Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 05:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c7adb509e2d024df1e3e7514672c17eda9510df5c3fc7a94b75f341c38757bd5N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c7adb509e2d024df1e3e7514672c17eda9510df5c3fc7a94b75f341c38757bd5N.exe
-
Size
454KB
-
MD5
e7e553355f041388007157493d3ca190
-
SHA1
bcc2edb4942beb5c4b90fc2bdb98515f683c8e13
-
SHA256
c7adb509e2d024df1e3e7514672c17eda9510df5c3fc7a94b75f341c38757bd5
-
SHA512
42594b5fb72a6a24266fbbc7f0853e51c403d4e24ea16c69fd3d57e2fdc8261b273edd63f41b68b0a10cf534169efbf92ba570fcd311f07f0a36735541fe8608
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3200-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4556-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4724-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-883-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-996-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-1195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-1295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-1938-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2356 8406282.exe 3452 86080.exe 4008 662884.exe 1148 8848002.exe 2220 k88266.exe 3836 3jjvj.exe 1888 rlfrlrf.exe 1896 a4048.exe 4452 0080684.exe 2840 q20204.exe 1564 00042.exe 4852 hnhbtn.exe 3504 djjdv.exe 3044 684888.exe 4768 6600220.exe 556 602660.exe 1988 rrrxlxf.exe 2448 220604.exe 4260 vvvvp.exe 1884 628222.exe 3404 pvddd.exe 1836 2460444.exe 452 7pdvv.exe 4368 hbhbnt.exe 4556 fxlfxll.exe 4916 0200088.exe 116 fffflll.exe 620 tnnttb.exe 2956 6844488.exe 1264 8260488.exe 3060 1nbbhh.exe 2868 866206.exe 1940 60804.exe 4044 c828264.exe 3056 jddvp.exe 4804 680864.exe 4524 082660.exe 2904 24440.exe 2700 nhbntt.exe 2324 llfrflx.exe 2908 m0608.exe 1412 08084.exe 1980 22262.exe 2652 httbnb.exe 4408 tbnbhh.exe 4504 bbtnbt.exe 2492 dvdpj.exe 1628 jjjdv.exe 4892 46064.exe 4320 tnnhbn.exe 5024 vvdvp.exe 3200 404860.exe 4468 frffxrl.exe 1260 g4482.exe 3660 bnhbtn.exe 3620 48260.exe 4488 40648.exe 4268 00082.exe 1452 244228.exe 728 6660888.exe 2008 lxfxlfx.exe 1888 bbbnnb.exe 3956 2088660.exe 2280 3vdvp.exe -
resource yara_rule behavioral2/memory/3200-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2956-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-394-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4472-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-849-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-883-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-996-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-1195-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0404060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i444882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e88204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4808842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0626486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3200 wrote to memory of 2356 3200 c7adb509e2d024df1e3e7514672c17eda9510df5c3fc7a94b75f341c38757bd5N.exe 83 PID 3200 wrote to memory of 2356 3200 c7adb509e2d024df1e3e7514672c17eda9510df5c3fc7a94b75f341c38757bd5N.exe 83 PID 3200 wrote to memory of 2356 3200 c7adb509e2d024df1e3e7514672c17eda9510df5c3fc7a94b75f341c38757bd5N.exe 83 PID 2356 wrote to memory of 3452 2356 8406282.exe 84 PID 2356 wrote to memory of 3452 2356 8406282.exe 84 PID 2356 wrote to memory of 3452 2356 8406282.exe 84 PID 3452 wrote to memory of 4008 3452 86080.exe 85 PID 3452 wrote to memory of 4008 3452 86080.exe 85 PID 3452 wrote to memory of 4008 3452 86080.exe 85 PID 4008 wrote to memory of 1148 4008 662884.exe 86 PID 4008 wrote to memory of 1148 4008 662884.exe 86 PID 4008 wrote to memory of 1148 4008 662884.exe 86 PID 1148 wrote to memory of 2220 1148 8848002.exe 87 PID 1148 wrote to memory of 2220 1148 8848002.exe 87 PID 1148 wrote to memory of 2220 1148 8848002.exe 87 PID 2220 wrote to memory of 3836 2220 k88266.exe 88 PID 2220 wrote to memory of 3836 2220 k88266.exe 88 PID 2220 wrote to memory of 3836 2220 k88266.exe 88 PID 3836 wrote to memory of 1888 3836 3jjvj.exe 89 PID 3836 wrote to memory of 1888 3836 3jjvj.exe 89 PID 3836 wrote to memory of 1888 3836 3jjvj.exe 89 PID 1888 wrote to memory of 1896 1888 rlfrlrf.exe 90 PID 1888 wrote to memory of 1896 1888 rlfrlrf.exe 90 PID 1888 wrote to memory of 1896 1888 rlfrlrf.exe 90 PID 1896 wrote to memory of 4452 1896 a4048.exe 91 PID 1896 wrote to memory of 4452 1896 a4048.exe 91 PID 1896 wrote to memory of 4452 1896 a4048.exe 91 PID 4452 wrote to memory of 2840 4452 0080684.exe 92 PID 4452 wrote to memory of 2840 4452 0080684.exe 92 PID 4452 wrote to memory of 2840 4452 0080684.exe 92 PID 2840 wrote to memory of 1564 2840 q20204.exe 93 PID 2840 wrote to memory of 1564 2840 q20204.exe 93 PID 2840 wrote to memory of 1564 2840 q20204.exe 93 PID 1564 wrote to memory of 4852 1564 00042.exe 94 PID 1564 wrote 
to memory of 4852 1564 00042.exe 94 PID 1564 wrote to memory of 4852 1564 00042.exe 94 PID 4852 wrote to memory of 3504 4852 hnhbtn.exe 95 PID 4852 wrote to memory of 3504 4852 hnhbtn.exe 95 PID 4852 wrote to memory of 3504 4852 hnhbtn.exe 95 PID 3504 wrote to memory of 3044 3504 djjdv.exe 96 PID 3504 wrote to memory of 3044 3504 djjdv.exe 96 PID 3504 wrote to memory of 3044 3504 djjdv.exe 96 PID 3044 wrote to memory of 4768 3044 684888.exe 97 PID 3044 wrote to memory of 4768 3044 684888.exe 97 PID 3044 wrote to memory of 4768 3044 684888.exe 97 PID 4768 wrote to memory of 556 4768 6600220.exe 98 PID 4768 wrote to memory of 556 4768 6600220.exe 98 PID 4768 wrote to memory of 556 4768 6600220.exe 98 PID 556 wrote to memory of 1988 556 602660.exe 99 PID 556 wrote to memory of 1988 556 602660.exe 99 PID 556 wrote to memory of 1988 556 602660.exe 99 PID 1988 wrote to memory of 2448 1988 rrrxlxf.exe 100 PID 1988 wrote to memory of 2448 1988 rrrxlxf.exe 100 PID 1988 wrote to memory of 2448 1988 rrrxlxf.exe 100 PID 2448 wrote to memory of 4260 2448 220604.exe 101 PID 2448 wrote to memory of 4260 2448 220604.exe 101 PID 2448 wrote to memory of 4260 2448 220604.exe 101 PID 4260 wrote to memory of 1884 4260 vvvvp.exe 102 PID 4260 wrote to memory of 1884 4260 vvvvp.exe 102 PID 4260 wrote to memory of 1884 4260 vvvvp.exe 102 PID 1884 wrote to memory of 3404 1884 628222.exe 103 PID 1884 wrote to memory of 3404 1884 628222.exe 103 PID 1884 wrote to memory of 3404 1884 628222.exe 103 PID 3404 wrote to memory of 1836 3404 pvddd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7adb509e2d024df1e3e7514672c17eda9510df5c3fc7a94b75f341c38757bd5N.exe"C:\Users\Admin\AppData\Local\Temp\c7adb509e2d024df1e3e7514672c17eda9510df5c3fc7a94b75f341c38757bd5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\8406282.exec:\8406282.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\86080.exec:\86080.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\662884.exec:\662884.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\8848002.exec:\8848002.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\k88266.exec:\k88266.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\3jjvj.exec:\3jjvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\rlfrlrf.exec:\rlfrlrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\a4048.exec:\a4048.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\0080684.exec:\0080684.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\q20204.exec:\q20204.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\00042.exec:\00042.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\hnhbtn.exec:\hnhbtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\djjdv.exec:\djjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\684888.exec:\684888.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\6600220.exec:\6600220.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\602660.exec:\602660.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\rrrxlxf.exec:\rrrxlxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\220604.exec:\220604.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\vvvvp.exec:\vvvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\628222.exec:\628222.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\pvddd.exec:\pvddd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\2460444.exec:\2460444.exe23⤵
- Executes dropped EXE
PID:1836 -
\??\c:\7pdvv.exec:\7pdvv.exe24⤵
- Executes dropped EXE
PID:452 -
\??\c:\hbhbnt.exec:\hbhbnt.exe25⤵
- Executes dropped EXE
PID:4368 -
\??\c:\fxlfxll.exec:\fxlfxll.exe26⤵
- Executes dropped EXE
PID:4556 -
\??\c:\0200088.exec:\0200088.exe27⤵
- Executes dropped EXE
PID:4916 -
\??\c:\fffflll.exec:\fffflll.exe28⤵
- Executes dropped EXE
PID:116 -
\??\c:\tnnttb.exec:\tnnttb.exe29⤵
- Executes dropped EXE
PID:620 -
\??\c:\6844488.exec:\6844488.exe30⤵
- Executes dropped EXE
PID:2956 -
\??\c:\8260488.exec:\8260488.exe31⤵
- Executes dropped EXE
PID:1264 -
\??\c:\1nbbhh.exec:\1nbbhh.exe32⤵
- Executes dropped EXE
PID:3060 -
\??\c:\866206.exec:\866206.exe33⤵
- Executes dropped EXE
PID:2868 -
\??\c:\60804.exec:\60804.exe34⤵
- Executes dropped EXE
PID:1940 -
\??\c:\c828264.exec:\c828264.exe35⤵
- Executes dropped EXE
PID:4044 -
\??\c:\jddvp.exec:\jddvp.exe36⤵
- Executes dropped EXE
PID:3056 -
\??\c:\680864.exec:\680864.exe37⤵
- Executes dropped EXE
PID:4804 -
\??\c:\082660.exec:\082660.exe38⤵
- Executes dropped EXE
PID:4524 -
\??\c:\24440.exec:\24440.exe39⤵
- Executes dropped EXE
PID:2904 -
\??\c:\nhbntt.exec:\nhbntt.exe40⤵
- Executes dropped EXE
PID:2700 -
\??\c:\llfrflx.exec:\llfrflx.exe41⤵
- Executes dropped EXE
PID:2324 -
\??\c:\m0608.exec:\m0608.exe42⤵
- Executes dropped EXE
PID:2908 -
\??\c:\08084.exec:\08084.exe43⤵
- Executes dropped EXE
PID:1412 -
\??\c:\22262.exec:\22262.exe44⤵
- Executes dropped EXE
PID:1980 -
\??\c:\httbnb.exec:\httbnb.exe45⤵
- Executes dropped EXE
PID:2652 -
\??\c:\tbnbhh.exec:\tbnbhh.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408 -
\??\c:\bbtnbt.exec:\bbtnbt.exe47⤵
- Executes dropped EXE
PID:4504 -
\??\c:\dvdpj.exec:\dvdpj.exe48⤵
- Executes dropped EXE
PID:2492 -
\??\c:\jjjdv.exec:\jjjdv.exe49⤵
- Executes dropped EXE
PID:1628 -
\??\c:\46064.exec:\46064.exe50⤵
- Executes dropped EXE
PID:4892 -
\??\c:\tnnhbn.exec:\tnnhbn.exe51⤵
- Executes dropped EXE
PID:4320 -
\??\c:\vvdvp.exec:\vvdvp.exe52⤵
- Executes dropped EXE
PID:5024 -
\??\c:\404860.exec:\404860.exe53⤵
- Executes dropped EXE
PID:3200 -
\??\c:\frffxrl.exec:\frffxrl.exe54⤵
- Executes dropped EXE
PID:4468 -
\??\c:\g4482.exec:\g4482.exe55⤵
- Executes dropped EXE
PID:1260 -
\??\c:\bnhbtn.exec:\bnhbtn.exe56⤵
- Executes dropped EXE
PID:3660 -
\??\c:\48260.exec:\48260.exe57⤵
- Executes dropped EXE
PID:3620 -
\??\c:\40648.exec:\40648.exe58⤵
- Executes dropped EXE
PID:4488 -
\??\c:\00082.exec:\00082.exe59⤵
- Executes dropped EXE
PID:4268 -
\??\c:\244228.exec:\244228.exe60⤵
- Executes dropped EXE
PID:1452 -
\??\c:\6660888.exec:\6660888.exe61⤵
- Executes dropped EXE
PID:728 -
\??\c:\lxfxlfx.exec:\lxfxlfx.exe62⤵
- Executes dropped EXE
PID:2008 -
\??\c:\bbbnnb.exec:\bbbnnb.exe63⤵
- Executes dropped EXE
PID:1888 -
\??\c:\2088660.exec:\2088660.exe64⤵
- Executes dropped EXE
PID:3956 -
\??\c:\3vdvp.exec:\3vdvp.exe65⤵
- Executes dropped EXE
PID:2280 -
\??\c:\424288.exec:\424288.exe66⤵PID:3120
-
\??\c:\20482.exec:\20482.exe67⤵PID:3280
-
\??\c:\bthbbb.exec:\bthbbb.exe68⤵PID:840
-
\??\c:\k64008.exec:\k64008.exe69⤵PID:1408
-
\??\c:\24604.exec:\24604.exe70⤵PID:2496
-
\??\c:\dvddv.exec:\dvddv.exe71⤵PID:3504
-
\??\c:\7xxrlfl.exec:\7xxrlfl.exe72⤵PID:3044
-
\??\c:\086204.exec:\086204.exe73⤵PID:3500
-
\??\c:\llrrlxl.exec:\llrrlxl.exe74⤵PID:4768
-
\??\c:\rllrlfx.exec:\rllrlfx.exe75⤵PID:1988
-
\??\c:\s2404.exec:\s2404.exe76⤵PID:2268
-
\??\c:\c864628.exec:\c864628.exe77⤵PID:5116
-
\??\c:\606200.exec:\606200.exe78⤵PID:2604
-
\??\c:\ntnnth.exec:\ntnnth.exe79⤵PID:4260
-
\??\c:\g0260.exec:\g0260.exe80⤵PID:1556
-
\??\c:\nnbtbh.exec:\nnbtbh.exe81⤵PID:3372
-
\??\c:\vpvvv.exec:\vpvvv.exe82⤵PID:3404
-
\??\c:\dvppv.exec:\dvppv.exe83⤵PID:1836
-
\??\c:\044882.exec:\044882.exe84⤵PID:1184
-
\??\c:\frfxrlf.exec:\frfxrlf.exe85⤵PID:4344
-
\??\c:\2420868.exec:\2420868.exe86⤵PID:1060
-
\??\c:\600224.exec:\600224.exe87⤵PID:5092
-
\??\c:\rfxrfxr.exec:\rfxrfxr.exe88⤵PID:216
-
\??\c:\pvjpj.exec:\pvjpj.exe89⤵PID:112
-
\??\c:\jjjdv.exec:\jjjdv.exe90⤵PID:3720
-
\??\c:\046660.exec:\046660.exe91⤵PID:3064
-
\??\c:\460082.exec:\460082.exe92⤵PID:4724
-
\??\c:\2260826.exec:\2260826.exe93⤵PID:3900
-
\??\c:\ffffxxr.exec:\ffffxxr.exe94⤵PID:3648
-
\??\c:\pjvvj.exec:\pjvvj.exe95⤵PID:1176
-
\??\c:\02226.exec:\02226.exe96⤵PID:4808
-
\??\c:\06660.exec:\06660.exe97⤵PID:4472
-
\??\c:\0404888.exec:\0404888.exe98⤵PID:4000
-
\??\c:\8264222.exec:\8264222.exe99⤵PID:4292
-
\??\c:\htbtnn.exec:\htbtnn.exe100⤵PID:3056
-
\??\c:\bthbnn.exec:\bthbnn.exe101⤵PID:4804
-
\??\c:\004482.exec:\004482.exe102⤵PID:3496
-
\??\c:\6284444.exec:\6284444.exe103⤵PID:1324
-
\??\c:\dvdvv.exec:\dvdvv.exe104⤵PID:1504
-
\??\c:\9nhbbb.exec:\9nhbbb.exe105⤵PID:4300
-
\??\c:\8664066.exec:\8664066.exe106⤵PID:4456
-
\??\c:\42822.exec:\42822.exe107⤵PID:1008
-
\??\c:\048044.exec:\048044.exe108⤵PID:3972
-
\??\c:\tnttth.exec:\tnttth.exe109⤵PID:3792
-
\??\c:\0240448.exec:\0240448.exe110⤵PID:4972
-
\??\c:\5vppj.exec:\5vppj.exe111⤵PID:3964
-
\??\c:\8082666.exec:\8082666.exe112⤵PID:4584
-
\??\c:\dvvpj.exec:\dvvpj.exe113⤵PID:2744
-
\??\c:\6088800.exec:\6088800.exe114⤵PID:2028
-
\??\c:\8400448.exec:\8400448.exe115⤵PID:4176
-
\??\c:\608844.exec:\608844.exe116⤵PID:1780
-
\??\c:\0482660.exec:\0482660.exe117⤵PID:4868
-
\??\c:\ntbhhb.exec:\ntbhhb.exe118⤵PID:2356
-
\??\c:\6448882.exec:\6448882.exe119⤵PID:540
-
\??\c:\tbhhnn.exec:\tbhhnn.exe120⤵PID:3676
-
\??\c:\5lrllll.exec:\5lrllll.exe121⤵PID:1668
-
\??\c:\8404488.exec:\8404488.exe122⤵PID:4152