Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:41
Behavioral task
behavioral1
Sample
7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe
-
Size
97KB
-
MD5
5edadfd1abb63bbec55a6853de1eb46d
-
SHA1
00d79841b80e66268f2638d6649708eef273e9f4
-
SHA256
7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e
-
SHA512
74fbaf462fb08cf2e1b528e2d2e6d195153a2c685d836f2582d50e9de2b6938ee4f458072283be35e2ce6967dc9196111e253d5fd189a61190d3bcf7fefcd47a
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgRy:8cm4FmowdHoSgWrXUgs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4276-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2228-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3820-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4924-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1332-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4568-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1028-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1480-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1780-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1752-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2592-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4624-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2072-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1776-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1868-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2664-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1484-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3408-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3404-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2196-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2956-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2496-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2508-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2396-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3364-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2264-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1528-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3556-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1712-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1656-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3324-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3540-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2256-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2972-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2584-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/460-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3440-490-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4620-501-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3128-516-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-523-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3152-690-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-733-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2352-738-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-905-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1168-1278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4276 220488.exe 2228 088682.exe 3820 fxxrlfx.exe 2516 8444888.exe 4924 vpdvp.exe 3892 htthhb.exe 4316 2060444.exe 3608 hhhtnh.exe 1332 66820.exe 4568 nbnhbb.exe 1028 224886.exe 1360 224600.exe 1480 628604.exe 3248 tbhnth.exe 1780 5djdv.exe 636 40004.exe 2748 ddjjp.exe 1752 022622.exe 3560 a4448.exe 3076 88820.exe 2592 hnbthn.exe 5040 bnnhbt.exe 4624 tbttnn.exe 5116 vpdvp.exe 2072 xfrlxxx.exe 1776 402822.exe 2172 s8820.exe 1868 rfxrfff.exe 5048 jjddv.exe 2664 lfxxllf.exe 740 jdjjv.exe 1844 1lxflrf.exe 1484 3ttnhh.exe 1960 pdvpp.exe 3408 9jjpj.exe 3404 pvpjj.exe 2196 26260.exe 2956 w48226.exe 2496 24626.exe 788 frrlrrr.exe 2508 2246688.exe 1544 3rrlxxl.exe 2396 hnbhhh.exe 4340 m2482.exe 3364 862862.exe 4028 048882.exe 4264 80262.exe 2016 088284.exe 4360 vvvpj.exe 3120 tnnbbb.exe 2228 tnhbnh.exe 928 006048.exe 4932 86264.exe 2736 dpjvd.exe 2264 482604.exe 4924 jdjjd.exe 1528 5ttnhh.exe 5028 fffllll.exe 3556 9hhbtt.exe 1712 64664.exe 1796 624426.exe 1332 dddvv.exe 4568 hthtbh.exe 1656 frxllfr.exe -
resource yara_rule behavioral2/memory/4616-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b15-4.dat upx behavioral2/memory/4276-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b72-9.dat upx behavioral2/memory/4616-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b73-11.dat upx behavioral2/memory/2228-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b74-18.dat upx behavioral2/memory/3820-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b75-23.dat upx behavioral2/memory/2516-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b76-28.dat upx behavioral2/memory/4924-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b77-33.dat upx behavioral2/memory/3892-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b78-38.dat upx behavioral2/memory/4316-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3608-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b79-43.dat upx behavioral2/files/0x000a000000023b7a-48.dat upx behavioral2/memory/1332-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-53.dat upx behavioral2/memory/4568-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7c-58.dat upx behavioral2/memory/1028-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-63.dat upx behavioral2/memory/1360-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-68.dat upx behavioral2/memory/1480-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7f-73.dat upx 
behavioral2/memory/3248-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b80-78.dat upx behavioral2/memory/1780-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b81-83.dat upx behavioral2/files/0x000a000000023b82-87.dat upx behavioral2/memory/1752-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-93.dat upx behavioral2/files/0x000b000000023b6f-96.dat upx behavioral2/files/0x000a000000023b84-100.dat upx behavioral2/memory/3076-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b86-105.dat upx behavioral2/memory/2592-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b87-110.dat upx behavioral2/files/0x000a000000023b75-115.dat upx behavioral2/memory/5116-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4624-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5040-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2072-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-121.dat upx behavioral2/files/0x000e000000023b96-127.dat upx behavioral2/memory/1776-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023b9f-131.dat upx behavioral2/files/0x0009000000023ba4-135.dat upx behavioral2/memory/1868-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023ba5-141.dat upx behavioral2/files/0x0009000000023ba6-145.dat upx behavioral2/files/0x000e000000023baa-149.dat upx behavioral2/memory/2664-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bac-153.dat upx behavioral2/memory/1484-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3408-164-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3404-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2196-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2956-173-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i622600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 628604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbnh.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 404888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 626666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 666000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62604.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4616 wrote to memory of 4276 4616 7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe 83 PID 4616 wrote to memory of 4276 4616 7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe 83 PID 4616 wrote to memory of 4276 4616 7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe 83 PID 4276 wrote to memory of 2228 4276 220488.exe 84 PID 4276 wrote to memory of 2228 4276 220488.exe 84 PID 4276 wrote to memory of 2228 4276 220488.exe 84 PID 2228 wrote to memory of 3820 2228 088682.exe 85 PID 2228 wrote to memory of 3820 2228 088682.exe 85 PID 2228 wrote to memory of 3820 2228 088682.exe 85 PID 3820 wrote to memory of 2516 3820 fxxrlfx.exe 86 PID 3820 wrote to memory of 2516 3820 fxxrlfx.exe 86 PID 3820 wrote to memory of 2516 3820 fxxrlfx.exe 86 PID 2516 wrote to memory of 4924 2516 8444888.exe 87 PID 2516 wrote to memory of 4924 2516 8444888.exe 87 PID 2516 wrote to memory of 4924 2516 8444888.exe 87 PID 4924 wrote to memory of 3892 4924 vpdvp.exe 88 PID 4924 wrote to memory of 3892 4924 vpdvp.exe 88 PID 4924 wrote to memory of 3892 4924 vpdvp.exe 88 PID 3892 wrote to memory of 4316 3892 htthhb.exe 89 PID 3892 wrote to memory of 4316 3892 htthhb.exe 89 PID 3892 wrote to memory of 4316 3892 htthhb.exe 89 PID 4316 wrote to memory of 3608 4316 2060444.exe 90 PID 4316 wrote to memory of 3608 4316 2060444.exe 90 PID 4316 wrote to memory of 3608 4316 2060444.exe 90 PID 3608 wrote to memory of 1332 3608 hhhtnh.exe 91 PID 3608 wrote to memory of 1332 3608 hhhtnh.exe 91 PID 3608 wrote to memory of 1332 3608 hhhtnh.exe 91 PID 1332 wrote to memory of 4568 1332 66820.exe 92 PID 1332 wrote to memory of 4568 1332 66820.exe 92 PID 1332 wrote to memory of 4568 1332 66820.exe 92 PID 4568 wrote to memory of 1028 4568 nbnhbb.exe 93 PID 4568 wrote to memory of 1028 4568 nbnhbb.exe 93 PID 4568 wrote to memory of 1028 4568 nbnhbb.exe 93 PID 1028 wrote to memory of 1360 1028 224886.exe 94 PID 1028 wrote 
to memory of 1360 1028 224886.exe 94 PID 1028 wrote to memory of 1360 1028 224886.exe 94 PID 1360 wrote to memory of 1480 1360 224600.exe 95 PID 1360 wrote to memory of 1480 1360 224600.exe 95 PID 1360 wrote to memory of 1480 1360 224600.exe 95 PID 1480 wrote to memory of 3248 1480 628604.exe 96 PID 1480 wrote to memory of 3248 1480 628604.exe 96 PID 1480 wrote to memory of 3248 1480 628604.exe 96 PID 3248 wrote to memory of 1780 3248 tbhnth.exe 97 PID 3248 wrote to memory of 1780 3248 tbhnth.exe 97 PID 3248 wrote to memory of 1780 3248 tbhnth.exe 97 PID 1780 wrote to memory of 636 1780 5djdv.exe 98 PID 1780 wrote to memory of 636 1780 5djdv.exe 98 PID 1780 wrote to memory of 636 1780 5djdv.exe 98 PID 636 wrote to memory of 2748 636 40004.exe 99 PID 636 wrote to memory of 2748 636 40004.exe 99 PID 636 wrote to memory of 2748 636 40004.exe 99 PID 2748 wrote to memory of 1752 2748 ddjjp.exe 100 PID 2748 wrote to memory of 1752 2748 ddjjp.exe 100 PID 2748 wrote to memory of 1752 2748 ddjjp.exe 100 PID 1752 wrote to memory of 3560 1752 022622.exe 101 PID 1752 wrote to memory of 3560 1752 022622.exe 101 PID 1752 wrote to memory of 3560 1752 022622.exe 101 PID 3560 wrote to memory of 3076 3560 a4448.exe 102 PID 3560 wrote to memory of 3076 3560 a4448.exe 102 PID 3560 wrote to memory of 3076 3560 a4448.exe 102 PID 3076 wrote to memory of 2592 3076 88820.exe 103 PID 3076 wrote to memory of 2592 3076 88820.exe 103 PID 3076 wrote to memory of 2592 3076 88820.exe 103 PID 2592 wrote to memory of 5040 2592 hnbthn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe"C:\Users\Admin\AppData\Local\Temp\7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\220488.exec:\220488.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\088682.exec:\088682.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\8444888.exec:\8444888.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\vpdvp.exec:\vpdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\htthhb.exec:\htthhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\2060444.exec:\2060444.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\hhhtnh.exec:\hhhtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\66820.exec:\66820.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\nbnhbb.exec:\nbnhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\224886.exec:\224886.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\224600.exec:\224600.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\628604.exec:\628604.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\tbhnth.exec:\tbhnth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\5djdv.exec:\5djdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\40004.exec:\40004.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\ddjjp.exec:\ddjjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\022622.exec:\022622.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\a4448.exec:\a4448.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\88820.exec:\88820.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\hnbthn.exec:\hnbthn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\bnnhbt.exec:\bnnhbt.exe23⤵
- Executes dropped EXE
PID:5040 -
\??\c:\tbttnn.exec:\tbttnn.exe24⤵
- Executes dropped EXE
PID:4624 -
\??\c:\vpdvp.exec:\vpdvp.exe25⤵
- Executes dropped EXE
PID:5116 -
\??\c:\xfrlxxx.exec:\xfrlxxx.exe26⤵
- Executes dropped EXE
PID:2072 -
\??\c:\402822.exec:\402822.exe27⤵
- Executes dropped EXE
PID:1776 -
\??\c:\s8820.exec:\s8820.exe28⤵
- Executes dropped EXE
PID:2172 -
\??\c:\rfxrfff.exec:\rfxrfff.exe29⤵
- Executes dropped EXE
PID:1868 -
\??\c:\jjddv.exec:\jjddv.exe30⤵
- Executes dropped EXE
PID:5048 -
\??\c:\lfxxllf.exec:\lfxxllf.exe31⤵
- Executes dropped EXE
PID:2664 -
\??\c:\jdjjv.exec:\jdjjv.exe32⤵
- Executes dropped EXE
PID:740 -
\??\c:\1lxflrf.exec:\1lxflrf.exe33⤵
- Executes dropped EXE
PID:1844 -
\??\c:\3ttnhh.exec:\3ttnhh.exe34⤵
- Executes dropped EXE
PID:1484 -
\??\c:\pdvpp.exec:\pdvpp.exe35⤵
- Executes dropped EXE
PID:1960 -
\??\c:\9jjpj.exec:\9jjpj.exe36⤵
- Executes dropped EXE
PID:3408 -
\??\c:\pvpjj.exec:\pvpjj.exe37⤵
- Executes dropped EXE
PID:3404 -
\??\c:\26260.exec:\26260.exe38⤵
- Executes dropped EXE
PID:2196 -
\??\c:\w48226.exec:\w48226.exe39⤵
- Executes dropped EXE
PID:2956 -
\??\c:\24626.exec:\24626.exe40⤵
- Executes dropped EXE
PID:2496 -
\??\c:\frrlrrr.exec:\frrlrrr.exe41⤵
- Executes dropped EXE
PID:788 -
\??\c:\2246688.exec:\2246688.exe42⤵
- Executes dropped EXE
PID:2508 -
\??\c:\3rrlxxl.exec:\3rrlxxl.exe43⤵
- Executes dropped EXE
PID:1544 -
\??\c:\hnbhhh.exec:\hnbhhh.exe44⤵
- Executes dropped EXE
PID:2396 -
\??\c:\m2482.exec:\m2482.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4340 -
\??\c:\862862.exec:\862862.exe46⤵
- Executes dropped EXE
PID:3364 -
\??\c:\048882.exec:\048882.exe47⤵
- Executes dropped EXE
PID:4028 -
\??\c:\80262.exec:\80262.exe48⤵
- Executes dropped EXE
PID:4264 -
\??\c:\htnbhh.exec:\htnbhh.exe49⤵PID:4368
-
\??\c:\088284.exec:\088284.exe50⤵
- Executes dropped EXE
PID:2016 -
\??\c:\vvvpj.exec:\vvvpj.exe51⤵
- Executes dropped EXE
PID:4360 -
\??\c:\tnnbbb.exec:\tnnbbb.exe52⤵
- Executes dropped EXE
PID:3120 -
\??\c:\tnhbnh.exec:\tnhbnh.exe53⤵
- Executes dropped EXE
PID:2228 -
\??\c:\006048.exec:\006048.exe54⤵
- Executes dropped EXE
PID:928 -
\??\c:\86264.exec:\86264.exe55⤵
- Executes dropped EXE
PID:4932 -
\??\c:\dpjvd.exec:\dpjvd.exe56⤵
- Executes dropped EXE
PID:2736 -
\??\c:\482604.exec:\482604.exe57⤵
- Executes dropped EXE
PID:2264 -
\??\c:\jdjjd.exec:\jdjjd.exe58⤵
- Executes dropped EXE
PID:4924 -
\??\c:\5ttnhh.exec:\5ttnhh.exe59⤵
- Executes dropped EXE
PID:1528 -
\??\c:\fffllll.exec:\fffllll.exe60⤵
- Executes dropped EXE
PID:5028 -
\??\c:\9hhbtt.exec:\9hhbtt.exe61⤵
- Executes dropped EXE
PID:3556 -
\??\c:\64664.exec:\64664.exe62⤵
- Executes dropped EXE
PID:1712 -
\??\c:\624426.exec:\624426.exe63⤵
- Executes dropped EXE
PID:1796 -
\??\c:\dddvv.exec:\dddvv.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1332 -
\??\c:\hthtbh.exec:\hthtbh.exe65⤵
- Executes dropped EXE
PID:4568 -
\??\c:\frxllfr.exec:\frxllfr.exe66⤵
- Executes dropped EXE
PID:1656 -
\??\c:\djvpp.exec:\djvpp.exe67⤵PID:3324
-
\??\c:\btbthn.exec:\btbthn.exe68⤵PID:1604
-
\??\c:\dpdvp.exec:\dpdvp.exe69⤵PID:4308
-
\??\c:\668624.exec:\668624.exe70⤵PID:1864
-
\??\c:\vdpjp.exec:\vdpjp.exe71⤵PID:2916
-
\??\c:\ffxrfxr.exec:\ffxrfxr.exe72⤵PID:2600
-
\??\c:\jjppp.exec:\jjppp.exe73⤵PID:3540
-
\??\c:\w22200.exec:\w22200.exe74⤵PID:4040
-
\??\c:\xxffrrr.exec:\xxffrrr.exe75⤵PID:4004
-
\??\c:\tnhnhn.exec:\tnhnhn.exe76⤵PID:3368
-
\??\c:\844204.exec:\844204.exe77⤵PID:4804
-
\??\c:\jdpjd.exec:\jdpjd.exe78⤵PID:4520
-
\??\c:\44422.exec:\44422.exe79⤵PID:2256
-
\??\c:\084800.exec:\084800.exe80⤵PID:1560
-
\??\c:\84040.exec:\84040.exe81⤵PID:3604
-
\??\c:\6422660.exec:\6422660.exe82⤵PID:2828
-
\??\c:\082422.exec:\082422.exe83⤵PID:2824
-
\??\c:\i006882.exec:\i006882.exe84⤵PID:3528
-
\??\c:\lffxlfx.exec:\lffxlfx.exe85⤵PID:3872
-
\??\c:\dpddj.exec:\dpddj.exe86⤵PID:4012
-
\??\c:\666282.exec:\666282.exe87⤵PID:8
-
\??\c:\9pjvj.exec:\9pjvj.exe88⤵PID:1652
-
\??\c:\q88866.exec:\q88866.exe89⤵PID:1180
-
\??\c:\bbnnnn.exec:\bbnnnn.exe90⤵PID:4344
-
\??\c:\u004822.exec:\u004822.exe91⤵PID:5048
-
\??\c:\vvvjd.exec:\vvvjd.exe92⤵PID:2664
-
\??\c:\7rllffr.exec:\7rllffr.exe93⤵PID:3880
-
\??\c:\g2264.exec:\g2264.exe94⤵PID:464
-
\??\c:\rfrfrrf.exec:\rfrfrrf.exe95⤵PID:2136
-
\??\c:\06604.exec:\06604.exe96⤵PID:4320
-
\??\c:\vdjdd.exec:\vdjdd.exe97⤵PID:1740
-
\??\c:\a8824.exec:\a8824.exe98⤵PID:4152
-
\??\c:\nntttb.exec:\nntttb.exe99⤵PID:5036
-
\??\c:\jvvvp.exec:\jvvvp.exe100⤵PID:3288
-
\??\c:\dpjdv.exec:\dpjdv.exe101⤵PID:1540
-
\??\c:\0826482.exec:\0826482.exe102⤵PID:3640
-
\??\c:\4800828.exec:\4800828.exe103⤵PID:4652
-
\??\c:\rlxllfl.exec:\rlxllfl.exe104⤵PID:5044
-
\??\c:\htnhhh.exec:\htnhhh.exe105⤵PID:2400
-
\??\c:\0622228.exec:\0622228.exe106⤵PID:2272
-
\??\c:\nnbbbh.exec:\nnbbbh.exe107⤵PID:2972
-
\??\c:\66264.exec:\66264.exe108⤵PID:3124
-
\??\c:\440088.exec:\440088.exe109⤵PID:3416
-
\??\c:\jvddj.exec:\jvddj.exe110⤵PID:936
-
\??\c:\2826664.exec:\2826664.exe111⤵PID:1860
-
\??\c:\626666.exec:\626666.exe112⤵
- System Location Discovery: System Language Discovery
PID:4216 -
\??\c:\48886.exec:\48886.exe113⤵PID:1076
-
\??\c:\824404.exec:\824404.exe114⤵PID:2584
-
\??\c:\2604440.exec:\2604440.exe115⤵PID:1616
-
\??\c:\0426226.exec:\0426226.exe116⤵PID:208
-
\??\c:\284040.exec:\284040.exe117⤵PID:3988
-
\??\c:\7tbbtt.exec:\7tbbtt.exe118⤵PID:4616
-
\??\c:\i606446.exec:\i606446.exe119⤵PID:720
-
\??\c:\jpddd.exec:\jpddd.exe120⤵PID:2016
-
\??\c:\jdjjj.exec:\jdjjj.exe121⤵PID:4360
-
\??\c:\4426028.exec:\4426028.exe122⤵PID:3120