Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe
-
Size
454KB
-
MD5
e52ae1b54d854bfa0476d919f52bb450
-
SHA1
50dd5b3a3f836b06a0e85ff3678bbe3498f14acf
-
SHA256
3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4
-
SHA512
7207922407e95427b03d054c4cc5826f04ee9c8da81aa73eaeef24e84bc09bef7af86be72bdfc9d0217306779af451744c14dccb4234b7729720fe07bb4287fb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4768-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2412-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1568-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-863-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-990-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-1093-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-1269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-1297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4768 60820.exe 4304 8486464.exe 2688 64444.exe 804 0448248.exe 2136 1btnbb.exe 3504 068204.exe 3128 vdpjd.exe 536 00608.exe 3088 64260.exe 2588 ntnhbn.exe 4920 000826.exe 1344 00448.exe 4520 846280.exe 3784 jdvjd.exe 1948 lxrlxxl.exe 3932 vjdpj.exe 1972 c464828.exe 5080 868626.exe 4780 nhhtbt.exe 3120 c408660.exe 992 62260.exe 1532 dvdpd.exe 5028 7fxxxrr.exe 4896 2248264.exe 996 422604.exe 3896 82068.exe 2412 022288.exe 4976 hbbtnn.exe 740 240482.exe 3688 7ppjd.exe 2368 jvjjp.exe 3276 xfxrlfx.exe 4556 00082.exe 1824 hbtbtt.exe 1016 4402848.exe 4384 82824.exe 1128 vddjj.exe 3440 246600.exe 908 jjjvvd.exe 4628 flxxrrr.exe 2796 nthbtt.exe 1360 02882.exe 3712 8626600.exe 2348 6024826.exe 2820 jvjjd.exe 2524 4004484.exe 4452 llrxxxx.exe 4652 rfrxfll.exe 4344 bntttt.exe 2912 2460004.exe 5008 00022.exe 2928 dvpdv.exe 2908 thnhhh.exe 4436 24000.exe 2356 2666000.exe 3160 dvvvd.exe 2624 842280.exe 3504 jdjdv.exe 2024 vddpj.exe 1560 w40848.exe 1512 0882004.exe 4632 8042608.exe 3088 thttnh.exe 4980 w06260.exe -
resource yara_rule behavioral2/memory/4768-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2412-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-366-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/768-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-791-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4848 wrote to memory of 4768 4848 3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe 83 PID 4848 wrote to memory of 4768 4848 3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe 83 PID 4848 wrote to memory of 4768 4848 3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe 83 PID 4768 wrote to memory of 4304 4768 60820.exe 84 PID 4768 wrote to memory of 4304 4768 60820.exe 84 PID 4768 wrote to memory of 4304 4768 60820.exe 84 PID 4304 wrote to memory of 2688 4304 8486464.exe 85 PID 4304 wrote to memory of 2688 4304 8486464.exe 85 PID 4304 wrote to memory of 2688 4304 8486464.exe 85 PID 2688 wrote to memory of 804 2688 64444.exe 86 PID 2688 wrote to memory of 804 2688 64444.exe 86 PID 2688 wrote to memory of 804 2688 64444.exe 86 PID 804 wrote to memory of 2136 804 0448248.exe 87 PID 804 wrote to memory of 2136 804 0448248.exe 87 PID 804 wrote to memory of 2136 804 0448248.exe 87 PID 2136 wrote to memory of 3504 2136 1btnbb.exe 88 PID 2136 wrote to memory of 3504 2136 1btnbb.exe 88 PID 2136 wrote to memory of 3504 2136 1btnbb.exe 88 PID 3504 wrote to memory of 3128 3504 068204.exe 89 PID 3504 wrote to memory of 3128 3504 068204.exe 89 PID 3504 wrote to memory of 3128 3504 068204.exe 89 PID 3128 wrote to memory of 536 3128 vdpjd.exe 90 PID 3128 wrote to memory of 536 3128 vdpjd.exe 90 PID 3128 wrote to memory of 536 3128 vdpjd.exe 90 PID 536 wrote to memory of 3088 536 00608.exe 91 PID 536 wrote to memory of 3088 536 00608.exe 91 PID 536 wrote to memory of 3088 536 00608.exe 91 PID 3088 wrote to memory of 2588 3088 64260.exe 92 PID 3088 wrote to memory of 2588 3088 64260.exe 92 PID 3088 wrote to memory of 2588 3088 64260.exe 92 PID 2588 wrote to memory of 4920 2588 ntnhbn.exe 93 PID 2588 wrote to memory of 4920 2588 ntnhbn.exe 93 PID 2588 wrote to memory of 4920 2588 ntnhbn.exe 93 PID 4920 wrote to memory of 1344 4920 000826.exe 94 PID 4920 wrote to memory of 1344 4920 
000826.exe 94 PID 4920 wrote to memory of 1344 4920 000826.exe 94 PID 1344 wrote to memory of 4520 1344 00448.exe 95 PID 1344 wrote to memory of 4520 1344 00448.exe 95 PID 1344 wrote to memory of 4520 1344 00448.exe 95 PID 4520 wrote to memory of 3784 4520 846280.exe 96 PID 4520 wrote to memory of 3784 4520 846280.exe 96 PID 4520 wrote to memory of 3784 4520 846280.exe 96 PID 3784 wrote to memory of 1948 3784 jdvjd.exe 97 PID 3784 wrote to memory of 1948 3784 jdvjd.exe 97 PID 3784 wrote to memory of 1948 3784 jdvjd.exe 97 PID 1948 wrote to memory of 3932 1948 lxrlxxl.exe 98 PID 1948 wrote to memory of 3932 1948 lxrlxxl.exe 98 PID 1948 wrote to memory of 3932 1948 lxrlxxl.exe 98 PID 3932 wrote to memory of 1972 3932 vjdpj.exe 99 PID 3932 wrote to memory of 1972 3932 vjdpj.exe 99 PID 3932 wrote to memory of 1972 3932 vjdpj.exe 99 PID 1972 wrote to memory of 5080 1972 c464828.exe 100 PID 1972 wrote to memory of 5080 1972 c464828.exe 100 PID 1972 wrote to memory of 5080 1972 c464828.exe 100 PID 5080 wrote to memory of 4780 5080 868626.exe 101 PID 5080 wrote to memory of 4780 5080 868626.exe 101 PID 5080 wrote to memory of 4780 5080 868626.exe 101 PID 4780 wrote to memory of 3120 4780 nhhtbt.exe 102 PID 4780 wrote to memory of 3120 4780 nhhtbt.exe 102 PID 4780 wrote to memory of 3120 4780 nhhtbt.exe 102 PID 3120 wrote to memory of 992 3120 c408660.exe 103 PID 3120 wrote to memory of 992 3120 c408660.exe 103 PID 3120 wrote to memory of 992 3120 c408660.exe 103 PID 992 wrote to memory of 1532 992 62260.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe"C:\Users\Admin\AppData\Local\Temp\3cab76eb376d55fb87696161d8c6d83b3ebb2fd7b213ebd32f158a76a99526c4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\60820.exec:\60820.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\8486464.exec:\8486464.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\64444.exec:\64444.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\0448248.exec:\0448248.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\1btnbb.exec:\1btnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\068204.exec:\068204.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\vdpjd.exec:\vdpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\00608.exec:\00608.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\64260.exec:\64260.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\ntnhbn.exec:\ntnhbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\000826.exec:\000826.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\00448.exec:\00448.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\846280.exec:\846280.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\jdvjd.exec:\jdvjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\lxrlxxl.exec:\lxrlxxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\vjdpj.exec:\vjdpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\c464828.exec:\c464828.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\868626.exec:\868626.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\nhhtbt.exec:\nhhtbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\c408660.exec:\c408660.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\62260.exec:\62260.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
\??\c:\dvdpd.exec:\dvdpd.exe23⤵
- Executes dropped EXE
PID:1532 -
\??\c:\7fxxxrr.exec:\7fxxxrr.exe24⤵
- Executes dropped EXE
PID:5028 -
\??\c:\2248264.exec:\2248264.exe25⤵
- Executes dropped EXE
PID:4896 -
\??\c:\422604.exec:\422604.exe26⤵
- Executes dropped EXE
PID:996 -
\??\c:\82068.exec:\82068.exe27⤵
- Executes dropped EXE
PID:3896 -
\??\c:\022288.exec:\022288.exe28⤵
- Executes dropped EXE
PID:2412 -
\??\c:\hbbtnn.exec:\hbbtnn.exe29⤵
- Executes dropped EXE
PID:4976 -
\??\c:\240482.exec:\240482.exe30⤵
- Executes dropped EXE
PID:740 -
\??\c:\7ppjd.exec:\7ppjd.exe31⤵
- Executes dropped EXE
PID:3688 -
\??\c:\jvjjp.exec:\jvjjp.exe32⤵
- Executes dropped EXE
PID:2368 -
\??\c:\xfxrlfx.exec:\xfxrlfx.exe33⤵
- Executes dropped EXE
PID:3276 -
\??\c:\00082.exec:\00082.exe34⤵
- Executes dropped EXE
PID:4556 -
\??\c:\hbtbtt.exec:\hbtbtt.exe35⤵
- Executes dropped EXE
PID:1824 -
\??\c:\4402848.exec:\4402848.exe36⤵
- Executes dropped EXE
PID:1016 -
\??\c:\82824.exec:\82824.exe37⤵
- Executes dropped EXE
PID:4384 -
\??\c:\vddjj.exec:\vddjj.exe38⤵
- Executes dropped EXE
PID:1128 -
\??\c:\246600.exec:\246600.exe39⤵
- Executes dropped EXE
PID:3440 -
\??\c:\jjjvvd.exec:\jjjvvd.exe40⤵
- Executes dropped EXE
PID:908 -
\??\c:\flxxrrr.exec:\flxxrrr.exe41⤵
- Executes dropped EXE
PID:4628 -
\??\c:\nthbtt.exec:\nthbtt.exe42⤵
- Executes dropped EXE
PID:2796 -
\??\c:\02882.exec:\02882.exe43⤵
- Executes dropped EXE
PID:1360 -
\??\c:\8626600.exec:\8626600.exe44⤵
- Executes dropped EXE
PID:3712 -
\??\c:\6024826.exec:\6024826.exe45⤵
- Executes dropped EXE
PID:2348 -
\??\c:\jvjjd.exec:\jvjjd.exe46⤵
- Executes dropped EXE
PID:2820 -
\??\c:\4004484.exec:\4004484.exe47⤵
- Executes dropped EXE
PID:2524 -
\??\c:\llrxxxx.exec:\llrxxxx.exe48⤵
- Executes dropped EXE
PID:4452 -
\??\c:\rfrxfll.exec:\rfrxfll.exe49⤵
- Executes dropped EXE
PID:4652 -
\??\c:\bntttt.exec:\bntttt.exe50⤵
- Executes dropped EXE
PID:4344 -
\??\c:\2460004.exec:\2460004.exe51⤵
- Executes dropped EXE
PID:2912 -
\??\c:\00022.exec:\00022.exe52⤵
- Executes dropped EXE
PID:5008 -
\??\c:\dvpdv.exec:\dvpdv.exe53⤵
- Executes dropped EXE
PID:2928 -
\??\c:\thnhhh.exec:\thnhhh.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908 -
\??\c:\24000.exec:\24000.exe55⤵
- Executes dropped EXE
PID:4436 -
\??\c:\2666000.exec:\2666000.exe56⤵
- Executes dropped EXE
PID:2356 -
\??\c:\dvvvd.exec:\dvvvd.exe57⤵
- Executes dropped EXE
PID:3160 -
\??\c:\842280.exec:\842280.exe58⤵
- Executes dropped EXE
PID:2624 -
\??\c:\jdjdv.exec:\jdjdv.exe59⤵
- Executes dropped EXE
PID:3504 -
\??\c:\vddpj.exec:\vddpj.exe60⤵
- Executes dropped EXE
PID:2024 -
\??\c:\w40848.exec:\w40848.exe61⤵
- Executes dropped EXE
PID:1560 -
\??\c:\0882004.exec:\0882004.exe62⤵
- Executes dropped EXE
PID:1512 -
\??\c:\8042608.exec:\8042608.exe63⤵
- Executes dropped EXE
PID:4632 -
\??\c:\thttnh.exec:\thttnh.exe64⤵
- Executes dropped EXE
PID:3088 -
\??\c:\w06260.exec:\w06260.exe65⤵
- Executes dropped EXE
PID:4980 -
\??\c:\62082.exec:\62082.exe66⤵PID:2372
-
\??\c:\hhhtnh.exec:\hhhtnh.exe67⤵PID:2044
-
\??\c:\86624.exec:\86624.exe68⤵PID:4716
-
\??\c:\fflllfx.exec:\fflllfx.exe69⤵PID:1540
-
\??\c:\nnhhbb.exec:\nnhhbb.exe70⤵PID:2916
-
\??\c:\xrfrlfx.exec:\xrfrlfx.exe71⤵PID:3932
-
\??\c:\622648.exec:\622648.exe72⤵PID:2692
-
\??\c:\u444220.exec:\u444220.exe73⤵PID:3152
-
\??\c:\46202.exec:\46202.exe74⤵PID:5080
-
\??\c:\bbbbnt.exec:\bbbbnt.exe75⤵PID:1388
-
\??\c:\hhnnbb.exec:\hhnnbb.exe76⤵PID:4476
-
\??\c:\1lfrlfr.exec:\1lfrlfr.exe77⤵PID:3204
-
\??\c:\84488.exec:\84488.exe78⤵PID:2776
-
\??\c:\a8442.exec:\a8442.exe79⤵PID:1464
-
\??\c:\xffxrff.exec:\xffxrff.exe80⤵PID:384
-
\??\c:\s6608.exec:\s6608.exe81⤵PID:4092
-
\??\c:\jvvjd.exec:\jvvjd.exe82⤵PID:4896
-
\??\c:\60200.exec:\60200.exe83⤵PID:3796
-
\??\c:\thnhhb.exec:\thnhhb.exe84⤵PID:1568
-
\??\c:\48480.exec:\48480.exe85⤵PID:1112
-
\??\c:\1ppvd.exec:\1ppvd.exe86⤵PID:768
-
\??\c:\02280.exec:\02280.exe87⤵PID:884
-
\??\c:\26264.exec:\26264.exe88⤵PID:4284
-
\??\c:\0460482.exec:\0460482.exe89⤵PID:1564
-
\??\c:\04628.exec:\04628.exe90⤵PID:3184
-
\??\c:\2644664.exec:\2644664.exe91⤵PID:2644
-
\??\c:\c626042.exec:\c626042.exe92⤵PID:3880
-
\??\c:\vjjdv.exec:\vjjdv.exe93⤵PID:1844
-
\??\c:\3jpjd.exec:\3jpjd.exe94⤵PID:400
-
\??\c:\9btnbn.exec:\9btnbn.exe95⤵PID:4088
-
\??\c:\640482.exec:\640482.exe96⤵PID:1580
-
\??\c:\vpvdd.exec:\vpvdd.exe97⤵PID:1360
-
\??\c:\xflxlfx.exec:\xflxlfx.exe98⤵PID:4776
-
\??\c:\4266426.exec:\4266426.exe99⤵PID:4924
-
\??\c:\bnntbh.exec:\bnntbh.exe100⤵PID:4460
-
\??\c:\3tnhtn.exec:\3tnhtn.exe101⤵PID:1376
-
\??\c:\044048.exec:\044048.exe102⤵PID:2336
-
\??\c:\jppjd.exec:\jppjd.exe103⤵PID:2592
-
\??\c:\llrlffx.exec:\llrlffx.exe104⤵PID:2248
-
\??\c:\btbtnn.exec:\btbtnn.exe105⤵PID:4844
-
\??\c:\djjvj.exec:\djjvj.exe106⤵PID:2944
-
\??\c:\o608664.exec:\o608664.exe107⤵PID:4304
-
\??\c:\0882284.exec:\0882284.exe108⤵PID:4468
-
\??\c:\9nthth.exec:\9nthth.exe109⤵PID:3076
-
\??\c:\8680600.exec:\8680600.exe110⤵PID:3968
-
\??\c:\rlfrrxr.exec:\rlfrrxr.exe111⤵PID:804
-
\??\c:\jvvjd.exec:\jvvjd.exe112⤵PID:2340
-
\??\c:\tnbbnn.exec:\tnbbnn.exe113⤵PID:2088
-
\??\c:\bhtnbb.exec:\bhtnbb.exe114⤵PID:4280
-
\??\c:\i004822.exec:\i004822.exe115⤵PID:1420
-
\??\c:\602648.exec:\602648.exe116⤵PID:1860
-
\??\c:\vppdp.exec:\vppdp.exe117⤵PID:1864
-
\??\c:\1xrfxrl.exec:\1xrfxrl.exe118⤵PID:4868
-
\??\c:\xlfxrlf.exec:\xlfxrlf.exe119⤵PID:4980
-
\??\c:\0886640.exec:\0886640.exe120⤵PID:4920
-
\??\c:\4604666.exec:\4604666.exe121⤵PID:1460
-
\??\c:\lrfrfxx.exec:\lrfrfxx.exe122⤵PID:3260
-