Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe
-
Size
456KB
-
MD5
0b9d47010907aa23bb213bf9aaf30f76
-
SHA1
dcf41e7fbfdd76ccb95e3085359639c39cf32880
-
SHA256
07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a
-
SHA512
2571deece4daef21daab81d472009c7dfc1b1ce97ffc876c379eac5512936c6a1b51c6d522a538323965e00bd94ccc25a871600f8a9bafc6ff67172a2dc27698
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRS:q7Tc2NYHUrAwfMp3CDRS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/740-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4960-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1464-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-982-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/8-1118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2148 0008604.exe 3860 460444.exe 3052 660246.exe 4232 60222.exe 3500 82224.exe 3340 806426.exe 2448 6440088.exe 3988 200822.exe 5084 648648.exe 2428 hhhnbt.exe 4488 0068004.exe 2276 rrfxffr.exe 5028 68664.exe 4248 884204.exe 4456 20060.exe 4908 86020.exe 2012 1ppdp.exe 100 9rlxlfr.exe 1380 s4204.exe 1120 888204.exe 4808 a4482.exe 1876 5djdp.exe 2864 i260820.exe 3124 xlffrlf.exe 1744 hnhhhn.exe 4020 lxxxlff.exe 4772 dddpj.exe 4012 u664204.exe 4712 0820820.exe 4744 thnbbt.exe 1504 28820.exe 4244 1tbhtb.exe 1460 bbhttn.exe 3548 86826.exe 3316 82208.exe 1672 rrfrlfx.exe 2640 nhhbnh.exe 4216 o280820.exe 1480 288208.exe 2180 8604264.exe 3584 3fxlxrf.exe 4940 g8264.exe 1656 c042086.exe 3408 xrrfrfr.exe 4960 o820486.exe 4388 2088664.exe 4972 1thtnh.exe 1808 9nhntn.exe 1272 lrrfrrf.exe 4380 hbtbnh.exe 4552 86826.exe 456 ddvpp.exe 3836 642048.exe 2232 jdjdp.exe 1812 lxrlxlx.exe 4516 xllxlfx.exe 4232 bhhbnh.exe 2464 c620264.exe 2432 4408604.exe 4736 448204.exe 1136 djjdp.exe 3460 2682200.exe 1636 9hnbtn.exe 4332 9tnbnb.exe -
resource yara_rule behavioral2/memory/740-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-229-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4388-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-396-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1860-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-735-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c888226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2604086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6426226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6082440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4886440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4004882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0804680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 066044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266600.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 740 wrote to memory of 2148 740 07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe 83 PID 740 wrote to memory of 2148 740 07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe 83 PID 740 wrote to memory of 2148 740 07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe 83 PID 2148 wrote to memory of 3860 2148 0008604.exe 84 PID 2148 wrote to memory of 3860 2148 0008604.exe 84 PID 2148 wrote to memory of 3860 2148 0008604.exe 84 PID 3860 wrote to memory of 3052 3860 460444.exe 85 PID 3860 wrote to memory of 3052 3860 460444.exe 85 PID 3860 wrote to memory of 3052 3860 460444.exe 85 PID 3052 wrote to memory of 4232 3052 660246.exe 86 PID 3052 wrote to memory of 4232 3052 660246.exe 86 PID 3052 wrote to memory of 4232 3052 660246.exe 86 PID 4232 wrote to memory of 3500 4232 60222.exe 87 PID 4232 wrote to memory of 3500 4232 60222.exe 87 PID 4232 wrote to memory of 3500 4232 60222.exe 87 PID 3500 wrote to memory of 3340 3500 82224.exe 88 PID 3500 wrote to memory of 3340 3500 82224.exe 88 PID 3500 wrote to memory of 3340 3500 82224.exe 88 PID 3340 wrote to memory of 2448 3340 806426.exe 89 PID 3340 wrote to memory of 2448 3340 806426.exe 89 PID 3340 wrote to memory of 2448 3340 806426.exe 89 PID 2448 wrote to memory of 3988 2448 6440088.exe 90 PID 2448 wrote to memory of 3988 2448 6440088.exe 90 PID 2448 wrote to memory of 3988 2448 6440088.exe 90 PID 3988 wrote to memory of 5084 3988 200822.exe 91 PID 3988 wrote to memory of 5084 3988 200822.exe 91 PID 3988 wrote to memory of 5084 3988 200822.exe 91 PID 5084 wrote to memory of 2428 5084 648648.exe 92 PID 5084 wrote to memory of 2428 5084 648648.exe 92 PID 5084 wrote to memory of 2428 5084 648648.exe 92 PID 2428 wrote to memory of 4488 2428 hhhnbt.exe 93 PID 2428 wrote to memory of 4488 2428 hhhnbt.exe 93 PID 2428 wrote to memory of 4488 2428 hhhnbt.exe 93 PID 4488 wrote to memory of 2276 4488 0068004.exe 94 PID 4488 wrote to memory 
of 2276 4488 0068004.exe 94 PID 4488 wrote to memory of 2276 4488 0068004.exe 94 PID 2276 wrote to memory of 5028 2276 rrfxffr.exe 95 PID 2276 wrote to memory of 5028 2276 rrfxffr.exe 95 PID 2276 wrote to memory of 5028 2276 rrfxffr.exe 95 PID 5028 wrote to memory of 4248 5028 68664.exe 96 PID 5028 wrote to memory of 4248 5028 68664.exe 96 PID 5028 wrote to memory of 4248 5028 68664.exe 96 PID 4248 wrote to memory of 4456 4248 884204.exe 97 PID 4248 wrote to memory of 4456 4248 884204.exe 97 PID 4248 wrote to memory of 4456 4248 884204.exe 97 PID 4456 wrote to memory of 4908 4456 20060.exe 98 PID 4456 wrote to memory of 4908 4456 20060.exe 98 PID 4456 wrote to memory of 4908 4456 20060.exe 98 PID 4908 wrote to memory of 2012 4908 86020.exe 99 PID 4908 wrote to memory of 2012 4908 86020.exe 99 PID 4908 wrote to memory of 2012 4908 86020.exe 99 PID 2012 wrote to memory of 100 2012 1ppdp.exe 100 PID 2012 wrote to memory of 100 2012 1ppdp.exe 100 PID 2012 wrote to memory of 100 2012 1ppdp.exe 100 PID 100 wrote to memory of 1380 100 9rlxlfr.exe 101 PID 100 wrote to memory of 1380 100 9rlxlfr.exe 101 PID 100 wrote to memory of 1380 100 9rlxlfr.exe 101 PID 1380 wrote to memory of 1120 1380 s4204.exe 102 PID 1380 wrote to memory of 1120 1380 s4204.exe 102 PID 1380 wrote to memory of 1120 1380 s4204.exe 102 PID 1120 wrote to memory of 4808 1120 888204.exe 103 PID 1120 wrote to memory of 4808 1120 888204.exe 103 PID 1120 wrote to memory of 4808 1120 888204.exe 103 PID 4808 wrote to memory of 1876 4808 a4482.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe"C:\Users\Admin\AppData\Local\Temp\07ec6869ed8b07e3a393aab9726f9978990bccc7ce88b1c1610ceccac7fda50a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\0008604.exec:\0008604.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\460444.exec:\460444.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\660246.exec:\660246.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\60222.exec:\60222.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\82224.exec:\82224.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\806426.exec:\806426.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\6440088.exec:\6440088.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\200822.exec:\200822.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\648648.exec:\648648.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\hhhnbt.exec:\hhhnbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\0068004.exec:\0068004.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\rrfxffr.exec:\rrfxffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\68664.exec:\68664.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\884204.exec:\884204.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\20060.exec:\20060.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\86020.exec:\86020.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\1ppdp.exec:\1ppdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\9rlxlfr.exec:\9rlxlfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\s4204.exec:\s4204.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\888204.exec:\888204.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\a4482.exec:\a4482.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\5djdp.exec:\5djdp.exe23⤵
- Executes dropped EXE
PID:1876 -
\??\c:\i260820.exec:\i260820.exe24⤵
- Executes dropped EXE
PID:2864 -
\??\c:\xlffrlf.exec:\xlffrlf.exe25⤵
- Executes dropped EXE
PID:3124 -
\??\c:\hnhhhn.exec:\hnhhhn.exe26⤵
- Executes dropped EXE
PID:1744 -
\??\c:\lxxxlff.exec:\lxxxlff.exe27⤵
- Executes dropped EXE
PID:4020 -
\??\c:\dddpj.exec:\dddpj.exe28⤵
- Executes dropped EXE
PID:4772 -
\??\c:\u664204.exec:\u664204.exe29⤵
- Executes dropped EXE
PID:4012 -
\??\c:\0820820.exec:\0820820.exe30⤵
- Executes dropped EXE
PID:4712 -
\??\c:\thnbbt.exec:\thnbbt.exe31⤵
- Executes dropped EXE
PID:4744 -
\??\c:\28820.exec:\28820.exe32⤵
- Executes dropped EXE
PID:1504 -
\??\c:\1tbhtb.exec:\1tbhtb.exe33⤵
- Executes dropped EXE
PID:4244 -
\??\c:\bbhttn.exec:\bbhttn.exe34⤵
- Executes dropped EXE
PID:1460 -
\??\c:\86826.exec:\86826.exe35⤵
- Executes dropped EXE
PID:3548 -
\??\c:\82208.exec:\82208.exe36⤵
- Executes dropped EXE
PID:3316 -
\??\c:\rrfrlfx.exec:\rrfrlfx.exe37⤵
- Executes dropped EXE
PID:1672 -
\??\c:\nhhbnh.exec:\nhhbnh.exe38⤵
- Executes dropped EXE
PID:2640 -
\??\c:\o280820.exec:\o280820.exe39⤵
- Executes dropped EXE
PID:4216 -
\??\c:\288208.exec:\288208.exe40⤵
- Executes dropped EXE
PID:1480 -
\??\c:\8604264.exec:\8604264.exe41⤵
- Executes dropped EXE
PID:2180 -
\??\c:\3fxlxrf.exec:\3fxlxrf.exe42⤵
- Executes dropped EXE
PID:3584 -
\??\c:\g8264.exec:\g8264.exe43⤵
- Executes dropped EXE
PID:4940 -
\??\c:\c042086.exec:\c042086.exe44⤵
- Executes dropped EXE
PID:1656 -
\??\c:\xrrfrfr.exec:\xrrfrfr.exe45⤵
- Executes dropped EXE
PID:3408 -
\??\c:\o820486.exec:\o820486.exe46⤵
- Executes dropped EXE
PID:4960 -
\??\c:\2088664.exec:\2088664.exe47⤵
- Executes dropped EXE
PID:4388 -
\??\c:\1thtnh.exec:\1thtnh.exe48⤵
- Executes dropped EXE
PID:4972 -
\??\c:\9nhntn.exec:\9nhntn.exe49⤵
- Executes dropped EXE
PID:1808 -
\??\c:\lrrfrrf.exec:\lrrfrrf.exe50⤵
- Executes dropped EXE
PID:1272 -
\??\c:\hbtbnh.exec:\hbtbnh.exe51⤵
- Executes dropped EXE
PID:4380 -
\??\c:\86826.exec:\86826.exe52⤵
- Executes dropped EXE
PID:4552 -
\??\c:\ddvpp.exec:\ddvpp.exe53⤵
- Executes dropped EXE
PID:456 -
\??\c:\642048.exec:\642048.exe54⤵
- Executes dropped EXE
PID:3836 -
\??\c:\jdjdp.exec:\jdjdp.exe55⤵
- Executes dropped EXE
PID:2232 -
\??\c:\lxrlxlx.exec:\lxrlxlx.exe56⤵
- Executes dropped EXE
PID:1812 -
\??\c:\xllxlfx.exec:\xllxlfx.exe57⤵
- Executes dropped EXE
PID:4516 -
\??\c:\bhhbnh.exec:\bhhbnh.exe58⤵
- Executes dropped EXE
PID:4232 -
\??\c:\c620264.exec:\c620264.exe59⤵
- Executes dropped EXE
PID:2464 -
\??\c:\4408604.exec:\4408604.exe60⤵
- Executes dropped EXE
PID:2432 -
\??\c:\448204.exec:\448204.exe61⤵
- Executes dropped EXE
PID:4736 -
\??\c:\djjdp.exec:\djjdp.exe62⤵
- Executes dropped EXE
PID:1136 -
\??\c:\2682200.exec:\2682200.exe63⤵
- Executes dropped EXE
PID:3460 -
\??\c:\9hnbtn.exec:\9hnbtn.exe64⤵
- Executes dropped EXE
PID:1636 -
\??\c:\9tnbnb.exec:\9tnbnb.exe65⤵
- Executes dropped EXE
PID:4332 -
\??\c:\6624204.exec:\6624204.exe66⤵PID:640
-
\??\c:\g2860.exec:\g2860.exe67⤵PID:4080
-
\??\c:\022682.exec:\022682.exe68⤵PID:4296
-
\??\c:\rlfxrfx.exec:\rlfxrfx.exe69⤵PID:796
-
\??\c:\vppjj.exec:\vppjj.exe70⤵PID:1756
-
\??\c:\rrrflfr.exec:\rrrflfr.exe71⤵PID:1780
-
\??\c:\8408640.exec:\8408640.exe72⤵PID:1696
-
\??\c:\3rfrlfr.exec:\3rfrlfr.exe73⤵PID:4184
-
\??\c:\hhnnfx.exec:\hhnnfx.exe74⤵PID:3380
-
\??\c:\dpjdp.exec:\dpjdp.exe75⤵PID:4576
-
\??\c:\thhthb.exec:\thhthb.exe76⤵PID:4572
-
\??\c:\2886464.exec:\2886464.exe77⤵PID:432
-
\??\c:\nhhtht.exec:\nhhtht.exe78⤵PID:4860
-
\??\c:\644220.exec:\644220.exe79⤵PID:1536
-
\??\c:\vdjpj.exec:\vdjpj.exe80⤵PID:4680
-
\??\c:\lxxllfr.exec:\lxxllfr.exe81⤵PID:656
-
\??\c:\vppvp.exec:\vppvp.exe82⤵PID:3044
-
\??\c:\26664.exec:\26664.exe83⤵PID:1712
-
\??\c:\k22682.exec:\k22682.exe84⤵PID:3604
-
\??\c:\20486.exec:\20486.exe85⤵PID:2676
-
\??\c:\tntthb.exec:\tntthb.exe86⤵PID:1464
-
\??\c:\866842.exec:\866842.exe87⤵PID:2524
-
\??\c:\4002864.exec:\4002864.exe88⤵PID:880
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe89⤵PID:4716
-
\??\c:\bnnbnh.exec:\bnnbnh.exe90⤵PID:4508
-
\??\c:\42204.exec:\42204.exe91⤵PID:2392
-
\??\c:\88000.exec:\88000.exe92⤵PID:624
-
\??\c:\6440442.exec:\6440442.exe93⤵PID:3548
-
\??\c:\404264.exec:\404264.exe94⤵PID:628
-
\??\c:\nhtthb.exec:\nhtthb.exe95⤵PID:4740
-
\??\c:\200440.exec:\200440.exe96⤵PID:2640
-
\??\c:\dpjvp.exec:\dpjvp.exe97⤵PID:4404
-
\??\c:\rrxlrll.exec:\rrxlrll.exe98⤵PID:1480
-
\??\c:\nbbnbt.exec:\nbbnbt.exe99⤵PID:4916
-
\??\c:\pppdp.exec:\pppdp.exe100⤵PID:2844
-
\??\c:\w26244.exec:\w26244.exe101⤵PID:2772
-
\??\c:\hntntn.exec:\hntntn.exe102⤵PID:3100
-
\??\c:\3nnhtt.exec:\3nnhtt.exe103⤵PID:3024
-
\??\c:\3frfrxl.exec:\3frfrxl.exe104⤵PID:1804
-
\??\c:\840426.exec:\840426.exe105⤵PID:5000
-
\??\c:\i826482.exec:\i826482.exe106⤵PID:2656
-
\??\c:\82606.exec:\82606.exe107⤵PID:320
-
\??\c:\u444820.exec:\u444820.exe108⤵PID:2948
-
\??\c:\0882042.exec:\0882042.exe109⤵PID:4272
-
\??\c:\00260.exec:\00260.exe110⤵PID:1808
-
\??\c:\m6260.exec:\m6260.exe111⤵PID:1860
-
\??\c:\20040.exec:\20040.exe112⤵PID:4792
-
\??\c:\xrrlfxx.exec:\xrrlfxx.exe113⤵PID:3348
-
\??\c:\428226.exec:\428226.exe114⤵PID:1128
-
\??\c:\e44804.exec:\e44804.exe115⤵PID:876
-
\??\c:\pppdv.exec:\pppdv.exe116⤵
- System Location Discovery: System Language Discovery
PID:4756 -
\??\c:\448880.exec:\448880.exe117⤵PID:2184
-
\??\c:\42828.exec:\42828.exe118⤵PID:1888
-
\??\c:\u486482.exec:\u486482.exe119⤵PID:1948
-
\??\c:\vvdvp.exec:\vvdvp.exe120⤵PID:3640
-
\??\c:\ddjjp.exec:\ddjjp.exe121⤵PID:4340
-
\??\c:\4408204.exec:\4408204.exe122⤵PID:4056