e509d8fb213ab4e7f8126791a283.exe 83 PID 2808 wrote to memory of 4232 2808 a20136213384e8487dc4cb5e4dc4c2e94427e509d8fb213ab4e7f8126791a283.exe 83 PID 2808 wrote to memory of 4232 2808 a20136213384e8487dc4cb5e4dc4c2e94427e509d8fb213ab4e7f8126791a283.exe 83 PID 4232 wrote to memory of 3708 4232 28260.exe 84 PID 4232 wrote to memory of 3708 4232 28260.exe 84 PID 4232 wrote to memory of 3708 4232 28260.exe 84 PID 3708 wrote to memory of 448 3708 jpppv.exe 85 PID 3708 wrote to memory of 448 3708 jpppv.exe 85 PID 3708 wrote to memory of 448 3708 jpppv.exe 85 PID 448 wrote to memory of 2608 448 5ddjj.exe 86 PID 448 wrote to memory of 2608 448 5ddjj.exe 86 PID 448 wrote to memory of 2608 448 5ddjj.exe 86 PID 2608 wrote to memory of 2688 2608 64288.exe 87 PID 2608 wrote to memory of 2688 2608 64288.exe 87 PID 2608 wrote to memory of 2688 2608 64288.exe 87 PID 2688 wrote to memory of 2648 2688 tnbbtt.exe 88 PID 2688 wrote to memory of 2648 2688 tnbbtt.exe 88 PID 2688 wrote to memory of 2648 2688 tnbbtt.exe 88 PID 2648 wrote to memory of 4260 2648 nhhbtt.exe 89 PID 2648 wrote to memory of 4260 2648 nhhbtt.exe 89 PID 2648 wrote to memory of 4260 2648 nhhbtt.exe 89 PID 4260 wrote to memory of 4684 4260 xxllfff.exe 90 PID 4260 wrote to memory of 4684 4260 xxllfff.exe 90 PID 4260 wrote to memory of 4684 4260 xxllfff.exe 90 PID 4684 wrote to memory of 4920 4684 82222.exe 91 PID 4684 wrote to memory of 4920 4684 82222.exe 91 PID 4684 wrote to memory of 4920 4684 82222.exe 91 PID 4920 wrote to memory of 2660 4920 284440.exe 92 PID 4920 wrote to memory of 2660 4920 284440.exe 92 PID 4920 wrote to memory of 2660 4920 284440.exe 92 PID 2660 wrote to memory of 1652 2660 4842644.exe 93 PID 2660 wrote to memory of 1652 2660 4842644.exe 93 PID 2660 wrote to memory of 1652 2660 4842644.exe 93 PID 1652 wrote to memory of 3284 1652 04662.exe 94 PID 1652 wrote to memory of 3284 1652 
04662.exe 94 PID 1652 wrote to memory of 3284 1652 04662.exe 94 PID 3284 wrote to memory of 3124 3284 8048226.exe 95 PID 3284 wrote to memory of 3124 3284 8048226.exe 95 PID 3284 wrote to memory of 3124 3284 8048226.exe 95 PID 3124 wrote to memory of 4376 3124 rffxrlf.exe 96 PID 3124 wrote to memory of 4376 3124 rffxrlf.exe 96 PID 3124 wrote to memory of 4376 3124 rffxrlf.exe 96 PID 4376 wrote to memory of 4224 4376 02628.exe 97 PID 4376 wrote to memory of 4224 4376 02628.exe 97 PID 4376 wrote to memory of 4224 4376 02628.exe 97 PID 4224 wrote to memory of 4992 4224 3vvdd.exe 98 PID 4224 wrote to memory of 4992 4224 3vvdd.exe 98 PID 4224 wrote to memory of 4992 4224 3vvdd.exe 98 PID 4992 wrote to memory of 3168 4992 4080868.exe 99 PID 4992 wrote to memory of 3168 4992 4080868.exe 99 PID 4992 wrote to memory of 3168 4992 4080868.exe 99 PID 3168 wrote to memory of 1484 3168 0664642.exe 100 PID 3168 wrote to memory of 1484 3168 0664642.exe 100 PID 3168 wrote to memory of 1484 3168 0664642.exe 100 PID 1484 wrote to memory of 3100 1484 426242.exe 101 PID 1484 wrote to memory of 3100 1484 426242.exe 101 PID 1484 wrote to memory of 3100 1484 426242.exe 101 PID 3100 wrote to memory of 2164 3100 tttnhb.exe 102 PID 3100 wrote to memory of 2164 3100 tttnhb.exe 102 PID 3100 wrote to memory of 2164 3100 tttnhb.exe 102 PID 2164 wrote to memory of 4996 2164 6868806.exe 103 PID 2164 wrote to memory of 4996 2164 6868806.exe 103 PID 2164 wrote to memory of 4996 2164 6868806.exe 103 PID 4996 wrote to memory of 4968 4996 nhthth.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a20136213384e8487dc4cb5e4dc4c2e94427e509d8fb213ab4e7f8126791a283.exe"C:\Users\Admin\AppData\Local\Temp\a20136213384e8487dc4cb5e4dc4c2e94427e509d8fb213ab4e7f8126791a283.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\28260.exec:\28260.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\jpppv.exec:\jpppv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\5ddjj.exec:\5ddjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\64288.exec:\64288.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\tnbbtt.exec:\tnbbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\nhhbtt.exec:\nhhbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\xxllfff.exec:\xxllfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\82222.exec:\82222.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\284440.exec:\284440.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\4842644.exec:\4842644.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\04662.exec:\04662.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\8048226.exec:\8048226.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\rffxrlf.exec:\rffxrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\02628.exec:\02628.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\3vvdd.exec:\3vvdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\4080868.exec:\4080868.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\0664642.exec:\0664642.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\426242.exec:\426242.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\tttnhb.exec:\tttnhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\6868806.exec:\6868806.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\nhthth.exec:\nhthth.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\26266.exec:\26266.exe23⤵
- Executes dropped EXE
PID:4968 -
\??\c:\hbnhhn.exec:\hbnhhn.exe24⤵
- Executes dropped EXE
PID:1704 -
\??\c:\w04602.exec:\w04602.exe25⤵
- Executes dropped EXE
PID:1628 -
\??\c:\00248.exec:\00248.exe26⤵
- Executes dropped EXE
PID:4676 -
\??\c:\xlrrlrl.exec:\xlrrlrl.exe27⤵
- Executes dropped EXE
PID:2948 -
\??\c:\w46048.exec:\w46048.exe28⤵
- Executes dropped EXE
PID:5020 -
\??\c:\djjjd.exec:\djjjd.exe29⤵
- Executes dropped EXE
PID:1668 -
\??\c:\k80488.exec:\k80488.exe30⤵
- Executes dropped EXE
PID:1864 -
\??\c:\pjdvv.exec:\pjdvv.exe31⤵
- Executes dropped EXE
PID:2600 -
\??\c:\46626.exec:\46626.exe32⤵
- Executes dropped EXE
PID:392 -
\??\c:\u846864.exec:\u846864.exe33⤵
- Executes dropped EXE
PID:3116 -
\??\c:\6220808.exec:\6220808.exe34⤵
- Executes dropped EXE
PID:3380 -
\??\c:\jvvvp.exec:\jvvvp.exe35⤵
- Executes dropped EXE
PID:4700 -
\??\c:\frrrxxx.exec:\frrrxxx.exe36⤵
- Executes dropped EXE
PID:5088 -
\??\c:\dvdvd.exec:\dvdvd.exe37⤵
- Executes dropped EXE
PID:1324 -
\??\c:\8248240.exec:\8248240.exe38⤵
- Executes dropped EXE
PID:2528 -
\??\c:\jpjjd.exec:\jpjjd.exe39⤵
- Executes dropped EXE
PID:1028 -
\??\c:\dvdjp.exec:\dvdjp.exe40⤵
- Executes dropped EXE
PID:3028 -
\??\c:\rlfxrll.exec:\rlfxrll.exe41⤵
- Executes dropped EXE
PID:436 -
\??\c:\vjvpj.exec:\vjvpj.exe42⤵
- Executes dropped EXE
PID:3212 -
\??\c:\hthbbb.exec:\hthbbb.exe43⤵
- Executes dropped EXE
PID:3428 -
\??\c:\pjvpp.exec:\pjvpp.exe44⤵
- Executes dropped EXE
PID:2288 -
\??\c:\8066602.exec:\8066602.exe45⤵
- Executes dropped EXE
PID:1476 -
\??\c:\rrrllll.exec:\rrrllll.exe46⤵
- Executes dropped EXE
PID:804 -
\??\c:\ddddd.exec:\ddddd.exe47⤵
- Executes dropped EXE
PID:1540 -
\??\c:\bbhntb.exec:\bbhntb.exe48⤵
- Executes dropped EXE
PID:3708 -
\??\c:\nnnttt.exec:\nnnttt.exe49⤵
- Executes dropped EXE
PID:636 -
\??\c:\7ffxrxr.exec:\7ffxrxr.exe50⤵
- Executes dropped EXE
PID:1396 -
\??\c:\llfxllf.exec:\llfxllf.exe51⤵
- Executes dropped EXE
PID:3752 -
\??\c:\5djjd.exec:\5djjd.exe52⤵
- Executes dropped EXE
PID:444 -
\??\c:\nthhbt.exec:\nthhbt.exe53⤵
- Executes dropped EXE
PID:2264 -
\??\c:\frxxxxx.exec:\frxxxxx.exe54⤵
- Executes dropped EXE
PID:1080 -
\??\c:\tbnttt.exec:\tbnttt.exe55⤵
- Executes dropped EXE
PID:1360 -
\??\c:\8686222.exec:\8686222.exe56⤵
- Executes dropped EXE
PID:4248 -
\??\c:\24266.exec:\24266.exe57⤵
- Executes dropped EXE
PID:5040 -
\??\c:\jppdd.exec:\jppdd.exe58⤵
- Executes dropped EXE
PID:4920 -
\??\c:\thtbnb.exec:\thtbnb.exe59⤵
- Executes dropped EXE
PID:3744 -
\??\c:\fxxxrrx.exec:\fxxxrrx.exe60⤵
- Executes dropped EXE
PID:1220 -
\??\c:\w22868.exec:\w22868.exe61⤵
- Executes dropped EXE
PID:4008 -
\??\c:\vjpjd.exec:\vjpjd.exe62⤵
- Executes dropped EXE
PID:1480 -
\??\c:\46860.exec:\46860.exe63⤵
- Executes dropped EXE
PID:2912 -
\??\c:\btnbtn.exec:\btnbtn.exe64⤵
- Executes dropped EXE
PID:2868 -
\??\c:\pvvjv.exec:\pvvjv.exe65⤵
- Executes dropped EXE
PID:4052 -
\??\c:\048024.exec:\048024.exe66⤵PID:3320
-
\??\c:\q42426.exec:\q42426.exe67⤵PID:4992
-
\??\c:\bhhtnb.exec:\bhhtnb.exe68⤵PID:2972
-
\??\c:\28044.exec:\28044.exe69⤵PID:1432
-
\??\c:\4288208.exec:\4288208.exe70⤵PID:4804
-
\??\c:\406006.exec:\406006.exe71⤵PID:1444
-
\??\c:\vdvdd.exec:\vdvdd.exe72⤵PID:2164
-
\??\c:\lllxlff.exec:\lllxlff.exe73⤵PID:3984
-
\??\c:\280020.exec:\280020.exe74⤵PID:2872
-
\??\c:\4800802.exec:\4800802.exe75⤵PID:1804
-
\??\c:\llxlxfl.exec:\llxlxfl.exe76⤵PID:4548
-
\??\c:\7lxflxf.exec:\7lxflxf.exe77⤵PID:3264
-
\??\c:\6848664.exec:\6848664.exe78⤵PID:1344
-
\??\c:\04044.exec:\04044.exe79⤵PID:2508
-
\??\c:\4240000.exec:\4240000.exe80⤵PID:4676
-
\??\c:\k88826.exec:\k88826.exe81⤵PID:4040
-
\??\c:\286266.exec:\286266.exe82⤵PID:4760
-
\??\c:\i826004.exec:\i826004.exe83⤵PID:1884
-
\??\c:\vjjpv.exec:\vjjpv.exe84⤵PID:1668
-
\??\c:\804864.exec:\804864.exe85⤵PID:4948
-
\??\c:\60842.exec:\60842.exe86⤵PID:4796
-
\??\c:\64060.exec:\64060.exe87⤵PID:5028
-
\??\c:\dpddv.exec:\dpddv.exe88⤵PID:3764
-
\??\c:\ppjdv.exec:\ppjdv.exe89⤵PID:2000
-
\??\c:\42280.exec:\42280.exe90⤵
- System Location Discovery: System Language Discovery
PID:3472 -
\??\c:\5thhbh.exec:\5thhbh.exe91⤵PID:2464
-
\??\c:\ppvpp.exec:\ppvpp.exe92⤵PID:3712
-
\??\c:\jdjdd.exec:\jdjdd.exe93⤵PID:2128
-
\??\c:\ntnhhh.exec:\ntnhhh.exe94⤵PID:4452
-
\??\c:\3rfffxx.exec:\3rfffxx.exe95⤵PID:2368
-
\??\c:\lflfrrx.exec:\lflfrrx.exe96⤵PID:4936
-
\??\c:\nhnhbb.exec:\nhnhbb.exe97⤵
- System Location Discovery: System Language Discovery
PID:3668 -
\??\c:\s8866.exec:\s8866.exe98⤵PID:1316
-
\??\c:\040060.exec:\040060.exe99⤵
- System Location Discovery: System Language Discovery
PID:4332 -
\??\c:\nbnbnh.exec:\nbnbnh.exe100⤵PID:2808
-
\??\c:\u624640.exec:\u624640.exe101⤵PID:3244
-
\??\c:\200488.exec:\200488.exe102⤵PID:1732
-
\??\c:\fxfrllf.exec:\fxfrllf.exe103⤵PID:1672
-
\??\c:\bttnhh.exec:\bttnhh.exe104⤵PID:1352
-
\??\c:\040482.exec:\040482.exe105⤵PID:3708
-
\??\c:\vjdpj.exec:\vjdpj.exe106⤵PID:2944
-
\??\c:\480400.exec:\480400.exe107⤵PID:4680
-
\??\c:\btthnt.exec:\btthnt.exe108⤵PID:4216
-
\??\c:\684440.exec:\684440.exe109⤵PID:3516
-
\??\c:\6664662.exec:\6664662.exe110⤵PID:4388
-
\??\c:\00228.exec:\00228.exe111⤵PID:2264
-
\??\c:\frfrfxl.exec:\frfrfxl.exe112⤵PID:4424
-
\??\c:\nnbbtn.exec:\nnbbtn.exe113⤵PID:4252
-
\??\c:\djjjd.exec:\djjjd.exe114⤵PID:1252
-
\??\c:\rlrrllf.exec:\rlrrllf.exe115⤵PID:2976
-
\??\c:\rlrffff.exec:\rlrffff.exe116⤵PID:1836
-
\??\c:\22246.exec:\22246.exe117⤵PID:4692
-
\??\c:\btnbtn.exec:\btnbtn.exe118⤵PID:1068
-
\??\c:\lxfxxxx.exec:\lxfxxxx.exe119⤵PID:508
-
\??\c:\6682688.exec:\6682688.exe120⤵PID:3536
-
\??\c:\i020004.exec:\i020004.exe121⤵PID:3424
-
\??\c:\846482.exec:\846482.exe122⤵PID:4636