Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe
-
Size
454KB
-
MD5
76b3947c781fd3e3181d28d91f695ac4
-
SHA1
41932a1675bbce5927dc24ded2eebd8bb9df80cd
-
SHA256
b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937
-
SHA512
41da3b27e70202d02a45d367ba362e2a63bf16763b4eff10ecaa512d32fb89e6c549e286f3e511a80845aa9a3852deb791b64d98af7edb6a0e175c83251e0813
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4864-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/764-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1136-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-828-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-934-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-1115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-1143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-1254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-1473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4824 a2826.exe 5068 066066.exe 3088 9bhbbb.exe 3448 vvjdv.exe 1896 1jjjd.exe 816 nhtttt.exe 540 q62822.exe 4780 2060482.exe 4700 400866.exe 3020 6620820.exe 3752 jpvvd.exe 3288 bhnbtt.exe 1600 q62082.exe 4816 xllxlxx.exe 3060 08640.exe 3112 4260860.exe 1820 g4426.exe 4732 k42066.exe 2312 g6260.exe 640 802064.exe 924 5fxlxrf.exe 3484 2066442.exe 3884 0620864.exe 3328 0264640.exe 2232 26642.exe 1804 6686820.exe 556 vjpjj.exe 3300 pjpjd.exe 1672 nhtnnn.exe 764 nntttt.exe 1108 03xxlxx.exe 2176 280444.exe 3472 hbhnhn.exe 2732 xlxrffx.exe 1724 rlrlfrr.exe 1332 k00044.exe 4988 lfffxxr.exe 3148 lxffxfx.exe 712 rlxrxrl.exe 1840 864222.exe 2420 26660.exe 2080 s8440.exe 3552 q06040.exe 4292 64666.exe 4900 9xrxrrx.exe 2244 22002.exe 4824 268622.exe 552 8282828.exe 5068 68006.exe 2964 nhhbtt.exe 1380 nnnnhh.exe 4328 hhhbbt.exe 5036 nbbbtt.exe 2376 846004.exe 4044 i420482.exe 3700 8000004.exe 1248 5bnbbn.exe 3916 lfxfrxf.exe 212 20884.exe 4756 c622000.exe 1264 48668.exe 2524 8622046.exe 664 c408822.exe 1844 80288.exe -
resource yara_rule behavioral2/memory/4864-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1804-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-437-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5036-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-828-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-934-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-1115-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2286426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c622000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4026448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2840882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k44482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4864 wrote to memory of 4824 4864 b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe 85 PID 4864 wrote to memory of 4824 4864 b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe 85 PID 4864 wrote to memory of 4824 4864 b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe 85 PID 4824 wrote to memory of 5068 4824 a2826.exe 86 PID 4824 wrote to memory of 5068 4824 a2826.exe 86 PID 4824 wrote to memory of 5068 4824 a2826.exe 86 PID 5068 wrote to memory of 3088 5068 066066.exe 87 PID 5068 wrote to memory of 3088 5068 066066.exe 87 PID 5068 wrote to memory of 3088 5068 066066.exe 87 PID 3088 wrote to memory of 3448 3088 9bhbbb.exe 88 PID 3088 wrote to memory of 3448 3088 9bhbbb.exe 88 PID 3088 wrote to memory of 3448 3088 9bhbbb.exe 88 PID 3448 wrote to memory of 1896 3448 vvjdv.exe 89 PID 3448 wrote to memory of 1896 3448 vvjdv.exe 89 PID 3448 wrote to memory of 1896 3448 vvjdv.exe 89 PID 1896 wrote to memory of 816 1896 1jjjd.exe 90 PID 1896 wrote to memory of 816 1896 1jjjd.exe 90 PID 1896 wrote to memory of 816 1896 1jjjd.exe 90 PID 816 wrote to memory of 540 816 nhtttt.exe 91 PID 816 wrote to memory of 540 816 nhtttt.exe 91 PID 816 wrote to memory of 540 816 nhtttt.exe 91 PID 540 wrote to memory of 4780 540 q62822.exe 92 PID 540 wrote to memory of 4780 540 q62822.exe 92 PID 540 wrote to memory of 4780 540 q62822.exe 92 PID 4780 wrote to memory of 4700 4780 2060482.exe 93 PID 4780 wrote to memory of 4700 4780 2060482.exe 93 PID 4780 wrote to memory of 4700 4780 2060482.exe 93 PID 4700 wrote to memory of 3020 4700 400866.exe 94 PID 4700 wrote to memory of 3020 4700 400866.exe 94 PID 4700 wrote to memory of 3020 4700 400866.exe 94 PID 3020 wrote to memory of 3752 3020 6620820.exe 95 PID 3020 wrote to memory of 3752 3020 6620820.exe 95 PID 3020 wrote to memory of 3752 3020 6620820.exe 95 PID 3752 wrote to memory of 3288 3752 jpvvd.exe 96 PID 3752 wrote to memory of 3288 3752 
jpvvd.exe 96 PID 3752 wrote to memory of 3288 3752 jpvvd.exe 96 PID 3288 wrote to memory of 1600 3288 bhnbtt.exe 97 PID 3288 wrote to memory of 1600 3288 bhnbtt.exe 97 PID 3288 wrote to memory of 1600 3288 bhnbtt.exe 97 PID 1600 wrote to memory of 4816 1600 q62082.exe 98 PID 1600 wrote to memory of 4816 1600 q62082.exe 98 PID 1600 wrote to memory of 4816 1600 q62082.exe 98 PID 4816 wrote to memory of 3060 4816 xllxlxx.exe 99 PID 4816 wrote to memory of 3060 4816 xllxlxx.exe 99 PID 4816 wrote to memory of 3060 4816 xllxlxx.exe 99 PID 3060 wrote to memory of 3112 3060 08640.exe 100 PID 3060 wrote to memory of 3112 3060 08640.exe 100 PID 3060 wrote to memory of 3112 3060 08640.exe 100 PID 3112 wrote to memory of 1820 3112 4260860.exe 101 PID 3112 wrote to memory of 1820 3112 4260860.exe 101 PID 3112 wrote to memory of 1820 3112 4260860.exe 101 PID 1820 wrote to memory of 4732 1820 g4426.exe 102 PID 1820 wrote to memory of 4732 1820 g4426.exe 102 PID 1820 wrote to memory of 4732 1820 g4426.exe 102 PID 4732 wrote to memory of 2312 4732 k42066.exe 103 PID 4732 wrote to memory of 2312 4732 k42066.exe 103 PID 4732 wrote to memory of 2312 4732 k42066.exe 103 PID 2312 wrote to memory of 640 2312 g6260.exe 104 PID 2312 wrote to memory of 640 2312 g6260.exe 104 PID 2312 wrote to memory of 640 2312 g6260.exe 104 PID 640 wrote to memory of 924 640 802064.exe 105 PID 640 wrote to memory of 924 640 802064.exe 105 PID 640 wrote to memory of 924 640 802064.exe 105 PID 924 wrote to memory of 3484 924 5fxlxrf.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe"C:\Users\Admin\AppData\Local\Temp\b733597448e76221d528822d03274a483985ee17b09965a0f8a6dc1a981ad937.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\a2826.exec:\a2826.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\066066.exec:\066066.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\9bhbbb.exec:\9bhbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\vvjdv.exec:\vvjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\1jjjd.exec:\1jjjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\nhtttt.exec:\nhtttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\q62822.exec:\q62822.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\2060482.exec:\2060482.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\400866.exec:\400866.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\6620820.exec:\6620820.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\jpvvd.exec:\jpvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\bhnbtt.exec:\bhnbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\q62082.exec:\q62082.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\xllxlxx.exec:\xllxlxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\08640.exec:\08640.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\4260860.exec:\4260860.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\g4426.exec:\g4426.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\k42066.exec:\k42066.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\g6260.exec:\g6260.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\802064.exec:\802064.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\5fxlxrf.exec:\5fxlxrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\2066442.exec:\2066442.exe23⤵
- Executes dropped EXE
PID:3484 -
\??\c:\0620864.exec:\0620864.exe24⤵
- Executes dropped EXE
PID:3884 -
\??\c:\0264640.exec:\0264640.exe25⤵
- Executes dropped EXE
PID:3328 -
\??\c:\26642.exec:\26642.exe26⤵
- Executes dropped EXE
PID:2232 -
\??\c:\6686820.exec:\6686820.exe27⤵
- Executes dropped EXE
PID:1804 -
\??\c:\vjpjj.exec:\vjpjj.exe28⤵
- Executes dropped EXE
PID:556 -
\??\c:\pjpjd.exec:\pjpjd.exe29⤵
- Executes dropped EXE
PID:3300 -
\??\c:\nhtnnn.exec:\nhtnnn.exe30⤵
- Executes dropped EXE
PID:1672 -
\??\c:\nntttt.exec:\nntttt.exe31⤵
- Executes dropped EXE
PID:764 -
\??\c:\03xxlxx.exec:\03xxlxx.exe32⤵
- Executes dropped EXE
PID:1108 -
\??\c:\280444.exec:\280444.exe33⤵
- Executes dropped EXE
PID:2176 -
\??\c:\hbhnhn.exec:\hbhnhn.exe34⤵
- Executes dropped EXE
PID:3472 -
\??\c:\xlxrffx.exec:\xlxrffx.exe35⤵
- Executes dropped EXE
PID:2732 -
\??\c:\rlrlfrr.exec:\rlrlfrr.exe36⤵
- Executes dropped EXE
PID:1724 -
\??\c:\k00044.exec:\k00044.exe37⤵
- Executes dropped EXE
PID:1332 -
\??\c:\lfffxxr.exec:\lfffxxr.exe38⤵
- Executes dropped EXE
PID:4988 -
\??\c:\lxffxfx.exec:\lxffxfx.exe39⤵
- Executes dropped EXE
PID:3148 -
\??\c:\rlxrxrl.exec:\rlxrxrl.exe40⤵
- Executes dropped EXE
PID:712 -
\??\c:\864222.exec:\864222.exe41⤵
- Executes dropped EXE
PID:1840 -
\??\c:\26660.exec:\26660.exe42⤵
- Executes dropped EXE
PID:2420 -
\??\c:\s8440.exec:\s8440.exe43⤵
- Executes dropped EXE
PID:2080 -
\??\c:\q06040.exec:\q06040.exe44⤵
- Executes dropped EXE
PID:3552 -
\??\c:\64666.exec:\64666.exe45⤵
- Executes dropped EXE
PID:4292 -
\??\c:\9xrxrrx.exec:\9xrxrrx.exe46⤵
- Executes dropped EXE
PID:4900 -
\??\c:\22002.exec:\22002.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2244 -
\??\c:\268622.exec:\268622.exe48⤵
- Executes dropped EXE
PID:4824 -
\??\c:\8282828.exec:\8282828.exe49⤵
- Executes dropped EXE
PID:552 -
\??\c:\68006.exec:\68006.exe50⤵
- Executes dropped EXE
PID:5068 -
\??\c:\nhhbtt.exec:\nhhbtt.exe51⤵
- Executes dropped EXE
PID:2964 -
\??\c:\nnnnhh.exec:\nnnnhh.exe52⤵
- Executes dropped EXE
PID:1380 -
\??\c:\hhhbbt.exec:\hhhbbt.exe53⤵
- Executes dropped EXE
PID:4328 -
\??\c:\nbbbtt.exec:\nbbbtt.exe54⤵
- Executes dropped EXE
PID:5036 -
\??\c:\846004.exec:\846004.exe55⤵
- Executes dropped EXE
PID:2376 -
\??\c:\i420482.exec:\i420482.exe56⤵
- Executes dropped EXE
PID:4044 -
\??\c:\8000004.exec:\8000004.exe57⤵
- Executes dropped EXE
PID:3700 -
\??\c:\5bnbbn.exec:\5bnbbn.exe58⤵
- Executes dropped EXE
PID:1248 -
\??\c:\lfxfrxf.exec:\lfxfrxf.exe59⤵
- Executes dropped EXE
PID:3916 -
\??\c:\20884.exec:\20884.exe60⤵
- Executes dropped EXE
PID:212 -
\??\c:\c622000.exec:\c622000.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4756 -
\??\c:\48668.exec:\48668.exe62⤵
- Executes dropped EXE
PID:1264 -
\??\c:\8622046.exec:\8622046.exe63⤵
- Executes dropped EXE
PID:2524 -
\??\c:\c408822.exec:\c408822.exe64⤵
- Executes dropped EXE
PID:664 -
\??\c:\80288.exec:\80288.exe65⤵
- Executes dropped EXE
PID:1844 -
\??\c:\428822.exec:\428822.exe66⤵PID:5092
-
\??\c:\846240.exec:\846240.exe67⤵PID:3704
-
\??\c:\bttnnn.exec:\bttnnn.exe68⤵PID:3720
-
\??\c:\q28260.exec:\q28260.exe69⤵PID:5056
-
\??\c:\48626.exec:\48626.exe70⤵PID:3112
-
\??\c:\9lrlrrx.exec:\9lrlrrx.exe71⤵PID:1752
-
\??\c:\rxffxfx.exec:\rxffxfx.exe72⤵PID:4732
-
\??\c:\608844.exec:\608844.exe73⤵PID:3316
-
\??\c:\3hnnnn.exec:\3hnnnn.exe74⤵PID:2820
-
\??\c:\ddpdv.exec:\ddpdv.exe75⤵PID:2016
-
\??\c:\nhhbnn.exec:\nhhbnn.exe76⤵PID:4324
-
\??\c:\246048.exec:\246048.exe77⤵PID:1628
-
\??\c:\lrxlffx.exec:\lrxlffx.exe78⤵PID:1020
-
\??\c:\6648440.exec:\6648440.exe79⤵PID:3176
-
\??\c:\jvddv.exec:\jvddv.exe80⤵PID:4152
-
\??\c:\w62024.exec:\w62024.exe81⤵PID:3968
-
\??\c:\fxfxlll.exec:\fxfxlll.exe82⤵PID:4544
-
\??\c:\200268.exec:\200268.exe83⤵PID:1956
-
\??\c:\040864.exec:\040864.exe84⤵PID:1172
-
\??\c:\82826.exec:\82826.exe85⤵PID:5116
-
\??\c:\pdjpd.exec:\pdjpd.exe86⤵PID:3172
-
\??\c:\8444628.exec:\8444628.exe87⤵PID:1728
-
\??\c:\1xfxrxr.exec:\1xfxrxr.exe88⤵PID:832
-
\??\c:\fxlfllr.exec:\fxlfllr.exe89⤵PID:4100
-
\??\c:\xfllffx.exec:\xfllffx.exe90⤵PID:1136
-
\??\c:\pjddv.exec:\pjddv.exe91⤵PID:3928
-
\??\c:\046044.exec:\046044.exe92⤵PID:4548
-
\??\c:\4800448.exec:\4800448.exe93⤵PID:3472
-
\??\c:\4848226.exec:\4848226.exe94⤵PID:5108
-
\??\c:\e02668.exec:\e02668.exe95⤵PID:4444
-
\??\c:\8400888.exec:\8400888.exe96⤵PID:1332
-
\??\c:\jdppv.exec:\jdppv.exe97⤵PID:2408
-
\??\c:\4088226.exec:\4088226.exe98⤵PID:4176
-
\??\c:\tbnnhn.exec:\tbnnhn.exe99⤵PID:4428
-
\??\c:\nnnhhb.exec:\nnnhhb.exe100⤵PID:3520
-
\??\c:\dvjjp.exec:\dvjjp.exe101⤵PID:5100
-
\??\c:\rfffrrl.exec:\rfffrrl.exe102⤵PID:3988
-
\??\c:\68448.exec:\68448.exe103⤵PID:4352
-
\??\c:\rxfrfxl.exec:\rxfrfxl.exe104⤵PID:4688
-
\??\c:\tnnbtn.exec:\tnnbtn.exe105⤵PID:3080
-
\??\c:\lffxffr.exec:\lffxffr.exe106⤵PID:3532
-
\??\c:\60044.exec:\60044.exe107⤵PID:4944
-
\??\c:\btthnh.exec:\btthnh.exe108⤵PID:4824
-
\??\c:\00420.exec:\00420.exe109⤵PID:552
-
\??\c:\2408206.exec:\2408206.exe110⤵PID:5068
-
\??\c:\u848882.exec:\u848882.exe111⤵PID:2964
-
\??\c:\4048866.exec:\4048866.exe112⤵PID:1380
-
\??\c:\tnhtbb.exec:\tnhtbb.exe113⤵PID:4328
-
\??\c:\02486.exec:\02486.exe114⤵PID:5036
-
\??\c:\04660.exec:\04660.exe115⤵PID:3140
-
\??\c:\400422.exec:\400422.exe116⤵PID:4044
-
\??\c:\lrxrrrr.exec:\lrxrrrr.exe117⤵PID:3528
-
\??\c:\dvpjd.exec:\dvpjd.exe118⤵PID:436
-
\??\c:\28604.exec:\28604.exe119⤵PID:3508
-
\??\c:\48228.exec:\48228.exe120⤵PID:448
-
\??\c:\xffrfxr.exec:\xffrfxr.exe121⤵PID:4476
-
\??\c:\k62600.exec:\k62600.exe122⤵PID:3020