Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-12-2024 21:39
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
395e956c1a07cb14c77ed9eb3541fc31c51a38a2d3e378a2155a42030b50308c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
395e956c1a07cb14c77ed9eb3541fc31c51a38a2d3e378a2155a42030b50308c.exe
-
Size
455KB
-
MD5
e2eaeed2f8c74985496c64f341384f52
-
SHA1
c2153162ca33589e4eaa168bfc25c31516f5897a
-
SHA256
395e956c1a07cb14c77ed9eb3541fc31c51a38a2d3e378a2155a42030b50308c
-
SHA512
375333c3c02801aaa569b5ff5e14bc0d13b6ee7453719220c7c31dcc775ff3c847c748cd54e129491d5132790928998a0b7c04cdb2ae0050ee2d73ee0ca5fcef
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config (no extracted configuration is shown for this sample)
Signatures
-
Blackmoon family — classification derived from the family_blackmoon YARA matches listed under the next signature. All matches are against memory dumps, and the same regions also match the generic upx packer rule further below, so the attribution rests on in-memory (likely unpacked) content rather than on the file as it sits on disk.
-
Detect Blackmoon payload — 62 IoCs (memory dumps matching the family_blackmoon YARA rule). Every hit covers the same 0x400000–0x42A000 image range in a different PID, which is consistent with one payload being re-executed under each dropped name rather than with 62 distinct payloads. Some PIDs (e.g. 3948, 4992, 3884) appear twice with different time offsets, indicating PID reuse after an earlier instance exited; correlate by PID and offset together.
resource yara_rule behavioral2/memory/408-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2400-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3668-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-1054-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-1158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the listing is capped at 64 entries; the process tree below shows the chain of dropped executables continues well beyond that)
pid Process 3744 g4486.exe 900 jjjvd.exe 4984 6024446.exe 5052 2426666.exe 852 4044604.exe 3856 g0086.exe 5080 2060006.exe 824 6404044.exe 2816 lxxrrlf.exe 3920 0242402.exe 2624 c888204.exe 2160 840826.exe 5004 nhbhbb.exe 1016 9lxrlfx.exe 376 c282648.exe 5104 2060826.exe 4696 680800.exe 3884 ppjdp.exe 4252 64028.exe 2608 28484.exe 4136 k40260.exe 3616 486888.exe 3288 c662604.exe 1524 0664826.exe 2400 bbnhbh.exe 3640 60864.exe 2204 3xfrlfr.exe 4628 082480.exe 2412 806444.exe 4664 0808444.exe 3060 c464422.exe 1676 frxxfrl.exe 3948 jdjjj.exe 1484 u848604.exe 1544 bnttnh.exe 4992 g8208.exe 2904 5bhbnn.exe 4928 426066.exe 2916 60884.exe 2844 i286486.exe 768 462648.exe 4768 a0086.exe 3216 48484.exe 3832 m4688.exe 1160 ttnhtn.exe 2244 xlrrffr.exe 1708 xrlxlfr.exe 3660 662648.exe 3224 jjjdp.exe 1780 lxrfxrl.exe 4608 3pjjd.exe 4908 jvpdv.exe 3988 pppjv.exe 4700 1pjdp.exe 4376 80826.exe 5028 jppdp.exe 1248 866066.exe 4536 lxxrrll.exe 3644 w86600.exe 3024 080626.exe 4912 2004888.exe 1840 9xfrflx.exe 1404 s6286.exe 2500 xffrlxr.exe -
resource yara_rule behavioral2/memory/408-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2204-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-403-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4992-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-731-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location. Many entries below are attributed to "Process not Found", most likely because the reading process had already exited before the sandbox resolved its PID, so per-process attribution here is incomplete. Benign software also reads this key, so treat the signature as a weak indicator on its own; in malware it is commonly used as a locale-based execution gate, but that use cannot be confirmed from this report.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 664860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxlfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e84288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o626488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c248226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (capped). Each parent writes to its direct child exactly three times, and every target is the newly created child shown in the process tree below rather than a pre-existing or unrelated process; this pattern is consistent with process start-up rather than cross-process injection, so on its own it is a low-fidelity indicator for this sample.
description pid Process procid_target PID 408 wrote to memory of 3744 408 395e956c1a07cb14c77ed9eb3541fc31c51a38a2d3e378a2155a42030b50308c.exe 83 PID 408 wrote to memory of 3744 408 395e956c1a07cb14c77ed9eb3541fc31c51a38a2d3e378a2155a42030b50308c.exe 83 PID 408 wrote to memory of 3744 408 395e956c1a07cb14c77ed9eb3541fc31c51a38a2d3e378a2155a42030b50308c.exe 83 PID 3744 wrote to memory of 900 3744 g4486.exe 84 PID 3744 wrote to memory of 900 3744 g4486.exe 84 PID 3744 wrote to memory of 900 3744 g4486.exe 84 PID 900 wrote to memory of 4984 900 jjjvd.exe 85 PID 900 wrote to memory of 4984 900 jjjvd.exe 85 PID 900 wrote to memory of 4984 900 jjjvd.exe 85 PID 4984 wrote to memory of 5052 4984 6024446.exe 86 PID 4984 wrote to memory of 5052 4984 6024446.exe 86 PID 4984 wrote to memory of 5052 4984 6024446.exe 86 PID 5052 wrote to memory of 852 5052 2426666.exe 87 PID 5052 wrote to memory of 852 5052 2426666.exe 87 PID 5052 wrote to memory of 852 5052 2426666.exe 87 PID 852 wrote to memory of 3856 852 4044604.exe 88 PID 852 wrote to memory of 3856 852 4044604.exe 88 PID 852 wrote to memory of 3856 852 4044604.exe 88 PID 3856 wrote to memory of 5080 3856 g0086.exe 89 PID 3856 wrote to memory of 5080 3856 g0086.exe 89 PID 3856 wrote to memory of 5080 3856 g0086.exe 89 PID 5080 wrote to memory of 824 5080 2060006.exe 90 PID 5080 wrote to memory of 824 5080 2060006.exe 90 PID 5080 wrote to memory of 824 5080 2060006.exe 90 PID 824 wrote to memory of 2816 824 6404044.exe 91 PID 824 wrote to memory of 2816 824 6404044.exe 91 PID 824 wrote to memory of 2816 824 6404044.exe 91 PID 2816 wrote to memory of 3920 2816 lxxrrlf.exe 92 PID 2816 wrote to memory of 3920 2816 lxxrrlf.exe 92 PID 2816 wrote to memory of 3920 2816 lxxrrlf.exe 92 PID 3920 wrote to memory of 2624 3920 0242402.exe 93 PID 3920 wrote to memory of 2624 3920 0242402.exe 93 PID 3920 wrote to memory of 2624 3920 0242402.exe 93 PID 2624 wrote to memory of 2160 2624 c888204.exe 94 PID 2624 wrote to memory of 2160 2624 
c888204.exe 94 PID 2624 wrote to memory of 2160 2624 c888204.exe 94 PID 2160 wrote to memory of 5004 2160 840826.exe 95 PID 2160 wrote to memory of 5004 2160 840826.exe 95 PID 2160 wrote to memory of 5004 2160 840826.exe 95 PID 5004 wrote to memory of 1016 5004 nhbhbb.exe 96 PID 5004 wrote to memory of 1016 5004 nhbhbb.exe 96 PID 5004 wrote to memory of 1016 5004 nhbhbb.exe 96 PID 1016 wrote to memory of 376 1016 9lxrlfx.exe 97 PID 1016 wrote to memory of 376 1016 9lxrlfx.exe 97 PID 1016 wrote to memory of 376 1016 9lxrlfx.exe 97 PID 376 wrote to memory of 5104 376 c282648.exe 98 PID 376 wrote to memory of 5104 376 c282648.exe 98 PID 376 wrote to memory of 5104 376 c282648.exe 98 PID 5104 wrote to memory of 4696 5104 2060826.exe 99 PID 5104 wrote to memory of 4696 5104 2060826.exe 99 PID 5104 wrote to memory of 4696 5104 2060826.exe 99 PID 4696 wrote to memory of 3884 4696 680800.exe 100 PID 4696 wrote to memory of 3884 4696 680800.exe 100 PID 4696 wrote to memory of 3884 4696 680800.exe 100 PID 3884 wrote to memory of 4252 3884 ppjdp.exe 101 PID 3884 wrote to memory of 4252 3884 ppjdp.exe 101 PID 3884 wrote to memory of 4252 3884 ppjdp.exe 101 PID 4252 wrote to memory of 2608 4252 64028.exe 102 PID 4252 wrote to memory of 2608 4252 64028.exe 102 PID 4252 wrote to memory of 2608 4252 64028.exe 102 PID 2608 wrote to memory of 4136 2608 28484.exe 103 PID 2608 wrote to memory of 4136 2608 28484.exe 103 PID 2608 wrote to memory of 4136 2608 28484.exe 103 PID 4136 wrote to memory of 3616 4136 k40260.exe 104
Processes (tree). Each stage drops the next executable into the root of the system volume (\??\c:\<name>.exe) and runs it, one child per parent, to a depth of 120+ levels; the dropped names are short random-looking strings of digits or letters, which together with the volume-root location is a usable detection and hunting pivot. PIDs are recycled during the run (e.g. 408, 376, 5104, 3948, 4992 each appear twice), so correlate events by PID together with time offset, not PID alone.
-
C:\Users\Admin\AppData\Local\Temp\395e956c1a07cb14c77ed9eb3541fc31c51a38a2d3e378a2155a42030b50308c.exe"C:\Users\Admin\AppData\Local\Temp\395e956c1a07cb14c77ed9eb3541fc31c51a38a2d3e378a2155a42030b50308c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\g4486.exec:\g4486.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\jjjvd.exec:\jjjvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\6024446.exec:\6024446.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\2426666.exec:\2426666.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\4044604.exec:\4044604.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\g0086.exec:\g0086.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\2060006.exec:\2060006.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\6404044.exec:\6404044.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\lxxrrlf.exec:\lxxrrlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\0242402.exec:\0242402.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\c888204.exec:\c888204.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\840826.exec:\840826.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\nhbhbb.exec:\nhbhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\9lxrlfx.exec:\9lxrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\c282648.exec:\c282648.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\2060826.exec:\2060826.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\680800.exec:\680800.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\ppjdp.exec:\ppjdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\64028.exec:\64028.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\28484.exec:\28484.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\k40260.exec:\k40260.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\486888.exec:\486888.exe23⤵
- Executes dropped EXE
PID:3616 -
\??\c:\c662604.exec:\c662604.exe24⤵
- Executes dropped EXE
PID:3288 -
\??\c:\0664826.exec:\0664826.exe25⤵
- Executes dropped EXE
PID:1524 -
\??\c:\bbnhbh.exec:\bbnhbh.exe26⤵
- Executes dropped EXE
PID:2400 -
\??\c:\60864.exec:\60864.exe27⤵
- Executes dropped EXE
PID:3640 -
\??\c:\3xfrlfr.exec:\3xfrlfr.exe28⤵
- Executes dropped EXE
PID:2204 -
\??\c:\082480.exec:\082480.exe29⤵
- Executes dropped EXE
PID:4628 -
\??\c:\806444.exec:\806444.exe30⤵
- Executes dropped EXE
PID:2412 -
\??\c:\0808444.exec:\0808444.exe31⤵
- Executes dropped EXE
PID:4664 -
\??\c:\c464422.exec:\c464422.exe32⤵
- Executes dropped EXE
PID:3060 -
\??\c:\frxxfrl.exec:\frxxfrl.exe33⤵
- Executes dropped EXE
PID:1676 -
\??\c:\jdjjj.exec:\jdjjj.exe34⤵
- Executes dropped EXE
PID:3948 -
\??\c:\u848604.exec:\u848604.exe35⤵
- Executes dropped EXE
PID:1484 -
\??\c:\bnttnh.exec:\bnttnh.exe36⤵
- Executes dropped EXE
PID:1544 -
\??\c:\g8208.exec:\g8208.exe37⤵
- Executes dropped EXE
PID:4992 -
\??\c:\5bhbnn.exec:\5bhbnn.exe38⤵
- Executes dropped EXE
PID:2904 -
\??\c:\426066.exec:\426066.exe39⤵
- Executes dropped EXE
PID:4928 -
\??\c:\60884.exec:\60884.exe40⤵
- Executes dropped EXE
PID:2916 -
\??\c:\i286486.exec:\i286486.exe41⤵
- Executes dropped EXE
PID:2844 -
\??\c:\462648.exec:\462648.exe42⤵
- Executes dropped EXE
PID:768 -
\??\c:\a0086.exec:\a0086.exe43⤵
- Executes dropped EXE
PID:4768 -
\??\c:\48484.exec:\48484.exe44⤵
- Executes dropped EXE
PID:3216 -
\??\c:\m4688.exec:\m4688.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3832 -
\??\c:\ttnhtn.exec:\ttnhtn.exe46⤵
- Executes dropped EXE
PID:1160 -
\??\c:\xlrrffr.exec:\xlrrffr.exe47⤵
- Executes dropped EXE
PID:2244 -
\??\c:\xrlxlfr.exec:\xrlxlfr.exe48⤵
- Executes dropped EXE
PID:1708 -
\??\c:\662648.exec:\662648.exe49⤵
- Executes dropped EXE
PID:3660 -
\??\c:\jjjdp.exec:\jjjdp.exe50⤵
- Executes dropped EXE
PID:3224 -
\??\c:\lxrfxrl.exec:\lxrfxrl.exe51⤵
- Executes dropped EXE
PID:1780 -
\??\c:\3pjjd.exec:\3pjjd.exe52⤵
- Executes dropped EXE
PID:4608 -
\??\c:\jvpdv.exec:\jvpdv.exe53⤵
- Executes dropped EXE
PID:4908 -
\??\c:\pppjv.exec:\pppjv.exe54⤵
- Executes dropped EXE
PID:3988 -
\??\c:\1pjdp.exec:\1pjdp.exe55⤵
- Executes dropped EXE
PID:4700 -
\??\c:\80826.exec:\80826.exe56⤵
- Executes dropped EXE
PID:4376 -
\??\c:\jppdp.exec:\jppdp.exe57⤵
- Executes dropped EXE
PID:5028 -
\??\c:\866066.exec:\866066.exe58⤵
- Executes dropped EXE
PID:1248 -
\??\c:\lxxrrll.exec:\lxxrrll.exe59⤵
- Executes dropped EXE
PID:4536 -
\??\c:\w86600.exec:\w86600.exe60⤵
- Executes dropped EXE
PID:3644 -
\??\c:\080626.exec:\080626.exe61⤵
- Executes dropped EXE
PID:3024 -
\??\c:\2004888.exec:\2004888.exe62⤵
- Executes dropped EXE
PID:4912 -
\??\c:\9xfrflx.exec:\9xfrflx.exe63⤵
- Executes dropped EXE
PID:1840 -
\??\c:\s6286.exec:\s6286.exe64⤵
- Executes dropped EXE
PID:1404 -
\??\c:\xffrlxr.exec:\xffrlxr.exe65⤵
- Executes dropped EXE
PID:2500 -
\??\c:\nbtnbt.exec:\nbtnbt.exe66⤵PID:1272
-
\??\c:\vjvjv.exec:\vjvjv.exe67⤵PID:2860
-
\??\c:\xlrlffx.exec:\xlrlffx.exe68⤵PID:4756
-
\??\c:\2422822.exec:\2422822.exe69⤵PID:100
-
\??\c:\xrrrlll.exec:\xrrrlll.exe70⤵PID:1284
-
\??\c:\rxlllll.exec:\rxlllll.exe71⤵PID:212
-
\??\c:\vpvjp.exec:\vpvjp.exe72⤵PID:376
-
\??\c:\rrrllll.exec:\rrrllll.exe73⤵PID:4760
-
\??\c:\266026.exec:\266026.exe74⤵PID:5104
-
\??\c:\c244006.exec:\c244006.exe75⤵PID:3492
-
\??\c:\7pvdv.exec:\7pvdv.exe76⤵PID:4288
-
\??\c:\420246.exec:\420246.exe77⤵PID:3132
-
\??\c:\0404448.exec:\0404448.exe78⤵PID:3348
-
\??\c:\nthbtt.exec:\nthbtt.exe79⤵PID:4832
-
\??\c:\u028222.exec:\u028222.exe80⤵PID:2328
-
\??\c:\1bhbbb.exec:\1bhbbb.exe81⤵PID:2164
-
\??\c:\i666000.exec:\i666000.exe82⤵PID:5084
-
\??\c:\82826.exec:\82826.exe83⤵PID:4192
-
\??\c:\pppjv.exec:\pppjv.exe84⤵PID:3668
-
\??\c:\1tnbhh.exec:\1tnbhh.exe85⤵PID:3800
-
\??\c:\c282666.exec:\c282666.exe86⤵PID:364
-
\??\c:\hhtnbh.exec:\hhtnbh.exe87⤵PID:1476
-
\??\c:\606000.exec:\606000.exe88⤵PID:4604
-
\??\c:\dpvpj.exec:\dpvpj.exe89⤵PID:2204
-
\??\c:\66824.exec:\66824.exe90⤵PID:2440
-
\??\c:\22688.exec:\22688.exe91⤵PID:4628
-
\??\c:\i244400.exec:\i244400.exe92⤵PID:4112
-
\??\c:\04840.exec:\04840.exe93⤵PID:1084
-
\??\c:\c828042.exec:\c828042.exe94⤵PID:1184
-
\??\c:\82408.exec:\82408.exe95⤵PID:4764
-
\??\c:\7rxxlxf.exec:\7rxxlxf.exe96⤵PID:4668
-
\??\c:\fxrxxxl.exec:\fxrxxxl.exe97⤵PID:4284
-
\??\c:\04606.exec:\04606.exe98⤵PID:3948
-
\??\c:\6808666.exec:\6808666.exe99⤵PID:3556
-
\??\c:\lrlrxxf.exec:\lrlrxxf.exe100⤵PID:1544
-
\??\c:\dvjvd.exec:\dvjvd.exe101⤵PID:4992
-
\??\c:\086048.exec:\086048.exe102⤵PID:1908
-
\??\c:\pvdvd.exec:\pvdvd.exe103⤵PID:4928
-
\??\c:\620866.exec:\620866.exe104⤵PID:3952
-
\??\c:\8620600.exec:\8620600.exe105⤵PID:2640
-
\??\c:\1lfxrxr.exec:\1lfxrxr.exe106⤵PID:4380
-
\??\c:\5xlxxlr.exec:\5xlxxlr.exe107⤵PID:3756
-
\??\c:\62860.exec:\62860.exe108⤵PID:4988
-
\??\c:\8646606.exec:\8646606.exe109⤵PID:3588
-
\??\c:\64488.exec:\64488.exe110⤵PID:960
-
\??\c:\0680808.exec:\0680808.exe111⤵PID:2688
-
\??\c:\pjddv.exec:\pjddv.exe112⤵PID:4672
-
\??\c:\bnhhtn.exec:\bnhhtn.exe113⤵PID:4356
-
\??\c:\rflfrxr.exec:\rflfrxr.exe114⤵PID:1972
-
\??\c:\80042.exec:\80042.exe115⤵PID:408
-
\??\c:\4422844.exec:\4422844.exe116⤵PID:4020
-
\??\c:\1hnhbh.exec:\1hnhbh.exe117⤵PID:3368
-
\??\c:\7pjdp.exec:\7pjdp.exe118⤵PID:3988
-
\??\c:\4486060.exec:\4486060.exe119⤵PID:4700
-
\??\c:\thhhhh.exec:\thhhhh.exe120⤵
- System Location Discovery: System Language Discovery
PID:4384 -
\??\c:\htbnnn.exec:\htbnnn.exe121⤵PID:3692
-
\??\c:\xrxlfff.exec:\xrxlfff.exe122⤵PID:2896