Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 09:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
de80eb1a5237295f3470a983c96c6e790107c00c10204a870c4021cc40771a16N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
de80eb1a5237295f3470a983c96c6e790107c00c10204a870c4021cc40771a16N.exe
-
Size
456KB
-
MD5
467c8d79b7e1458e481cb453762c2c90
-
SHA1
2e344d10c8d93c56b9d68af32c50712ecb37d3ef
-
SHA256
de80eb1a5237295f3470a983c96c6e790107c00c10204a870c4021cc40771a16
-
SHA512
ae4a723bc418083fb5cf19e7e3872ffbcb1717c21b0ace778741491aca06af9320b756806eebd07d83c5ce84db23ed6b47c09d80c6c8775c9f975e199775e7b9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRG:q7Tc2NYHUrAwfMp3CDRG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2980-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1824-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/972-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-860-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-1204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-1520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1592-1924-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1584 5pdpd.exe 3292 1vpdv.exe 3760 46686.exe 4940 9ppdp.exe 2320 22866.exe 1944 600600.exe 760 260246.exe 1368 xxlfxfr.exe 2096 lrxxfff.exe 3448 xfrfxxr.exe 1020 220404.exe 860 06260.exe 920 848048.exe 3092 0448226.exe 4180 04486.exe 2224 bnhtbb.exe 5084 xfffrfr.exe 1868 062608.exe 4468 q02222.exe 1164 vdjdd.exe 2220 600460.exe 852 7hhbnt.exe 1824 606004.exe 3540 vvvvd.exe 3524 ffffxxx.exe 4776 vvvjd.exe 964 nhttnb.exe 4560 9hhbbb.exe 2128 9pvpp.exe 2384 xxfrllf.exe 5108 0088826.exe 1260 bbnbht.exe 216 062262.exe 452 8642222.exe 4052 pjjdp.exe 1060 44860.exe 1208 rlrllfl.exe 1608 8208882.exe 3612 648624.exe 1264 0408266.exe 3772 0608260.exe 4484 08262.exe 4828 pjdvd.exe 3456 7djdv.exe 1740 482686.exe 2436 pjjdv.exe 4184 0682480.exe 3408 rlxrlfx.exe 4680 pddpp.exe 4544 nhnhtn.exe 3112 rxfxrrr.exe 4576 48444.exe 3340 c408226.exe 4464 2468480.exe 552 g4044.exe 4844 nhhbnn.exe 5048 tnhbtt.exe 3588 hhnnhb.exe 3264 e66204.exe 3988 0884220.exe 972 222004.exe 2252 fffrrll.exe 716 nbnnhh.exe 1820 1jpjd.exe -
resource yara_rule behavioral2/memory/2980-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-129-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/852-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-276-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3264-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-553-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k42868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8442608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e66204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2644040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i020222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4282604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2980 wrote to memory of 1584 2980 de80eb1a5237295f3470a983c96c6e790107c00c10204a870c4021cc40771a16N.exe 83 PID 2980 wrote to memory of 1584 2980 de80eb1a5237295f3470a983c96c6e790107c00c10204a870c4021cc40771a16N.exe 83 PID 2980 wrote to memory of 1584 2980 de80eb1a5237295f3470a983c96c6e790107c00c10204a870c4021cc40771a16N.exe 83 PID 1584 wrote to memory of 3292 1584 5pdpd.exe 84 PID 1584 wrote to memory of 3292 1584 5pdpd.exe 84 PID 1584 wrote to memory of 3292 1584 5pdpd.exe 84 PID 3292 wrote to memory of 3760 3292 1vpdv.exe 85 PID 3292 wrote to memory of 3760 3292 1vpdv.exe 85 PID 3292 wrote to memory of 3760 3292 1vpdv.exe 85 PID 3760 wrote to memory of 4940 3760 46686.exe 86 PID 3760 wrote to memory of 4940 3760 46686.exe 86 PID 3760 wrote to memory of 4940 3760 46686.exe 86 PID 4940 wrote to memory of 2320 4940 9ppdp.exe 87 PID 4940 wrote to memory of 2320 4940 9ppdp.exe 87 PID 4940 wrote to memory of 2320 4940 9ppdp.exe 87 PID 2320 wrote to memory of 1944 2320 22866.exe 88 PID 2320 wrote to memory of 1944 2320 22866.exe 88 PID 2320 wrote to memory of 1944 2320 22866.exe 88 PID 1944 wrote to memory of 760 1944 600600.exe 89 PID 1944 wrote to memory of 760 1944 600600.exe 89 PID 1944 wrote to memory of 760 1944 600600.exe 89 PID 760 wrote to memory of 1368 760 260246.exe 90 PID 760 wrote to memory of 1368 760 260246.exe 90 PID 760 wrote to memory of 1368 760 260246.exe 90 PID 1368 wrote to memory of 2096 1368 xxlfxfr.exe 91 PID 1368 wrote to memory of 2096 1368 xxlfxfr.exe 91 PID 1368 wrote to memory of 2096 1368 xxlfxfr.exe 91 PID 2096 wrote to memory of 3448 2096 lrxxfff.exe 92 PID 2096 wrote to memory of 3448 2096 lrxxfff.exe 92 PID 2096 wrote to memory of 3448 2096 lrxxfff.exe 92 PID 3448 wrote to memory of 1020 3448 xfrfxxr.exe 93 PID 3448 wrote to memory of 1020 3448 xfrfxxr.exe 93 PID 3448 wrote to memory of 1020 3448 xfrfxxr.exe 93 PID 1020 wrote to memory of 860 1020 220404.exe 94 PID 1020 wrote to memory of 860 
1020 220404.exe 94 PID 1020 wrote to memory of 860 1020 220404.exe 94 PID 860 wrote to memory of 920 860 06260.exe 95 PID 860 wrote to memory of 920 860 06260.exe 95 PID 860 wrote to memory of 920 860 06260.exe 95 PID 920 wrote to memory of 3092 920 848048.exe 96 PID 920 wrote to memory of 3092 920 848048.exe 96 PID 920 wrote to memory of 3092 920 848048.exe 96 PID 3092 wrote to memory of 4180 3092 0448226.exe 97 PID 3092 wrote to memory of 4180 3092 0448226.exe 97 PID 3092 wrote to memory of 4180 3092 0448226.exe 97 PID 4180 wrote to memory of 2224 4180 04486.exe 98 PID 4180 wrote to memory of 2224 4180 04486.exe 98 PID 4180 wrote to memory of 2224 4180 04486.exe 98 PID 2224 wrote to memory of 5084 2224 bnhtbb.exe 99 PID 2224 wrote to memory of 5084 2224 bnhtbb.exe 99 PID 2224 wrote to memory of 5084 2224 bnhtbb.exe 99 PID 5084 wrote to memory of 1868 5084 xfffrfr.exe 100 PID 5084 wrote to memory of 1868 5084 xfffrfr.exe 100 PID 5084 wrote to memory of 1868 5084 xfffrfr.exe 100 PID 1868 wrote to memory of 4468 1868 062608.exe 101 PID 1868 wrote to memory of 4468 1868 062608.exe 101 PID 1868 wrote to memory of 4468 1868 062608.exe 101 PID 4468 wrote to memory of 1164 4468 q02222.exe 102 PID 4468 wrote to memory of 1164 4468 q02222.exe 102 PID 4468 wrote to memory of 1164 4468 q02222.exe 102 PID 1164 wrote to memory of 2220 1164 vdjdd.exe 103 PID 1164 wrote to memory of 2220 1164 vdjdd.exe 103 PID 1164 wrote to memory of 2220 1164 vdjdd.exe 103 PID 2220 wrote to memory of 852 2220 600460.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\de80eb1a5237295f3470a983c96c6e790107c00c10204a870c4021cc40771a16N.exe"C:\Users\Admin\AppData\Local\Temp\de80eb1a5237295f3470a983c96c6e790107c00c10204a870c4021cc40771a16N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\5pdpd.exec:\5pdpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\1vpdv.exec:\1vpdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\46686.exec:\46686.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\9ppdp.exec:\9ppdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\22866.exec:\22866.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\600600.exec:\600600.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\260246.exec:\260246.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\xxlfxfr.exec:\xxlfxfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\lrxxfff.exec:\lrxxfff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\xfrfxxr.exec:\xfrfxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\220404.exec:\220404.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\06260.exec:\06260.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\848048.exec:\848048.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\0448226.exec:\0448226.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\04486.exec:\04486.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\bnhtbb.exec:\bnhtbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\xfffrfr.exec:\xfffrfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\062608.exec:\062608.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\q02222.exec:\q02222.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\vdjdd.exec:\vdjdd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\600460.exec:\600460.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\7hhbnt.exec:\7hhbnt.exe23⤵
- Executes dropped EXE
PID:852 -
\??\c:\606004.exec:\606004.exe24⤵
- Executes dropped EXE
PID:1824 -
\??\c:\vvvvd.exec:\vvvvd.exe25⤵
- Executes dropped EXE
PID:3540 -
\??\c:\ffffxxx.exec:\ffffxxx.exe26⤵
- Executes dropped EXE
PID:3524 -
\??\c:\vvvjd.exec:\vvvjd.exe27⤵
- Executes dropped EXE
PID:4776 -
\??\c:\nhttnb.exec:\nhttnb.exe28⤵
- Executes dropped EXE
PID:964 -
\??\c:\9hhbbb.exec:\9hhbbb.exe29⤵
- Executes dropped EXE
PID:4560 -
\??\c:\9pvpp.exec:\9pvpp.exe30⤵
- Executes dropped EXE
PID:2128 -
\??\c:\xxfrllf.exec:\xxfrllf.exe31⤵
- Executes dropped EXE
PID:2384 -
\??\c:\0088826.exec:\0088826.exe32⤵
- Executes dropped EXE
PID:5108 -
\??\c:\bbnbht.exec:\bbnbht.exe33⤵
- Executes dropped EXE
PID:1260 -
\??\c:\062262.exec:\062262.exe34⤵
- Executes dropped EXE
PID:216 -
\??\c:\8642222.exec:\8642222.exe35⤵
- Executes dropped EXE
PID:452 -
\??\c:\pjjdp.exec:\pjjdp.exe36⤵
- Executes dropped EXE
PID:4052 -
\??\c:\44860.exec:\44860.exe37⤵
- Executes dropped EXE
PID:1060 -
\??\c:\rlrllfl.exec:\rlrllfl.exe38⤵
- Executes dropped EXE
PID:1208 -
\??\c:\8208882.exec:\8208882.exe39⤵
- Executes dropped EXE
PID:1608 -
\??\c:\648624.exec:\648624.exe40⤵
- Executes dropped EXE
PID:3612 -
\??\c:\0408266.exec:\0408266.exe41⤵
- Executes dropped EXE
PID:1264 -
\??\c:\0608260.exec:\0608260.exe42⤵
- Executes dropped EXE
PID:3772 -
\??\c:\08262.exec:\08262.exe43⤵
- Executes dropped EXE
PID:4484 -
\??\c:\pjdvd.exec:\pjdvd.exe44⤵
- Executes dropped EXE
PID:4828 -
\??\c:\7djdv.exec:\7djdv.exe45⤵
- Executes dropped EXE
PID:3456 -
\??\c:\482686.exec:\482686.exe46⤵
- Executes dropped EXE
PID:1740 -
\??\c:\pjjdv.exec:\pjjdv.exe47⤵
- Executes dropped EXE
PID:2436 -
\??\c:\0682480.exec:\0682480.exe48⤵
- Executes dropped EXE
PID:4184 -
\??\c:\rlxrlfx.exec:\rlxrlfx.exe49⤵
- Executes dropped EXE
PID:3408 -
\??\c:\pddpp.exec:\pddpp.exe50⤵
- Executes dropped EXE
PID:4680 -
\??\c:\nhnhtn.exec:\nhnhtn.exe51⤵
- Executes dropped EXE
PID:4544 -
\??\c:\rxfxrrr.exec:\rxfxrrr.exe52⤵
- Executes dropped EXE
PID:3112 -
\??\c:\48444.exec:\48444.exe53⤵
- Executes dropped EXE
PID:4576 -
\??\c:\c408226.exec:\c408226.exe54⤵
- Executes dropped EXE
PID:3340 -
\??\c:\2468480.exec:\2468480.exe55⤵
- Executes dropped EXE
PID:4464 -
\??\c:\g4044.exec:\g4044.exe56⤵
- Executes dropped EXE
PID:552 -
\??\c:\nhhbnn.exec:\nhhbnn.exe57⤵
- Executes dropped EXE
PID:4844 -
\??\c:\tnhbtt.exec:\tnhbtt.exe58⤵
- Executes dropped EXE
PID:5048 -
\??\c:\hhnnhb.exec:\hhnnhb.exe59⤵
- Executes dropped EXE
PID:3588 -
\??\c:\e66204.exec:\e66204.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3264 -
\??\c:\0884220.exec:\0884220.exe61⤵
- Executes dropped EXE
PID:3988 -
\??\c:\222004.exec:\222004.exe62⤵
- Executes dropped EXE
PID:972 -
\??\c:\fffrrll.exec:\fffrrll.exe63⤵
- Executes dropped EXE
PID:2252 -
\??\c:\nbnnhh.exec:\nbnnhh.exe64⤵
- Executes dropped EXE
PID:716 -
\??\c:\1jpjd.exec:\1jpjd.exe65⤵
- Executes dropped EXE
PID:1820 -
\??\c:\0020408.exec:\0020408.exe66⤵PID:4980
-
\??\c:\2682604.exec:\2682604.exe67⤵PID:2136
-
\??\c:\dvvvp.exec:\dvvvp.exe68⤵PID:3684
-
\??\c:\0626022.exec:\0626022.exe69⤵PID:3204
-
\??\c:\nnttnt.exec:\nnttnt.exe70⤵PID:4652
-
\??\c:\48666.exec:\48666.exe71⤵PID:3092
-
\??\c:\4880888.exec:\4880888.exe72⤵PID:4744
-
\??\c:\fllfrlf.exec:\fllfrlf.exe73⤵PID:3584
-
\??\c:\88604.exec:\88604.exe74⤵PID:1860
-
\??\c:\rfrfrlx.exec:\rfrfrlx.exe75⤵PID:2704
-
\??\c:\8664860.exec:\8664860.exe76⤵PID:2988
-
\??\c:\2828024.exec:\2828024.exe77⤵PID:2024
-
\??\c:\k42868.exec:\k42868.exe78⤵
- System Location Discovery: System Language Discovery
PID:4092 -
\??\c:\ppjvp.exec:\ppjvp.exe79⤵
- System Location Discovery: System Language Discovery
PID:3756 -
\??\c:\nhhthb.exec:\nhhthb.exe80⤵PID:4340
-
\??\c:\444264.exec:\444264.exe81⤵PID:4488
-
\??\c:\402666.exec:\402666.exe82⤵PID:1284
-
\??\c:\fxllffx.exec:\fxllffx.exe83⤵PID:3144
-
\??\c:\hnbbbb.exec:\hnbbbb.exe84⤵PID:2820
-
\??\c:\vppjd.exec:\vppjd.exe85⤵PID:3428
-
\??\c:\llxrxxx.exec:\llxrxxx.exe86⤵PID:4924
-
\??\c:\640866.exec:\640866.exe87⤵PID:3712
-
\??\c:\rxfrrlf.exec:\rxfrrlf.exe88⤵
- System Location Discovery: System Language Discovery
PID:3928 -
\??\c:\888266.exec:\888266.exe89⤵PID:4560
-
\??\c:\djjpd.exec:\djjpd.exe90⤵PID:664
-
\??\c:\o440484.exec:\o440484.exe91⤵PID:5016
-
\??\c:\bhbthb.exec:\bhbthb.exe92⤵PID:4772
-
\??\c:\jvvjv.exec:\jvvjv.exe93⤵
- System Location Discovery: System Language Discovery
PID:1268 -
\??\c:\422048.exec:\422048.exe94⤵PID:3280
-
\??\c:\dvjdv.exec:\dvjdv.exe95⤵PID:4500
-
\??\c:\6444882.exec:\6444882.exe96⤵PID:2816
-
\??\c:\nhnbtt.exec:\nhnbtt.exe97⤵PID:2588
-
\??\c:\bntnhb.exec:\bntnhb.exe98⤵PID:720
-
\??\c:\ffrrlfx.exec:\ffrrlfx.exe99⤵
- System Location Discovery: System Language Discovery
PID:1900 -
\??\c:\824466.exec:\824466.exe100⤵
- System Location Discovery: System Language Discovery
PID:1672 -
\??\c:\k80488.exec:\k80488.exe101⤵PID:1720
-
\??\c:\vpppv.exec:\vpppv.exe102⤵PID:1608
-
\??\c:\884860.exec:\884860.exe103⤵PID:4760
-
\??\c:\thnntn.exec:\thnntn.exe104⤵PID:4904
-
\??\c:\6660804.exec:\6660804.exe105⤵PID:2104
-
\??\c:\tnbtbb.exec:\tnbtbb.exe106⤵PID:4836
-
\??\c:\thnbhb.exec:\thnbhb.exe107⤵PID:1592
-
\??\c:\thtnbt.exec:\thtnbt.exe108⤵PID:2324
-
\??\c:\q20042.exec:\q20042.exe109⤵PID:4436
-
\??\c:\7vjjd.exec:\7vjjd.exe110⤵PID:4184
-
\??\c:\httbtb.exec:\httbtb.exe111⤵PID:4832
-
\??\c:\frrlllf.exec:\frrlllf.exe112⤵PID:3172
-
\??\c:\8200482.exec:\8200482.exe113⤵PID:4816
-
\??\c:\82484.exec:\82484.exe114⤵PID:4948
-
\??\c:\c064204.exec:\c064204.exe115⤵PID:4844
-
\??\c:\86604.exec:\86604.exe116⤵PID:3672
-
\??\c:\8648620.exec:\8648620.exe117⤵PID:2020
-
\??\c:\rrrrlll.exec:\rrrrlll.exe118⤵PID:4304
-
\??\c:\vjdvj.exec:\vjdvj.exe119⤵PID:1368
-
\??\c:\7pdvp.exec:\7pdvp.exe120⤵PID:3912
-
\??\c:\bhnnbb.exec:\bhnnbb.exe121⤵PID:2772
-
\??\c:\2686246.exec:\2686246.exe122⤵PID:1704