Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 00:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cc35d69c6dbfb0fb0a7967e31c0a5f4f9dee3329039012b8b6271bdb416feddcN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
cc35d69c6dbfb0fb0a7967e31c0a5f4f9dee3329039012b8b6271bdb416feddcN.exe
-
Size
454KB
-
MD5
b0e5c87b20d70086fea853c98b9e9790
-
SHA1
18184d94a3f353918a8a7860fa2725dcda561624
-
SHA256
cc35d69c6dbfb0fb0a7967e31c0a5f4f9dee3329039012b8b6271bdb416feddc
-
SHA512
63e743f1d6b03d9851f6662078cfb269b02fd3124eb389e55e4c5cfd313c7ae16afce9d4d50dbc294debd52ac43212454509f741584fb9d1aa1e4e0f1abc6ec5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2428-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2348-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4644-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-871-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-959-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1740-1482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4960 jpdvv.exe 1112 0404848.exe 2908 4282026.exe 2444 hbhbbt.exe 4032 w46488.exe 3616 402260.exe 3644 600444.exe 664 040482.exe 3856 rxfxrrl.exe 1524 080826.exe 4680 rfxxlfl.exe 3656 8404448.exe 4732 4224440.exe 2372 c460640.exe 3180 466604.exe 5080 264200.exe 2952 jvdvv.exe 3664 xxlffff.exe 4580 2006248.exe 4516 26042.exe 5056 lflffxf.exe 2720 42266.exe 2812 bthbbt.exe 3232 ppjvv.exe 1356 0826082.exe 1048 8242086.exe 5112 7ppdd.exe 2676 dvjdd.exe 4780 lxrfrll.exe 4860 jjjvj.exe 3924 pjpjj.exe 60 3nnhnn.exe 1572 8060088.exe 388 20426.exe 3168 7pvjv.exe 1388 xfrlfxl.exe 5076 i482048.exe 5048 m2204.exe 3684 g6086.exe 644 406482.exe 4300 hnnhbb.exe 5100 84604.exe 1808 hnnbnb.exe 3060 xlfrxrf.exe 3988 082004.exe 1164 428608.exe 2856 0404428.exe 2168 3hhbtt.exe 2668 848608.exe 1948 3llxllx.exe 4072 lrfxrlf.exe 5116 208660.exe 2348 c280486.exe 2476 82428.exe 708 thbnbn.exe 2428 w02082.exe 2596 4400220.exe 2132 nnnnhb.exe 1740 2848288.exe 3440 rrfffxr.exe 4032 lrxrrll.exe 1336 jppvj.exe 3652 c066004.exe 2948 882006.exe -
resource yara_rule behavioral2/memory/2428-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-248-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2348-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-327-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3052-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-707-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 888220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
420448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 408262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8282042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 848608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8808264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbhb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2428 wrote to memory of 4960 2428 cc35d69c6dbfb0fb0a7967e31c0a5f4f9dee3329039012b8b6271bdb416feddcN.exe 83 PID 2428 wrote to memory of 4960 2428 cc35d69c6dbfb0fb0a7967e31c0a5f4f9dee3329039012b8b6271bdb416feddcN.exe 83 PID 2428 wrote to memory of 4960 2428 cc35d69c6dbfb0fb0a7967e31c0a5f4f9dee3329039012b8b6271bdb416feddcN.exe 83 PID 4960 wrote to memory of 1112 4960 jpdvv.exe 84 PID 4960 wrote to memory of 1112 4960 jpdvv.exe 84 PID 4960 wrote to memory of 1112 4960 jpdvv.exe 84 PID 1112 wrote to memory of 2908 1112 0404848.exe 85 PID 1112 wrote to memory of 2908 1112 0404848.exe 85 PID 1112 wrote to memory of 2908 1112 0404848.exe 85 PID 2908 wrote to memory of 2444 2908 4282026.exe 86 PID 2908 wrote to memory of 2444 2908 4282026.exe 86 PID 2908 wrote to memory of 2444 2908 4282026.exe 86 PID 2444 wrote to memory of 4032 2444 hbhbbt.exe 87 PID 2444 wrote to memory of 4032 2444 hbhbbt.exe 87 PID 2444 wrote to memory of 4032 2444 hbhbbt.exe 87 PID 4032 wrote to memory of 3616 4032 w46488.exe 88 PID 4032 wrote to memory of 3616 4032 w46488.exe 88 PID 4032 wrote to memory of 3616 4032 w46488.exe 88 PID 3616 wrote to memory of 3644 3616 402260.exe 89 PID 3616 wrote to memory of 3644 3616 402260.exe 89 PID 3616 wrote to memory of 3644 3616 402260.exe 89 PID 3644 wrote to memory of 664 3644 600444.exe 90 PID 3644 wrote to memory of 664 3644 600444.exe 90 PID 3644 wrote to memory of 664 3644 600444.exe 90 PID 664 wrote to memory of 3856 664 040482.exe 91 PID 664 wrote to memory of 3856 664 040482.exe 91 PID 664 wrote to memory of 3856 664 040482.exe 91 PID 3856 wrote to memory of 1524 3856 rxfxrrl.exe 92 PID 3856 wrote to memory of 1524 3856 rxfxrrl.exe 92 PID 3856 wrote to memory of 1524 3856 rxfxrrl.exe 92 PID 1524 wrote to memory of 4680 1524 080826.exe 93 PID 1524 wrote to memory of 4680 1524 080826.exe 93 PID 1524 wrote to memory of 4680 1524 080826.exe 93 PID 4680 wrote to memory of 3656 4680 rfxxlfl.exe 94 PID 4680 wrote to 
memory of 3656 4680 rfxxlfl.exe 94 PID 4680 wrote to memory of 3656 4680 rfxxlfl.exe 94 PID 3656 wrote to memory of 4732 3656 8404448.exe 95 PID 3656 wrote to memory of 4732 3656 8404448.exe 95 PID 3656 wrote to memory of 4732 3656 8404448.exe 95 PID 4732 wrote to memory of 2372 4732 4224440.exe 96 PID 4732 wrote to memory of 2372 4732 4224440.exe 96 PID 4732 wrote to memory of 2372 4732 4224440.exe 96 PID 2372 wrote to memory of 3180 2372 c460640.exe 97 PID 2372 wrote to memory of 3180 2372 c460640.exe 97 PID 2372 wrote to memory of 3180 2372 c460640.exe 97 PID 3180 wrote to memory of 5080 3180 466604.exe 98 PID 3180 wrote to memory of 5080 3180 466604.exe 98 PID 3180 wrote to memory of 5080 3180 466604.exe 98 PID 5080 wrote to memory of 2952 5080 264200.exe 99 PID 5080 wrote to memory of 2952 5080 264200.exe 99 PID 5080 wrote to memory of 2952 5080 264200.exe 99 PID 2952 wrote to memory of 3664 2952 jvdvv.exe 100 PID 2952 wrote to memory of 3664 2952 jvdvv.exe 100 PID 2952 wrote to memory of 3664 2952 jvdvv.exe 100 PID 3664 wrote to memory of 4580 3664 xxlffff.exe 101 PID 3664 wrote to memory of 4580 3664 xxlffff.exe 101 PID 3664 wrote to memory of 4580 3664 xxlffff.exe 101 PID 4580 wrote to memory of 4516 4580 2006248.exe 102 PID 4580 wrote to memory of 4516 4580 2006248.exe 102 PID 4580 wrote to memory of 4516 4580 2006248.exe 102 PID 4516 wrote to memory of 5056 4516 26042.exe 103 PID 4516 wrote to memory of 5056 4516 26042.exe 103 PID 4516 wrote to memory of 5056 4516 26042.exe 103 PID 5056 wrote to memory of 2720 5056 lflffxf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc35d69c6dbfb0fb0a7967e31c0a5f4f9dee3329039012b8b6271bdb416feddcN.exe"C:\Users\Admin\AppData\Local\Temp\cc35d69c6dbfb0fb0a7967e31c0a5f4f9dee3329039012b8b6271bdb416feddcN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\jpdvv.exec:\jpdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\0404848.exec:\0404848.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\4282026.exec:\4282026.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\hbhbbt.exec:\hbhbbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\w46488.exec:\w46488.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\402260.exec:\402260.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\600444.exec:\600444.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\040482.exec:\040482.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\080826.exec:\080826.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\rfxxlfl.exec:\rfxxlfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\8404448.exec:\8404448.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\4224440.exec:\4224440.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\c460640.exec:\c460640.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\466604.exec:\466604.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\264200.exec:\264200.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\jvdvv.exec:\jvdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\xxlffff.exec:\xxlffff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\2006248.exec:\2006248.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\26042.exec:\26042.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\lflffxf.exec:\lflffxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\42266.exec:\42266.exe23⤵
- Executes dropped EXE
PID:2720 -
\??\c:\bthbbt.exec:\bthbbt.exe24⤵
- Executes dropped EXE
PID:2812 -
\??\c:\ppjvv.exec:\ppjvv.exe25⤵
- Executes dropped EXE
PID:3232 -
\??\c:\0826082.exec:\0826082.exe26⤵
- Executes dropped EXE
PID:1356 -
\??\c:\8242086.exec:\8242086.exe27⤵
- Executes dropped EXE
PID:1048 -
\??\c:\7ppdd.exec:\7ppdd.exe28⤵
- Executes dropped EXE
PID:5112 -
\??\c:\dvjdd.exec:\dvjdd.exe29⤵
- Executes dropped EXE
PID:2676 -
\??\c:\lxrfrll.exec:\lxrfrll.exe30⤵
- Executes dropped EXE
PID:4780 -
\??\c:\jjjvj.exec:\jjjvj.exe31⤵
- Executes dropped EXE
PID:4860 -
\??\c:\pjpjj.exec:\pjpjj.exe32⤵
- Executes dropped EXE
PID:3924 -
\??\c:\3nnhnn.exec:\3nnhnn.exe33⤵
- Executes dropped EXE
PID:60 -
\??\c:\8060088.exec:\8060088.exe34⤵
- Executes dropped EXE
PID:1572 -
\??\c:\20426.exec:\20426.exe35⤵
- Executes dropped EXE
PID:388 -
\??\c:\7pvjv.exec:\7pvjv.exe36⤵
- Executes dropped EXE
PID:3168 -
\??\c:\xfrlfxl.exec:\xfrlfxl.exe37⤵
- Executes dropped EXE
PID:1388 -
\??\c:\i482048.exec:\i482048.exe38⤵
- Executes dropped EXE
PID:5076 -
\??\c:\m2204.exec:\m2204.exe39⤵
- Executes dropped EXE
PID:5048 -
\??\c:\g6086.exec:\g6086.exe40⤵
- Executes dropped EXE
PID:3684 -
\??\c:\406482.exec:\406482.exe41⤵
- Executes dropped EXE
PID:644 -
\??\c:\hnnhbb.exec:\hnnhbb.exe42⤵
- Executes dropped EXE
PID:4300 -
\??\c:\84604.exec:\84604.exe43⤵
- Executes dropped EXE
PID:5100 -
\??\c:\hnnbnb.exec:\hnnbnb.exe44⤵
- Executes dropped EXE
PID:1808 -
\??\c:\xlfrxrf.exec:\xlfrxrf.exe45⤵
- Executes dropped EXE
PID:3060 -
\??\c:\082004.exec:\082004.exe46⤵
- Executes dropped EXE
PID:3988 -
\??\c:\428608.exec:\428608.exe47⤵
- Executes dropped EXE
PID:1164 -
\??\c:\0404428.exec:\0404428.exe48⤵
- Executes dropped EXE
PID:2856 -
\??\c:\3hhbtt.exec:\3hhbtt.exe49⤵
- Executes dropped EXE
PID:2168 -
\??\c:\848608.exec:\848608.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2668 -
\??\c:\3llxllx.exec:\3llxllx.exe51⤵
- Executes dropped EXE
PID:1948 -
\??\c:\lrfxrlf.exec:\lrfxrlf.exe52⤵
- Executes dropped EXE
PID:4072 -
\??\c:\208660.exec:\208660.exe53⤵
- Executes dropped EXE
PID:5116 -
\??\c:\c280486.exec:\c280486.exe54⤵
- Executes dropped EXE
PID:2348 -
\??\c:\82428.exec:\82428.exe55⤵
- Executes dropped EXE
PID:2476 -
\??\c:\thbnbn.exec:\thbnbn.exe56⤵
- Executes dropped EXE
PID:708 -
\??\c:\w02082.exec:\w02082.exe57⤵
- Executes dropped EXE
PID:2428 -
\??\c:\4400220.exec:\4400220.exe58⤵
- Executes dropped EXE
PID:2596 -
\??\c:\nnnnhb.exec:\nnnnhb.exe59⤵
- Executes dropped EXE
PID:2132 -
\??\c:\2848288.exec:\2848288.exe60⤵
- Executes dropped EXE
PID:1740 -
\??\c:\rrfffxr.exec:\rrfffxr.exe61⤵
- Executes dropped EXE
PID:3440 -
\??\c:\lrxrrll.exec:\lrxrrll.exe62⤵
- Executes dropped EXE
PID:4032 -
\??\c:\jppvj.exec:\jppvj.exe63⤵
- Executes dropped EXE
PID:1336 -
\??\c:\c066004.exec:\c066004.exe64⤵
- Executes dropped EXE
PID:3652 -
\??\c:\882006.exec:\882006.exe65⤵
- Executes dropped EXE
PID:2948 -
\??\c:\bttnnn.exec:\bttnnn.exe66⤵PID:1196
-
\??\c:\8062666.exec:\8062666.exe67⤵PID:4900
-
\??\c:\vddjj.exec:\vddjj.exe68⤵PID:4644
-
\??\c:\hbhhbb.exec:\hbhhbb.exe69⤵PID:1936
-
\??\c:\6044848.exec:\6044848.exe70⤵PID:4680
-
\??\c:\bhbnhh.exec:\bhbnhh.exe71⤵PID:5060
-
\??\c:\206044.exec:\206044.exe72⤵PID:1784
-
\??\c:\60200.exec:\60200.exe73⤵PID:3900
-
\??\c:\hbhbnh.exec:\hbhbnh.exe74⤵PID:2460
-
\??\c:\tnnhbb.exec:\tnnhbb.exe75⤵PID:3052
-
\??\c:\66264.exec:\66264.exe76⤵PID:4544
-
\??\c:\26608.exec:\26608.exe77⤵PID:3864
-
\??\c:\2280000.exec:\2280000.exe78⤵PID:404
-
\??\c:\5xlffff.exec:\5xlffff.exe79⤵PID:2952
-
\??\c:\04266.exec:\04266.exe80⤵PID:1992
-
\??\c:\084866.exec:\084866.exe81⤵PID:2536
-
\??\c:\m0222.exec:\m0222.exe82⤵PID:5040
-
\??\c:\btnhhb.exec:\btnhhb.exe83⤵PID:4516
-
\??\c:\48826.exec:\48826.exe84⤵PID:348
-
\??\c:\flxxrrl.exec:\flxxrrl.exe85⤵PID:1560
-
\??\c:\22484.exec:\22484.exe86⤵PID:2316
-
\??\c:\46866.exec:\46866.exe87⤵PID:440
-
\??\c:\lxrrllf.exec:\lxrrllf.exe88⤵PID:412
-
\??\c:\flxxrrl.exec:\flxxrrl.exe89⤵PID:780
-
\??\c:\fllrllf.exec:\fllrllf.exe90⤵PID:1924
-
\??\c:\6482260.exec:\6482260.exe91⤵PID:3552
-
\??\c:\ffxrrxf.exec:\ffxrrxf.exe92⤵PID:3692
-
\??\c:\tbhhhn.exec:\tbhhhn.exe93⤵PID:648
-
\??\c:\jvjpd.exec:\jvjpd.exe94⤵PID:4932
-
\??\c:\jvdvv.exec:\jvdvv.exe95⤵PID:388
-
\??\c:\jdpjd.exec:\jdpjd.exe96⤵PID:1972
-
\??\c:\60604.exec:\60604.exe97⤵PID:3480
-
\??\c:\828866.exec:\828866.exe98⤵PID:4896
-
\??\c:\880826.exec:\880826.exe99⤵PID:1464
-
\??\c:\rrrfrrl.exec:\rrrfrrl.exe100⤵PID:4456
-
\??\c:\442488.exec:\442488.exe101⤵PID:1528
-
\??\c:\rfffxxr.exec:\rfffxxr.exe102⤵PID:1140
-
\??\c:\646660.exec:\646660.exe103⤵PID:4452
-
\??\c:\2844826.exec:\2844826.exe104⤵PID:552
-
\??\c:\6026606.exec:\6026606.exe105⤵PID:4128
-
\??\c:\nthbtt.exec:\nthbtt.exe106⤵PID:3980
-
\??\c:\btbttt.exec:\btbttt.exe107⤵PID:3660
-
\??\c:\808260.exec:\808260.exe108⤵PID:3036
-
\??\c:\5llxrrl.exec:\5llxrrl.exe109⤵PID:4904
-
\??\c:\62822.exec:\62822.exe110⤵PID:1948
-
\??\c:\4404822.exec:\4404822.exe111⤵PID:3612
-
\??\c:\84626.exec:\84626.exe112⤵PID:244
-
\??\c:\dpvpj.exec:\dpvpj.exe113⤵PID:2308
-
\??\c:\hbbthh.exec:\hbbthh.exe114⤵PID:2348
-
\??\c:\4842804.exec:\4842804.exe115⤵PID:2476
-
\??\c:\nhhbtt.exec:\nhhbtt.exe116⤵PID:2624
-
\??\c:\884482.exec:\884482.exe117⤵PID:1968
-
\??\c:\48266.exec:\48266.exe118⤵PID:1564
-
\??\c:\bthbhh.exec:\bthbhh.exe119⤵PID:460
-
\??\c:\u060486.exec:\u060486.exe120⤵PID:1516
-
\??\c:\tbtnbb.exec:\tbtnbb.exe121⤵PID:2596
-
\??\c:\5dvpp.exec:\5dvpp.exe122⤵PID:4284