Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 02:52
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
cd0d62ec946efe0ce119611d50ede0e6b330ebaef00c5e8c9e539e41452b6f85.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
cd0d62ec946efe0ce119611d50ede0e6b330ebaef00c5e8c9e539e41452b6f85.exe
-
Size
454KB
-
MD5
274676bc77b6afcc83d81119fd09c955
-
SHA1
5d5d81c6dc38b9626302e6d089d159b99dc1d34a
-
SHA256
cd0d62ec946efe0ce119611d50ede0e6b330ebaef00c5e8c9e539e41452b6f85
-
SHA512
82cfe97b06cbdfcea1c60780d81d496f099214233936ffde38d891f0a53afeca8b2e47b58af25666f23cbc5e24664e252ddaf6580d2542dc33a873bfcaa66e28
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3944-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1768-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2096-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-1862-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4672 pjjdv.exe 4528 i642222.exe 4948 8460482.exe 3192 e66040.exe 2096 206626.exe 844 bbbtnn.exe 2928 1bbtnt.exe 2176 vpvpp.exe 3940 3rffxff.exe 448 xflfffx.exe 2740 tbttnh.exe 3004 nhbttb.exe 4572 bntnhh.exe 3384 k80048.exe 5036 4604484.exe 1684 hbbttn.exe 1108 824888.exe 4960 84486.exe 1476 jpvpj.exe 3616 lrxrlll.exe 4380 006048.exe 1912 84048.exe 2024 5xrfrfx.exe 3080 g8022.exe 3848 08482.exe 548 7xrlxrr.exe 2396 5llfxrr.exe 2832 o626060.exe 696 lxxfxlf.exe 1696 nhbttt.exe 620 nbnhhh.exe 4000 xllrlff.exe 1372 u404660.exe 1920 nhhbtt.exe 4508 3fxrlfx.exe 3404 tnnhbh.exe 1768 628822.exe 3444 djjjj.exe 4704 rxlfxfx.exe 1772 42488.exe 4680 m8826.exe 4236 frfxfxf.exe 3600 3ffxrrf.exe 2308 fxxrllf.exe 2208 o426004.exe 216 c060482.exe 2416 bhtnhh.exe 536 jddvp.exe 4368 jpvpj.exe 3756 dvdvp.exe 1968 60048.exe 2892 0626004.exe 4576 4082600.exe 4180 82860.exe 4948 pvdpv.exe 5112 c244440.exe 2116 ddjjd.exe 1516 jddpj.exe 844 xrrlfrl.exe 1944 rllfllf.exe 112 pjjdv.exe 468 602440.exe 3884 djpvj.exe 2740 266888.exe -
resource yara_rule behavioral2/memory/4672-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-183-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/696-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-394-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3688-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-868-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6064260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c220484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w86422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4408626.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0262840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i444448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 240826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxxrr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3944 wrote to memory of 4672 3944 cd0d62ec946efe0ce119611d50ede0e6b330ebaef00c5e8c9e539e41452b6f85.exe 83 PID 3944 wrote to memory of 4672 3944 cd0d62ec946efe0ce119611d50ede0e6b330ebaef00c5e8c9e539e41452b6f85.exe 83 PID 3944 wrote to memory of 4672 3944 cd0d62ec946efe0ce119611d50ede0e6b330ebaef00c5e8c9e539e41452b6f85.exe 83 PID 4672 wrote to memory of 4528 4672 pjjdv.exe 84 PID 4672 wrote to memory of 4528 4672 pjjdv.exe 84 PID 4672 wrote to memory of 4528 4672 pjjdv.exe 84 PID 4528 wrote to memory of 4948 4528 i642222.exe 85 PID 4528 wrote to memory of 4948 4528 i642222.exe 85 PID 4528 wrote to memory of 4948 4528 i642222.exe 85 PID 4948 wrote to memory of 3192 4948 8460482.exe 86 PID 4948 wrote to memory of 3192 4948 8460482.exe 86 PID 4948 wrote to memory of 3192 4948 8460482.exe 86 PID 3192 wrote to memory of 2096 3192 e66040.exe 87 PID 3192 wrote to memory of 2096 3192 e66040.exe 87 PID 3192 wrote to memory of 2096 3192 e66040.exe 87 PID 2096 wrote to memory of 844 2096 206626.exe 141 PID 2096 wrote to memory of 844 2096 206626.exe 141 PID 2096 wrote to memory of 844 2096 206626.exe 141 PID 844 wrote to memory of 2928 844 bbbtnn.exe 89 PID 844 wrote to memory of 2928 844 bbbtnn.exe 89 PID 844 wrote to memory of 2928 844 bbbtnn.exe 89 PID 2928 wrote to memory of 2176 2928 1bbtnt.exe 90 PID 2928 wrote to memory of 2176 2928 1bbtnt.exe 90 PID 2928 wrote to memory of 2176 2928 1bbtnt.exe 90 PID 2176 wrote to memory of 3940 2176 vpvpp.exe 91 PID 2176 wrote to memory of 3940 2176 vpvpp.exe 91 PID 2176 wrote to memory of 3940 2176 vpvpp.exe 91 PID 3940 wrote to memory of 448 3940 3rffxff.exe 92 PID 3940 wrote to memory of 448 3940 3rffxff.exe 92 PID 3940 wrote to memory of 448 3940 3rffxff.exe 92 PID 448 wrote to memory of 2740 448 xflfffx.exe 93 PID 448 wrote to memory of 2740 448 xflfffx.exe 93 PID 448 wrote to memory of 2740 448 xflfffx.exe 93 PID 2740 wrote to memory of 3004 2740 tbttnh.exe 94 PID 2740 wrote to memory of 
3004 2740 tbttnh.exe 94 PID 2740 wrote to memory of 3004 2740 tbttnh.exe 94 PID 3004 wrote to memory of 4572 3004 nhbttb.exe 95 PID 3004 wrote to memory of 4572 3004 nhbttb.exe 95 PID 3004 wrote to memory of 4572 3004 nhbttb.exe 95 PID 4572 wrote to memory of 3384 4572 bntnhh.exe 96 PID 4572 wrote to memory of 3384 4572 bntnhh.exe 96 PID 4572 wrote to memory of 3384 4572 bntnhh.exe 96 PID 3384 wrote to memory of 5036 3384 k80048.exe 97 PID 3384 wrote to memory of 5036 3384 k80048.exe 97 PID 3384 wrote to memory of 5036 3384 k80048.exe 97 PID 5036 wrote to memory of 1684 5036 4604484.exe 98 PID 5036 wrote to memory of 1684 5036 4604484.exe 98 PID 5036 wrote to memory of 1684 5036 4604484.exe 98 PID 1684 wrote to memory of 1108 1684 hbbttn.exe 99 PID 1684 wrote to memory of 1108 1684 hbbttn.exe 99 PID 1684 wrote to memory of 1108 1684 hbbttn.exe 99 PID 1108 wrote to memory of 4960 1108 824888.exe 100 PID 1108 wrote to memory of 4960 1108 824888.exe 100 PID 1108 wrote to memory of 4960 1108 824888.exe 100 PID 4960 wrote to memory of 1476 4960 84486.exe 101 PID 4960 wrote to memory of 1476 4960 84486.exe 101 PID 4960 wrote to memory of 1476 4960 84486.exe 101 PID 1476 wrote to memory of 3616 1476 jpvpj.exe 102 PID 1476 wrote to memory of 3616 1476 jpvpj.exe 102 PID 1476 wrote to memory of 3616 1476 jpvpj.exe 102 PID 3616 wrote to memory of 4380 3616 lrxrlll.exe 103 PID 3616 wrote to memory of 4380 3616 lrxrlll.exe 103 PID 3616 wrote to memory of 4380 3616 lrxrlll.exe 103 PID 4380 wrote to memory of 1912 4380 006048.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd0d62ec946efe0ce119611d50ede0e6b330ebaef00c5e8c9e539e41452b6f85.exe"C:\Users\Admin\AppData\Local\Temp\cd0d62ec946efe0ce119611d50ede0e6b330ebaef00c5e8c9e539e41452b6f85.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\pjjdv.exec:\pjjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\i642222.exec:\i642222.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\8460482.exec:\8460482.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\e66040.exec:\e66040.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\206626.exec:\206626.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\bbbtnn.exec:\bbbtnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\1bbtnt.exec:\1bbtnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\vpvpp.exec:\vpvpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\3rffxff.exec:\3rffxff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\xflfffx.exec:\xflfffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\tbttnh.exec:\tbttnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\nhbttb.exec:\nhbttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\bntnhh.exec:\bntnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\k80048.exec:\k80048.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\4604484.exec:\4604484.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\hbbttn.exec:\hbbttn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\824888.exec:\824888.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\84486.exec:\84486.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\jpvpj.exec:\jpvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\lrxrlll.exec:\lrxrlll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\006048.exec:\006048.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\84048.exec:\84048.exe23⤵
- Executes dropped EXE
PID:1912 -
\??\c:\5xrfrfx.exec:\5xrfrfx.exe24⤵
- Executes dropped EXE
PID:2024 -
\??\c:\g8022.exec:\g8022.exe25⤵
- Executes dropped EXE
PID:3080 -
\??\c:\08482.exec:\08482.exe26⤵
- Executes dropped EXE
PID:3848 -
\??\c:\7xrlxrr.exec:\7xrlxrr.exe27⤵
- Executes dropped EXE
PID:548 -
\??\c:\5llfxrr.exec:\5llfxrr.exe28⤵
- Executes dropped EXE
PID:2396 -
\??\c:\o626060.exec:\o626060.exe29⤵
- Executes dropped EXE
PID:2832 -
\??\c:\lxxfxlf.exec:\lxxfxlf.exe30⤵
- Executes dropped EXE
PID:696 -
\??\c:\nhbttt.exec:\nhbttt.exe31⤵
- Executes dropped EXE
PID:1696 -
\??\c:\nbnhhh.exec:\nbnhhh.exe32⤵
- Executes dropped EXE
PID:620 -
\??\c:\xllrlff.exec:\xllrlff.exe33⤵
- Executes dropped EXE
PID:4000 -
\??\c:\u404660.exec:\u404660.exe34⤵
- Executes dropped EXE
PID:1372 -
\??\c:\nhhbtt.exec:\nhhbtt.exe35⤵
- Executes dropped EXE
PID:1920 -
\??\c:\3fxrlfx.exec:\3fxrlfx.exe36⤵
- Executes dropped EXE
PID:4508 -
\??\c:\tnnhbh.exec:\tnnhbh.exe37⤵
- Executes dropped EXE
PID:3404 -
\??\c:\628822.exec:\628822.exe38⤵
- Executes dropped EXE
PID:1768 -
\??\c:\djjjj.exec:\djjjj.exe39⤵
- Executes dropped EXE
PID:3444 -
\??\c:\rxlfxfx.exec:\rxlfxfx.exe40⤵
- Executes dropped EXE
PID:4704 -
\??\c:\42488.exec:\42488.exe41⤵
- Executes dropped EXE
PID:1772 -
\??\c:\m8826.exec:\m8826.exe42⤵
- Executes dropped EXE
PID:4680 -
\??\c:\frfxfxf.exec:\frfxfxf.exe43⤵
- Executes dropped EXE
PID:4236 -
\??\c:\3ffxrrf.exec:\3ffxrrf.exe44⤵
- Executes dropped EXE
PID:3600 -
\??\c:\fxxrllf.exec:\fxxrllf.exe45⤵
- Executes dropped EXE
PID:2308 -
\??\c:\o426004.exec:\o426004.exe46⤵
- Executes dropped EXE
PID:2208 -
\??\c:\c060482.exec:\c060482.exe47⤵
- Executes dropped EXE
PID:216 -
\??\c:\bhtnhh.exec:\bhtnhh.exe48⤵
- Executes dropped EXE
PID:2416 -
\??\c:\jddvp.exec:\jddvp.exe49⤵
- Executes dropped EXE
PID:536 -
\??\c:\jpvpj.exec:\jpvpj.exe50⤵
- Executes dropped EXE
PID:4368 -
\??\c:\dvdvp.exec:\dvdvp.exe51⤵
- Executes dropped EXE
PID:3756 -
\??\c:\60048.exec:\60048.exe52⤵
- Executes dropped EXE
PID:1968 -
\??\c:\0626004.exec:\0626004.exe53⤵
- Executes dropped EXE
PID:2892 -
\??\c:\4082600.exec:\4082600.exe54⤵
- Executes dropped EXE
PID:4576 -
\??\c:\82860.exec:\82860.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4180 -
\??\c:\pvdpv.exec:\pvdpv.exe56⤵
- Executes dropped EXE
PID:4948 -
\??\c:\c244440.exec:\c244440.exe57⤵
- Executes dropped EXE
PID:5112 -
\??\c:\ddjjd.exec:\ddjjd.exe58⤵
- Executes dropped EXE
PID:2116 -
\??\c:\jddpj.exec:\jddpj.exe59⤵
- Executes dropped EXE
PID:1516 -
\??\c:\xrrlfrl.exec:\xrrlfrl.exe60⤵
- Executes dropped EXE
PID:844 -
\??\c:\rllfllf.exec:\rllfllf.exe61⤵
- Executes dropped EXE
PID:1944 -
\??\c:\pjjdv.exec:\pjjdv.exe62⤵
- Executes dropped EXE
PID:112 -
\??\c:\602440.exec:\602440.exe63⤵
- Executes dropped EXE
PID:468 -
\??\c:\djpvj.exec:\djpvj.exe64⤵
- Executes dropped EXE
PID:3884 -
\??\c:\266888.exec:\266888.exe65⤵
- Executes dropped EXE
PID:2740 -
\??\c:\662600.exec:\662600.exe66⤵PID:1272
-
\??\c:\k62600.exec:\k62600.exe67⤵PID:2456
-
\??\c:\thtntt.exec:\thtntt.exe68⤵PID:1540
-
\??\c:\tnnbtt.exec:\tnnbtt.exe69⤵PID:5052
-
\??\c:\8806660.exec:\8806660.exe70⤵PID:2128
-
\??\c:\64082.exec:\64082.exe71⤵PID:3636
-
\??\c:\84626.exec:\84626.exe72⤵PID:4932
-
\??\c:\202622.exec:\202622.exe73⤵PID:1396
-
\??\c:\m2864.exec:\m2864.exe74⤵PID:4380
-
\??\c:\rlfrfll.exec:\rlfrfll.exe75⤵PID:1060
-
\??\c:\4844488.exec:\4844488.exe76⤵PID:4664
-
\??\c:\fxlllll.exec:\fxlllll.exe77⤵PID:4876
-
\??\c:\m4040.exec:\m4040.exe78⤵PID:452
-
\??\c:\g4600.exec:\g4600.exe79⤵PID:4432
-
\??\c:\1tthbb.exec:\1tthbb.exe80⤵PID:456
-
\??\c:\i444448.exec:\i444448.exe81⤵
- System Location Discovery: System Language Discovery
PID:1756 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe82⤵PID:4324
-
\??\c:\7xxrlll.exec:\7xxrlll.exe83⤵PID:5076
-
\??\c:\pdjdv.exec:\pdjdv.exe84⤵PID:4152
-
\??\c:\bbhtnh.exec:\bbhtnh.exe85⤵PID:2816
-
\??\c:\644044.exec:\644044.exe86⤵PID:876
-
\??\c:\9bhbtt.exec:\9bhbtt.exe87⤵PID:3012
-
\??\c:\5llllrl.exec:\5llllrl.exe88⤵PID:3404
-
\??\c:\ffxrllf.exec:\ffxrllf.exe89⤵PID:1916
-
\??\c:\3jjdv.exec:\3jjdv.exe90⤵PID:5060
-
\??\c:\8848880.exec:\8848880.exe91⤵PID:4532
-
\??\c:\80660.exec:\80660.exe92⤵PID:1640
-
\??\c:\600666.exec:\600666.exe93⤵PID:4236
-
\??\c:\hntbnh.exec:\hntbnh.exe94⤵PID:3108
-
\??\c:\lflfffx.exec:\lflfffx.exe95⤵PID:4844
-
\??\c:\flrlrrx.exec:\flrlrrx.exe96⤵PID:3688
-
\??\c:\rlxxrfl.exec:\rlxxrfl.exe97⤵PID:1012
-
\??\c:\1tnntb.exec:\1tnntb.exe98⤵PID:3528
-
\??\c:\o082288.exec:\o082288.exe99⤵PID:2452
-
\??\c:\ntnhhn.exec:\ntnhhn.exe100⤵PID:1968
-
\??\c:\llxrrrl.exec:\llxrrrl.exe101⤵PID:2448
-
\??\c:\ttbtbb.exec:\ttbtbb.exe102⤵PID:3672
-
\??\c:\1rfrfrf.exec:\1rfrfrf.exe103⤵PID:4712
-
\??\c:\bhthbt.exec:\bhthbt.exe104⤵PID:2848
-
\??\c:\1nbtnb.exec:\1nbtnb.exe105⤵PID:1828
-
\??\c:\9bhtbb.exec:\9bhtbb.exe106⤵PID:2252
-
\??\c:\dppdp.exec:\dppdp.exe107⤵PID:2116
-
\??\c:\86208.exec:\86208.exe108⤵PID:368
-
\??\c:\bbtbnb.exec:\bbtbnb.exe109⤵PID:1820
-
\??\c:\868660.exec:\868660.exe110⤵PID:1876
-
\??\c:\dppvd.exec:\dppvd.exe111⤵PID:2444
-
\??\c:\k02644.exec:\k02644.exe112⤵PID:4900
-
\??\c:\btbbtn.exec:\btbbtn.exe113⤵PID:4140
-
\??\c:\2826082.exec:\2826082.exe114⤵PID:4164
-
\??\c:\g2066.exec:\g2066.exe115⤵PID:2456
-
\??\c:\xrrlfrl.exec:\xrrlfrl.exe116⤵PID:2976
-
\??\c:\g2648.exec:\g2648.exe117⤵PID:2176
-
\??\c:\e20860.exec:\e20860.exe118⤵PID:2128
-
\??\c:\8226226.exec:\8226226.exe119⤵PID:1420
-
\??\c:\fffrfrl.exec:\fffrfrl.exe120⤵PID:4260
-
\??\c:\24660.exec:\24660.exe121⤵PID:2876
-
\??\c:\646404.exec:\646404.exe122⤵PID:2124