Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 07:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe
-
Size
456KB
-
MD5
8f178be0ca9f752e558bd8b9d85b64a0
-
SHA1
47d9337a31b23dae5f5f2ffe9fa700b13a82ab9f
-
SHA256
071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51
-
SHA512
eaab9f75dce5cf924748dd3e5a908272adddd1db731b8ff67e9f227df233dc5feadfb642807ffc7900b23b7b9081d90940419d40c7f359b88046bb2fe31d9a41
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3400-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4628-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4080-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-874-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-1090-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-1250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-1347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-1525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3700-1779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2712 6048484.exe 4604 htnhbb.exe 2552 22860.exe 2024 djpjd.exe 4712 2048260.exe 4408 84404.exe 244 xllfxff.exe 632 0482222.exe 2392 lllrlrl.exe 4548 28482.exe 2320 5jjpj.exe 2992 tnbtnb.exe 2936 llxrrrl.exe 2540 2840626.exe 2888 dddvp.exe 4808 828240.exe 2116 pjjdv.exe 4904 hthttt.exe 3928 204488.exe 2716 xrrlffx.exe 3828 864404.exe 4536 0462660.exe 1152 jjpjv.exe 232 btbbtt.exe 1008 w62200.exe 5040 7rlfffx.exe 2904 btthbb.exe 4740 464482.exe 3076 ppddj.exe 2836 g2426.exe 3556 dppjv.exe 4628 vjppp.exe 2016 2286042.exe 3708 w28220.exe 724 44200.exe 1240 088260.exe 3168 8420488.exe 2340 xrrlxrl.exe 5008 66622.exe 3720 4020044.exe 1388 bnttnn.exe 2564 djpjj.exe 2752 pvvpj.exe 432 608400.exe 4456 thnbtb.exe 3596 btthtt.exe 3696 082600.exe 3468 868882.exe 2040 86822.exe 808 w88822.exe 3132 httnbt.exe 228 rlfrrll.exe 2112 046644.exe 4576 tnhhtn.exe 1036 pvdvj.exe 708 lffxlff.exe 3884 3nthnh.exe 3948 ppdvp.exe 4564 46426.exe 3712 pjjdv.exe 2276 8048604.exe 2912 pjvpp.exe 4120 nnnbnn.exe 3868 0860222.exe -
resource yara_rule behavioral2/memory/3400-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/808-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-352-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4536-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-1025-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-1086-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-1090-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-1250-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0448266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o282060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e44422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6682004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e22620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 026020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6006060.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3400 wrote to memory of 2712 3400 071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe 83 PID 3400 wrote to memory of 2712 3400 071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe 83 PID 3400 wrote to memory of 2712 3400 071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe 83 PID 2712 wrote to memory of 4604 2712 6048484.exe 84 PID 2712 wrote to memory of 4604 2712 6048484.exe 84 PID 2712 wrote to memory of 4604 2712 6048484.exe 84 PID 4604 wrote to memory of 2552 4604 htnhbb.exe 85 PID 4604 wrote to memory of 2552 4604 htnhbb.exe 85 PID 4604 wrote to memory of 2552 4604 htnhbb.exe 85 PID 2552 wrote to memory of 2024 2552 22860.exe 86 PID 2552 wrote to memory of 2024 2552 22860.exe 86 PID 2552 wrote to memory of 2024 2552 22860.exe 86 PID 2024 wrote to memory of 4712 2024 djpjd.exe 87 PID 2024 wrote to memory of 4712 2024 djpjd.exe 87 PID 2024 wrote to memory of 4712 2024 djpjd.exe 87 PID 4712 wrote to memory of 4408 4712 2048260.exe 88 PID 4712 wrote to memory of 4408 4712 2048260.exe 88 PID 4712 wrote to memory of 4408 4712 2048260.exe 88 PID 4408 wrote to memory of 244 4408 84404.exe 89 PID 4408 wrote to memory of 244 4408 84404.exe 89 PID 4408 wrote to memory of 244 4408 84404.exe 89 PID 244 wrote to memory of 632 244 xllfxff.exe 90 PID 244 wrote to memory of 632 244 xllfxff.exe 90 PID 244 wrote to memory of 632 244 xllfxff.exe 90 PID 632 wrote to memory of 2392 632 0482222.exe 91 PID 632 wrote to memory of 2392 632 0482222.exe 91 PID 632 wrote to memory of 2392 632 0482222.exe 91 PID 2392 wrote to memory of 4548 2392 lllrlrl.exe 92 PID 2392 wrote to memory of 4548 2392 lllrlrl.exe 92 PID 2392 wrote to memory of 4548 2392 lllrlrl.exe 92 PID 4548 wrote to memory of 2320 4548 28482.exe 93 PID 4548 wrote to memory of 2320 4548 28482.exe 93 PID 4548 wrote to memory of 2320 4548 28482.exe 93 PID 2320 wrote to memory of 2992 2320 5jjpj.exe 94 PID 2320 wrote to memory of 2992 
2320 5jjpj.exe 94 PID 2320 wrote to memory of 2992 2320 5jjpj.exe 94 PID 2992 wrote to memory of 2936 2992 tnbtnb.exe 95 PID 2992 wrote to memory of 2936 2992 tnbtnb.exe 95 PID 2992 wrote to memory of 2936 2992 tnbtnb.exe 95 PID 2936 wrote to memory of 2540 2936 llxrrrl.exe 96 PID 2936 wrote to memory of 2540 2936 llxrrrl.exe 96 PID 2936 wrote to memory of 2540 2936 llxrrrl.exe 96 PID 2540 wrote to memory of 2888 2540 2840626.exe 97 PID 2540 wrote to memory of 2888 2540 2840626.exe 97 PID 2540 wrote to memory of 2888 2540 2840626.exe 97 PID 2888 wrote to memory of 4808 2888 dddvp.exe 98 PID 2888 wrote to memory of 4808 2888 dddvp.exe 98 PID 2888 wrote to memory of 4808 2888 dddvp.exe 98 PID 4808 wrote to memory of 2116 4808 828240.exe 99 PID 4808 wrote to memory of 2116 4808 828240.exe 99 PID 4808 wrote to memory of 2116 4808 828240.exe 99 PID 2116 wrote to memory of 4904 2116 pjjdv.exe 100 PID 2116 wrote to memory of 4904 2116 pjjdv.exe 100 PID 2116 wrote to memory of 4904 2116 pjjdv.exe 100 PID 4904 wrote to memory of 3928 4904 hthttt.exe 101 PID 4904 wrote to memory of 3928 4904 hthttt.exe 101 PID 4904 wrote to memory of 3928 4904 hthttt.exe 101 PID 3928 wrote to memory of 2716 3928 204488.exe 102 PID 3928 wrote to memory of 2716 3928 204488.exe 102 PID 3928 wrote to memory of 2716 3928 204488.exe 102 PID 2716 wrote to memory of 3828 2716 xrrlffx.exe 103 PID 2716 wrote to memory of 3828 2716 xrrlffx.exe 103 PID 2716 wrote to memory of 3828 2716 xrrlffx.exe 103 PID 3828 wrote to memory of 4536 3828 864404.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe"C:\Users\Admin\AppData\Local\Temp\071cdcb23fab9c80ceca53ad879630159ec9c9386e4e69acbda99e5355629e51.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\6048484.exec:\6048484.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\htnhbb.exec:\htnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\22860.exec:\22860.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\djpjd.exec:\djpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\2048260.exec:\2048260.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\84404.exec:\84404.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\xllfxff.exec:\xllfxff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\0482222.exec:\0482222.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\lllrlrl.exec:\lllrlrl.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\28482.exec:\28482.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\5jjpj.exec:\5jjpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\tnbtnb.exec:\tnbtnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\llxrrrl.exec:\llxrrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\2840626.exec:\2840626.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\dddvp.exec:\dddvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\828240.exec:\828240.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\pjjdv.exec:\pjjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\hthttt.exec:\hthttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\204488.exec:\204488.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\xrrlffx.exec:\xrrlffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\864404.exec:\864404.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\0462660.exec:\0462660.exe23⤵
- Executes dropped EXE
PID:4536 -
\??\c:\jjpjv.exec:\jjpjv.exe24⤵
- Executes dropped EXE
PID:1152 -
\??\c:\btbbtt.exec:\btbbtt.exe25⤵
- Executes dropped EXE
PID:232 -
\??\c:\w62200.exec:\w62200.exe26⤵
- Executes dropped EXE
PID:1008 -
\??\c:\7rlfffx.exec:\7rlfffx.exe27⤵
- Executes dropped EXE
PID:5040 -
\??\c:\btthbb.exec:\btthbb.exe28⤵
- Executes dropped EXE
PID:2904 -
\??\c:\464482.exec:\464482.exe29⤵
- Executes dropped EXE
PID:4740 -
\??\c:\ppddj.exec:\ppddj.exe30⤵
- Executes dropped EXE
PID:3076 -
\??\c:\g2426.exec:\g2426.exe31⤵
- Executes dropped EXE
PID:2836 -
\??\c:\dppjv.exec:\dppjv.exe32⤵
- Executes dropped EXE
PID:3556 -
\??\c:\vjppp.exec:\vjppp.exe33⤵
- Executes dropped EXE
PID:4628 -
\??\c:\2286042.exec:\2286042.exe34⤵
- Executes dropped EXE
PID:2016 -
\??\c:\w28220.exec:\w28220.exe35⤵
- Executes dropped EXE
PID:3708 -
\??\c:\44200.exec:\44200.exe36⤵
- Executes dropped EXE
PID:724 -
\??\c:\088260.exec:\088260.exe37⤵
- Executes dropped EXE
PID:1240 -
\??\c:\8420488.exec:\8420488.exe38⤵
- Executes dropped EXE
PID:3168 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe39⤵
- Executes dropped EXE
PID:2340 -
\??\c:\66622.exec:\66622.exe40⤵
- Executes dropped EXE
PID:5008 -
\??\c:\4020044.exec:\4020044.exe41⤵
- Executes dropped EXE
PID:3720 -
\??\c:\bnttnn.exec:\bnttnn.exe42⤵
- Executes dropped EXE
PID:1388 -
\??\c:\djpjj.exec:\djpjj.exe43⤵
- Executes dropped EXE
PID:2564 -
\??\c:\pvvpj.exec:\pvvpj.exe44⤵
- Executes dropped EXE
PID:2752 -
\??\c:\608400.exec:\608400.exe45⤵
- Executes dropped EXE
PID:432 -
\??\c:\thnbtb.exec:\thnbtb.exe46⤵
- Executes dropped EXE
PID:4456 -
\??\c:\btthtt.exec:\btthtt.exe47⤵
- Executes dropped EXE
PID:3596 -
\??\c:\082600.exec:\082600.exe48⤵
- Executes dropped EXE
PID:3696 -
\??\c:\868882.exec:\868882.exe49⤵
- Executes dropped EXE
PID:3468 -
\??\c:\86822.exec:\86822.exe50⤵
- Executes dropped EXE
PID:2040 -
\??\c:\w88822.exec:\w88822.exe51⤵
- Executes dropped EXE
PID:808 -
\??\c:\httnbt.exec:\httnbt.exe52⤵
- Executes dropped EXE
PID:3132 -
\??\c:\rlfrrll.exec:\rlfrrll.exe53⤵
- Executes dropped EXE
PID:228 -
\??\c:\046644.exec:\046644.exe54⤵
- Executes dropped EXE
PID:2112 -
\??\c:\tnhhtn.exec:\tnhhtn.exe55⤵
- Executes dropped EXE
PID:4576 -
\??\c:\pvdvj.exec:\pvdvj.exe56⤵
- Executes dropped EXE
PID:1036 -
\??\c:\lffxlff.exec:\lffxlff.exe57⤵
- Executes dropped EXE
PID:708 -
\??\c:\3nthnh.exec:\3nthnh.exe58⤵
- Executes dropped EXE
PID:3884 -
\??\c:\ppdvp.exec:\ppdvp.exe59⤵
- Executes dropped EXE
PID:3948 -
\??\c:\46426.exec:\46426.exe60⤵
- Executes dropped EXE
PID:4564 -
\??\c:\pjjdv.exec:\pjjdv.exe61⤵
- Executes dropped EXE
PID:3712 -
\??\c:\8048604.exec:\8048604.exe62⤵
- Executes dropped EXE
PID:2276 -
\??\c:\pjvpp.exec:\pjvpp.exe63⤵
- Executes dropped EXE
PID:2912 -
\??\c:\nnnbnn.exec:\nnnbnn.exe64⤵
- Executes dropped EXE
PID:4120 -
\??\c:\0860222.exec:\0860222.exe65⤵
- Executes dropped EXE
PID:3868 -
\??\c:\vjdvp.exec:\vjdvp.exe66⤵PID:4080
-
\??\c:\rrxxxxf.exec:\rrxxxxf.exe67⤵PID:1600
-
\??\c:\6006060.exec:\6006060.exe68⤵
- System Location Discovery: System Language Discovery
PID:2860 -
\??\c:\pddvv.exec:\pddvv.exe69⤵PID:2684
-
\??\c:\8248828.exec:\8248828.exe70⤵PID:2328
-
\??\c:\880422.exec:\880422.exe71⤵PID:2796
-
\??\c:\88886.exec:\88886.exe72⤵PID:3580
-
\??\c:\dvpjv.exec:\dvpjv.exe73⤵PID:3452
-
\??\c:\pvjdv.exec:\pvjdv.exe74⤵PID:3112
-
\??\c:\1bbthb.exec:\1bbthb.exe75⤵PID:2976
-
\??\c:\3hbnbb.exec:\3hbnbb.exe76⤵PID:5084
-
\??\c:\rffxxlf.exec:\rffxxlf.exe77⤵PID:4808
-
\??\c:\402644.exec:\402644.exe78⤵PID:764
-
\??\c:\6864882.exec:\6864882.exe79⤵PID:1536
-
\??\c:\840482.exec:\840482.exe80⤵PID:2716
-
\??\c:\xflxrlf.exec:\xflxrlf.exe81⤵PID:2200
-
\??\c:\lrxrffr.exec:\lrxrffr.exe82⤵PID:4536
-
\??\c:\1xfxffl.exec:\1xfxffl.exe83⤵PID:780
-
\??\c:\fxfrlfx.exec:\fxfrlfx.exe84⤵PID:1632
-
\??\c:\2066004.exec:\2066004.exe85⤵PID:5040
-
\??\c:\202044.exec:\202044.exe86⤵PID:2524
-
\??\c:\lflfxfx.exec:\lflfxfx.exe87⤵PID:408
-
\??\c:\lxlflfl.exec:\lxlflfl.exe88⤵PID:4244
-
\??\c:\82604.exec:\82604.exe89⤵PID:1500
-
\??\c:\dddvd.exec:\dddvd.exe90⤵PID:112
-
\??\c:\e84860.exec:\e84860.exe91⤵PID:4572
-
\??\c:\nhhthh.exec:\nhhthh.exe92⤵PID:2016
-
\??\c:\bnnnbh.exec:\bnnnbh.exe93⤵PID:952
-
\??\c:\dvpjd.exec:\dvpjd.exe94⤵PID:1068
-
\??\c:\868882.exec:\868882.exe95⤵PID:1240
-
\??\c:\rlllfff.exec:\rlllfff.exe96⤵PID:4624
-
\??\c:\428600.exec:\428600.exe97⤵PID:4692
-
\??\c:\44048.exec:\44048.exe98⤵PID:2784
-
\??\c:\o226448.exec:\o226448.exe99⤵PID:4928
-
\??\c:\5jpjv.exec:\5jpjv.exe100⤵PID:2140
-
\??\c:\622644.exec:\622644.exe101⤵PID:4076
-
\??\c:\5ddpj.exec:\5ddpj.exe102⤵PID:4324
-
\??\c:\8488822.exec:\8488822.exe103⤵PID:432
-
\??\c:\8604260.exec:\8604260.exe104⤵PID:2220
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe105⤵PID:4888
-
\??\c:\66864.exec:\66864.exe106⤵PID:2136
-
\??\c:\hnnhbb.exec:\hnnhbb.exe107⤵PID:3172
-
\??\c:\8664648.exec:\8664648.exe108⤵PID:2640
-
\??\c:\flrfrfr.exec:\flrfrfr.exe109⤵PID:5000
-
\??\c:\9fffxrr.exec:\9fffxrr.exe110⤵PID:4860
-
\??\c:\82820.exec:\82820.exe111⤵PID:1148
-
\??\c:\c042486.exec:\c042486.exe112⤵PID:2440
-
\??\c:\42860.exec:\42860.exe113⤵PID:4672
-
\??\c:\rfrrxrx.exec:\rfrrxrx.exe114⤵PID:2100
-
\??\c:\vjdjv.exec:\vjdjv.exe115⤵PID:2472
-
\??\c:\lxfrfxr.exec:\lxfrfxr.exe116⤵PID:4544
-
\??\c:\5vjvp.exec:\5vjvp.exe117⤵PID:1764
-
\??\c:\2060444.exec:\2060444.exe118⤵PID:4576
-
\??\c:\jvjdv.exec:\jvjdv.exe119⤵PID:1648
-
\??\c:\rxrflff.exec:\rxrflff.exe120⤵PID:4136
-
\??\c:\0260820.exec:\0260820.exe121⤵PID:5080
-
\??\c:\266048.exec:\266048.exe122⤵PID:3216