Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe
-
Size
454KB
-
MD5
878a3e07e54382b2059a998baaec2dd0
-
SHA1
4d549a873687338ab5bb59188e4d51009957535a
-
SHA256
1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4
-
SHA512
cc0bdac47dba100c1ac5f36c5aedf57cec07839a242dc8f49af3d4e6c07adbe0c212f2d7b2f3549856f7e476dd4164a9d81863edbfcf7c717ca76681defe12e6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbePY:q7Tc2NYHUrAwfMp3CDPY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/632-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4804-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3120-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-1001-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-1035-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-1087-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-1449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1408 680226.exe 1104 8648686.exe 3932 204264.exe 4916 866868.exe 3892 bnhbnh.exe 3988 62042.exe 3748 pdjvp.exe 2420 pjdvv.exe 3928 pvjjd.exe 4616 lrfrfrl.exe 2952 4286008.exe 372 nhttnh.exe 3636 666026.exe 3120 6220882.exe 3904 866424.exe 4892 k06420.exe 320 hnhtht.exe 2536 tbhtnh.exe 2176 82822.exe 4212 6660088.exe 4652 g0420.exe 3796 9rlrfxl.exe 2132 ththtn.exe 1144 3rlrfxr.exe 3848 vjvdv.exe 4804 0004820.exe 4532 4220482.exe 2736 vdpdp.exe 3808 hbbtbn.exe 936 pvpdv.exe 4964 04826.exe 1672 6244260.exe 720 000864.exe 1756 5btnhb.exe 4336 xxrfrlx.exe 1172 28482.exe 4220 u422844.exe 3420 jdvjv.exe 3112 hbthtn.exe 2836 026486.exe 1332 tnnhtt.exe 1572 840860.exe 4392 jppjd.exe 4788 fxxrfxl.exe 1068 8288002.exe 1640 pvppr.exe 5084 202060.exe 4472 rfxrfrf.exe 920 jpjdj.exe 4236 60428.exe 1440 642266.exe 4224 bbbbnh.exe 536 04840.exe 1456 866468.exe 3620 66208.exe 3612 ppvjv.exe 4140 8800044.exe 4868 4222086.exe 2420 jpppd.exe 2392 rxrxlxl.exe 3940 9vjjj.exe 1872 rxfrfrl.exe 2356 28868.exe 3752 8226840.exe -
resource yara_rule behavioral2/memory/632-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4532-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-360-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4268-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-891-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-1001-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-1035-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-1087-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-1091-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6000048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8444888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k02204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4822604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4222086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2064488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2802648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84488.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i624206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 632 wrote to memory of 1408 632 1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe 83 PID 632 wrote to memory of 1408 632 1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe 83 PID 632 wrote to memory of 1408 632 1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe 83 PID 1408 wrote to memory of 1104 1408 680226.exe 84 PID 1408 wrote to memory of 1104 1408 680226.exe 84 PID 1408 wrote to memory of 1104 1408 680226.exe 84 PID 1104 wrote to memory of 3932 1104 8648686.exe 85 PID 1104 wrote to memory of 3932 1104 8648686.exe 85 PID 1104 wrote to memory of 3932 1104 8648686.exe 85 PID 3932 wrote to memory of 4916 3932 204264.exe 86 PID 3932 wrote to memory of 4916 3932 204264.exe 86 PID 3932 wrote to memory of 4916 3932 204264.exe 86 PID 4916 wrote to memory of 3892 4916 866868.exe 87 PID 4916 wrote to memory of 3892 4916 866868.exe 87 PID 4916 wrote to memory of 3892 4916 866868.exe 87 PID 3892 wrote to memory of 3988 3892 bnhbnh.exe 88 PID 3892 wrote to memory of 3988 3892 bnhbnh.exe 88 PID 3892 wrote to memory of 3988 3892 bnhbnh.exe 88 PID 3988 wrote to memory of 3748 3988 62042.exe 89 PID 3988 wrote to memory of 3748 3988 62042.exe 89 PID 3988 wrote to memory of 3748 3988 62042.exe 89 PID 3748 wrote to memory of 2420 3748 pdjvp.exe 90 PID 3748 wrote to memory of 2420 3748 pdjvp.exe 90 PID 3748 wrote to memory of 2420 3748 pdjvp.exe 90 PID 2420 wrote to memory of 3928 2420 pjdvv.exe 91 PID 2420 wrote to memory of 3928 2420 pjdvv.exe 91 PID 2420 wrote to memory of 3928 2420 pjdvv.exe 91 PID 3928 wrote to memory of 4616 3928 pvjjd.exe 92 PID 3928 wrote to memory of 4616 3928 pvjjd.exe 92 PID 3928 wrote to memory of 4616 3928 pvjjd.exe 92 PID 4616 wrote to memory of 2952 4616 lrfrfrl.exe 93 PID 4616 wrote to memory of 2952 4616 lrfrfrl.exe 93 PID 4616 wrote to memory of 2952 4616 lrfrfrl.exe 93 PID 2952 wrote to memory of 372 2952 4286008.exe 94 PID 2952 wrote to memory of 372 
2952 4286008.exe 94 PID 2952 wrote to memory of 372 2952 4286008.exe 94 PID 372 wrote to memory of 3636 372 nhttnh.exe 95 PID 372 wrote to memory of 3636 372 nhttnh.exe 95 PID 372 wrote to memory of 3636 372 nhttnh.exe 95 PID 3636 wrote to memory of 3120 3636 666026.exe 96 PID 3636 wrote to memory of 3120 3636 666026.exe 96 PID 3636 wrote to memory of 3120 3636 666026.exe 96 PID 3120 wrote to memory of 3904 3120 6220882.exe 97 PID 3120 wrote to memory of 3904 3120 6220882.exe 97 PID 3120 wrote to memory of 3904 3120 6220882.exe 97 PID 3904 wrote to memory of 4892 3904 866424.exe 98 PID 3904 wrote to memory of 4892 3904 866424.exe 98 PID 3904 wrote to memory of 4892 3904 866424.exe 98 PID 4892 wrote to memory of 320 4892 k06420.exe 99 PID 4892 wrote to memory of 320 4892 k06420.exe 99 PID 4892 wrote to memory of 320 4892 k06420.exe 99 PID 320 wrote to memory of 2536 320 hnhtht.exe 100 PID 320 wrote to memory of 2536 320 hnhtht.exe 100 PID 320 wrote to memory of 2536 320 hnhtht.exe 100 PID 2536 wrote to memory of 2176 2536 tbhtnh.exe 101 PID 2536 wrote to memory of 2176 2536 tbhtnh.exe 101 PID 2536 wrote to memory of 2176 2536 tbhtnh.exe 101 PID 2176 wrote to memory of 4212 2176 82822.exe 102 PID 2176 wrote to memory of 4212 2176 82822.exe 102 PID 2176 wrote to memory of 4212 2176 82822.exe 102 PID 4212 wrote to memory of 4652 4212 6660088.exe 103 PID 4212 wrote to memory of 4652 4212 6660088.exe 103 PID 4212 wrote to memory of 4652 4212 6660088.exe 103 PID 4652 wrote to memory of 3796 4652 g0420.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe"C:\Users\Admin\AppData\Local\Temp\1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\680226.exec:\680226.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\8648686.exec:\8648686.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\204264.exec:\204264.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\866868.exec:\866868.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\bnhbnh.exec:\bnhbnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\62042.exec:\62042.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\pdjvp.exec:\pdjvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\pjdvv.exec:\pjdvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\pvjjd.exec:\pvjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\lrfrfrl.exec:\lrfrfrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\4286008.exec:\4286008.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\nhttnh.exec:\nhttnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\666026.exec:\666026.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\6220882.exec:\6220882.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\866424.exec:\866424.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\k06420.exec:\k06420.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\hnhtht.exec:\hnhtht.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\tbhtnh.exec:\tbhtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\82822.exec:\82822.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\6660088.exec:\6660088.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\g0420.exec:\g0420.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\9rlrfxl.exec:\9rlrfxl.exe23⤵
- Executes dropped EXE
PID:3796 -
\??\c:\ththtn.exec:\ththtn.exe24⤵
- Executes dropped EXE
PID:2132 -
\??\c:\3rlrfxr.exec:\3rlrfxr.exe25⤵
- Executes dropped EXE
PID:1144 -
\??\c:\vjvdv.exec:\vjvdv.exe26⤵
- Executes dropped EXE
PID:3848 -
\??\c:\0004820.exec:\0004820.exe27⤵
- Executes dropped EXE
PID:4804 -
\??\c:\4220482.exec:\4220482.exe28⤵
- Executes dropped EXE
PID:4532 -
\??\c:\vdpdp.exec:\vdpdp.exe29⤵
- Executes dropped EXE
PID:2736 -
\??\c:\hbbtbn.exec:\hbbtbn.exe30⤵
- Executes dropped EXE
PID:3808 -
\??\c:\pvpdv.exec:\pvpdv.exe31⤵
- Executes dropped EXE
PID:936 -
\??\c:\04826.exec:\04826.exe32⤵
- Executes dropped EXE
PID:4964 -
\??\c:\6244260.exec:\6244260.exe33⤵
- Executes dropped EXE
PID:1672 -
\??\c:\000864.exec:\000864.exe34⤵
- Executes dropped EXE
PID:720 -
\??\c:\5btnhb.exec:\5btnhb.exe35⤵
- Executes dropped EXE
PID:1756 -
\??\c:\xxrfrlx.exec:\xxrfrlx.exe36⤵
- Executes dropped EXE
PID:4336 -
\??\c:\28482.exec:\28482.exe37⤵
- Executes dropped EXE
PID:1172 -
\??\c:\u422844.exec:\u422844.exe38⤵
- Executes dropped EXE
PID:4220 -
\??\c:\jdvjv.exec:\jdvjv.exe39⤵
- Executes dropped EXE
PID:3420 -
\??\c:\hbthtn.exec:\hbthtn.exe40⤵
- Executes dropped EXE
PID:3112 -
\??\c:\026486.exec:\026486.exe41⤵
- Executes dropped EXE
PID:2836 -
\??\c:\tnnhtt.exec:\tnnhtt.exe42⤵
- Executes dropped EXE
PID:1332 -
\??\c:\840860.exec:\840860.exe43⤵
- Executes dropped EXE
PID:1572 -
\??\c:\jppjd.exec:\jppjd.exe44⤵
- Executes dropped EXE
PID:4392 -
\??\c:\fxxrfxl.exec:\fxxrfxl.exe45⤵
- Executes dropped EXE
PID:4788 -
\??\c:\8288002.exec:\8288002.exe46⤵
- Executes dropped EXE
PID:1068 -
\??\c:\pvppr.exec:\pvppr.exe47⤵
- Executes dropped EXE
PID:1640 -
\??\c:\202060.exec:\202060.exe48⤵
- Executes dropped EXE
PID:5084 -
\??\c:\rfxrfrf.exec:\rfxrfrf.exe49⤵
- Executes dropped EXE
PID:4472 -
\??\c:\jpjdj.exec:\jpjdj.exe50⤵
- Executes dropped EXE
PID:920 -
\??\c:\60428.exec:\60428.exe51⤵
- Executes dropped EXE
PID:4236 -
\??\c:\642266.exec:\642266.exe52⤵
- Executes dropped EXE
PID:1440 -
\??\c:\bbbbnh.exec:\bbbbnh.exe53⤵
- Executes dropped EXE
PID:4224 -
\??\c:\04840.exec:\04840.exe54⤵
- Executes dropped EXE
PID:536 -
\??\c:\866468.exec:\866468.exe55⤵
- Executes dropped EXE
PID:1456 -
\??\c:\66208.exec:\66208.exe56⤵
- Executes dropped EXE
PID:3620 -
\??\c:\ppvjv.exec:\ppvjv.exe57⤵
- Executes dropped EXE
PID:3612 -
\??\c:\8800044.exec:\8800044.exe58⤵
- Executes dropped EXE
PID:4140 -
\??\c:\4222086.exec:\4222086.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4868 -
\??\c:\jpppd.exec:\jpppd.exe60⤵
- Executes dropped EXE
PID:2420 -
\??\c:\rxrxlxl.exec:\rxrxlxl.exe61⤵
- Executes dropped EXE
PID:2392 -
\??\c:\9vjjj.exec:\9vjjj.exe62⤵
- Executes dropped EXE
PID:3940 -
\??\c:\rxfrfrl.exec:\rxfrfrl.exe63⤵
- Executes dropped EXE
PID:1872 -
\??\c:\28868.exec:\28868.exe64⤵
- Executes dropped EXE
PID:2356 -
\??\c:\8226840.exec:\8226840.exe65⤵
- Executes dropped EXE
PID:3752 -
\??\c:\60200.exec:\60200.exe66⤵PID:372
-
\??\c:\xflxfxl.exec:\xflxfxl.exe67⤵PID:1824
-
\??\c:\26228.exec:\26228.exe68⤵PID:4548
-
\??\c:\ttnnnt.exec:\ttnnnt.exe69⤵PID:4956
-
\??\c:\nbthth.exec:\nbthth.exe70⤵PID:3120
-
\??\c:\426028.exec:\426028.exe71⤵PID:4816
-
\??\c:\9vjpv.exec:\9vjpv.exe72⤵PID:5052
-
\??\c:\86260.exec:\86260.exe73⤵PID:4952
-
\??\c:\htnbnb.exec:\htnbnb.exe74⤵PID:2592
-
\??\c:\20086.exec:\20086.exe75⤵PID:2188
-
\??\c:\nbbttt.exec:\nbbttt.exe76⤵PID:4812
-
\??\c:\djpdp.exec:\djpdp.exe77⤵PID:3968
-
\??\c:\462644.exec:\462644.exe78⤵PID:4484
-
\??\c:\jjdvj.exec:\jjdvj.exe79⤵PID:1516
-
\??\c:\a0644.exec:\a0644.exe80⤵PID:5004
-
\??\c:\pvpdj.exec:\pvpdj.exe81⤵PID:4824
-
\??\c:\rrrlrrl.exec:\rrrlrrl.exe82⤵PID:4960
-
\??\c:\jvdvp.exec:\jvdvp.exe83⤵PID:2624
-
\??\c:\hnnhbt.exec:\hnnhbt.exe84⤵PID:2028
-
\??\c:\1ppdv.exec:\1ppdv.exe85⤵PID:2388
-
\??\c:\9lfxrlf.exec:\9lfxrlf.exe86⤵PID:5020
-
\??\c:\jjjvp.exec:\jjjvp.exe87⤵PID:4780
-
\??\c:\g8860.exec:\g8860.exe88⤵PID:4268
-
\??\c:\7bthtn.exec:\7bthtn.exe89⤵PID:900
-
\??\c:\6244226.exec:\6244226.exe90⤵PID:976
-
\??\c:\9tnhbb.exec:\9tnhbb.exe91⤵PID:776
-
\??\c:\402086.exec:\402086.exe92⤵PID:648
-
\??\c:\i826048.exec:\i826048.exe93⤵PID:4964
-
\??\c:\pjvvj.exec:\pjvvj.exe94⤵PID:876
-
\??\c:\840482.exec:\840482.exe95⤵PID:2956
-
\??\c:\00208.exec:\00208.exe96⤵PID:4324
-
\??\c:\vpdvj.exec:\vpdvj.exe97⤵PID:2724
-
\??\c:\42242.exec:\42242.exe98⤵PID:1804
-
\??\c:\m6260.exec:\m6260.exe99⤵PID:2204
-
\??\c:\640882.exec:\640882.exe100⤵PID:3840
-
\??\c:\k60482.exec:\k60482.exe101⤵PID:3436
-
\??\c:\9lfxllf.exec:\9lfxllf.exe102⤵PID:208
-
\??\c:\068600.exec:\068600.exe103⤵PID:2836
-
\??\c:\tbbtnh.exec:\tbbtnh.exe104⤵PID:2440
-
\??\c:\vvddv.exec:\vvddv.exe105⤵PID:1572
-
\??\c:\082644.exec:\082644.exe106⤵PID:1988
-
\??\c:\40882.exec:\40882.exe107⤵PID:3852
-
\??\c:\608602.exec:\608602.exe108⤵PID:4468
-
\??\c:\jdvjv.exec:\jdvjv.exe109⤵PID:3024
-
\??\c:\dvpvv.exec:\dvpvv.exe110⤵PID:1364
-
\??\c:\60448.exec:\60448.exe111⤵PID:4316
-
\??\c:\jdvjd.exec:\jdvjd.exe112⤵PID:4452
-
\??\c:\280822.exec:\280822.exe113⤵PID:1744
-
\??\c:\86046.exec:\86046.exe114⤵PID:1680
-
\??\c:\5nnhbb.exec:\5nnhbb.exe115⤵PID:4320
-
\??\c:\m0222.exec:\m0222.exe116⤵PID:4236
-
\??\c:\06646.exec:\06646.exe117⤵PID:4120
-
\??\c:\644826.exec:\644826.exe118⤵PID:1564
-
\??\c:\464428.exec:\464428.exe119⤵PID:1188
-
\??\c:\vpjdd.exec:\vpjdd.exe120⤵PID:4836
-
\??\c:\4462426.exec:\4462426.exe121⤵PID:4932
-
\??\c:\2802648.exec:\2802648.exe122⤵
- System Location Discovery: System Language Discovery
PID:3988