Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 07:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f52507f7a75eeb075b26e2258dfc653d54b185ef0658c2fedd4ab8f73317b367.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
f52507f7a75eeb075b26e2258dfc653d54b185ef0658c2fedd4ab8f73317b367.exe
-
Size
454KB
-
MD5
5bf3f682fd3484161bbe2f106cc7e3e2
-
SHA1
81aa8c7cc5771050123dbaf006396a35997d7e51
-
SHA256
f52507f7a75eeb075b26e2258dfc653d54b185ef0658c2fedd4ab8f73317b367
-
SHA512
301797a6faed0b1ca1b9db2935e1d0d49b257759a622d83b8e59992966d28921eead42bf0ab92dbea0b71ff29367f653ef8aaa09585ad8a1f45cc05d27190890
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3096-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5024-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3988-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-914-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-954-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3924-1485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4764 m0666.exe 2228 86402.exe 3112 808822.exe 3896 m8444.exe 3364 880880.exe 4648 28620.exe 4240 nhtthh.exe 668 i026060.exe 4980 826660.exe 3952 644440.exe 4936 9btbhn.exe 532 060202.exe 1948 xxxlflf.exe 4192 4888886.exe 3468 lrrlrfl.exe 2060 nhbbhn.exe 1004 8644880.exe 4312 ddjdd.exe 4520 dpjjj.exe 4888 dvdvj.exe 1440 dvpvv.exe 3988 4260484.exe 4572 btbtnb.exe 4528 84428.exe 4468 00880.exe 5024 vvjdd.exe 3020 8222884.exe 536 88880.exe 344 xlrlrlx.exe 1600 9nttnt.exe 4644 jpppp.exe 2444 660222.exe 1180 62668.exe 1064 42868.exe 376 4208288.exe 3120 006662.exe 3928 622222.exe 456 04268.exe 3132 xxxrrxx.exe 1968 60666.exe 2664 20800.exe 4408 20282.exe 664 0268844.exe 3992 0228486.exe 2888 482024.exe 5104 64682.exe 1032 0824068.exe 1780 jdddd.exe 4376 26884.exe 2248 xlllrrl.exe 2144 rrfxlfr.exe 5060 pvddv.exe 2228 9ppjd.exe 3112 06222.exe 3644 6202446.exe 264 ddppv.exe 2112 rfrxllr.exe 2152 vvvdp.exe 2008 rrffffl.exe 2304 frlffll.exe 380 flfxlff.exe 4224 tttbhb.exe 1132 hnttbb.exe 2928 dvjdp.exe -
resource yara_rule behavioral2/memory/3096-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5024-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-363-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1196-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-682-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6268062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c848444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2028466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6480864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 842020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflrxfl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0000806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8226060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8804444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0268844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3096 wrote to memory of 4764 3096 f52507f7a75eeb075b26e2258dfc653d54b185ef0658c2fedd4ab8f73317b367.exe 83 PID 3096 wrote to memory of 4764 3096 f52507f7a75eeb075b26e2258dfc653d54b185ef0658c2fedd4ab8f73317b367.exe 83 PID 3096 wrote to memory of 4764 3096 f52507f7a75eeb075b26e2258dfc653d54b185ef0658c2fedd4ab8f73317b367.exe 83 PID 4764 wrote to memory of 2228 4764 m0666.exe 84 PID 4764 wrote to memory of 2228 4764 m0666.exe 84 PID 4764 wrote to memory of 2228 4764 m0666.exe 84 PID 2228 wrote to memory of 3112 2228 86402.exe 85 PID 2228 wrote to memory of 3112 2228 86402.exe 85 PID 2228 wrote to memory of 3112 2228 86402.exe 85 PID 3112 wrote to memory of 3896 3112 808822.exe 86 PID 3112 wrote to memory of 3896 3112 808822.exe 86 PID 3112 wrote to memory of 3896 3112 808822.exe 86 PID 3896 wrote to memory of 3364 3896 m8444.exe 87 PID 3896 wrote to memory of 3364 3896 m8444.exe 87 PID 3896 wrote to memory of 3364 3896 m8444.exe 87 PID 3364 wrote to memory of 4648 3364 880880.exe 88 PID 3364 wrote to memory of 4648 3364 880880.exe 88 PID 3364 wrote to memory of 4648 3364 880880.exe 88 PID 4648 wrote to memory of 4240 4648 28620.exe 89 PID 4648 wrote to memory of 4240 4648 28620.exe 89 PID 4648 wrote to memory of 4240 4648 28620.exe 89 PID 4240 wrote to memory of 668 4240 nhtthh.exe 90 PID 4240 wrote to memory of 668 4240 nhtthh.exe 90 PID 4240 wrote to memory of 668 4240 nhtthh.exe 90 PID 668 wrote to memory of 4980 668 i026060.exe 91 PID 668 wrote to memory of 4980 668 i026060.exe 91 PID 668 wrote to memory of 4980 668 i026060.exe 91 PID 4980 wrote to memory of 3952 4980 826660.exe 92 PID 4980 wrote to memory of 3952 4980 826660.exe 92 PID 4980 wrote to memory of 3952 4980 826660.exe 92 PID 3952 wrote to memory of 4936 3952 644440.exe 93 PID 3952 wrote to memory of 4936 3952 644440.exe 93 PID 3952 wrote to memory of 4936 3952 644440.exe 93 PID 4936 wrote to memory of 532 4936 9btbhn.exe 94 PID 4936 wrote to memory of 532 4936 
9btbhn.exe 94 PID 4936 wrote to memory of 532 4936 9btbhn.exe 94 PID 532 wrote to memory of 1948 532 060202.exe 95 PID 532 wrote to memory of 1948 532 060202.exe 95 PID 532 wrote to memory of 1948 532 060202.exe 95 PID 1948 wrote to memory of 4192 1948 xxxlflf.exe 96 PID 1948 wrote to memory of 4192 1948 xxxlflf.exe 96 PID 1948 wrote to memory of 4192 1948 xxxlflf.exe 96 PID 4192 wrote to memory of 3468 4192 4888886.exe 97 PID 4192 wrote to memory of 3468 4192 4888886.exe 97 PID 4192 wrote to memory of 3468 4192 4888886.exe 97 PID 3468 wrote to memory of 2060 3468 lrrlrfl.exe 98 PID 3468 wrote to memory of 2060 3468 lrrlrfl.exe 98 PID 3468 wrote to memory of 2060 3468 lrrlrfl.exe 98 PID 2060 wrote to memory of 1004 2060 nhbbhn.exe 99 PID 2060 wrote to memory of 1004 2060 nhbbhn.exe 99 PID 2060 wrote to memory of 1004 2060 nhbbhn.exe 99 PID 1004 wrote to memory of 4312 1004 8644880.exe 100 PID 1004 wrote to memory of 4312 1004 8644880.exe 100 PID 1004 wrote to memory of 4312 1004 8644880.exe 100 PID 4312 wrote to memory of 4520 4312 ddjdd.exe 101 PID 4312 wrote to memory of 4520 4312 ddjdd.exe 101 PID 4312 wrote to memory of 4520 4312 ddjdd.exe 101 PID 4520 wrote to memory of 4888 4520 dpjjj.exe 102 PID 4520 wrote to memory of 4888 4520 dpjjj.exe 102 PID 4520 wrote to memory of 4888 4520 dpjjj.exe 102 PID 4888 wrote to memory of 1440 4888 dvdvj.exe 103 PID 4888 wrote to memory of 1440 4888 dvdvj.exe 103 PID 4888 wrote to memory of 1440 4888 dvdvj.exe 103 PID 1440 wrote to memory of 3988 1440 dvpvv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f52507f7a75eeb075b26e2258dfc653d54b185ef0658c2fedd4ab8f73317b367.exe"C:\Users\Admin\AppData\Local\Temp\f52507f7a75eeb075b26e2258dfc653d54b185ef0658c2fedd4ab8f73317b367.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\m0666.exec:\m0666.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\86402.exec:\86402.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\808822.exec:\808822.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\m8444.exec:\m8444.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\880880.exec:\880880.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
\??\c:\28620.exec:\28620.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\nhtthh.exec:\nhtthh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\i026060.exec:\i026060.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\826660.exec:\826660.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\644440.exec:\644440.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\9btbhn.exec:\9btbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\060202.exec:\060202.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\xxxlflf.exec:\xxxlflf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\4888886.exec:\4888886.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\lrrlrfl.exec:\lrrlrfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\nhbbhn.exec:\nhbbhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\8644880.exec:\8644880.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\ddjdd.exec:\ddjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\dpjjj.exec:\dpjjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\dvdvj.exec:\dvdvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\dvpvv.exec:\dvpvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\4260484.exec:\4260484.exe23⤵
- Executes dropped EXE
PID:3988 -
\??\c:\btbtnb.exec:\btbtnb.exe24⤵
- Executes dropped EXE
PID:4572 -
\??\c:\84428.exec:\84428.exe25⤵
- Executes dropped EXE
PID:4528 -
\??\c:\00880.exec:\00880.exe26⤵
- Executes dropped EXE
PID:4468 -
\??\c:\vvjdd.exec:\vvjdd.exe27⤵
- Executes dropped EXE
PID:5024 -
\??\c:\8222884.exec:\8222884.exe28⤵
- Executes dropped EXE
PID:3020 -
\??\c:\88880.exec:\88880.exe29⤵
- Executes dropped EXE
PID:536 -
\??\c:\xlrlrlx.exec:\xlrlrlx.exe30⤵
- Executes dropped EXE
PID:344 -
\??\c:\9nttnt.exec:\9nttnt.exe31⤵
- Executes dropped EXE
PID:1600 -
\??\c:\jpppp.exec:\jpppp.exe32⤵
- Executes dropped EXE
PID:4644 -
\??\c:\660222.exec:\660222.exe33⤵
- Executes dropped EXE
PID:2444 -
\??\c:\62668.exec:\62668.exe34⤵
- Executes dropped EXE
PID:1180 -
\??\c:\42868.exec:\42868.exe35⤵
- Executes dropped EXE
PID:1064 -
\??\c:\4208288.exec:\4208288.exe36⤵
- Executes dropped EXE
PID:376 -
\??\c:\006662.exec:\006662.exe37⤵
- Executes dropped EXE
PID:3120 -
\??\c:\622222.exec:\622222.exe38⤵
- Executes dropped EXE
PID:3928 -
\??\c:\04268.exec:\04268.exe39⤵
- Executes dropped EXE
PID:456 -
\??\c:\xxxrrxx.exec:\xxxrrxx.exe40⤵
- Executes dropped EXE
PID:3132 -
\??\c:\60666.exec:\60666.exe41⤵
- Executes dropped EXE
PID:1968 -
\??\c:\20800.exec:\20800.exe42⤵
- Executes dropped EXE
PID:2664 -
\??\c:\20282.exec:\20282.exe43⤵
- Executes dropped EXE
PID:4408 -
\??\c:\0268844.exec:\0268844.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:664 -
\??\c:\0228486.exec:\0228486.exe45⤵
- Executes dropped EXE
PID:3992 -
\??\c:\482024.exec:\482024.exe46⤵
- Executes dropped EXE
PID:2888 -
\??\c:\64682.exec:\64682.exe47⤵
- Executes dropped EXE
PID:5104 -
\??\c:\0824068.exec:\0824068.exe48⤵
- Executes dropped EXE
PID:1032 -
\??\c:\jdddd.exec:\jdddd.exe49⤵
- Executes dropped EXE
PID:1780 -
\??\c:\26884.exec:\26884.exe50⤵
- Executes dropped EXE
PID:4376 -
\??\c:\xlllrrl.exec:\xlllrrl.exe51⤵
- Executes dropped EXE
PID:2248 -
\??\c:\rrfxlfr.exec:\rrfxlfr.exe52⤵
- Executes dropped EXE
PID:2144 -
\??\c:\pvddv.exec:\pvddv.exe53⤵
- Executes dropped EXE
PID:5060 -
\??\c:\9ppjd.exec:\9ppjd.exe54⤵
- Executes dropped EXE
PID:2228 -
\??\c:\06222.exec:\06222.exe55⤵
- Executes dropped EXE
PID:3112 -
\??\c:\6202446.exec:\6202446.exe56⤵
- Executes dropped EXE
PID:3644 -
\??\c:\ddppv.exec:\ddppv.exe57⤵
- Executes dropped EXE
PID:264 -
\??\c:\rfrxllr.exec:\rfrxllr.exe58⤵
- Executes dropped EXE
PID:2112 -
\??\c:\vvvdp.exec:\vvvdp.exe59⤵
- Executes dropped EXE
PID:2152 -
\??\c:\rrffffl.exec:\rrffffl.exe60⤵
- Executes dropped EXE
PID:2008 -
\??\c:\frlffll.exec:\frlffll.exe61⤵
- Executes dropped EXE
PID:2304 -
\??\c:\flfxlff.exec:\flfxlff.exe62⤵
- Executes dropped EXE
PID:380 -
\??\c:\tttbhb.exec:\tttbhb.exe63⤵
- Executes dropped EXE
PID:4224 -
\??\c:\hnttbb.exec:\hnttbb.exe64⤵
- Executes dropped EXE
PID:1132 -
\??\c:\dvjdp.exec:\dvjdp.exe65⤵
- Executes dropped EXE
PID:2928 -
\??\c:\228888.exec:\228888.exe66⤵PID:1328
-
\??\c:\flrxxff.exec:\flrxxff.exe67⤵PID:532
-
\??\c:\nhbtbh.exec:\nhbtbh.exe68⤵PID:1928
-
\??\c:\240000.exec:\240000.exe69⤵PID:1540
-
\??\c:\llfllfr.exec:\llfllfr.exe70⤵PID:3648
-
\??\c:\rxrxfxl.exec:\rxrxfxl.exe71⤵PID:4480
-
\??\c:\bhnnnn.exec:\bhnnnn.exe72⤵PID:3468
-
\??\c:\vvpjv.exec:\vvpjv.exe73⤵PID:3168
-
\??\c:\60666.exec:\60666.exe74⤵PID:3608
-
\??\c:\tthhhh.exec:\tthhhh.exe75⤵PID:2264
-
\??\c:\280044.exec:\280044.exe76⤵PID:2376
-
\??\c:\xfrfxxx.exec:\xfrfxxx.exe77⤵PID:4520
-
\??\c:\2422666.exec:\2422666.exe78⤵PID:2432
-
\??\c:\a6222.exec:\a6222.exe79⤵PID:4888
-
\??\c:\ddjjj.exec:\ddjjj.exe80⤵
- System Location Discovery: System Language Discovery
PID:1676 -
\??\c:\2648800.exec:\2648800.exe81⤵PID:4784
-
\??\c:\66828.exec:\66828.exe82⤵PID:3988
-
\??\c:\28684.exec:\28684.exe83⤵PID:900
-
\??\c:\lfllrrx.exec:\lfllrrx.exe84⤵PID:4620
-
\??\c:\fxxxrlx.exec:\fxxxrlx.exe85⤵PID:5052
-
\??\c:\06888.exec:\06888.exe86⤵PID:4468
-
\??\c:\2066260.exec:\2066260.exe87⤵PID:4228
-
\??\c:\ffrrrxx.exec:\ffrrrxx.exe88⤵PID:4516
-
\??\c:\vddvv.exec:\vddvv.exe89⤵PID:3020
-
\??\c:\6882048.exec:\6882048.exe90⤵PID:4060
-
\??\c:\224444.exec:\224444.exe91⤵PID:404
-
\??\c:\nbnntt.exec:\nbnntt.exe92⤵PID:5072
-
\??\c:\2802024.exec:\2802024.exe93⤵PID:1196
-
\??\c:\ddpvj.exec:\ddpvj.exe94⤵PID:4132
-
\??\c:\nnnhbh.exec:\nnnhbh.exe95⤵PID:5084
-
\??\c:\020406.exec:\020406.exe96⤵PID:1620
-
\??\c:\rffxfff.exec:\rffxfff.exe97⤵PID:2036
-
\??\c:\llllrrr.exec:\llllrrr.exe98⤵PID:4168
-
\??\c:\62804.exec:\62804.exe99⤵PID:4844
-
\??\c:\03jppd.exec:\03jppd.exe100⤵PID:1772
-
\??\c:\jjpdj.exec:\jjpdj.exe101⤵PID:2412
-
\??\c:\688488.exec:\688488.exe102⤵PID:456
-
\??\c:\42882.exec:\42882.exe103⤵PID:3432
-
\??\c:\804048.exec:\804048.exe104⤵PID:2764
-
\??\c:\26882.exec:\26882.exe105⤵PID:1792
-
\??\c:\04048.exec:\04048.exe106⤵PID:3388
-
\??\c:\9ffffll.exec:\9ffffll.exe107⤵PID:2092
-
\??\c:\64042.exec:\64042.exe108⤵PID:2644
-
\??\c:\m6226.exec:\m6226.exe109⤵PID:3656
-
\??\c:\842880.exec:\842880.exe110⤵PID:5104
-
\??\c:\pjvvv.exec:\pjvvv.exe111⤵PID:4328
-
\??\c:\vpjvv.exec:\vpjvv.exe112⤵PID:4704
-
\??\c:\rlrrrrf.exec:\rlrrrrf.exe113⤵PID:2884
-
\??\c:\dpjvp.exec:\dpjvp.exe114⤵PID:2248
-
\??\c:\02460.exec:\02460.exe115⤵PID:2120
-
\??\c:\8226448.exec:\8226448.exe116⤵PID:5060
-
\??\c:\6600600.exec:\6600600.exe117⤵PID:2228
-
\??\c:\pjpjd.exec:\pjpjd.exe118⤵PID:3112
-
\??\c:\02204.exec:\02204.exe119⤵PID:3644
-
\??\c:\5vjjj.exec:\5vjjj.exe120⤵PID:4648
-
\??\c:\6060062.exec:\6060062.exe121⤵PID:4456
-
\??\c:\4424646.exec:\4424646.exe122⤵PID:1768