Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 06:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8e38ba3f3700941d0191775024cefc262c22997983c8814eff1ef6794c8a96c7N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
8e38ba3f3700941d0191775024cefc262c22997983c8814eff1ef6794c8a96c7N.exe
-
Size
453KB
-
MD5
10d047651ae5299be43fd05ccba3d280
-
SHA1
b9e007bb07584c2b47c91aa9db0d713df8b14e6f
-
SHA256
8e38ba3f3700941d0191775024cefc262c22997983c8814eff1ef6794c8a96c7
-
SHA512
6e4cf923241b9cce7e3a6c3503103b38a9128f8bc98962d098fe85d92dd9e024aea7ad8effb9427508b563c4d36043e6be9bfe0f7a4f36ff8b75bdf5b1cd3a5e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1892-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2612-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4448-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-992-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5008-1221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4156 22648.exe 456 8086480.exe 2712 q88642.exe 4664 s8406.exe 4572 5flxlfr.exe 4520 btthht.exe 4760 460020.exe 1524 5tbntn.exe 3076 206404.exe 316 8640822.exe 5000 pddpj.exe 3232 68024.exe 4488 jppjv.exe 4784 httnbt.exe 2240 jvvjp.exe 2508 9pdpd.exe 2272 m6208.exe 5028 62604.exe 1000 hthbbt.exe 3728 220820.exe 5048 dvdvj.exe 5036 0820820.exe 2492 2020044.exe 748 e84822.exe 2044 w48483.exe 928 vvdvj.exe 2944 pvppd.exe 2924 bnbthb.exe 3144 9bhtbt.exe 1964 dppdp.exe 2612 ththbt.exe 4560 vpvpj.exe 4648 flrllff.exe 4656 djjdp.exe 2836 a6882.exe 5100 7rllffx.exe 3736 4860662.exe 1736 rllfrrx.exe 1200 04848.exe 1360 6226662.exe 2120 8288200.exe 3740 a6206.exe 4348 06482.exe 4936 w20444.exe 4484 40882.exe 1120 lflfxxr.exe 3452 4008260.exe 1560 26228.exe 1404 g0228.exe 804 9bhbbb.exe 4076 vpvdv.exe 4040 bnbbbt.exe 3760 rllffxx.exe 2000 a2826.exe 528 hbhhtb.exe 4580 fxxffxx.exe 3700 5dvvp.exe 3844 hhthth.exe 4264 5hhbnn.exe 3336 8062660.exe 3044 vvdvp.exe 2348 g8220.exe 4660 o666444.exe 4200 c288222.exe -
resource yara_rule behavioral2/memory/1892-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2612-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-390-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3712-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-703-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4042042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w06060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k86600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4800848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1892 wrote to memory of 4156 1892 8e38ba3f3700941d0191775024cefc262c22997983c8814eff1ef6794c8a96c7N.exe 83 PID 1892 wrote to memory of 4156 1892 8e38ba3f3700941d0191775024cefc262c22997983c8814eff1ef6794c8a96c7N.exe 83 PID 1892 wrote to memory of 4156 1892 8e38ba3f3700941d0191775024cefc262c22997983c8814eff1ef6794c8a96c7N.exe 83 PID 4156 wrote to memory of 456 4156 22648.exe 84 PID 4156 wrote to memory of 456 4156 22648.exe 84 PID 4156 wrote to memory of 456 4156 22648.exe 84 PID 456 wrote to memory of 2712 456 8086480.exe 85 PID 456 wrote to memory of 2712 456 8086480.exe 85 PID 456 wrote to memory of 2712 456 8086480.exe 85 PID 2712 wrote to memory of 4664 2712 q88642.exe 86 PID 2712 wrote to memory of 4664 2712 q88642.exe 86 PID 2712 wrote to memory of 4664 2712 q88642.exe 86 PID 4664 wrote to memory of 4572 4664 s8406.exe 87 PID 4664 wrote to memory of 4572 4664 s8406.exe 87 PID 4664 wrote to memory of 4572 4664 s8406.exe 87 PID 4572 wrote to memory of 4520 4572 5flxlfr.exe 88 PID 4572 wrote to memory of 4520 4572 5flxlfr.exe 88 PID 4572 wrote to memory of 4520 4572 5flxlfr.exe 88 PID 4520 wrote to memory of 4760 4520 btthht.exe 89 PID 4520 wrote to memory of 4760 4520 btthht.exe 89 PID 4520 wrote to memory of 4760 4520 btthht.exe 89 PID 4760 wrote to memory of 1524 4760 460020.exe 90 PID 4760 wrote to memory of 1524 4760 460020.exe 90 PID 4760 wrote to memory of 1524 4760 460020.exe 90 PID 1524 wrote to memory of 3076 1524 5tbntn.exe 91 PID 1524 wrote to memory of 3076 1524 5tbntn.exe 91 PID 1524 wrote to memory of 3076 1524 5tbntn.exe 91 PID 3076 wrote to memory of 316 3076 206404.exe 92 PID 3076 wrote to memory of 316 3076 206404.exe 92 PID 3076 wrote to memory of 316 3076 206404.exe 92 PID 316 wrote to memory of 5000 316 8640822.exe 93 PID 316 wrote to memory of 5000 316 8640822.exe 93 PID 316 wrote to memory of 5000 316 8640822.exe 93 PID 5000 wrote to memory of 3232 5000 pddpj.exe 94 PID 5000 wrote to memory of 3232 
5000 pddpj.exe 94 PID 5000 wrote to memory of 3232 5000 pddpj.exe 94 PID 3232 wrote to memory of 4488 3232 68024.exe 95 PID 3232 wrote to memory of 4488 3232 68024.exe 95 PID 3232 wrote to memory of 4488 3232 68024.exe 95 PID 4488 wrote to memory of 4784 4488 jppjv.exe 96 PID 4488 wrote to memory of 4784 4488 jppjv.exe 96 PID 4488 wrote to memory of 4784 4488 jppjv.exe 96 PID 4784 wrote to memory of 2240 4784 httnbt.exe 97 PID 4784 wrote to memory of 2240 4784 httnbt.exe 97 PID 4784 wrote to memory of 2240 4784 httnbt.exe 97 PID 2240 wrote to memory of 2508 2240 jvvjp.exe 98 PID 2240 wrote to memory of 2508 2240 jvvjp.exe 98 PID 2240 wrote to memory of 2508 2240 jvvjp.exe 98 PID 2508 wrote to memory of 2272 2508 9pdpd.exe 99 PID 2508 wrote to memory of 2272 2508 9pdpd.exe 99 PID 2508 wrote to memory of 2272 2508 9pdpd.exe 99 PID 2272 wrote to memory of 5028 2272 m6208.exe 100 PID 2272 wrote to memory of 5028 2272 m6208.exe 100 PID 2272 wrote to memory of 5028 2272 m6208.exe 100 PID 5028 wrote to memory of 1000 5028 62604.exe 101 PID 5028 wrote to memory of 1000 5028 62604.exe 101 PID 5028 wrote to memory of 1000 5028 62604.exe 101 PID 1000 wrote to memory of 3728 1000 hthbbt.exe 102 PID 1000 wrote to memory of 3728 1000 hthbbt.exe 102 PID 1000 wrote to memory of 3728 1000 hthbbt.exe 102 PID 3728 wrote to memory of 5048 3728 220820.exe 103 PID 3728 wrote to memory of 5048 3728 220820.exe 103 PID 3728 wrote to memory of 5048 3728 220820.exe 103 PID 5048 wrote to memory of 5036 5048 dvdvj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e38ba3f3700941d0191775024cefc262c22997983c8814eff1ef6794c8a96c7N.exe"C:\Users\Admin\AppData\Local\Temp\8e38ba3f3700941d0191775024cefc262c22997983c8814eff1ef6794c8a96c7N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\22648.exec:\22648.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\8086480.exec:\8086480.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\q88642.exec:\q88642.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\s8406.exec:\s8406.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\5flxlfr.exec:\5flxlfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\btthht.exec:\btthht.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\460020.exec:\460020.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\5tbntn.exec:\5tbntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\206404.exec:\206404.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\8640822.exec:\8640822.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\pddpj.exec:\pddpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\68024.exec:\68024.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\jppjv.exec:\jppjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\httnbt.exec:\httnbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\jvvjp.exec:\jvvjp.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\9pdpd.exec:\9pdpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\m6208.exec:\m6208.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\62604.exec:\62604.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\hthbbt.exec:\hthbbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\220820.exec:\220820.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\dvdvj.exec:\dvdvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\0820820.exec:\0820820.exe23⤵
- Executes dropped EXE
PID:5036 -
\??\c:\2020044.exec:\2020044.exe24⤵
- Executes dropped EXE
PID:2492 -
\??\c:\e84822.exec:\e84822.exe25⤵
- Executes dropped EXE
PID:748 -
\??\c:\w48483.exec:\w48483.exe26⤵
- Executes dropped EXE
PID:2044 -
\??\c:\vvdvj.exec:\vvdvj.exe27⤵
- Executes dropped EXE
PID:928 -
\??\c:\pvppd.exec:\pvppd.exe28⤵
- Executes dropped EXE
PID:2944 -
\??\c:\bnbthb.exec:\bnbthb.exe29⤵
- Executes dropped EXE
PID:2924 -
\??\c:\9bhtbt.exec:\9bhtbt.exe30⤵
- Executes dropped EXE
PID:3144 -
\??\c:\dppdp.exec:\dppdp.exe31⤵
- Executes dropped EXE
PID:1964 -
\??\c:\ththbt.exec:\ththbt.exe32⤵
- Executes dropped EXE
PID:2612 -
\??\c:\vpvpj.exec:\vpvpj.exe33⤵
- Executes dropped EXE
PID:4560 -
\??\c:\flrllff.exec:\flrllff.exe34⤵
- Executes dropped EXE
PID:4648 -
\??\c:\djjdp.exec:\djjdp.exe35⤵
- Executes dropped EXE
PID:4656 -
\??\c:\a6882.exec:\a6882.exe36⤵
- Executes dropped EXE
PID:2836 -
\??\c:\7rllffx.exec:\7rllffx.exe37⤵
- Executes dropped EXE
PID:5100 -
\??\c:\4860662.exec:\4860662.exe38⤵
- Executes dropped EXE
PID:3736 -
\??\c:\rllfrrx.exec:\rllfrrx.exe39⤵
- Executes dropped EXE
PID:1736 -
\??\c:\04848.exec:\04848.exe40⤵
- Executes dropped EXE
PID:1200 -
\??\c:\6226662.exec:\6226662.exe41⤵
- Executes dropped EXE
PID:1360 -
\??\c:\8288200.exec:\8288200.exe42⤵
- Executes dropped EXE
PID:2120 -
\??\c:\a6206.exec:\a6206.exe43⤵
- Executes dropped EXE
PID:3740 -
\??\c:\06482.exec:\06482.exe44⤵
- Executes dropped EXE
PID:4348 -
\??\c:\w20444.exec:\w20444.exe45⤵
- Executes dropped EXE
PID:4936 -
\??\c:\40882.exec:\40882.exe46⤵
- Executes dropped EXE
PID:4484 -
\??\c:\lflfxxr.exec:\lflfxxr.exe47⤵
- Executes dropped EXE
PID:1120 -
\??\c:\4008260.exec:\4008260.exe48⤵
- Executes dropped EXE
PID:3452 -
\??\c:\26228.exec:\26228.exe49⤵
- Executes dropped EXE
PID:1560 -
\??\c:\g0228.exec:\g0228.exe50⤵
- Executes dropped EXE
PID:1404 -
\??\c:\9bhbbb.exec:\9bhbbb.exe51⤵
- Executes dropped EXE
PID:804 -
\??\c:\vpvdv.exec:\vpvdv.exe52⤵
- Executes dropped EXE
PID:4076 -
\??\c:\bnbbbt.exec:\bnbbbt.exe53⤵
- Executes dropped EXE
PID:4040 -
\??\c:\rllffxx.exec:\rllffxx.exe54⤵
- Executes dropped EXE
PID:3760 -
\??\c:\a2826.exec:\a2826.exe55⤵
- Executes dropped EXE
PID:2000 -
\??\c:\hbhhtb.exec:\hbhhtb.exe56⤵
- Executes dropped EXE
PID:528 -
\??\c:\fxxffxx.exec:\fxxffxx.exe57⤵
- Executes dropped EXE
PID:4580 -
\??\c:\5dvvp.exec:\5dvvp.exe58⤵
- Executes dropped EXE
PID:3700 -
\??\c:\hhthth.exec:\hhthth.exe59⤵
- Executes dropped EXE
PID:3844 -
\??\c:\5hhbnn.exec:\5hhbnn.exe60⤵
- Executes dropped EXE
PID:4264 -
\??\c:\8062660.exec:\8062660.exe61⤵
- Executes dropped EXE
PID:3336 -
\??\c:\vvdvp.exec:\vvdvp.exe62⤵
- Executes dropped EXE
PID:3044 -
\??\c:\g8220.exec:\g8220.exe63⤵
- Executes dropped EXE
PID:2348 -
\??\c:\o666444.exec:\o666444.exe64⤵
- Executes dropped EXE
PID:4660 -
\??\c:\c288222.exec:\c288222.exe65⤵
- Executes dropped EXE
PID:4200 -
\??\c:\vpvpv.exec:\vpvpv.exe66⤵PID:3440
-
\??\c:\28044.exec:\28044.exe67⤵PID:1764
-
\??\c:\088624.exec:\088624.exe68⤵PID:5028
-
\??\c:\bnthhh.exec:\bnthhh.exe69⤵PID:4300
-
\??\c:\m8262.exec:\m8262.exe70⤵PID:4888
-
\??\c:\22024.exec:\22024.exe71⤵PID:8
-
\??\c:\8884848.exec:\8884848.exe72⤵PID:3608
-
\??\c:\5lxrxxf.exec:\5lxrxxf.exe73⤵PID:2580
-
\??\c:\4060482.exec:\4060482.exe74⤵PID:3636
-
\??\c:\w46426.exec:\w46426.exe75⤵PID:3376
-
\??\c:\xfxllfl.exec:\xfxllfl.exe76⤵PID:4652
-
\??\c:\06882.exec:\06882.exe77⤵PID:3548
-
\??\c:\828266.exec:\828266.exe78⤵PID:5020
-
\??\c:\684088.exec:\684088.exe79⤵PID:5008
-
\??\c:\a2866.exec:\a2866.exe80⤵PID:928
-
\??\c:\djpjp.exec:\djpjp.exe81⤵PID:3352
-
\??\c:\28020.exec:\28020.exe82⤵PID:3312
-
\??\c:\42822.exec:\42822.exe83⤵PID:640
-
\??\c:\2622002.exec:\2622002.exe84⤵PID:3356
-
\??\c:\842204.exec:\842204.exe85⤵PID:940
-
\??\c:\bnhthb.exec:\bnhthb.exe86⤵PID:1440
-
\??\c:\422048.exec:\422048.exe87⤵
- System Location Discovery: System Language Discovery
PID:1888 -
\??\c:\m4848.exec:\m4848.exe88⤵PID:5044
-
\??\c:\846600.exec:\846600.exe89⤵PID:4124
-
\??\c:\tbbtnn.exec:\tbbtnn.exe90⤵PID:3620
-
\??\c:\u486004.exec:\u486004.exe91⤵PID:3148
-
\??\c:\s6824.exec:\s6824.exe92⤵PID:2820
-
\??\c:\pdjdd.exec:\pdjdd.exe93⤵PID:4448
-
\??\c:\g4626.exec:\g4626.exe94⤵PID:2316
-
\??\c:\7xxrrrl.exec:\7xxrrrl.exe95⤵PID:5024
-
\??\c:\2082884.exec:\2082884.exe96⤵PID:3712
-
\??\c:\nhhttn.exec:\nhhttn.exe97⤵PID:2780
-
\??\c:\2048608.exec:\2048608.exe98⤵PID:4368
-
\??\c:\u248440.exec:\u248440.exe99⤵PID:4364
-
\??\c:\fffflff.exec:\fffflff.exe100⤵PID:1652
-
\??\c:\5ddvp.exec:\5ddvp.exe101⤵PID:3964
-
\??\c:\nnbbnt.exec:\nnbbnt.exe102⤵PID:2404
-
\??\c:\3pdpj.exec:\3pdpj.exe103⤵PID:3460
-
\??\c:\444244.exec:\444244.exe104⤵PID:3452
-
\??\c:\a2264.exec:\a2264.exe105⤵PID:1560
-
\??\c:\06824.exec:\06824.exe106⤵PID:1924
-
\??\c:\ppjvp.exec:\ppjvp.exe107⤵PID:800
-
\??\c:\hbhhbh.exec:\hbhhbh.exe108⤵PID:1648
-
\??\c:\5llfflr.exec:\5llfflr.exe109⤵PID:440
-
\??\c:\jvpjv.exec:\jvpjv.exe110⤵PID:3760
-
\??\c:\nhbnbt.exec:\nhbnbt.exe111⤵PID:4520
-
\??\c:\6448664.exec:\6448664.exe112⤵PID:4476
-
\??\c:\i620486.exec:\i620486.exe113⤵PID:1524
-
\??\c:\hnnhbb.exec:\hnnhbb.exe114⤵PID:2152
-
\??\c:\jdjjv.exec:\jdjjv.exe115⤵PID:3648
-
\??\c:\nhbntn.exec:\nhbntn.exe116⤵PID:5000
-
\??\c:\288644.exec:\288644.exe117⤵PID:1176
-
\??\c:\1llxlrl.exec:\1llxlrl.exe118⤵PID:2104
-
\??\c:\vpjvj.exec:\vpjvj.exe119⤵PID:2376
-
\??\c:\q02044.exec:\q02044.exe120⤵PID:3744
-
\??\c:\pdvpv.exec:\pdvpv.exe121⤵PID:4660
-
\??\c:\flrrfrl.exec:\flrrfrl.exe122⤵PID:4200