Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 08:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe
-
Size
456KB
-
MD5
879edf229a3ad8d1bd495ee5144949c4
-
SHA1
c016fedda18e1a7bd17e50beecb3e16447901e72
-
SHA256
858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397
-
SHA512
b46534caf4c14742000ecef02f7a14f574a060d3a2cbaa4455df966080a51450c684322814de035afa7d1a7af8d231e56efc9bd0d055cada9e511ffc6276497d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRM:q7Tc2NYHUrAwfMp3CDRM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1160-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2580-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2876-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-768-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-894-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-1084-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-1206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-1462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1160 444248.exe 4360 642428.exe 3400 7nhbhb.exe 4692 rlfrlxr.exe 1840 ffflfxx.exe 4560 e00426.exe 1392 406604.exe 1996 646426.exe 3568 406082.exe 3832 288486.exe 628 8444888.exe 4588 80600.exe 4016 a6222.exe 1512 djvpp.exe 4084 1fffrxx.exe 3976 vvjjj.exe 1756 g0660.exe 4256 1ppjj.exe 868 644260.exe 2744 ppdvv.exe 1340 9pjjd.exe 4324 28846.exe 2856 q46000.exe 3828 22642.exe 4860 rlrxxfl.exe 412 806628.exe 3540 e28844.exe 1888 02888.exe 4732 bbnnbt.exe 4876 nbbbtn.exe 3416 606060.exe 2580 lrflrlx.exe 2188 nnhbtt.exe 4788 nhnhhb.exe 964 djppj.exe 2776 8260488.exe 2176 s4604.exe 836 3rrllll.exe 1940 4280826.exe 1708 bbbtnt.exe 4164 800444.exe 1060 3rxlxxr.exe 4984 jjddj.exe 2052 xrxxffl.exe 1096 ddpjv.exe 808 686206.exe 3632 hntthh.exe 1260 m6860.exe 2364 1tnnhn.exe 2292 e82806.exe 4904 824400.exe 3400 44600.exe 2028 4006228.exe 2852 6208004.exe 5064 lfrrrrr.exe 1472 1jpvv.exe 212 bnnhhn.exe 1392 a8482.exe 3572 9vvjj.exe 3944 lxfxrrl.exe 764 4860280.exe 1952 20046.exe 3464 3djpj.exe 628 hhthtn.exe -
resource yara_rule behavioral2/memory/1160-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-194-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2776-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-404-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5056-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-768-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-894-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-979-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2404444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 066600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4280826.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 224 wrote to memory of 1160 224 858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe 83 PID 224 wrote to memory of 1160 224 858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe 83 PID 224 wrote to memory of 1160 224 858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe 83 PID 1160 wrote to memory of 4360 1160 444248.exe 84 PID 1160 wrote to memory of 4360 1160 444248.exe 84 PID 1160 wrote to memory of 4360 1160 444248.exe 84 PID 4360 wrote to memory of 3400 4360 642428.exe 85 PID 4360 wrote to memory of 3400 4360 642428.exe 85 PID 4360 wrote to memory of 3400 4360 642428.exe 85 PID 3400 wrote to memory of 4692 3400 7nhbhb.exe 86 PID 3400 wrote to memory of 4692 3400 7nhbhb.exe 86 PID 3400 wrote to memory of 4692 3400 7nhbhb.exe 86 PID 4692 wrote to memory of 1840 4692 rlfrlxr.exe 87 PID 4692 wrote to memory of 1840 4692 rlfrlxr.exe 87 PID 4692 wrote to memory of 1840 4692 rlfrlxr.exe 87 PID 1840 wrote to memory of 4560 1840 ffflfxx.exe 88 PID 1840 wrote to memory of 4560 1840 ffflfxx.exe 88 PID 1840 wrote to memory of 4560 1840 ffflfxx.exe 88 PID 4560 wrote to memory of 1392 4560 e00426.exe 89 PID 4560 wrote to memory of 1392 4560 e00426.exe 89 PID 4560 wrote to memory of 1392 4560 e00426.exe 89 PID 1392 wrote to memory of 1996 1392 406604.exe 90 PID 1392 wrote to memory of 1996 1392 406604.exe 90 PID 1392 wrote to memory of 1996 1392 406604.exe 90 PID 1996 wrote to memory of 3568 1996 646426.exe 91 PID 1996 wrote to memory of 3568 1996 646426.exe 91 PID 1996 wrote to memory of 3568 1996 646426.exe 91 PID 3568 wrote to memory of 3832 3568 406082.exe 92 PID 3568 wrote to memory of 3832 3568 406082.exe 92 PID 3568 wrote to memory of 3832 3568 406082.exe 92 PID 3832 wrote to memory of 628 3832 288486.exe 93 PID 3832 wrote to memory of 628 3832 288486.exe 93 PID 3832 wrote to memory of 628 3832 288486.exe 93 PID 628 wrote to memory of 4588 628 8444888.exe 94 PID 628 wrote to memory 
of 4588 628 8444888.exe 94 PID 628 wrote to memory of 4588 628 8444888.exe 94 PID 4588 wrote to memory of 4016 4588 80600.exe 95 PID 4588 wrote to memory of 4016 4588 80600.exe 95 PID 4588 wrote to memory of 4016 4588 80600.exe 95 PID 4016 wrote to memory of 1512 4016 a6222.exe 96 PID 4016 wrote to memory of 1512 4016 a6222.exe 96 PID 4016 wrote to memory of 1512 4016 a6222.exe 96 PID 1512 wrote to memory of 4084 1512 djvpp.exe 97 PID 1512 wrote to memory of 4084 1512 djvpp.exe 97 PID 1512 wrote to memory of 4084 1512 djvpp.exe 97 PID 4084 wrote to memory of 3976 4084 1fffrxx.exe 98 PID 4084 wrote to memory of 3976 4084 1fffrxx.exe 98 PID 4084 wrote to memory of 3976 4084 1fffrxx.exe 98 PID 3976 wrote to memory of 1756 3976 vvjjj.exe 99 PID 3976 wrote to memory of 1756 3976 vvjjj.exe 99 PID 3976 wrote to memory of 1756 3976 vvjjj.exe 99 PID 1756 wrote to memory of 4256 1756 g0660.exe 100 PID 1756 wrote to memory of 4256 1756 g0660.exe 100 PID 1756 wrote to memory of 4256 1756 g0660.exe 100 PID 4256 wrote to memory of 868 4256 1ppjj.exe 101 PID 4256 wrote to memory of 868 4256 1ppjj.exe 101 PID 4256 wrote to memory of 868 4256 1ppjj.exe 101 PID 868 wrote to memory of 2744 868 644260.exe 102 PID 868 wrote to memory of 2744 868 644260.exe 102 PID 868 wrote to memory of 2744 868 644260.exe 102 PID 2744 wrote to memory of 1340 2744 ppdvv.exe 103 PID 2744 wrote to memory of 1340 2744 ppdvv.exe 103 PID 2744 wrote to memory of 1340 2744 ppdvv.exe 103 PID 1340 wrote to memory of 4324 1340 9pjjd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe"C:\Users\Admin\AppData\Local\Temp\858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\444248.exec:\444248.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\642428.exec:\642428.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\7nhbhb.exec:\7nhbhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\rlfrlxr.exec:\rlfrlxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\ffflfxx.exec:\ffflfxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\e00426.exec:\e00426.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\406604.exec:\406604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\646426.exec:\646426.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\406082.exec:\406082.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\288486.exec:\288486.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\8444888.exec:\8444888.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\80600.exec:\80600.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\a6222.exec:\a6222.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\djvpp.exec:\djvpp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\1fffrxx.exec:\1fffrxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\vvjjj.exec:\vvjjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\g0660.exec:\g0660.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\1ppjj.exec:\1ppjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\644260.exec:\644260.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\ppdvv.exec:\ppdvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\9pjjd.exec:\9pjjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\28846.exec:\28846.exe23⤵
- Executes dropped EXE
PID:4324 -
\??\c:\q46000.exec:\q46000.exe24⤵
- Executes dropped EXE
PID:2856 -
\??\c:\22642.exec:\22642.exe25⤵
- Executes dropped EXE
PID:3828 -
\??\c:\rlrxxfl.exec:\rlrxxfl.exe26⤵
- Executes dropped EXE
PID:4860 -
\??\c:\806628.exec:\806628.exe27⤵
- Executes dropped EXE
PID:412 -
\??\c:\e28844.exec:\e28844.exe28⤵
- Executes dropped EXE
PID:3540 -
\??\c:\02888.exec:\02888.exe29⤵
- Executes dropped EXE
PID:1888 -
\??\c:\bbnnbt.exec:\bbnnbt.exe30⤵
- Executes dropped EXE
PID:4732 -
\??\c:\nbbbtn.exec:\nbbbtn.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4876 -
\??\c:\606060.exec:\606060.exe32⤵
- Executes dropped EXE
PID:3416 -
\??\c:\lrflrlx.exec:\lrflrlx.exe33⤵
- Executes dropped EXE
PID:2580 -
\??\c:\nnhbtt.exec:\nnhbtt.exe34⤵
- Executes dropped EXE
PID:2188 -
\??\c:\nhnhhb.exec:\nhnhhb.exe35⤵
- Executes dropped EXE
PID:4788 -
\??\c:\djppj.exec:\djppj.exe36⤵
- Executes dropped EXE
PID:964 -
\??\c:\8260488.exec:\8260488.exe37⤵
- Executes dropped EXE
PID:2776 -
\??\c:\s4604.exec:\s4604.exe38⤵
- Executes dropped EXE
PID:2176 -
\??\c:\3rrllll.exec:\3rrllll.exe39⤵
- Executes dropped EXE
PID:836 -
\??\c:\4280826.exec:\4280826.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1940 -
\??\c:\bbbtnt.exec:\bbbtnt.exe41⤵
- Executes dropped EXE
PID:1708 -
\??\c:\800444.exec:\800444.exe42⤵
- Executes dropped EXE
PID:4164 -
\??\c:\3rxlxxr.exec:\3rxlxxr.exe43⤵
- Executes dropped EXE
PID:1060 -
\??\c:\jjddj.exec:\jjddj.exe44⤵
- Executes dropped EXE
PID:4984 -
\??\c:\xrxxffl.exec:\xrxxffl.exe45⤵
- Executes dropped EXE
PID:2052 -
\??\c:\ddpjv.exec:\ddpjv.exe46⤵
- Executes dropped EXE
PID:1096 -
\??\c:\686206.exec:\686206.exe47⤵
- Executes dropped EXE
PID:808 -
\??\c:\hntthh.exec:\hntthh.exe48⤵
- Executes dropped EXE
PID:3632 -
\??\c:\m6860.exec:\m6860.exe49⤵
- Executes dropped EXE
PID:1260 -
\??\c:\1tnnhn.exec:\1tnnhn.exe50⤵
- Executes dropped EXE
PID:2364 -
\??\c:\e82806.exec:\e82806.exe51⤵
- Executes dropped EXE
PID:2292 -
\??\c:\824400.exec:\824400.exe52⤵
- Executes dropped EXE
PID:4904 -
\??\c:\44600.exec:\44600.exe53⤵
- Executes dropped EXE
PID:3400 -
\??\c:\4006228.exec:\4006228.exe54⤵
- Executes dropped EXE
PID:2028 -
\??\c:\6208004.exec:\6208004.exe55⤵
- Executes dropped EXE
PID:2852 -
\??\c:\lfrrrrr.exec:\lfrrrrr.exe56⤵
- Executes dropped EXE
PID:5064 -
\??\c:\1jpvv.exec:\1jpvv.exe57⤵
- Executes dropped EXE
PID:1472 -
\??\c:\bnnhhn.exec:\bnnhhn.exe58⤵
- Executes dropped EXE
PID:212 -
\??\c:\a8482.exec:\a8482.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1392 -
\??\c:\9vvjj.exec:\9vvjj.exe60⤵
- Executes dropped EXE
PID:3572 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe61⤵
- Executes dropped EXE
PID:3944 -
\??\c:\4860280.exec:\4860280.exe62⤵
- Executes dropped EXE
PID:764 -
\??\c:\20046.exec:\20046.exe63⤵
- Executes dropped EXE
PID:1952 -
\??\c:\3djpj.exec:\3djpj.exe64⤵
- Executes dropped EXE
PID:3464 -
\??\c:\hhthtn.exec:\hhthtn.exe65⤵
- Executes dropped EXE
PID:628 -
\??\c:\lrrlxrf.exec:\lrrlxrf.exe66⤵PID:4048
-
\??\c:\a6648.exec:\a6648.exe67⤵PID:2436
-
\??\c:\s4082.exec:\s4082.exe68⤵PID:4696
-
\??\c:\ttbbbh.exec:\ttbbbh.exe69⤵PID:3528
-
\??\c:\nnbnht.exec:\nnbnht.exe70⤵PID:4356
-
\??\c:\pdjdv.exec:\pdjdv.exe71⤵PID:1116
-
\??\c:\802604.exec:\802604.exe72⤵PID:2124
-
\??\c:\2008608.exec:\2008608.exe73⤵PID:2164
-
\??\c:\jvvjv.exec:\jvvjv.exe74⤵
- System Location Discovery: System Language Discovery
PID:2056 -
\??\c:\22448.exec:\22448.exe75⤵PID:868
-
\??\c:\xllxrlf.exec:\xllxrlf.exe76⤵PID:4428
-
\??\c:\q40440.exec:\q40440.exe77⤵PID:700
-
\??\c:\1bhbbb.exec:\1bhbbb.exe78⤵PID:4136
-
\??\c:\8026660.exec:\8026660.exe79⤵PID:3820
-
\??\c:\1hnhbb.exec:\1hnhbb.exe80⤵PID:2876
-
\??\c:\266048.exec:\266048.exe81⤵PID:2224
-
\??\c:\080808.exec:\080808.exe82⤵PID:2724
-
\??\c:\3hbhtt.exec:\3hbhtt.exe83⤵PID:3596
-
\??\c:\jvpdv.exec:\jvpdv.exe84⤵PID:4040
-
\??\c:\42264.exec:\42264.exe85⤵PID:4400
-
\??\c:\w44260.exec:\w44260.exe86⤵PID:4420
-
\??\c:\xxfxrlf.exec:\xxfxrlf.exe87⤵PID:4852
-
\??\c:\6484264.exec:\6484264.exe88⤵PID:2040
-
\??\c:\3bbtnn.exec:\3bbtnn.exe89⤵PID:2988
-
\??\c:\thnbht.exec:\thnbht.exe90⤵PID:2276
-
\??\c:\m2808.exec:\m2808.exe91⤵PID:1456
-
\??\c:\082008.exec:\082008.exe92⤵PID:2728
-
\??\c:\7ppjp.exec:\7ppjp.exe93⤵PID:4996
-
\??\c:\8826442.exec:\8826442.exe94⤵PID:3936
-
\??\c:\888200.exec:\888200.exe95⤵PID:4364
-
\??\c:\9xxlxxr.exec:\9xxlxxr.exe96⤵PID:3856
-
\??\c:\vpvpd.exec:\vpvpd.exe97⤵PID:2980
-
\??\c:\g4222.exec:\g4222.exe98⤵PID:4980
-
\??\c:\tnnhbb.exec:\tnnhbb.exe99⤵PID:1752
-
\??\c:\dvdvv.exec:\dvdvv.exe100⤵PID:5056
-
\??\c:\bnnbnh.exec:\bnnbnh.exe101⤵PID:4956
-
\??\c:\dddpd.exec:\dddpd.exe102⤵PID:1740
-
\??\c:\5vdvp.exec:\5vdvp.exe103⤵
- System Location Discovery: System Language Discovery
PID:2132 -
\??\c:\8260660.exec:\8260660.exe104⤵PID:3228
-
\??\c:\9rlfrrl.exec:\9rlfrrl.exe105⤵
- System Location Discovery: System Language Discovery
PID:116 -
\??\c:\rlrllll.exec:\rlrllll.exe106⤵PID:1096
-
\??\c:\3thbtt.exec:\3thbtt.exe107⤵PID:4492
-
\??\c:\3flxrrf.exec:\3flxrrf.exe108⤵PID:884
-
\??\c:\1rlfxrl.exec:\1rlfxrl.exe109⤵PID:3360
-
\??\c:\00464.exec:\00464.exe110⤵PID:224
-
\??\c:\682200.exec:\682200.exe111⤵PID:2260
-
\??\c:\nbhtnh.exec:\nbhtnh.exe112⤵PID:3484
-
\??\c:\42864.exec:\42864.exe113⤵PID:5116
-
\??\c:\644240.exec:\644240.exe114⤵PID:5044
-
\??\c:\4882664.exec:\4882664.exe115⤵PID:2028
-
\??\c:\002082.exec:\002082.exe116⤵PID:1840
-
\??\c:\o044864.exec:\o044864.exe117⤵PID:1720
-
\??\c:\e46488.exec:\e46488.exe118⤵PID:4992
-
\??\c:\pddjv.exec:\pddjv.exe119⤵PID:1920
-
\??\c:\xxxfxrf.exec:\xxxfxrf.exe120⤵PID:740
-
\??\c:\28426.exec:\28426.exe121⤵PID:1676
-
\??\c:\4404260.exec:\4404260.exe122⤵PID:3476