Analysis
-
max time kernel
120s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 03:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cbd7e4dc9fce8ead7ef06577369f7dc8312eb0b4be5e5ee8c5f31d1a40f34851N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
cbd7e4dc9fce8ead7ef06577369f7dc8312eb0b4be5e5ee8c5f31d1a40f34851N.exe
-
Size
454KB
-
MD5
c8350c48b19812dc7c994dce49753b00
-
SHA1
e479572e2670a909868e281214cccce689355ace
-
SHA256
cbd7e4dc9fce8ead7ef06577369f7dc8312eb0b4be5e5ee8c5f31d1a40f34851
-
SHA512
ae2f2d3cb4f7398c6f1999722d12c873c0817b7a3231a54387a44e19e67f14a95c0705e0b27b5023c8f2f297dcd18a71bf801b492d7d4e5de7236c4813de0961
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/3644-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5100-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3624-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-1358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 228 06042.exe 3144 k88626.exe 1056 ppjvj.exe 4396 60420.exe 4416 8486862.exe 2368 a8642.exe 4124 6486442.exe 2812 rxxfrff.exe 2928 9rlxrlr.exe 2912 dvddd.exe 2628 vppjv.exe 4924 626426.exe 1172 nbhtnt.exe 3080 42086.exe 3652 0886200.exe 4700 8820864.exe 4916 7rfrlfx.exe 1668 bbbnbt.exe 2152 vpjdp.exe 5024 a0046.exe 4028 pddpv.exe 1096 6864208.exe 1612 a2820.exe 1624 xlxlxxl.exe 5100 4842642.exe 1428 o826262.exe 2108 g8424.exe 1588 624642.exe 648 644208.exe 4392 424244.exe 4820 hbtnnn.exe 1792 htbnhb.exe 3512 648648.exe 844 0404246.exe 3684 pvpdp.exe 3260 20222.exe 1688 hhhtbt.exe 2648 jpvjp.exe 772 tnnthb.exe 620 44468.exe 3084 w66084.exe 1232 nhnhhh.exe 4376 vjdjj.exe 4684 djdpj.exe 1340 flrxrfr.exe 2444 nntnbt.exe 2576 dvpdd.exe 2376 s8864.exe 1056 3bhtnb.exe 2460 bbhbnh.exe 1132 dppdv.exe 1900 9bthtn.exe 1784 1ppvj.exe 3608 2482420.exe 3328 jjppp.exe 3808 tnthhb.exe 3996 xlrfxrf.exe 4288 4226466.exe 1860 062646.exe 3876 066082.exe 4372 ddvpj.exe 3520 86286.exe 1408 5rrlrlf.exe 3592 jdpdj.exe -
resource yara_rule behavioral2/memory/3644-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1428-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-339-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1612-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-1246-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 400882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6660482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e00864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c886486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxfxrx.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8884282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k84882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2802.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3644 wrote to memory of 228 3644 cbd7e4dc9fce8ead7ef06577369f7dc8312eb0b4be5e5ee8c5f31d1a40f34851N.exe 85 PID 3644 wrote to memory of 228 3644 cbd7e4dc9fce8ead7ef06577369f7dc8312eb0b4be5e5ee8c5f31d1a40f34851N.exe 85 PID 3644 wrote to memory of 228 3644 cbd7e4dc9fce8ead7ef06577369f7dc8312eb0b4be5e5ee8c5f31d1a40f34851N.exe 85 PID 228 wrote to memory of 3144 228 06042.exe 86 PID 228 wrote to memory of 3144 228 06042.exe 86 PID 228 wrote to memory of 3144 228 06042.exe 86 PID 3144 wrote to memory of 1056 3144 k88626.exe 87 PID 3144 wrote to memory of 1056 3144 k88626.exe 87 PID 3144 wrote to memory of 1056 3144 k88626.exe 87 PID 1056 wrote to memory of 4396 1056 ppjvj.exe 88 PID 1056 wrote to memory of 4396 1056 ppjvj.exe 88 PID 1056 wrote to memory of 4396 1056 ppjvj.exe 88 PID 4396 wrote to memory of 4416 4396 60420.exe 89 PID 4396 wrote to memory of 4416 4396 60420.exe 89 PID 4396 wrote to memory of 4416 4396 60420.exe 89 PID 4416 wrote to memory of 2368 4416 8486862.exe 90 PID 4416 wrote to memory of 2368 4416 8486862.exe 90 PID 4416 wrote to memory of 2368 4416 8486862.exe 90 PID 2368 wrote to memory of 4124 2368 a8642.exe 91 PID 2368 wrote to memory of 4124 2368 a8642.exe 91 PID 2368 wrote to memory of 4124 2368 a8642.exe 91 PID 4124 wrote to memory of 2812 4124 6486442.exe 92 PID 4124 wrote to memory of 2812 4124 6486442.exe 92 PID 4124 wrote to memory of 2812 4124 6486442.exe 92 PID 2812 wrote to memory of 2928 2812 rxxfrff.exe 93 PID 2812 wrote to memory of 2928 2812 rxxfrff.exe 93 PID 2812 wrote to memory of 2928 2812 rxxfrff.exe 93 PID 2928 wrote to memory of 2912 2928 9rlxrlr.exe 94 PID 2928 wrote to memory of 2912 2928 9rlxrlr.exe 94 PID 2928 wrote to memory of 2912 2928 9rlxrlr.exe 94 PID 2912 wrote to memory of 2628 2912 dvddd.exe 95 PID 2912 wrote to memory of 2628 2912 dvddd.exe 95 PID 2912 wrote to memory of 2628 2912 dvddd.exe 95 PID 2628 wrote to memory of 4924 2628 vppjv.exe 96 PID 2628 wrote to memory of 
4924 2628 vppjv.exe 96 PID 2628 wrote to memory of 4924 2628 vppjv.exe 96 PID 4924 wrote to memory of 1172 4924 626426.exe 97 PID 4924 wrote to memory of 1172 4924 626426.exe 97 PID 4924 wrote to memory of 1172 4924 626426.exe 97 PID 1172 wrote to memory of 3080 1172 nbhtnt.exe 98 PID 1172 wrote to memory of 3080 1172 nbhtnt.exe 98 PID 1172 wrote to memory of 3080 1172 nbhtnt.exe 98 PID 3080 wrote to memory of 3652 3080 42086.exe 99 PID 3080 wrote to memory of 3652 3080 42086.exe 99 PID 3080 wrote to memory of 3652 3080 42086.exe 99 PID 3652 wrote to memory of 4700 3652 0886200.exe 100 PID 3652 wrote to memory of 4700 3652 0886200.exe 100 PID 3652 wrote to memory of 4700 3652 0886200.exe 100 PID 4700 wrote to memory of 4916 4700 8820864.exe 101 PID 4700 wrote to memory of 4916 4700 8820864.exe 101 PID 4700 wrote to memory of 4916 4700 8820864.exe 101 PID 4916 wrote to memory of 1668 4916 7rfrlfx.exe 102 PID 4916 wrote to memory of 1668 4916 7rfrlfx.exe 102 PID 4916 wrote to memory of 1668 4916 7rfrlfx.exe 102 PID 1668 wrote to memory of 2152 1668 bbbnbt.exe 103 PID 1668 wrote to memory of 2152 1668 bbbnbt.exe 103 PID 1668 wrote to memory of 2152 1668 bbbnbt.exe 103 PID 2152 wrote to memory of 5024 2152 vpjdp.exe 104 PID 2152 wrote to memory of 5024 2152 vpjdp.exe 104 PID 2152 wrote to memory of 5024 2152 vpjdp.exe 104 PID 5024 wrote to memory of 4028 5024 a0046.exe 105 PID 5024 wrote to memory of 4028 5024 a0046.exe 105 PID 5024 wrote to memory of 4028 5024 a0046.exe 105 PID 4028 wrote to memory of 1096 4028 pddpv.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbd7e4dc9fce8ead7ef06577369f7dc8312eb0b4be5e5ee8c5f31d1a40f34851N.exe"C:\Users\Admin\AppData\Local\Temp\cbd7e4dc9fce8ead7ef06577369f7dc8312eb0b4be5e5ee8c5f31d1a40f34851N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\06042.exec:\06042.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\k88626.exec:\k88626.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\ppjvj.exec:\ppjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\60420.exec:\60420.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\8486862.exec:\8486862.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\a8642.exec:\a8642.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\6486442.exec:\6486442.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\rxxfrff.exec:\rxxfrff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\9rlxrlr.exec:\9rlxrlr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\dvddd.exec:\dvddd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\vppjv.exec:\vppjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\626426.exec:\626426.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\nbhtnt.exec:\nbhtnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\42086.exec:\42086.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\0886200.exec:\0886200.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\8820864.exec:\8820864.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\7rfrlfx.exec:\7rfrlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\bbbnbt.exec:\bbbnbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\vpjdp.exec:\vpjdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\a0046.exec:\a0046.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\pddpv.exec:\pddpv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\6864208.exec:\6864208.exe23⤵
- Executes dropped EXE
PID:1096 -
\??\c:\a2820.exec:\a2820.exe24⤵
- Executes dropped EXE
PID:1612 -
\??\c:\xlxlxxl.exec:\xlxlxxl.exe25⤵
- Executes dropped EXE
PID:1624 -
\??\c:\4842642.exec:\4842642.exe26⤵
- Executes dropped EXE
PID:5100 -
\??\c:\o826262.exec:\o826262.exe27⤵
- Executes dropped EXE
PID:1428 -
\??\c:\g8424.exec:\g8424.exe28⤵
- Executes dropped EXE
PID:2108 -
\??\c:\624642.exec:\624642.exe29⤵
- Executes dropped EXE
PID:1588 -
\??\c:\644208.exec:\644208.exe30⤵
- Executes dropped EXE
PID:648 -
\??\c:\424244.exec:\424244.exe31⤵
- Executes dropped EXE
PID:4392 -
\??\c:\hbtnnn.exec:\hbtnnn.exe32⤵
- Executes dropped EXE
PID:4820 -
\??\c:\htbnhb.exec:\htbnhb.exe33⤵
- Executes dropped EXE
PID:1792 -
\??\c:\648648.exec:\648648.exe34⤵
- Executes dropped EXE
PID:3512 -
\??\c:\0404246.exec:\0404246.exe35⤵
- Executes dropped EXE
PID:844 -
\??\c:\pvpdp.exec:\pvpdp.exe36⤵
- Executes dropped EXE
PID:3684 -
\??\c:\20222.exec:\20222.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3260 -
\??\c:\hhhtbt.exec:\hhhtbt.exe38⤵
- Executes dropped EXE
PID:1688 -
\??\c:\jpvjp.exec:\jpvjp.exe39⤵
- Executes dropped EXE
PID:2648 -
\??\c:\tnnthb.exec:\tnnthb.exe40⤵
- Executes dropped EXE
PID:772 -
\??\c:\44468.exec:\44468.exe41⤵
- Executes dropped EXE
PID:620 -
\??\c:\w66084.exec:\w66084.exe42⤵
- Executes dropped EXE
PID:3084 -
\??\c:\nhnhhh.exec:\nhnhhh.exe43⤵
- Executes dropped EXE
PID:1232 -
\??\c:\vjdjj.exec:\vjdjj.exe44⤵
- Executes dropped EXE
PID:4376 -
\??\c:\djdpj.exec:\djdpj.exe45⤵
- Executes dropped EXE
PID:4684 -
\??\c:\flrxrfr.exec:\flrxrfr.exe46⤵
- Executes dropped EXE
PID:1340 -
\??\c:\nntnbt.exec:\nntnbt.exe47⤵
- Executes dropped EXE
PID:2444 -
\??\c:\dvpdd.exec:\dvpdd.exe48⤵
- Executes dropped EXE
PID:2576 -
\??\c:\s8864.exec:\s8864.exe49⤵
- Executes dropped EXE
PID:2376 -
\??\c:\3bhtnb.exec:\3bhtnb.exe50⤵
- Executes dropped EXE
PID:1056 -
\??\c:\bbhbnh.exec:\bbhbnh.exe51⤵
- Executes dropped EXE
PID:2460 -
\??\c:\dppdv.exec:\dppdv.exe52⤵
- Executes dropped EXE
PID:1132 -
\??\c:\9bthtn.exec:\9bthtn.exe53⤵
- Executes dropped EXE
PID:1900 -
\??\c:\1ppvj.exec:\1ppvj.exe54⤵
- Executes dropped EXE
PID:1784 -
\??\c:\2482420.exec:\2482420.exe55⤵
- Executes dropped EXE
PID:3608 -
\??\c:\jjppp.exec:\jjppp.exe56⤵
- Executes dropped EXE
PID:3328 -
\??\c:\tnthhb.exec:\tnthhb.exe57⤵
- Executes dropped EXE
PID:3808 -
\??\c:\xlrfxrf.exec:\xlrfxrf.exe58⤵
- Executes dropped EXE
PID:3996 -
\??\c:\4226466.exec:\4226466.exe59⤵
- Executes dropped EXE
PID:4288 -
\??\c:\062646.exec:\062646.exe60⤵
- Executes dropped EXE
PID:1860 -
\??\c:\066082.exec:\066082.exe61⤵
- Executes dropped EXE
PID:3876 -
\??\c:\ddvpj.exec:\ddvpj.exe62⤵
- Executes dropped EXE
PID:4372 -
\??\c:\86286.exec:\86286.exe63⤵
- Executes dropped EXE
PID:3520 -
\??\c:\5rrlrlf.exec:\5rrlrlf.exe64⤵
- Executes dropped EXE
PID:1408 -
\??\c:\jdpdj.exec:\jdpdj.exe65⤵
- Executes dropped EXE
PID:3592 -
\??\c:\4048042.exec:\4048042.exe66⤵PID:2664
-
\??\c:\vjdpd.exec:\vjdpd.exe67⤵PID:5092
-
\??\c:\8664260.exec:\8664260.exe68⤵PID:4252
-
\??\c:\02248.exec:\02248.exe69⤵PID:1604
-
\??\c:\4042226.exec:\4042226.exe70⤵PID:2624
-
\??\c:\884820.exec:\884820.exe71⤵PID:3624
-
\??\c:\44602.exec:\44602.exe72⤵PID:3580
-
\??\c:\q62026.exec:\q62026.exe73⤵PID:912
-
\??\c:\022464.exec:\022464.exe74⤵PID:1932
-
\??\c:\xxrfrlf.exec:\xxrfrlf.exe75⤵PID:4360
-
\??\c:\628864.exec:\628864.exe76⤵PID:5116
-
\??\c:\nbbthb.exec:\nbbthb.exe77⤵PID:1188
-
\??\c:\7llxlxl.exec:\7llxlxl.exe78⤵PID:1612
-
\??\c:\jjjpd.exec:\jjjpd.exe79⤵PID:3152
-
\??\c:\6660482.exec:\6660482.exe80⤵
- System Location Discovery: System Language Discovery
PID:4908 -
\??\c:\bntbbt.exec:\bntbbt.exe81⤵PID:4500
-
\??\c:\1hhbnh.exec:\1hhbnh.exe82⤵PID:700
-
\??\c:\e00864.exec:\e00864.exe83⤵
- System Location Discovery: System Language Discovery
PID:5088 -
\??\c:\28886.exec:\28886.exe84⤵PID:2108
-
\??\c:\7ntthb.exec:\7ntthb.exe85⤵PID:1524
-
\??\c:\vppdp.exec:\vppdp.exe86⤵PID:3172
-
\??\c:\a2802.exec:\a2802.exe87⤵PID:2408
-
\??\c:\8226864.exec:\8226864.exe88⤵PID:3364
-
\??\c:\c046420.exec:\c046420.exe89⤵PID:4820
-
\??\c:\u042084.exec:\u042084.exe90⤵PID:3968
-
\??\c:\9frfrfl.exec:\9frfrfl.exe91⤵PID:3620
-
\??\c:\dvvdv.exec:\dvvdv.exe92⤵PID:1128
-
\??\c:\82040.exec:\82040.exe93⤵PID:2908
-
\??\c:\240264.exec:\240264.exe94⤵PID:1944
-
\??\c:\xfxxrll.exec:\xfxxrll.exe95⤵PID:2148
-
\??\c:\ntthth.exec:\ntthth.exe96⤵PID:2424
-
\??\c:\6820208.exec:\6820208.exe97⤵PID:2352
-
\??\c:\288260.exec:\288260.exe98⤵PID:2080
-
\??\c:\xxrlxxr.exec:\xxrlxxr.exe99⤵PID:4016
-
\??\c:\w66486.exec:\w66486.exe100⤵PID:920
-
\??\c:\hthtbt.exec:\hthtbt.exe101⤵PID:1116
-
\??\c:\602288.exec:\602288.exe102⤵PID:1052
-
\??\c:\xlfxfxl.exec:\xlfxfxl.exe103⤵PID:216
-
\??\c:\dpdjd.exec:\dpdjd.exe104⤵PID:4752
-
\??\c:\htthbn.exec:\htthbn.exe105⤵PID:3144
-
\??\c:\9bthbn.exec:\9bthbn.exe106⤵PID:4508
-
\??\c:\2468866.exec:\2468866.exe107⤵PID:2488
-
\??\c:\hbbnbb.exec:\hbbnbb.exe108⤵PID:2952
-
\??\c:\480208.exec:\480208.exe109⤵PID:2548
-
\??\c:\040842.exec:\040842.exe110⤵PID:2560
-
\??\c:\5jjdp.exec:\5jjdp.exe111⤵PID:3780
-
\??\c:\w88242.exec:\w88242.exe112⤵PID:1900
-
\??\c:\20864.exec:\20864.exe113⤵PID:968
-
\??\c:\rrrlxrl.exec:\rrrlxrl.exe114⤵PID:2812
-
\??\c:\htthnh.exec:\htthnh.exe115⤵PID:2640
-
\??\c:\o042486.exec:\o042486.exe116⤵PID:2620
-
\??\c:\flflfrf.exec:\flflfrf.exe117⤵PID:3248
-
\??\c:\486420.exec:\486420.exe118⤵PID:3808
-
\??\c:\1xrlffx.exec:\1xrlffx.exe119⤵PID:400
-
\??\c:\dpjpd.exec:\dpjpd.exe120⤵PID:1516
-
\??\c:\00480.exec:\00480.exe121⤵PID:4512
-
\??\c:\9pvpp.exec:\9pvpp.exe122⤵PID:4924