Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24/12/2024, 00:23
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe
Resource
win7-20241010-en
7 signatures
(Note: only the behavioral1 / win7-20241010-en task is listed here, but every signature hit and the process tree below are tagged behavioral2, and the header gives the win10v2004-20241007-en resource. The behavioral2 task entry appears to be missing from this rendering; treat the results below as the Windows 10 run, not the Windows 7 one.)
150 seconds
General
-
Target
ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe
-
Size
456KB
-
MD5
96b5302905713cbc556dba40b2724fd6
-
SHA1
059cb0172902c0c0aa6bd56642b8d1003d36ec46
-
SHA256
ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8
-
SHA512
d6130a9c5496181423b107f6177695ee1fbc0e7625d2c811de46da75f094bec476e14962137240e1e12b4dd010f37f4d8b9bbe1c987b05db2ae6dc3bf89a5403
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRg:q7Tc2NYHUrAwfMp3CDRg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1176-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/560-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3496-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2012-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/500-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-890-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-996-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-1247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-1602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (64 is presumably the report's per-signature display cap: the process tree below continues well past these entries, to depth 122 in this run)
pid Process 4768 2268424.exe 4032 02886.exe 2232 3tnhtt.exe 2132 pdpdp.exe 2944 4066266.exe 2076 2220426.exe 3092 u664264.exe 3256 4244640.exe 700 086048.exe 2340 pjdvj.exe 2152 86206.exe 116 0068608.exe 4724 646082.exe 684 64640.exe 1836 c626026.exe 4156 tnntnn.exe 2788 fllxlfr.exe 4368 42608.exe 4992 9xxfxxf.exe 5028 222042.exe 4564 8422068.exe 1252 jvdpj.exe 1724 600420.exe 4352 pvjvj.exe 2856 6442644.exe 1352 0260482.exe 3384 8620040.exe 3588 rxxrxxr.exe 560 86660.exe 3496 xrlffff.exe 868 48260.exe 2712 rfxffrl.exe 1500 i842684.exe 3860 dpjdj.exe 4788 lfxlxrf.exe 3452 84046.exe 1916 a4482.exe 1392 646004.exe 2452 1hnnhb.exe 4036 40044.exe 1604 ttbntb.exe 1692 xrlfrrl.exe 4080 vpdjd.exe 2580 jdpjv.exe 4772 xxrrrxr.exe 5044 62260.exe 1140 80848.exe 2480 0460826.exe 864 808402.exe 4308 nnhthb.exe 3988 hbnttb.exe 3676 44860.exe 4916 vddpd.exe 532 jppjv.exe 3812 066464.exe 4356 004684.exe 372 4204040.exe 1072 06826.exe 4532 pdvjj.exe 840 0448200.exe 2160 8822662.exe 2720 w28648.exe 2816 08442.exe 3100 628482.exe -
resource yara_rule behavioral2/memory/1176-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/560-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-202-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2452-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-441-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1512-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/500-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-890-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-996-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. On its own, reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is weak evidence — many benign programs query the system locale — so weigh it together with the payload detection and the drop-and-execute chain rather than alone. Entries attributed to "Process not Found" are registry opens the sandbox could not map to a process name, presumably because the short-lived stage had already exited when the event was attributed.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 662644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q28266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4626448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4620482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8024882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4826660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q08244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhn.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (Note: each entry below is a parent writing into the child it has just spawned — compare the PID pairs with the process tree, e.g. 1176 → 4768 → 4032 — which is the normal process-creation sequence on Windows rather than evidence of injection into an unrelated process. The repeated triples per pair are the same event logged three times.)
description pid Process procid_target PID 1176 wrote to memory of 4768 1176 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 83 PID 1176 wrote to memory of 4768 1176 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 83 PID 1176 wrote to memory of 4768 1176 ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe 83 PID 4768 wrote to memory of 4032 4768 2268424.exe 84 PID 4768 wrote to memory of 4032 4768 2268424.exe 84 PID 4768 wrote to memory of 4032 4768 2268424.exe 84 PID 4032 wrote to memory of 2232 4032 02886.exe 85 PID 4032 wrote to memory of 2232 4032 02886.exe 85 PID 4032 wrote to memory of 2232 4032 02886.exe 85 PID 2232 wrote to memory of 2132 2232 3tnhtt.exe 86 PID 2232 wrote to memory of 2132 2232 3tnhtt.exe 86 PID 2232 wrote to memory of 2132 2232 3tnhtt.exe 86 PID 2132 wrote to memory of 2944 2132 pdpdp.exe 87 PID 2132 wrote to memory of 2944 2132 pdpdp.exe 87 PID 2132 wrote to memory of 2944 2132 pdpdp.exe 87 PID 2944 wrote to memory of 2076 2944 4066266.exe 88 PID 2944 wrote to memory of 2076 2944 4066266.exe 88 PID 2944 wrote to memory of 2076 2944 4066266.exe 88 PID 2076 wrote to memory of 3092 2076 2220426.exe 89 PID 2076 wrote to memory of 3092 2076 2220426.exe 89 PID 2076 wrote to memory of 3092 2076 2220426.exe 89 PID 3092 wrote to memory of 3256 3092 u664264.exe 90 PID 3092 wrote to memory of 3256 3092 u664264.exe 90 PID 3092 wrote to memory of 3256 3092 u664264.exe 90 PID 3256 wrote to memory of 700 3256 4244640.exe 91 PID 3256 wrote to memory of 700 3256 4244640.exe 91 PID 3256 wrote to memory of 700 3256 4244640.exe 91 PID 700 wrote to memory of 2340 700 086048.exe 92 PID 700 wrote to memory of 2340 700 086048.exe 92 PID 700 wrote to memory of 2340 700 086048.exe 92 PID 2340 wrote to memory of 2152 2340 pjdvj.exe 93 PID 2340 wrote to memory of 2152 2340 pjdvj.exe 93 PID 2340 wrote to memory of 2152 2340 pjdvj.exe 93 PID 2152 wrote to memory of 116 2152 86206.exe 94 PID 2152 wrote to memory 
of 116 2152 86206.exe 94 PID 2152 wrote to memory of 116 2152 86206.exe 94 PID 116 wrote to memory of 4724 116 0068608.exe 95 PID 116 wrote to memory of 4724 116 0068608.exe 95 PID 116 wrote to memory of 4724 116 0068608.exe 95 PID 4724 wrote to memory of 684 4724 646082.exe 96 PID 4724 wrote to memory of 684 4724 646082.exe 96 PID 4724 wrote to memory of 684 4724 646082.exe 96 PID 684 wrote to memory of 1836 684 64640.exe 97 PID 684 wrote to memory of 1836 684 64640.exe 97 PID 684 wrote to memory of 1836 684 64640.exe 97 PID 1836 wrote to memory of 4156 1836 c626026.exe 98 PID 1836 wrote to memory of 4156 1836 c626026.exe 98 PID 1836 wrote to memory of 4156 1836 c626026.exe 98 PID 4156 wrote to memory of 2788 4156 tnntnn.exe 99 PID 4156 wrote to memory of 2788 4156 tnntnn.exe 99 PID 4156 wrote to memory of 2788 4156 tnntnn.exe 99 PID 2788 wrote to memory of 4368 2788 fllxlfr.exe 100 PID 2788 wrote to memory of 4368 2788 fllxlfr.exe 100 PID 2788 wrote to memory of 4368 2788 fllxlfr.exe 100 PID 4368 wrote to memory of 4992 4368 42608.exe 101 PID 4368 wrote to memory of 4992 4368 42608.exe 101 PID 4368 wrote to memory of 4992 4368 42608.exe 101 PID 4992 wrote to memory of 5028 4992 9xxfxxf.exe 102 PID 4992 wrote to memory of 5028 4992 9xxfxxf.exe 102 PID 4992 wrote to memory of 5028 4992 9xxfxxf.exe 102 PID 5028 wrote to memory of 4564 5028 222042.exe 103 PID 5028 wrote to memory of 4564 5028 222042.exe 103 PID 5028 wrote to memory of 4564 5028 222042.exe 103 PID 4564 wrote to memory of 1252 4564 8422068.exe 104
Processes (tree: the initial sample runs from %LOCALAPPDATA%\Temp; every subsequent stage is dropped into the root of C:\ under a short pseudo-random name — shown below in NT-native path form, \??\c:\<name>.exe — and launches the next stage, continuing for 122 levels in this run. The C:\-root drop location and the nested single-child chain are the most useful hunting indicators from this report.)
-
C:\Users\Admin\AppData\Local\Temp\ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe"C:\Users\Admin\AppData\Local\Temp\ac0847143d6ddbd7a293b980f9644b581cf60d112a795d30370e09d25cea6fe8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\2268424.exec:\2268424.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\02886.exec:\02886.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\3tnhtt.exec:\3tnhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\pdpdp.exec:\pdpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\4066266.exec:\4066266.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\2220426.exec:\2220426.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\u664264.exec:\u664264.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\4244640.exec:\4244640.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\086048.exec:\086048.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
\??\c:\pjdvj.exec:\pjdvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\86206.exec:\86206.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\0068608.exec:\0068608.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\646082.exec:\646082.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\64640.exec:\64640.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\c626026.exec:\c626026.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\tnntnn.exec:\tnntnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\fllxlfr.exec:\fllxlfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\42608.exec:\42608.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\9xxfxxf.exec:\9xxfxxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\222042.exec:\222042.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\8422068.exec:\8422068.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\jvdpj.exec:\jvdpj.exe23⤵
- Executes dropped EXE
PID:1252 -
\??\c:\600420.exec:\600420.exe24⤵
- Executes dropped EXE
PID:1724 -
\??\c:\pvjvj.exec:\pvjvj.exe25⤵
- Executes dropped EXE
PID:4352 -
\??\c:\6442644.exec:\6442644.exe26⤵
- Executes dropped EXE
PID:2856 -
\??\c:\0260482.exec:\0260482.exe27⤵
- Executes dropped EXE
PID:1352 -
\??\c:\8620040.exec:\8620040.exe28⤵
- Executes dropped EXE
PID:3384 -
\??\c:\rxxrxxr.exec:\rxxrxxr.exe29⤵
- Executes dropped EXE
PID:3588 -
\??\c:\86660.exec:\86660.exe30⤵
- Executes dropped EXE
PID:560 -
\??\c:\xrlffff.exec:\xrlffff.exe31⤵
- Executes dropped EXE
PID:3496 -
\??\c:\48260.exec:\48260.exe32⤵
- Executes dropped EXE
PID:868 -
\??\c:\rfxffrl.exec:\rfxffrl.exe33⤵
- Executes dropped EXE
PID:2712 -
\??\c:\i842684.exec:\i842684.exe34⤵
- Executes dropped EXE
PID:1500 -
\??\c:\dpjdj.exec:\dpjdj.exe35⤵
- Executes dropped EXE
PID:3860 -
\??\c:\lfxlxrf.exec:\lfxlxrf.exe36⤵
- Executes dropped EXE
PID:4788 -
\??\c:\84046.exec:\84046.exe37⤵
- Executes dropped EXE
PID:3452 -
\??\c:\a4482.exec:\a4482.exe38⤵
- Executes dropped EXE
PID:1916 -
\??\c:\646004.exec:\646004.exe39⤵
- Executes dropped EXE
PID:1392 -
\??\c:\1hnnhb.exec:\1hnnhb.exe40⤵
- Executes dropped EXE
PID:2452 -
\??\c:\40044.exec:\40044.exe41⤵
- Executes dropped EXE
PID:4036 -
\??\c:\ttbntb.exec:\ttbntb.exe42⤵
- Executes dropped EXE
PID:1604 -
\??\c:\xrlfrrl.exec:\xrlfrrl.exe43⤵
- Executes dropped EXE
PID:1692 -
\??\c:\vpdjd.exec:\vpdjd.exe44⤵
- Executes dropped EXE
PID:4080 -
\??\c:\jdpjv.exec:\jdpjv.exe45⤵
- Executes dropped EXE
PID:2580 -
\??\c:\xxrrrxr.exec:\xxrrrxr.exe46⤵
- Executes dropped EXE
PID:4772 -
\??\c:\62260.exec:\62260.exe47⤵
- Executes dropped EXE
PID:5044 -
\??\c:\80848.exec:\80848.exe48⤵
- Executes dropped EXE
PID:1140 -
\??\c:\0460826.exec:\0460826.exe49⤵
- Executes dropped EXE
PID:2480 -
\??\c:\808402.exec:\808402.exe50⤵
- Executes dropped EXE
PID:864 -
\??\c:\nnhthb.exec:\nnhthb.exe51⤵
- Executes dropped EXE
PID:4308 -
\??\c:\hbnttb.exec:\hbnttb.exe52⤵
- Executes dropped EXE
PID:3988 -
\??\c:\44860.exec:\44860.exe53⤵
- Executes dropped EXE
PID:3676 -
\??\c:\vddpd.exec:\vddpd.exe54⤵
- Executes dropped EXE
PID:4916 -
\??\c:\jppjv.exec:\jppjv.exe55⤵
- Executes dropped EXE
PID:532 -
\??\c:\066464.exec:\066464.exe56⤵
- Executes dropped EXE
PID:3812 -
\??\c:\004684.exec:\004684.exe57⤵
- Executes dropped EXE
PID:4356 -
\??\c:\4204040.exec:\4204040.exe58⤵
- Executes dropped EXE
PID:372 -
\??\c:\06826.exec:\06826.exe59⤵
- Executes dropped EXE
PID:1072 -
\??\c:\pdvjj.exec:\pdvjj.exe60⤵
- Executes dropped EXE
PID:4532 -
\??\c:\0448200.exec:\0448200.exe61⤵
- Executes dropped EXE
PID:840 -
\??\c:\8822662.exec:\8822662.exe62⤵
- Executes dropped EXE
PID:2160 -
\??\c:\w28648.exec:\w28648.exe63⤵
- Executes dropped EXE
PID:2720 -
\??\c:\08442.exec:\08442.exe64⤵
- Executes dropped EXE
PID:2816 -
\??\c:\628482.exec:\628482.exe65⤵
- Executes dropped EXE
PID:3100 -
\??\c:\0026646.exec:\0026646.exe66⤵PID:700
-
\??\c:\lxlrrrl.exec:\lxlrrrl.exe67⤵PID:2140
-
\??\c:\vppjv.exec:\vppjv.exe68⤵PID:3592
-
\??\c:\4660044.exec:\4660044.exe69⤵PID:2792
-
\??\c:\u248488.exec:\u248488.exe70⤵PID:1416
-
\??\c:\6420420.exec:\6420420.exe71⤵PID:3036
-
\??\c:\68220.exec:\68220.exe72⤵PID:752
-
\??\c:\hthbth.exec:\hthbth.exe73⤵PID:244
-
\??\c:\fllxrfx.exec:\fllxrfx.exe74⤵PID:4856
-
\??\c:\rxxfffx.exec:\rxxfffx.exe75⤵PID:2872
-
\??\c:\66864.exec:\66864.exe76⤵PID:4156
-
\??\c:\0600426.exec:\0600426.exe77⤵PID:456
-
\??\c:\o288822.exec:\o288822.exe78⤵PID:2892
-
\??\c:\bnhbnh.exec:\bnhbnh.exe79⤵PID:2820
-
\??\c:\4064860.exec:\4064860.exe80⤵PID:2012
-
\??\c:\042266.exec:\042266.exe81⤵PID:4696
-
\??\c:\280860.exec:\280860.exe82⤵PID:1564
-
\??\c:\pvddd.exec:\pvddd.exe83⤵PID:380
-
\??\c:\6008608.exec:\6008608.exe84⤵PID:2508
-
\??\c:\488226.exec:\488226.exe85⤵PID:1264
-
\??\c:\424660.exec:\424660.exe86⤵PID:2148
-
\??\c:\xxffxxf.exec:\xxffxxf.exe87⤵PID:4952
-
\??\c:\btnhbt.exec:\btnhbt.exe88⤵PID:2084
-
\??\c:\2660000.exec:\2660000.exe89⤵PID:3512
-
\??\c:\028682.exec:\028682.exe90⤵PID:3588
-
\??\c:\fxrrxfl.exec:\fxrrxfl.exe91⤵PID:2988
-
\??\c:\nhnntn.exec:\nhnntn.exe92⤵PID:4112
-
\??\c:\thbtnh.exec:\thbtnh.exe93⤵PID:2332
-
\??\c:\vpdpj.exec:\vpdpj.exe94⤵PID:4876
-
\??\c:\q08604.exec:\q08604.exe95⤵PID:868
-
\??\c:\nbttnh.exec:\nbttnh.exe96⤵PID:4072
-
\??\c:\q86622.exec:\q86622.exe97⤵PID:1436
-
\??\c:\8626062.exec:\8626062.exe98⤵PID:1696
-
\??\c:\088088.exec:\088088.exe99⤵PID:3712
-
\??\c:\9hhhbb.exec:\9hhhbb.exe100⤵PID:2240
-
\??\c:\6004006.exec:\6004006.exe101⤵PID:1228
-
\??\c:\5rxrrrr.exec:\5rxrrrr.exe102⤵PID:1820
-
\??\c:\hbnhnn.exec:\hbnhnn.exe103⤵PID:5060
-
\??\c:\8644066.exec:\8644066.exe104⤵PID:2452
-
\??\c:\20262.exec:\20262.exe105⤵PID:3360
-
\??\c:\262824.exec:\262824.exe106⤵PID:572
-
\??\c:\g0600.exec:\g0600.exe107⤵PID:2312
-
\??\c:\hbbthh.exec:\hbbthh.exe108⤵PID:1464
-
\??\c:\6268660.exec:\6268660.exe109⤵PID:3320
-
\??\c:\660044.exec:\660044.exe110⤵PID:4736
-
\??\c:\40462.exec:\40462.exe111⤵PID:1912
-
\??\c:\tnhthb.exec:\tnhthb.exe112⤵PID:4688
-
\??\c:\862084.exec:\862084.exe113⤵PID:2328
-
\??\c:\nthbhb.exec:\nthbhb.exe114⤵PID:1512
-
\??\c:\06660.exec:\06660.exe115⤵PID:4300
-
\??\c:\tbthbn.exec:\tbthbn.exe116⤵PID:2844
-
\??\c:\g4426.exec:\g4426.exe117⤵PID:500
-
\??\c:\thnhhn.exec:\thnhhn.exe118⤵PID:4032
-
\??\c:\ntthtn.exec:\ntthtn.exe119⤵PID:2608
-
\??\c:\5vddv.exec:\5vddv.exe120⤵PID:4784
-
\??\c:\06204.exec:\06204.exe121⤵PID:2132
-
\??\c:\66686.exec:\66686.exe122⤵PID:4924