Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 11:36
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
7eb7a410d6c4723d7baf58864082aa5d9071b7dac070ef315b85746f1e619e8dN.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7eb7a410d6c4723d7baf58864082aa5d9071b7dac070ef315b85746f1e619e8dN.exe
-
Size
453KB
-
MD5
7bed6f0ed67d0bce5f7cf01f8a918230
-
SHA1
95c34ccfcbb467627da92fc3ffeeba14970b0191
-
SHA256
7eb7a410d6c4723d7baf58864082aa5d9071b7dac070ef315b85746f1e619e8d
-
SHA512
b1ed62025f78253e302d2d2d243b7971ff59f078d6b2e5113937a61246967f4782f61df9173749db4eb4a93c4d5dee9d4ab82b483cd1cc96018e91f848b8b902
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeq:q7Tc2NYHUrAwfMp3CDq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2728-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2200-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1704-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-996-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-1209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-1296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/464-1834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 572 42482.exe 3616 i848228.exe 4448 5pddj.exe 3608 4804482.exe 4740 86848.exe 2072 tnnnhh.exe 4560 nbnnnn.exe 1864 468222.exe 492 00682.exe 3972 rfffxxx.exe 3388 08662.exe 1636 c286666.exe 1984 jvvvv.exe 2096 fllfxxx.exe 1848 64822.exe 4352 flrfxrf.exe 2688 4882240.exe 2696 5vpjd.exe 1624 86826.exe 1968 868648.exe 1220 7tnhtt.exe 3056 024620.exe 3276 9lfrfxr.exe 2328 40082.exe 2732 48264.exe 2200 rfxlxlx.exe 3816 3rrfrlx.exe 4132 jppjv.exe 2180 6886420.exe 4916 xxxrrlx.exe 1796 thtnhb.exe 3092 6426486.exe 2028 w48668.exe 4496 bnbnbn.exe 1524 s8864.exe 2308 tnhthn.exe 3028 84486.exe 2872 a8402.exe 904 84820.exe 2268 ppvpd.exe 1040 q86848.exe 3848 02264.exe 2764 dddpd.exe 4428 nhnbnh.exe 2316 1nnbbt.exe 3988 4262084.exe 3268 djpdv.exe 3616 dpjvj.exe 3324 rxrlxfx.exe 4616 628648.exe 3940 7rfrfxl.exe 3976 6448820.exe 3864 886448.exe 836 hnnhtn.exe 2280 i008608.exe 3896 22264.exe 3512 468660.exe 4084 e48860.exe 1704 u848604.exe 3568 q88648.exe 492 44608.exe 4444 jdjjd.exe 1932 rrrfrlx.exe 4220 3hbnbt.exe -
resource yara_rule behavioral2/memory/2728-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4132-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-317-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2688-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-775-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c686442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxrr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4260864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0826440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c844488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44482.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 664820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8806284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2728 wrote to memory of 572 2728 7eb7a410d6c4723d7baf58864082aa5d9071b7dac070ef315b85746f1e619e8dN.exe 83 PID 2728 wrote to memory of 572 2728 7eb7a410d6c4723d7baf58864082aa5d9071b7dac070ef315b85746f1e619e8dN.exe 83 PID 2728 wrote to memory of 572 2728 7eb7a410d6c4723d7baf58864082aa5d9071b7dac070ef315b85746f1e619e8dN.exe 83 PID 572 wrote to memory of 3616 572 42482.exe 84 PID 572 wrote to memory of 3616 572 42482.exe 84 PID 572 wrote to memory of 3616 572 42482.exe 84 PID 3616 wrote to memory of 4448 3616 i848228.exe 85 PID 3616 wrote to memory of 4448 3616 i848228.exe 85 PID 3616 wrote to memory of 4448 3616 i848228.exe 85 PID 4448 wrote to memory of 3608 4448 5pddj.exe 86 PID 4448 wrote to memory of 3608 4448 5pddj.exe 86 PID 4448 wrote to memory of 3608 4448 5pddj.exe 86 PID 3608 wrote to memory of 4740 3608 4804482.exe 87 PID 3608 wrote to memory of 4740 3608 4804482.exe 87 PID 3608 wrote to memory of 4740 3608 4804482.exe 87 PID 4740 wrote to memory of 2072 4740 86848.exe 88 PID 4740 wrote to memory of 2072 4740 86848.exe 88 PID 4740 wrote to memory of 2072 4740 86848.exe 88 PID 2072 wrote to memory of 4560 2072 tnnnhh.exe 89 PID 2072 wrote to memory of 4560 2072 tnnnhh.exe 89 PID 2072 wrote to memory of 4560 2072 tnnnhh.exe 89 PID 4560 wrote to memory of 1864 4560 nbnnnn.exe 90 PID 4560 wrote to memory of 1864 4560 nbnnnn.exe 90 PID 4560 wrote to memory of 1864 4560 nbnnnn.exe 90 PID 1864 wrote to memory of 492 1864 468222.exe 91 PID 1864 wrote to memory of 492 1864 468222.exe 91 PID 1864 wrote to memory of 492 1864 468222.exe 91 PID 492 wrote to memory of 3972 492 00682.exe 92 PID 492 wrote to memory of 3972 492 00682.exe 92 PID 492 wrote to memory of 3972 492 00682.exe 92 PID 3972 wrote to memory of 3388 3972 rfffxxx.exe 93 PID 3972 wrote to memory of 3388 3972 rfffxxx.exe 93 PID 3972 wrote to memory of 3388 3972 rfffxxx.exe 93 PID 3388 wrote to memory of 1636 3388 08662.exe 94 PID 3388 wrote to memory of 1636 3388 
08662.exe 94 PID 3388 wrote to memory of 1636 3388 08662.exe 94 PID 1636 wrote to memory of 1984 1636 c286666.exe 95 PID 1636 wrote to memory of 1984 1636 c286666.exe 95 PID 1636 wrote to memory of 1984 1636 c286666.exe 95 PID 1984 wrote to memory of 2096 1984 jvvvv.exe 96 PID 1984 wrote to memory of 2096 1984 jvvvv.exe 96 PID 1984 wrote to memory of 2096 1984 jvvvv.exe 96 PID 2096 wrote to memory of 1848 2096 fllfxxx.exe 97 PID 2096 wrote to memory of 1848 2096 fllfxxx.exe 97 PID 2096 wrote to memory of 1848 2096 fllfxxx.exe 97 PID 1848 wrote to memory of 4352 1848 64822.exe 98 PID 1848 wrote to memory of 4352 1848 64822.exe 98 PID 1848 wrote to memory of 4352 1848 64822.exe 98 PID 4352 wrote to memory of 2688 4352 flrfxrf.exe 99 PID 4352 wrote to memory of 2688 4352 flrfxrf.exe 99 PID 4352 wrote to memory of 2688 4352 flrfxrf.exe 99 PID 2688 wrote to memory of 2696 2688 4882240.exe 100 PID 2688 wrote to memory of 2696 2688 4882240.exe 100 PID 2688 wrote to memory of 2696 2688 4882240.exe 100 PID 2696 wrote to memory of 1624 2696 5vpjd.exe 101 PID 2696 wrote to memory of 1624 2696 5vpjd.exe 101 PID 2696 wrote to memory of 1624 2696 5vpjd.exe 101 PID 1624 wrote to memory of 1968 1624 86826.exe 102 PID 1624 wrote to memory of 1968 1624 86826.exe 102 PID 1624 wrote to memory of 1968 1624 86826.exe 102 PID 1968 wrote to memory of 1220 1968 868648.exe 103 PID 1968 wrote to memory of 1220 1968 868648.exe 103 PID 1968 wrote to memory of 1220 1968 868648.exe 103 PID 1220 wrote to memory of 3056 1220 7tnhtt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7eb7a410d6c4723d7baf58864082aa5d9071b7dac070ef315b85746f1e619e8dN.exe"C:\Users\Admin\AppData\Local\Temp\7eb7a410d6c4723d7baf58864082aa5d9071b7dac070ef315b85746f1e619e8dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\42482.exec:\42482.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\i848228.exec:\i848228.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\5pddj.exec:\5pddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\4804482.exec:\4804482.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\86848.exec:\86848.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\tnnnhh.exec:\tnnnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\nbnnnn.exec:\nbnnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\468222.exec:\468222.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\00682.exec:\00682.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:492 -
\??\c:\rfffxxx.exec:\rfffxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\08662.exec:\08662.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\c286666.exec:\c286666.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\jvvvv.exec:\jvvvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\fllfxxx.exec:\fllfxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\64822.exec:\64822.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\flrfxrf.exec:\flrfxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\4882240.exec:\4882240.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\5vpjd.exec:\5vpjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\86826.exec:\86826.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\868648.exec:\868648.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\7tnhtt.exec:\7tnhtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\024620.exec:\024620.exe23⤵
- Executes dropped EXE
PID:3056 -
\??\c:\9lfrfxr.exec:\9lfrfxr.exe24⤵
- Executes dropped EXE
PID:3276 -
\??\c:\40082.exec:\40082.exe25⤵
- Executes dropped EXE
PID:2328 -
\??\c:\48264.exec:\48264.exe26⤵
- Executes dropped EXE
PID:2732 -
\??\c:\rfxlxlx.exec:\rfxlxlx.exe27⤵
- Executes dropped EXE
PID:2200 -
\??\c:\3rrfrlx.exec:\3rrfrlx.exe28⤵
- Executes dropped EXE
PID:3816 -
\??\c:\jppjv.exec:\jppjv.exe29⤵
- Executes dropped EXE
PID:4132 -
\??\c:\6886420.exec:\6886420.exe30⤵
- Executes dropped EXE
PID:2180 -
\??\c:\xxxrrlx.exec:\xxxrrlx.exe31⤵
- Executes dropped EXE
PID:4916 -
\??\c:\thtnhb.exec:\thtnhb.exe32⤵
- Executes dropped EXE
PID:1796 -
\??\c:\6426486.exec:\6426486.exe33⤵
- Executes dropped EXE
PID:3092 -
\??\c:\w48668.exec:\w48668.exe34⤵
- Executes dropped EXE
PID:2028 -
\??\c:\bnbnbn.exec:\bnbnbn.exe35⤵
- Executes dropped EXE
PID:4496 -
\??\c:\s8864.exec:\s8864.exe36⤵
- Executes dropped EXE
PID:1524 -
\??\c:\tnhthn.exec:\tnhthn.exe37⤵
- Executes dropped EXE
PID:2308 -
\??\c:\84486.exec:\84486.exe38⤵
- Executes dropped EXE
PID:3028 -
\??\c:\a8402.exec:\a8402.exe39⤵
- Executes dropped EXE
PID:2872 -
\??\c:\84820.exec:\84820.exe40⤵
- Executes dropped EXE
PID:904 -
\??\c:\ppvpd.exec:\ppvpd.exe41⤵
- Executes dropped EXE
PID:2268 -
\??\c:\q86848.exec:\q86848.exe42⤵
- Executes dropped EXE
PID:1040 -
\??\c:\02264.exec:\02264.exe43⤵
- Executes dropped EXE
PID:3848 -
\??\c:\dddpd.exec:\dddpd.exe44⤵
- Executes dropped EXE
PID:2764 -
\??\c:\nhnbnh.exec:\nhnbnh.exe45⤵
- Executes dropped EXE
PID:4428 -
\??\c:\1nnbbt.exec:\1nnbbt.exe46⤵
- Executes dropped EXE
PID:2316 -
\??\c:\4262084.exec:\4262084.exe47⤵
- Executes dropped EXE
PID:3988 -
\??\c:\djpdv.exec:\djpdv.exe48⤵
- Executes dropped EXE
PID:3268 -
\??\c:\dpjvj.exec:\dpjvj.exe49⤵
- Executes dropped EXE
PID:3616 -
\??\c:\rxrlxfx.exec:\rxrlxfx.exe50⤵
- Executes dropped EXE
PID:3324 -
\??\c:\628648.exec:\628648.exe51⤵
- Executes dropped EXE
PID:4616 -
\??\c:\7rfrfxl.exec:\7rfrfxl.exe52⤵
- Executes dropped EXE
PID:3940 -
\??\c:\6448820.exec:\6448820.exe53⤵
- Executes dropped EXE
PID:3976 -
\??\c:\886448.exec:\886448.exe54⤵
- Executes dropped EXE
PID:3864 -
\??\c:\hnnhtn.exec:\hnnhtn.exe55⤵
- Executes dropped EXE
PID:836 -
\??\c:\i008608.exec:\i008608.exe56⤵
- Executes dropped EXE
PID:2280 -
\??\c:\22264.exec:\22264.exe57⤵
- Executes dropped EXE
PID:3896 -
\??\c:\468660.exec:\468660.exe58⤵
- Executes dropped EXE
PID:3512 -
\??\c:\e48860.exec:\e48860.exe59⤵
- Executes dropped EXE
PID:4084 -
\??\c:\u848604.exec:\u848604.exe60⤵
- Executes dropped EXE
PID:1704 -
\??\c:\q88648.exec:\q88648.exe61⤵
- Executes dropped EXE
PID:3568 -
\??\c:\44608.exec:\44608.exe62⤵
- Executes dropped EXE
PID:492 -
\??\c:\jdjjd.exec:\jdjjd.exe63⤵
- Executes dropped EXE
PID:4444 -
\??\c:\rrrfrlx.exec:\rrrfrlx.exe64⤵
- Executes dropped EXE
PID:1932 -
\??\c:\3hbnbt.exec:\3hbnbt.exe65⤵
- Executes dropped EXE
PID:4220 -
\??\c:\lrxfxfr.exec:\lrxfxfr.exe66⤵PID:4592
-
\??\c:\1nthbb.exec:\1nthbb.exe67⤵PID:1196
-
\??\c:\pjjvj.exec:\pjjvj.exe68⤵PID:2096
-
\??\c:\vpppj.exec:\vpppj.exe69⤵PID:2368
-
\??\c:\62608.exec:\62608.exe70⤵PID:4836
-
\??\c:\jjppv.exec:\jjppv.exe71⤵PID:1324
-
\??\c:\006600.exec:\006600.exe72⤵
- System Location Discovery: System Language Discovery
PID:4884 -
\??\c:\2008208.exec:\2008208.exe73⤵PID:5096
-
\??\c:\o448422.exec:\o448422.exe74⤵PID:2688
-
\??\c:\w46444.exec:\w46444.exe75⤵PID:2956
-
\??\c:\7jdvj.exec:\7jdvj.exe76⤵PID:4800
-
\??\c:\9flfrrl.exec:\9flfrrl.exe77⤵PID:3504
-
\??\c:\vjjdv.exec:\vjjdv.exe78⤵PID:4164
-
\??\c:\48864.exec:\48864.exe79⤵PID:1268
-
\??\c:\llrlxxx.exec:\llrlxxx.exe80⤵PID:2552
-
\??\c:\464200.exec:\464200.exe81⤵PID:3448
-
\??\c:\064826.exec:\064826.exe82⤵PID:2636
-
\??\c:\dddvj.exec:\dddvj.exe83⤵PID:2444
-
\??\c:\fxllllf.exec:\fxllllf.exe84⤵PID:3056
-
\??\c:\jpdpd.exec:\jpdpd.exe85⤵PID:792
-
\??\c:\9ffrfrr.exec:\9ffrfrr.exe86⤵PID:772
-
\??\c:\bnhhtt.exec:\bnhhtt.exe87⤵PID:656
-
\??\c:\1rxlrlx.exec:\1rxlrlx.exe88⤵PID:4768
-
\??\c:\djdvj.exec:\djdvj.exe89⤵PID:4792
-
\??\c:\btnnbn.exec:\btnnbn.exe90⤵PID:2576
-
\??\c:\44260.exec:\44260.exe91⤵
- System Location Discovery: System Language Discovery
PID:3264 -
\??\c:\xrrrllf.exec:\xrrrllf.exe92⤵PID:1400
-
\??\c:\5vdpp.exec:\5vdpp.exe93⤵PID:2812
-
\??\c:\pdjdv.exec:\pdjdv.exe94⤵PID:3312
-
\??\c:\866468.exec:\866468.exe95⤵PID:3344
-
\??\c:\hnnttt.exec:\hnnttt.exe96⤵PID:528
-
\??\c:\7xlxxrl.exec:\7xlxxrl.exe97⤵PID:4188
-
\??\c:\djjdd.exec:\djjdd.exe98⤵PID:2396
-
\??\c:\86240.exec:\86240.exe99⤵PID:2068
-
\??\c:\48004.exec:\48004.exe100⤵PID:3828
-
\??\c:\6282044.exec:\6282044.exe101⤵PID:4688
-
\??\c:\bbnntt.exec:\bbnntt.exe102⤵PID:2864
-
\??\c:\82604.exec:\82604.exe103⤵PID:1904
-
\??\c:\frrfrlr.exec:\frrfrlr.exe104⤵PID:116
-
\??\c:\xlfxrlx.exec:\xlfxrlx.exe105⤵PID:4680
-
\??\c:\5ddvp.exec:\5ddvp.exe106⤵PID:3232
-
\??\c:\llrlxxl.exec:\llrlxxl.exe107⤵PID:2972
-
\??\c:\nbhbbt.exec:\nbhbbt.exe108⤵PID:3848
-
\??\c:\6804826.exec:\6804826.exe109⤵PID:4968
-
\??\c:\vjdvp.exec:\vjdvp.exe110⤵PID:4960
-
\??\c:\u020482.exec:\u020482.exe111⤵PID:3428
-
\??\c:\6464822.exec:\6464822.exe112⤵PID:500
-
\??\c:\6842260.exec:\6842260.exe113⤵PID:3820
-
\??\c:\64084.exec:\64084.exe114⤵PID:1300
-
\??\c:\o886820.exec:\o886820.exe115⤵PID:4500
-
\??\c:\2020448.exec:\2020448.exe116⤵PID:3324
-
\??\c:\4826460.exec:\4826460.exe117⤵PID:4616
-
\??\c:\8404286.exec:\8404286.exe118⤵PID:3940
-
\??\c:\1fxxlxr.exec:\1fxxlxr.exe119⤵PID:3976
-
\??\c:\k48860.exec:\k48860.exe120⤵PID:4740
-
\??\c:\vpvpj.exec:\vpvpj.exe121⤵PID:3460
-
\??\c:\xlrfffx.exec:\xlrfffx.exe122⤵PID:1888