Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 09:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a474a395de4e37cf4578809426f6b3129cd3f87b4c51b601c7b02bad05ae5683N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
a474a395de4e37cf4578809426f6b3129cd3f87b4c51b601c7b02bad05ae5683N.exe
-
Size
456KB
-
MD5
9648ae7111ea1879ef32de44eafd5ca0
-
SHA1
e6251d50ee54b0b86ceb015d6ab3d0b6f13d4e2c
-
SHA256
a474a395de4e37cf4578809426f6b3129cd3f87b4c51b601c7b02bad05ae5683
-
SHA512
808bccc5fe38d2de0e8166add7fe658d8a8c16ff379acbda031b3dea2d9ccce788572a02eacbcccdcd19e729df61f8fb6c1d93538c86c58ad089091a254c8b45
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRi:q7Tc2NYHUrAwfMp3CDRi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2012-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4352-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2444-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-766-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-829-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-1083-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-1111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2352-1940-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5060 7dvpd.exe 2228 2086820.exe 4864 pdjdv.exe 4872 8466444.exe 3564 hntnhb.exe 5028 260426.exe 2656 bntnbt.exe 2444 a2648.exe 2124 666426.exe 1028 q44448.exe 1360 jjjpd.exe 4968 26402.exe 3432 026420.exe 1824 40482.exe 4420 xrfrxrl.exe 1156 rrrlfxl.exe 2332 flfxllx.exe 816 402044.exe 4800 e60442.exe 4404 5hhthb.exe 5040 vppdd.exe 4624 jdjdd.exe 3604 848282.exe 2460 hbthtn.exe 1776 c220848.exe 2172 444260.exe 1868 0826486.exe 2192 024400.exe 4024 824886.exe 3784 tnhbhh.exe 2136 0008260.exe 4212 w00826.exe 4044 a4266.exe 2760 3hhthh.exe 4036 xflxlrl.exe 4652 ttthnh.exe 848 002226.exe 2672 e24262.exe 4148 k80044.exe 2684 08888.exe 4528 822266.exe 4576 e20246.exe 2584 48222.exe 1044 bbnhbb.exe 2376 84660.exe 4352 nthnhh.exe 720 028266.exe 628 8882666.exe 4276 tnttbb.exe 3820 3thbtt.exe 1184 686600.exe 2736 9ffxrrr.exe 532 c848226.exe 4784 8400000.exe 3588 84060.exe 5028 48848.exe 724 8260488.exe 4608 xfrfxlx.exe 1656 9bntnt.exe 436 c466284.exe 1360 4622622.exe 4968 i824006.exe 1480 5tbbhn.exe 4664 vddvp.exe -
resource yara_rule behavioral2/memory/2012-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-214-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/848-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-367-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4040-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-779-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-911-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-1083-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i060660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 666426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnht.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2244444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6262248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2012 wrote to memory of 5060 2012 a474a395de4e37cf4578809426f6b3129cd3f87b4c51b601c7b02bad05ae5683N.exe 83 PID 2012 wrote to memory of 5060 2012 a474a395de4e37cf4578809426f6b3129cd3f87b4c51b601c7b02bad05ae5683N.exe 83 PID 2012 wrote to memory of 5060 2012 a474a395de4e37cf4578809426f6b3129cd3f87b4c51b601c7b02bad05ae5683N.exe 83 PID 5060 wrote to memory of 2228 5060 7dvpd.exe 84 PID 5060 wrote to memory of 2228 5060 7dvpd.exe 84 PID 5060 wrote to memory of 2228 5060 7dvpd.exe 84 PID 2228 wrote to memory of 4864 2228 2086820.exe 85 PID 2228 wrote to memory of 4864 2228 2086820.exe 85 PID 2228 wrote to memory of 4864 2228 2086820.exe 85 PID 4864 wrote to memory of 4872 4864 pdjdv.exe 86 PID 4864 wrote to memory of 4872 4864 pdjdv.exe 86 PID 4864 wrote to memory of 4872 4864 pdjdv.exe 86 PID 4872 wrote to memory of 3564 4872 8466444.exe 87 PID 4872 wrote to memory of 3564 4872 8466444.exe 87 PID 4872 wrote to memory of 3564 4872 8466444.exe 87 PID 3564 wrote to memory of 5028 3564 hntnhb.exe 88 PID 3564 wrote to memory of 5028 3564 hntnhb.exe 88 PID 3564 wrote to memory of 5028 3564 hntnhb.exe 88 PID 5028 wrote to memory of 2656 5028 260426.exe 89 PID 5028 wrote to memory of 2656 5028 260426.exe 89 PID 5028 wrote to memory of 2656 5028 260426.exe 89 PID 2656 wrote to memory of 2444 2656 bntnbt.exe 90 PID 2656 wrote to memory of 2444 2656 bntnbt.exe 90 PID 2656 wrote to memory of 2444 2656 bntnbt.exe 90 PID 2444 wrote to memory of 2124 2444 a2648.exe 91 PID 2444 wrote to memory of 2124 2444 a2648.exe 91 PID 2444 wrote to memory of 2124 2444 a2648.exe 91 PID 2124 wrote to memory of 1028 2124 666426.exe 92 PID 2124 wrote to memory of 1028 2124 666426.exe 92 PID 2124 wrote to memory of 1028 2124 666426.exe 92 PID 1028 wrote to memory of 1360 1028 q44448.exe 93 PID 1028 wrote to memory of 1360 1028 q44448.exe 93 PID 1028 wrote to memory of 1360 1028 q44448.exe 93 PID 1360 wrote to memory of 4968 1360 jjjpd.exe 94 PID 1360 wrote to 
memory of 4968 1360 jjjpd.exe 94 PID 1360 wrote to memory of 4968 1360 jjjpd.exe 94 PID 4968 wrote to memory of 3432 4968 26402.exe 95 PID 4968 wrote to memory of 3432 4968 26402.exe 95 PID 4968 wrote to memory of 3432 4968 26402.exe 95 PID 3432 wrote to memory of 1824 3432 026420.exe 96 PID 3432 wrote to memory of 1824 3432 026420.exe 96 PID 3432 wrote to memory of 1824 3432 026420.exe 96 PID 1824 wrote to memory of 4420 1824 40482.exe 97 PID 1824 wrote to memory of 4420 1824 40482.exe 97 PID 1824 wrote to memory of 4420 1824 40482.exe 97 PID 4420 wrote to memory of 1156 4420 xrfrxrl.exe 98 PID 4420 wrote to memory of 1156 4420 xrfrxrl.exe 98 PID 4420 wrote to memory of 1156 4420 xrfrxrl.exe 98 PID 1156 wrote to memory of 2332 1156 rrrlfxl.exe 99 PID 1156 wrote to memory of 2332 1156 rrrlfxl.exe 99 PID 1156 wrote to memory of 2332 1156 rrrlfxl.exe 99 PID 2332 wrote to memory of 816 2332 flfxllx.exe 100 PID 2332 wrote to memory of 816 2332 flfxllx.exe 100 PID 2332 wrote to memory of 816 2332 flfxllx.exe 100 PID 816 wrote to memory of 4800 816 402044.exe 101 PID 816 wrote to memory of 4800 816 402044.exe 101 PID 816 wrote to memory of 4800 816 402044.exe 101 PID 4800 wrote to memory of 4404 4800 e60442.exe 102 PID 4800 wrote to memory of 4404 4800 e60442.exe 102 PID 4800 wrote to memory of 4404 4800 e60442.exe 102 PID 4404 wrote to memory of 5040 4404 5hhthb.exe 103 PID 4404 wrote to memory of 5040 4404 5hhthb.exe 103 PID 4404 wrote to memory of 5040 4404 5hhthb.exe 103 PID 5040 wrote to memory of 4624 5040 vppdd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a474a395de4e37cf4578809426f6b3129cd3f87b4c51b601c7b02bad05ae5683N.exe"C:\Users\Admin\AppData\Local\Temp\a474a395de4e37cf4578809426f6b3129cd3f87b4c51b601c7b02bad05ae5683N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\7dvpd.exec:\7dvpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\2086820.exec:\2086820.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\pdjdv.exec:\pdjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\8466444.exec:\8466444.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\hntnhb.exec:\hntnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\260426.exec:\260426.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\bntnbt.exec:\bntnbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\a2648.exec:\a2648.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\666426.exec:\666426.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\q44448.exec:\q44448.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\jjjpd.exec:\jjjpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\26402.exec:\26402.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\026420.exec:\026420.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\40482.exec:\40482.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\xrfrxrl.exec:\xrfrxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\rrrlfxl.exec:\rrrlfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\flfxllx.exec:\flfxllx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\402044.exec:\402044.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\e60442.exec:\e60442.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\5hhthb.exec:\5hhthb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\vppdd.exec:\vppdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\jdjdd.exec:\jdjdd.exe23⤵
- Executes dropped EXE
PID:4624 -
\??\c:\848282.exec:\848282.exe24⤵
- Executes dropped EXE
PID:3604 -
\??\c:\hbthtn.exec:\hbthtn.exe25⤵
- Executes dropped EXE
PID:2460 -
\??\c:\c220848.exec:\c220848.exe26⤵
- Executes dropped EXE
PID:1776 -
\??\c:\444260.exec:\444260.exe27⤵
- Executes dropped EXE
PID:2172 -
\??\c:\0826486.exec:\0826486.exe28⤵
- Executes dropped EXE
PID:1868 -
\??\c:\024400.exec:\024400.exe29⤵
- Executes dropped EXE
PID:2192 -
\??\c:\824886.exec:\824886.exe30⤵
- Executes dropped EXE
PID:4024 -
\??\c:\tnhbhh.exec:\tnhbhh.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3784 -
\??\c:\0008260.exec:\0008260.exe32⤵
- Executes dropped EXE
PID:2136 -
\??\c:\w00826.exec:\w00826.exe33⤵
- Executes dropped EXE
PID:4212 -
\??\c:\a4266.exec:\a4266.exe34⤵
- Executes dropped EXE
PID:4044 -
\??\c:\3hhthh.exec:\3hhthh.exe35⤵
- Executes dropped EXE
PID:2760 -
\??\c:\xflxlrl.exec:\xflxlrl.exe36⤵
- Executes dropped EXE
PID:4036 -
\??\c:\ttthnh.exec:\ttthnh.exe37⤵
- Executes dropped EXE
PID:4652 -
\??\c:\002226.exec:\002226.exe38⤵
- Executes dropped EXE
PID:848 -
\??\c:\e24262.exec:\e24262.exe39⤵
- Executes dropped EXE
PID:2672 -
\??\c:\k80044.exec:\k80044.exe40⤵
- Executes dropped EXE
PID:4148 -
\??\c:\08888.exec:\08888.exe41⤵
- Executes dropped EXE
PID:2684 -
\??\c:\822266.exec:\822266.exe42⤵
- Executes dropped EXE
PID:4528 -
\??\c:\e20246.exec:\e20246.exe43⤵
- Executes dropped EXE
PID:4576 -
\??\c:\48222.exec:\48222.exe44⤵
- Executes dropped EXE
PID:2584 -
\??\c:\bbnhbb.exec:\bbnhbb.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1044 -
\??\c:\84660.exec:\84660.exe46⤵
- Executes dropped EXE
PID:2376 -
\??\c:\nthnhh.exec:\nthnhh.exe47⤵
- Executes dropped EXE
PID:4352 -
\??\c:\028266.exec:\028266.exe48⤵
- Executes dropped EXE
PID:720 -
\??\c:\8882666.exec:\8882666.exe49⤵
- Executes dropped EXE
PID:628 -
\??\c:\tnttbb.exec:\tnttbb.exe50⤵
- Executes dropped EXE
PID:4276 -
\??\c:\3thbtt.exec:\3thbtt.exe51⤵
- Executes dropped EXE
PID:3820 -
\??\c:\686600.exec:\686600.exe52⤵
- Executes dropped EXE
PID:1184 -
\??\c:\9ffxrrr.exec:\9ffxrrr.exe53⤵
- Executes dropped EXE
PID:2736 -
\??\c:\c848226.exec:\c848226.exe54⤵
- Executes dropped EXE
PID:532 -
\??\c:\8400000.exec:\8400000.exe55⤵
- Executes dropped EXE
PID:4784 -
\??\c:\84060.exec:\84060.exe56⤵
- Executes dropped EXE
PID:3588 -
\??\c:\48848.exec:\48848.exe57⤵
- Executes dropped EXE
PID:5028 -
\??\c:\8260488.exec:\8260488.exe58⤵
- Executes dropped EXE
PID:724 -
\??\c:\xfrfxlx.exec:\xfrfxlx.exe59⤵
- Executes dropped EXE
PID:4608 -
\??\c:\9bntnt.exec:\9bntnt.exe60⤵
- Executes dropped EXE
PID:1656 -
\??\c:\c466284.exec:\c466284.exe61⤵
- Executes dropped EXE
PID:436 -
\??\c:\4622622.exec:\4622622.exe62⤵
- Executes dropped EXE
PID:1360 -
\??\c:\i824006.exec:\i824006.exe63⤵
- Executes dropped EXE
PID:4968 -
\??\c:\5tbbhn.exec:\5tbbhn.exe64⤵
- Executes dropped EXE
PID:1480 -
\??\c:\vddvp.exec:\vddvp.exe65⤵
- Executes dropped EXE
PID:4664 -
\??\c:\06226.exec:\06226.exe66⤵PID:448
-
\??\c:\rxfxrxr.exec:\rxfxrxr.exe67⤵PID:3628
-
\??\c:\rflflxr.exec:\rflflxr.exe68⤵PID:2600
-
\??\c:\dpddp.exec:\dpddp.exe69⤵PID:3368
-
\??\c:\0288288.exec:\0288288.exe70⤵PID:3892
-
\??\c:\hhnhhn.exec:\hhnhhn.exe71⤵PID:4068
-
\??\c:\c622660.exec:\c622660.exe72⤵PID:4092
-
\??\c:\xxxxxxf.exec:\xxxxxxf.exe73⤵PID:3136
-
\??\c:\jvdvd.exec:\jvdvd.exe74⤵PID:2176
-
\??\c:\1nnnhn.exec:\1nnnhn.exe75⤵PID:2920
-
\??\c:\m0222.exec:\m0222.exe76⤵PID:4520
-
\??\c:\82224.exec:\82224.exe77⤵PID:1964
-
\??\c:\6882448.exec:\6882448.exe78⤵PID:3964
-
\??\c:\g4482.exec:\g4482.exe79⤵PID:2756
-
\??\c:\rflfxxf.exec:\rflfxxf.exe80⤵PID:2664
-
\??\c:\fxlfxlr.exec:\fxlfxlr.exe81⤵PID:2136
-
\??\c:\26448.exec:\26448.exe82⤵PID:4212
-
\??\c:\btnhnt.exec:\btnhnt.exe83⤵PID:616
-
\??\c:\vjjvd.exec:\vjjvd.exe84⤵PID:2760
-
\??\c:\q44826.exec:\q44826.exe85⤵PID:3540
-
\??\c:\xlxlxxr.exec:\xlxlxxr.exe86⤵PID:2612
-
\??\c:\3rfxrlx.exec:\3rfxrlx.exe87⤵PID:4040
-
\??\c:\64860.exec:\64860.exe88⤵PID:3288
-
\??\c:\0224848.exec:\0224848.exe89⤵PID:1544
-
\??\c:\a8048.exec:\a8048.exe90⤵PID:4528
-
\??\c:\0846402.exec:\0846402.exe91⤵PID:768
-
\??\c:\00200.exec:\00200.exe92⤵PID:3592
-
\??\c:\nnbthb.exec:\nnbthb.exe93⤵PID:2376
-
\??\c:\vjjvp.exec:\vjjvp.exe94⤵PID:1612
-
\??\c:\868826.exec:\868826.exe95⤵PID:4792
-
\??\c:\tnhbtn.exec:\tnhbtn.exe96⤵PID:4276
-
\??\c:\9hnbbb.exec:\9hnbbb.exe97⤵PID:1888
-
\??\c:\448200.exec:\448200.exe98⤵PID:2504
-
\??\c:\thhtnn.exec:\thhtnn.exe99⤵PID:4220
-
\??\c:\28486.exec:\28486.exe100⤵PID:532
-
\??\c:\60448.exec:\60448.exe101⤵PID:2308
-
\??\c:\46068.exec:\46068.exe102⤵PID:4132
-
\??\c:\i448260.exec:\i448260.exe103⤵PID:5068
-
\??\c:\46448.exec:\46448.exe104⤵PID:4816
-
\??\c:\7xrrrff.exec:\7xrrrff.exe105⤵PID:4884
-
\??\c:\e80888.exec:\e80888.exe106⤵PID:4608
-
\??\c:\3hbnnh.exec:\3hbnnh.exe107⤵PID:1656
-
\??\c:\s8264.exec:\s8264.exe108⤵PID:2616
-
\??\c:\28004.exec:\28004.exe109⤵PID:956
-
\??\c:\22848.exec:\22848.exe110⤵PID:4008
-
\??\c:\k02264.exec:\k02264.exe111⤵PID:4664
-
\??\c:\q28660.exec:\q28660.exe112⤵PID:448
-
\??\c:\pddjp.exec:\pddjp.exe113⤵PID:744
-
\??\c:\42208.exec:\42208.exe114⤵PID:4472
-
\??\c:\440860.exec:\440860.exe115⤵PID:4940
-
\??\c:\bhnnbt.exec:\bhnnbt.exe116⤵PID:4876
-
\??\c:\44860.exec:\44860.exe117⤵PID:4844
-
\??\c:\284800.exec:\284800.exe118⤵PID:5096
-
\??\c:\860826.exec:\860826.exe119⤵PID:4832
-
\??\c:\jddvd.exec:\jddvd.exe120⤵PID:2368
-
\??\c:\426480.exec:\426480.exe121⤵
- System Location Discovery: System Language Discovery
PID:3136 -
\??\c:\5hhbnh.exec:\5hhbnh.exe122⤵PID:4316