Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 10:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe
-
Size
454KB
-
MD5
3e63920f65e02eeda6e3fb37d9ce7930
-
SHA1
047d1f29d261976cf92c50d29146f8f38d9e4ac0
-
SHA256
de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974
-
SHA512
a3bc8b732ce1021eb546a333e2cce966c6f7ba27b84f7cd03cd8743c869ff216b28add77ee1992cc317a416e7fb5337adce26a9d28dc2ac2b8fd8576696df35a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4060-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3920-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2280-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-941-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4124-1092-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2472 280222.exe 2192 u620442.exe 4232 5jpjd.exe 2852 bbbbtb.exe 3036 nttnhh.exe 1488 8282622.exe 1664 6000606.exe 3140 jvvvp.exe 3292 frxrrrl.exe 3052 462044.exe 1412 bntnnh.exe 2572 44482.exe 2280 068600.exe 3668 6404882.exe 1984 04460.exe 3396 246004.exe 2024 64048.exe 1720 e80404.exe 3856 nnnhhb.exe 1052 628264.exe 3760 44820.exe 2084 420882.exe 2620 7rfrlll.exe 4156 thnnhh.exe 3448 608222.exe 4920 20604.exe 1064 m4082.exe 4128 ttttnh.exe 4988 tbnhbh.exe 208 8020482.exe 3948 4626004.exe 1812 thnnnn.exe 4416 88482.exe 3560 vdjdv.exe 1672 662600.exe 2968 9hnhbb.exe 3520 o026482.exe 4316 2404826.exe 3592 tnhbtt.exe 2680 8666822.exe 3388 0464282.exe 2388 6026004.exe 1644 046488.exe 1776 jddvv.exe 2040 8648226.exe 4468 48826.exe 3192 262844.exe 2716 tnbttn.exe 3092 nhhbnn.exe 4644 llxlfxr.exe 4052 9htntt.exe 3920 60822.exe 2196 06426.exe 4436 lffllff.exe 368 0060882.exe 4828 04086.exe 4808 lxxxrrr.exe 2728 888484.exe 2700 828606.exe 1448 btnhbh.exe 1316 48006.exe 772 66864.exe 3996 0448226.exe 2228 s4048.exe -
resource yara_rule behavioral2/memory/4060-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-258-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4052-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-361-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3644-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-695-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0882604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0626060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e06060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0886442.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6406286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q88042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w88888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nththn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4060 wrote to memory of 2472 4060 de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe 83 PID 4060 wrote to memory of 2472 4060 de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe 83 PID 4060 wrote to memory of 2472 4060 de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe 83 PID 2472 wrote to memory of 2192 2472 280222.exe 84 PID 2472 wrote to memory of 2192 2472 280222.exe 84 PID 2472 wrote to memory of 2192 2472 280222.exe 84 PID 2192 wrote to memory of 4232 2192 u620442.exe 85 PID 2192 wrote to memory of 4232 2192 u620442.exe 85 PID 2192 wrote to memory of 4232 2192 u620442.exe 85 PID 4232 wrote to memory of 2852 4232 5jpjd.exe 86 PID 4232 wrote to memory of 2852 4232 5jpjd.exe 86 PID 4232 wrote to memory of 2852 4232 5jpjd.exe 86 PID 2852 wrote to memory of 3036 2852 bbbbtb.exe 87 PID 2852 wrote to memory of 3036 2852 bbbbtb.exe 87 PID 2852 wrote to memory of 3036 2852 bbbbtb.exe 87 PID 3036 wrote to memory of 1488 3036 nttnhh.exe 88 PID 3036 wrote to memory of 1488 3036 nttnhh.exe 88 PID 3036 wrote to memory of 1488 3036 nttnhh.exe 88 PID 1488 wrote to memory of 1664 1488 8282622.exe 89 PID 1488 wrote to memory of 1664 1488 8282622.exe 89 PID 1488 wrote to memory of 1664 1488 8282622.exe 89 PID 1664 wrote to memory of 3140 1664 6000606.exe 90 PID 1664 wrote to memory of 3140 1664 6000606.exe 90 PID 1664 wrote to memory of 3140 1664 6000606.exe 90 PID 3140 wrote to memory of 3292 3140 jvvvp.exe 91 PID 3140 wrote to memory of 3292 3140 jvvvp.exe 91 PID 3140 wrote to memory of 3292 3140 jvvvp.exe 91 PID 3292 wrote to memory of 3052 3292 frxrrrl.exe 92 PID 3292 wrote to memory of 3052 3292 frxrrrl.exe 92 PID 3292 wrote to memory of 3052 3292 frxrrrl.exe 92 PID 3052 wrote to memory of 1412 3052 462044.exe 93 PID 3052 wrote to memory of 1412 3052 462044.exe 93 PID 3052 wrote to memory of 1412 3052 462044.exe 93 PID 1412 wrote to memory of 2572 1412 bntnnh.exe 155 PID 1412 
wrote to memory of 2572 1412 bntnnh.exe 155 PID 1412 wrote to memory of 2572 1412 bntnnh.exe 155 PID 2572 wrote to memory of 2280 2572 44482.exe 95 PID 2572 wrote to memory of 2280 2572 44482.exe 95 PID 2572 wrote to memory of 2280 2572 44482.exe 95 PID 2280 wrote to memory of 3668 2280 068600.exe 96 PID 2280 wrote to memory of 3668 2280 068600.exe 96 PID 2280 wrote to memory of 3668 2280 068600.exe 96 PID 3668 wrote to memory of 1984 3668 6404882.exe 97 PID 3668 wrote to memory of 1984 3668 6404882.exe 97 PID 3668 wrote to memory of 1984 3668 6404882.exe 97 PID 1984 wrote to memory of 3396 1984 04460.exe 98 PID 1984 wrote to memory of 3396 1984 04460.exe 98 PID 1984 wrote to memory of 3396 1984 04460.exe 98 PID 3396 wrote to memory of 2024 3396 246004.exe 99 PID 3396 wrote to memory of 2024 3396 246004.exe 99 PID 3396 wrote to memory of 2024 3396 246004.exe 99 PID 2024 wrote to memory of 1720 2024 64048.exe 100 PID 2024 wrote to memory of 1720 2024 64048.exe 100 PID 2024 wrote to memory of 1720 2024 64048.exe 100 PID 1720 wrote to memory of 3856 1720 e80404.exe 101 PID 1720 wrote to memory of 3856 1720 e80404.exe 101 PID 1720 wrote to memory of 3856 1720 e80404.exe 101 PID 3856 wrote to memory of 1052 3856 nnnhhb.exe 102 PID 3856 wrote to memory of 1052 3856 nnnhhb.exe 102 PID 3856 wrote to memory of 1052 3856 nnnhhb.exe 102 PID 1052 wrote to memory of 3760 1052 628264.exe 103 PID 1052 wrote to memory of 3760 1052 628264.exe 103 PID 1052 wrote to memory of 3760 1052 628264.exe 103 PID 3760 wrote to memory of 2084 3760 44820.exe 164
Processes
-
C:\Users\Admin\AppData\Local\Temp\de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe"C:\Users\Admin\AppData\Local\Temp\de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\280222.exec:\280222.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\u620442.exec:\u620442.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\5jpjd.exec:\5jpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\bbbbtb.exec:\bbbbtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\nttnhh.exec:\nttnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\8282622.exec:\8282622.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\6000606.exec:\6000606.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\jvvvp.exec:\jvvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\frxrrrl.exec:\frxrrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\462044.exec:\462044.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\bntnnh.exec:\bntnnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\44482.exec:\44482.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\068600.exec:\068600.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\6404882.exec:\6404882.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\04460.exec:\04460.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\246004.exec:\246004.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\64048.exec:\64048.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\e80404.exec:\e80404.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\nnnhhb.exec:\nnnhhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\628264.exec:\628264.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\44820.exec:\44820.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\420882.exec:\420882.exe23⤵
- Executes dropped EXE
PID:2084 -
\??\c:\7rfrlll.exec:\7rfrlll.exe24⤵
- Executes dropped EXE
PID:2620 -
\??\c:\thnnhh.exec:\thnnhh.exe25⤵
- Executes dropped EXE
PID:4156 -
\??\c:\608222.exec:\608222.exe26⤵
- Executes dropped EXE
PID:3448 -
\??\c:\20604.exec:\20604.exe27⤵
- Executes dropped EXE
PID:4920 -
\??\c:\m4082.exec:\m4082.exe28⤵
- Executes dropped EXE
PID:1064 -
\??\c:\ttttnh.exec:\ttttnh.exe29⤵
- Executes dropped EXE
PID:4128 -
\??\c:\tbnhbh.exec:\tbnhbh.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4988 -
\??\c:\8020482.exec:\8020482.exe31⤵
- Executes dropped EXE
PID:208 -
\??\c:\4626004.exec:\4626004.exe32⤵
- Executes dropped EXE
PID:3948 -
\??\c:\thnnnn.exec:\thnnnn.exe33⤵
- Executes dropped EXE
PID:1812 -
\??\c:\88482.exec:\88482.exe34⤵
- Executes dropped EXE
PID:4416 -
\??\c:\vdjdv.exec:\vdjdv.exe35⤵
- Executes dropped EXE
PID:3560 -
\??\c:\662600.exec:\662600.exe36⤵
- Executes dropped EXE
PID:1672 -
\??\c:\9hnhbb.exec:\9hnhbb.exe37⤵
- Executes dropped EXE
PID:2968 -
\??\c:\o026482.exec:\o026482.exe38⤵
- Executes dropped EXE
PID:3520 -
\??\c:\2404826.exec:\2404826.exe39⤵
- Executes dropped EXE
PID:4316 -
\??\c:\tnhbtt.exec:\tnhbtt.exe40⤵
- Executes dropped EXE
PID:3592 -
\??\c:\8666822.exec:\8666822.exe41⤵
- Executes dropped EXE
PID:2680 -
\??\c:\0464282.exec:\0464282.exe42⤵
- Executes dropped EXE
PID:3388 -
\??\c:\6026004.exec:\6026004.exe43⤵
- Executes dropped EXE
PID:2388 -
\??\c:\046488.exec:\046488.exe44⤵
- Executes dropped EXE
PID:1644 -
\??\c:\jddvv.exec:\jddvv.exe45⤵
- Executes dropped EXE
PID:1776 -
\??\c:\8648226.exec:\8648226.exe46⤵
- Executes dropped EXE
PID:2040 -
\??\c:\48826.exec:\48826.exe47⤵
- Executes dropped EXE
PID:4468 -
\??\c:\262844.exec:\262844.exe48⤵
- Executes dropped EXE
PID:3192 -
\??\c:\tnbttn.exec:\tnbttn.exe49⤵
- Executes dropped EXE
PID:2716 -
\??\c:\nhhbnn.exec:\nhhbnn.exe50⤵
- Executes dropped EXE
PID:3092 -
\??\c:\llxlfxr.exec:\llxlfxr.exe51⤵
- Executes dropped EXE
PID:4644 -
\??\c:\9htntt.exec:\9htntt.exe52⤵
- Executes dropped EXE
PID:4052 -
\??\c:\60822.exec:\60822.exe53⤵
- Executes dropped EXE
PID:3920 -
\??\c:\06426.exec:\06426.exe54⤵
- Executes dropped EXE
PID:2196 -
\??\c:\484822.exec:\484822.exe55⤵PID:4412
-
\??\c:\lffllff.exec:\lffllff.exe56⤵
- Executes dropped EXE
PID:4436 -
\??\c:\0060882.exec:\0060882.exe57⤵
- Executes dropped EXE
PID:368 -
\??\c:\04086.exec:\04086.exe58⤵
- Executes dropped EXE
PID:4828 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe59⤵
- Executes dropped EXE
PID:4808 -
\??\c:\888484.exec:\888484.exe60⤵
- Executes dropped EXE
PID:2728 -
\??\c:\828606.exec:\828606.exe61⤵
- Executes dropped EXE
PID:2700 -
\??\c:\btnhbh.exec:\btnhbh.exe62⤵
- Executes dropped EXE
PID:1448 -
\??\c:\48006.exec:\48006.exe63⤵
- Executes dropped EXE
PID:1316 -
\??\c:\66864.exec:\66864.exe64⤵
- Executes dropped EXE
PID:772 -
\??\c:\0448226.exec:\0448226.exe65⤵
- Executes dropped EXE
PID:3996 -
\??\c:\s4048.exec:\s4048.exe66⤵
- Executes dropped EXE
PID:2228 -
\??\c:\4082226.exec:\4082226.exe67⤵PID:5112
-
\??\c:\o066000.exec:\o066000.exe68⤵PID:3340
-
\??\c:\44044.exec:\44044.exe69⤵PID:2100
-
\??\c:\dpppj.exec:\dpppj.exe70⤵PID:4404
-
\??\c:\fllffff.exec:\fllffff.exe71⤵PID:1356
-
\??\c:\0060088.exec:\0060088.exe72⤵PID:4980
-
\??\c:\ppvvv.exec:\ppvvv.exe73⤵PID:4892
-
\??\c:\tntnnb.exec:\tntnnb.exe74⤵PID:2572
-
\??\c:\g8422.exec:\g8422.exe75⤵PID:1516
-
\??\c:\5ttthh.exec:\5ttthh.exe76⤵PID:4336
-
\??\c:\3rxrffx.exec:\3rxrffx.exe77⤵PID:552
-
\??\c:\vvjdv.exec:\vvjdv.exe78⤵PID:3640
-
\??\c:\200484.exec:\200484.exe79⤵PID:3644
-
\??\c:\62264.exec:\62264.exe80⤵PID:1404
-
\??\c:\vjvjd.exec:\vjvjd.exe81⤵PID:1808
-
\??\c:\00660.exec:\00660.exe82⤵PID:3924
-
\??\c:\2064488.exec:\2064488.exe83⤵PID:2084
-
\??\c:\lfrfxrf.exec:\lfrfxrf.exe84⤵PID:2620
-
\??\c:\4828228.exec:\4828228.exe85⤵PID:2144
-
\??\c:\pdpdp.exec:\pdpdp.exe86⤵PID:4844
-
\??\c:\3vvpp.exec:\3vvpp.exe87⤵PID:2576
-
\??\c:\o848648.exec:\o848648.exe88⤵PID:4004
-
\??\c:\a6862.exec:\a6862.exe89⤵PID:316
-
\??\c:\jdpdp.exec:\jdpdp.exe90⤵PID:208
-
\??\c:\068600.exec:\068600.exe91⤵PID:3412
-
\??\c:\9llrlxx.exec:\9llrlxx.exe92⤵PID:2588
-
\??\c:\o020044.exec:\o020044.exe93⤵PID:712
-
\??\c:\8840280.exec:\8840280.exe94⤵PID:3496
-
\??\c:\bbhbtb.exec:\bbhbtb.exe95⤵PID:2612
-
\??\c:\848826.exec:\848826.exe96⤵PID:5028
-
\??\c:\3xllfff.exec:\3xllfff.exe97⤵PID:1180
-
\??\c:\6664882.exec:\6664882.exe98⤵PID:3840
-
\??\c:\862048.exec:\862048.exe99⤵PID:4228
-
\??\c:\862266.exec:\862266.exe100⤵PID:740
-
\??\c:\fxxrlfl.exec:\fxxrlfl.exe101⤵PID:5036
-
\??\c:\pjppp.exec:\pjppp.exe102⤵PID:3208
-
\??\c:\rrrlfff.exec:\rrrlfff.exe103⤵PID:3508
-
\??\c:\nbhbnh.exec:\nbhbnh.exe104⤵PID:3192
-
\??\c:\640082.exec:\640082.exe105⤵PID:4556
-
\??\c:\xllfrlf.exec:\xllfrlf.exe106⤵
- System Location Discovery: System Language Discovery
PID:1596 -
\??\c:\48264.exec:\48264.exe107⤵PID:4580
-
\??\c:\tnthtt.exec:\tnthtt.exe108⤵PID:4360
-
\??\c:\lrxrfll.exec:\lrxrfll.exe109⤵PID:4312
-
\??\c:\lfxxfll.exec:\lfxxfll.exe110⤵PID:1520
-
\??\c:\4248266.exec:\4248266.exe111⤵PID:2288
-
\??\c:\vdjpd.exec:\vdjpd.exe112⤵PID:3812
-
\??\c:\8268606.exec:\8268606.exe113⤵PID:3648
-
\??\c:\ppdvp.exec:\ppdvp.exe114⤵PID:3624
-
\??\c:\284448.exec:\284448.exe115⤵PID:3584
-
\??\c:\m8006.exec:\m8006.exe116⤵PID:3892
-
\??\c:\6444000.exec:\6444000.exe117⤵PID:2192
-
\??\c:\o404882.exec:\o404882.exe118⤵PID:5008
-
\??\c:\vdjdd.exec:\vdjdd.exe119⤵PID:2796
-
\??\c:\i466626.exec:\i466626.exe120⤵PID:3460
-
\??\c:\0882604.exec:\0882604.exe121⤵
- System Location Discovery: System Language Discovery
PID:4588 -
\??\c:\bhhbbb.exec:\bhhbbb.exe122⤵PID:1484
-