Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe
-
Size
454KB
-
MD5
e1473e5734be6a27bf7f719d14252403
-
SHA1
62da54c9ae9f7e2ff0073fbb5088f63fc1de5cd8
-
SHA256
7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98
-
SHA512
602791707ff71ea3a2463aae4f6fe030ecb0cdfdf0ea155506e0a92388b18a83fda4abae5f0c31f90ea83c3d77a293a7ae39ba4f9eb3d4cbac1e9f19f6dc170d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4068-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3624-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3660-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-957-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1808 662648.exe 4656 flrrxlr.exe 2044 00622.exe 3344 42088.exe 2716 a8848.exe 5008 jpvpd.exe 4744 022488.exe 3192 2628884.exe 1716 ppppp.exe 5012 bntnnn.exe 3376 q02006.exe 1424 jpvjd.exe 1096 ddpjd.exe 2440 7nnbtn.exe 4640 nhbnbt.exe 3648 btbnhb.exe 3408 284248.exe 2316 6262608.exe 1028 0664820.exe 3356 pjddp.exe 1852 4686802.exe 4008 c826608.exe 1820 hnnhhh.exe 2248 nhhtnh.exe 680 u060804.exe 1136 822622.exe 4360 282608.exe 3624 8808606.exe 4700 frffrxl.exe 3572 1nbthh.exe 4712 20486.exe 4924 0800480.exe 4572 i620426.exe 2972 bnnnhb.exe 3896 djpdd.exe 4132 40482.exe 4544 ppvjv.exe 4180 3llfrlf.exe 1564 c204826.exe 5064 nnnbnh.exe 3468 s8860.exe 4560 4004822.exe 3908 4408664.exe 8 lllfrrf.exe 1496 400422.exe 4816 ddppp.exe 3840 1vpdd.exe 3000 406082.exe 3344 bhbnhb.exe 4012 2822000.exe 1184 xllfxlx.exe 3612 7ntbtn.exe 5112 jddpd.exe 2708 448828.exe 3100 flrfxrl.exe 964 828244.exe 5056 02206.exe 2092 3vvjd.exe 5012 242000.exe 4764 662200.exe 976 rfffxrl.exe 1388 9rxxlrl.exe 2304 xllfrfx.exe 948 llrlfxr.exe -
resource yara_rule behavioral2/memory/4068-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4700-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4804-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-743-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4404282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6820808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8844826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q82648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxlfx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2826000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4026820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0802626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64040.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4068 wrote to memory of 1808 4068 7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe 83 PID 4068 wrote to memory of 1808 4068 7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe 83 PID 4068 wrote to memory of 1808 4068 7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe 83 PID 1808 wrote to memory of 4656 1808 662648.exe 84 PID 1808 wrote to memory of 4656 1808 662648.exe 84 PID 1808 wrote to memory of 4656 1808 662648.exe 84 PID 4656 wrote to memory of 2044 4656 flrrxlr.exe 85 PID 4656 wrote to memory of 2044 4656 flrrxlr.exe 85 PID 4656 wrote to memory of 2044 4656 flrrxlr.exe 85 PID 2044 wrote to memory of 3344 2044 00622.exe 86 PID 2044 wrote to memory of 3344 2044 00622.exe 86 PID 2044 wrote to memory of 3344 2044 00622.exe 86 PID 3344 wrote to memory of 2716 3344 42088.exe 87 PID 3344 wrote to memory of 2716 3344 42088.exe 87 PID 3344 wrote to memory of 2716 3344 42088.exe 87 PID 2716 wrote to memory of 5008 2716 a8848.exe 88 PID 2716 wrote to memory of 5008 2716 a8848.exe 88 PID 2716 wrote to memory of 5008 2716 a8848.exe 88 PID 5008 wrote to memory of 4744 5008 jpvpd.exe 89 PID 5008 wrote to memory of 4744 5008 jpvpd.exe 89 PID 5008 wrote to memory of 4744 5008 jpvpd.exe 89 PID 4744 wrote to memory of 3192 4744 022488.exe 90 PID 4744 wrote to memory of 3192 4744 022488.exe 90 PID 4744 wrote to memory of 3192 4744 022488.exe 90 PID 3192 wrote to memory of 1716 3192 2628884.exe 91 PID 3192 wrote to memory of 1716 3192 2628884.exe 91 PID 3192 wrote to memory of 1716 3192 2628884.exe 91 PID 1716 wrote to memory of 5012 1716 ppppp.exe 92 PID 1716 wrote to memory of 5012 1716 ppppp.exe 92 PID 1716 wrote to memory of 5012 1716 ppppp.exe 92 PID 5012 wrote to memory of 3376 5012 bntnnn.exe 93 PID 5012 wrote to memory of 3376 5012 bntnnn.exe 93 PID 5012 wrote to memory of 3376 5012 bntnnn.exe 93 PID 3376 wrote to memory of 1424 3376 q02006.exe 94 PID 3376 wrote to memory of 
1424 3376 q02006.exe 94 PID 3376 wrote to memory of 1424 3376 q02006.exe 94 PID 1424 wrote to memory of 1096 1424 jpvjd.exe 95 PID 1424 wrote to memory of 1096 1424 jpvjd.exe 95 PID 1424 wrote to memory of 1096 1424 jpvjd.exe 95 PID 1096 wrote to memory of 2440 1096 ddpjd.exe 96 PID 1096 wrote to memory of 2440 1096 ddpjd.exe 96 PID 1096 wrote to memory of 2440 1096 ddpjd.exe 96 PID 2440 wrote to memory of 4640 2440 7nnbtn.exe 97 PID 2440 wrote to memory of 4640 2440 7nnbtn.exe 97 PID 2440 wrote to memory of 4640 2440 7nnbtn.exe 97 PID 4640 wrote to memory of 3648 4640 nhbnbt.exe 98 PID 4640 wrote to memory of 3648 4640 nhbnbt.exe 98 PID 4640 wrote to memory of 3648 4640 nhbnbt.exe 98 PID 3648 wrote to memory of 3408 3648 btbnhb.exe 99 PID 3648 wrote to memory of 3408 3648 btbnhb.exe 99 PID 3648 wrote to memory of 3408 3648 btbnhb.exe 99 PID 3408 wrote to memory of 2316 3408 284248.exe 100 PID 3408 wrote to memory of 2316 3408 284248.exe 100 PID 3408 wrote to memory of 2316 3408 284248.exe 100 PID 2316 wrote to memory of 1028 2316 6262608.exe 101 PID 2316 wrote to memory of 1028 2316 6262608.exe 101 PID 2316 wrote to memory of 1028 2316 6262608.exe 101 PID 1028 wrote to memory of 3356 1028 0664820.exe 102 PID 1028 wrote to memory of 3356 1028 0664820.exe 102 PID 1028 wrote to memory of 3356 1028 0664820.exe 102 PID 3356 wrote to memory of 1852 3356 pjddp.exe 103 PID 3356 wrote to memory of 1852 3356 pjddp.exe 103 PID 3356 wrote to memory of 1852 3356 pjddp.exe 103 PID 1852 wrote to memory of 4008 1852 4686802.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe"C:\Users\Admin\AppData\Local\Temp\7c0dbb445b38c199f4e0b4c1afd77813f2b203c2b1b4db837b1f6d07f01e0a98.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\662648.exec:\662648.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\flrrxlr.exec:\flrrxlr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\00622.exec:\00622.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\42088.exec:\42088.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\a8848.exec:\a8848.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\jpvpd.exec:\jpvpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\022488.exec:\022488.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\2628884.exec:\2628884.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\ppppp.exec:\ppppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\bntnnn.exec:\bntnnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\q02006.exec:\q02006.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\jpvjd.exec:\jpvjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\ddpjd.exec:\ddpjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\7nnbtn.exec:\7nnbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\nhbnbt.exec:\nhbnbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\btbnhb.exec:\btbnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\284248.exec:\284248.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\6262608.exec:\6262608.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\0664820.exec:\0664820.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\pjddp.exec:\pjddp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\4686802.exec:\4686802.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\c826608.exec:\c826608.exe23⤵
- Executes dropped EXE
PID:4008 -
\??\c:\hnnhhh.exec:\hnnhhh.exe24⤵
- Executes dropped EXE
PID:1820 -
\??\c:\nhhtnh.exec:\nhhtnh.exe25⤵
- Executes dropped EXE
PID:2248 -
\??\c:\u060804.exec:\u060804.exe26⤵
- Executes dropped EXE
PID:680 -
\??\c:\822622.exec:\822622.exe27⤵
- Executes dropped EXE
PID:1136 -
\??\c:\282608.exec:\282608.exe28⤵
- Executes dropped EXE
PID:4360 -
\??\c:\8808606.exec:\8808606.exe29⤵
- Executes dropped EXE
PID:3624 -
\??\c:\frffrxl.exec:\frffrxl.exe30⤵
- Executes dropped EXE
PID:4700 -
\??\c:\1nbthh.exec:\1nbthh.exe31⤵
- Executes dropped EXE
PID:3572 -
\??\c:\20486.exec:\20486.exe32⤵
- Executes dropped EXE
PID:4712 -
\??\c:\0800480.exec:\0800480.exe33⤵
- Executes dropped EXE
PID:4924 -
\??\c:\i620426.exec:\i620426.exe34⤵
- Executes dropped EXE
PID:4572 -
\??\c:\bnnnhb.exec:\bnnnhb.exe35⤵
- Executes dropped EXE
PID:2972 -
\??\c:\djpdd.exec:\djpdd.exe36⤵
- Executes dropped EXE
PID:3896 -
\??\c:\40482.exec:\40482.exe37⤵
- Executes dropped EXE
PID:4132 -
\??\c:\ppvjv.exec:\ppvjv.exe38⤵
- Executes dropped EXE
PID:4544 -
\??\c:\3llfrlf.exec:\3llfrlf.exe39⤵
- Executes dropped EXE
PID:4180 -
\??\c:\c204826.exec:\c204826.exe40⤵
- Executes dropped EXE
PID:1564 -
\??\c:\nnnbnh.exec:\nnnbnh.exe41⤵
- Executes dropped EXE
PID:5064 -
\??\c:\s8860.exec:\s8860.exe42⤵
- Executes dropped EXE
PID:3468 -
\??\c:\4004822.exec:\4004822.exe43⤵
- Executes dropped EXE
PID:4560 -
\??\c:\4408664.exec:\4408664.exe44⤵
- Executes dropped EXE
PID:3908 -
\??\c:\lllfrrf.exec:\lllfrrf.exe45⤵
- Executes dropped EXE
PID:8 -
\??\c:\400422.exec:\400422.exe46⤵
- Executes dropped EXE
PID:1496 -
\??\c:\ddppp.exec:\ddppp.exe47⤵
- Executes dropped EXE
PID:4816 -
\??\c:\1vpdd.exec:\1vpdd.exe48⤵
- Executes dropped EXE
PID:3840 -
\??\c:\406082.exec:\406082.exe49⤵
- Executes dropped EXE
PID:3000 -
\??\c:\bhbnhb.exec:\bhbnhb.exe50⤵
- Executes dropped EXE
PID:3344 -
\??\c:\2822000.exec:\2822000.exe51⤵
- Executes dropped EXE
PID:4012 -
\??\c:\xllfxlx.exec:\xllfxlx.exe52⤵
- Executes dropped EXE
PID:1184 -
\??\c:\7ntbtn.exec:\7ntbtn.exe53⤵
- Executes dropped EXE
PID:3612 -
\??\c:\jddpd.exec:\jddpd.exe54⤵
- Executes dropped EXE
PID:5112 -
\??\c:\448828.exec:\448828.exe55⤵
- Executes dropped EXE
PID:2708 -
\??\c:\flrfxrl.exec:\flrfxrl.exe56⤵
- Executes dropped EXE
PID:3100 -
\??\c:\828244.exec:\828244.exe57⤵
- Executes dropped EXE
PID:964 -
\??\c:\02206.exec:\02206.exe58⤵
- Executes dropped EXE
PID:5056 -
\??\c:\3vvjd.exec:\3vvjd.exe59⤵
- Executes dropped EXE
PID:2092 -
\??\c:\242000.exec:\242000.exe60⤵
- Executes dropped EXE
PID:5012 -
\??\c:\662200.exec:\662200.exe61⤵
- Executes dropped EXE
PID:4764 -
\??\c:\rfffxrl.exec:\rfffxrl.exe62⤵
- Executes dropped EXE
PID:976 -
\??\c:\9rxxlrl.exec:\9rxxlrl.exe63⤵
- Executes dropped EXE
PID:1388 -
\??\c:\xllfrfx.exec:\xllfrfx.exe64⤵
- Executes dropped EXE
PID:2304 -
\??\c:\llrlfxr.exec:\llrlfxr.exe65⤵
- Executes dropped EXE
PID:948 -
\??\c:\644826.exec:\644826.exe66⤵PID:880
-
\??\c:\862228.exec:\862228.exe67⤵PID:1940
-
\??\c:\2048604.exec:\2048604.exe68⤵PID:2220
-
\??\c:\4404282.exec:\4404282.exe69⤵
- System Location Discovery: System Language Discovery
PID:3652 -
\??\c:\3hnhtt.exec:\3hnhtt.exe70⤵
- System Location Discovery: System Language Discovery
PID:4220 -
\??\c:\dpdpd.exec:\dpdpd.exe71⤵PID:1996
-
\??\c:\frrflfx.exec:\frrflfx.exe72⤵PID:2684
-
\??\c:\84260.exec:\84260.exe73⤵PID:2084
-
\??\c:\vjjdd.exec:\vjjdd.exe74⤵PID:400
-
\??\c:\3vdpj.exec:\3vdpj.exe75⤵PID:684
-
\??\c:\nttbbt.exec:\nttbbt.exe76⤵PID:4008
-
\??\c:\i000044.exec:\i000044.exe77⤵PID:2760
-
\??\c:\o244484.exec:\o244484.exe78⤵PID:5116
-
\??\c:\5ntnhh.exec:\5ntnhh.exe79⤵PID:2948
-
\??\c:\jdpdj.exec:\jdpdj.exe80⤵PID:2056
-
\??\c:\2660820.exec:\2660820.exe81⤵PID:4512
-
\??\c:\btnbtt.exec:\btnbtt.exe82⤵PID:3660
-
\??\c:\vpjvj.exec:\vpjvj.exe83⤵PID:1528
-
\??\c:\lxlxlxx.exec:\lxlxlxx.exe84⤵PID:4360
-
\??\c:\3hbthh.exec:\3hbthh.exe85⤵PID:4232
-
\??\c:\68882.exec:\68882.exe86⤵PID:540
-
\??\c:\602204.exec:\602204.exe87⤵PID:4508
-
\??\c:\62460.exec:\62460.exe88⤵PID:1632
-
\??\c:\628262.exec:\628262.exe89⤵PID:3572
-
\??\c:\jppjd.exec:\jppjd.exe90⤵PID:5020
-
\??\c:\406600.exec:\406600.exe91⤵PID:4268
-
\??\c:\840644.exec:\840644.exe92⤵PID:4804
-
\??\c:\pvdvp.exec:\pvdvp.exe93⤵PID:1400
-
\??\c:\9vjpv.exec:\9vjpv.exe94⤵PID:2820
-
\??\c:\s0682.exec:\s0682.exe95⤵PID:2836
-
\??\c:\i000826.exec:\i000826.exe96⤵PID:4628
-
\??\c:\24048.exec:\24048.exe97⤵PID:4280
-
\??\c:\422604.exec:\422604.exe98⤵PID:3852
-
\??\c:\02888.exec:\02888.exe99⤵PID:2208
-
\??\c:\5rxrlll.exec:\5rxrlll.exe100⤵PID:4544
-
\??\c:\66600.exec:\66600.exe101⤵PID:4180
-
\??\c:\26660.exec:\26660.exe102⤵PID:1624
-
\??\c:\9dddv.exec:\9dddv.exe103⤵PID:1860
-
\??\c:\44448.exec:\44448.exe104⤵PID:2252
-
\??\c:\88626.exec:\88626.exe105⤵PID:1212
-
\??\c:\1ttnnn.exec:\1ttnnn.exe106⤵PID:4320
-
\??\c:\7tbbhn.exec:\7tbbhn.exe107⤵PID:1128
-
\??\c:\hnbttt.exec:\hnbttt.exe108⤵PID:4672
-
\??\c:\8648888.exec:\8648888.exe109⤵PID:5096
-
\??\c:\jjjdv.exec:\jjjdv.exe110⤵PID:4800
-
\??\c:\tthbnn.exec:\tthbnn.exe111⤵PID:1640
-
\??\c:\62226.exec:\62226.exe112⤵PID:2136
-
\??\c:\6022484.exec:\6022484.exe113⤵PID:3608
-
\??\c:\8060040.exec:\8060040.exe114⤵PID:3592
-
\??\c:\xrrlflf.exec:\xrrlflf.exe115⤵PID:2816
-
\??\c:\xrfxrrr.exec:\xrfxrrr.exe116⤵PID:3156
-
\??\c:\ppppv.exec:\ppppv.exe117⤵PID:4356
-
\??\c:\02222.exec:\02222.exe118⤵PID:2964
-
\??\c:\rllrfff.exec:\rllrfff.exe119⤵PID:2592
-
\??\c:\600480.exec:\600480.exe120⤵PID:4344
-
\??\c:\m8480.exec:\m8480.exe121⤵PID:5040
-
\??\c:\4248884.exec:\4248884.exe122⤵PID:1856