Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
11-01-2025 06:52
Behavioral task
behavioral1
Sample
628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe
-
Size
332KB
-
MD5
e9c6aba882f31d4522e21764a9ab93e0
-
SHA1
f596e5f869e4afeaa07e75a8575f501dc2a72ec6
-
SHA256
628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845
-
SHA512
5ea78b7e4b42439b3c937e8793cd33cbc702a5bedbb1e1797b39512bae9515a2b25015971bc6c88d0dd520ef7bfadddbed36f12393450c9e4fa44bee55c90c1b
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeO:R4wFHoSHYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4500-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3268-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2352-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3352-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1324-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1132-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2424-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2004-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2556-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/676-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4924-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4304-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1440-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2388-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1628-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1648-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3684-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3044-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1484-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2820-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1888-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1676-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/660-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1124-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1568-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1912-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4820-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3504-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1532-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2876-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1560-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1484-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-380-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4900-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2912-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4308-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2460-465-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1740-487-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-580-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4516-595-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2672-600-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2324-673-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-1127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5088-1187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4940 pjjdd.exe 4420 o200884.exe 3268 k84046.exe 5012 xxrlffx.exe 1324 484288.exe 2352 826680.exe 3352 xlxxxll.exe 4316 8084466.exe 1132 ppppp.exe 2004 064484.exe 2424 086680.exe 676 xxllffx.exe 5076 64004.exe 2556 202262.exe 4272 vddvp.exe 5000 nnbtnn.exe 4304 826000.exe 3964 4022222.exe 4924 hnbbtt.exe 1440 6808226.exe 5104 82460.exe 3252 q08222.exe 2388 1jvvp.exe 180 o628266.exe 1648 lxlffff.exe 1628 6402884.exe 1528 44402.exe 3684 vpvpj.exe 4356 8444006.exe 3044 244888.exe 2564 0682882.exe 836 884826.exe 4992 608828.exe 3772 btnhtb.exe 4188 vjppd.exe 884 vvpjj.exe 4380 2404882.exe 2592 480404.exe 1484 46442.exe 2820 xflfxxx.exe 1888 7bnhnn.exe 2932 802288.exe 1676 vppjd.exe 912 6244882.exe 1728 04826.exe 3612 bntnnn.exe 660 1tnbbt.exe 1124 u200022.exe 2940 24628.exe 3264 ppjpp.exe 1544 66006.exe 3676 846044.exe 1924 i422240.exe 3656 640488.exe 3332 020486.exe 4880 0448224.exe 4408 6888222.exe 2676 i062222.exe 1840 9pvpj.exe 1104 rxlfxxf.exe 3084 42828.exe 2252 846604.exe 2908 6084440.exe 4756 064422.exe -
resource yara_rule behavioral2/memory/4500-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c52-3.dat upx behavioral2/memory/4500-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4940-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-9.dat upx behavioral2/files/0x0007000000023cb2-11.dat upx behavioral2/memory/4420-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-18.dat upx behavioral2/memory/3268-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-24.dat upx behavioral2/memory/5012-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-29.dat upx behavioral2/memory/2352-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-35.dat upx behavioral2/memory/2352-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3352-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1324-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-40.dat upx behavioral2/files/0x0007000000023cb8-44.dat upx behavioral2/memory/4316-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-49.dat upx behavioral2/memory/1132-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-54.dat upx behavioral2/memory/2424-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2004-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cae-60.dat upx behavioral2/files/0x0007000000023cbb-64.dat upx behavioral2/files/0x0007000000023cbc-71.dat upx behavioral2/memory/2556-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/676-68-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/5076-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-75.dat upx behavioral2/files/0x0007000000023cbe-79.dat upx behavioral2/memory/4272-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-84.dat upx behavioral2/files/0x0007000000023cc0-90.dat upx behavioral2/files/0x0007000000023cc1-94.dat upx behavioral2/files/0x0007000000023cc2-99.dat upx behavioral2/memory/4924-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3964-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4304-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1440-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-104.dat upx behavioral2/files/0x0007000000023cc4-108.dat upx behavioral2/files/0x0007000000023cc5-112.dat upx behavioral2/memory/3252-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-118.dat upx behavioral2/memory/2388-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc8-122.dat upx behavioral2/files/0x0007000000023cc9-127.dat upx behavioral2/memory/1628-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1648-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-132.dat upx behavioral2/memory/3684-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-142.dat upx behavioral2/files/0x0007000000023ccd-146.dat upx behavioral2/memory/3044-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccb-137.dat upx behavioral2/files/0x0007000000023cce-150.dat upx behavioral2/files/0x0007000000023ccf-155.dat upx behavioral2/memory/4992-160-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4188-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1484-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2820-177-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtth.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k84046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvju.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4822280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nthtn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0664864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4500 wrote to memory of 4940 4500 628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe 83 PID 4500 wrote to memory of 4940 4500 628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe 83 PID 4500 wrote to memory of 4940 4500 628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe 83 PID 4940 wrote to memory of 4420 4940 pjjdd.exe 84 PID 4940 wrote to memory of 4420 4940 pjjdd.exe 84 PID 4940 wrote to memory of 4420 4940 pjjdd.exe 84 PID 4420 wrote to memory of 3268 4420 o200884.exe 85 PID 4420 wrote to memory of 3268 4420 o200884.exe 85 PID 4420 wrote to memory of 3268 4420 o200884.exe 85 PID 3268 wrote to memory of 5012 3268 k84046.exe 86 PID 3268 wrote to memory of 5012 3268 k84046.exe 86 PID 3268 wrote to memory of 5012 3268 k84046.exe 86 PID 5012 wrote to memory of 1324 5012 xxrlffx.exe 87 PID 5012 wrote to memory of 1324 5012 xxrlffx.exe 87 PID 5012 wrote to memory of 1324 5012 xxrlffx.exe 87 PID 1324 wrote to memory of 2352 1324 484288.exe 88 PID 1324 wrote to memory of 2352 1324 484288.exe 88 PID 1324 wrote to memory of 2352 1324 484288.exe 88 PID 2352 wrote to memory of 3352 2352 826680.exe 89 PID 2352 wrote to memory of 3352 2352 826680.exe 89 PID 2352 wrote to memory of 3352 2352 826680.exe 89 PID 3352 wrote to memory of 4316 3352 xlxxxll.exe 90 PID 3352 wrote to memory of 4316 3352 xlxxxll.exe 90 PID 3352 wrote to memory of 4316 3352 xlxxxll.exe 90 PID 4316 wrote to memory of 1132 4316 8084466.exe 91 PID 4316 wrote to memory of 1132 4316 8084466.exe 91 PID 4316 wrote to memory of 1132 4316 8084466.exe 91 PID 1132 wrote to memory of 2004 1132 ppppp.exe 92 PID 1132 wrote to memory of 2004 1132 ppppp.exe 92 PID 1132 wrote to memory of 2004 1132 ppppp.exe 92 PID 2004 wrote to memory of 2424 2004 064484.exe 93 PID 2004 wrote to memory of 2424 2004 064484.exe 93 PID 2004 wrote to memory of 2424 2004 064484.exe 93 PID 2424 wrote to memory of 676 2424 086680.exe 94 PID 2424 
wrote to memory of 676 2424 086680.exe 94 PID 2424 wrote to memory of 676 2424 086680.exe 94 PID 676 wrote to memory of 5076 676 xxllffx.exe 95 PID 676 wrote to memory of 5076 676 xxllffx.exe 95 PID 676 wrote to memory of 5076 676 xxllffx.exe 95 PID 5076 wrote to memory of 2556 5076 64004.exe 96 PID 5076 wrote to memory of 2556 5076 64004.exe 96 PID 5076 wrote to memory of 2556 5076 64004.exe 96 PID 2556 wrote to memory of 4272 2556 202262.exe 97 PID 2556 wrote to memory of 4272 2556 202262.exe 97 PID 2556 wrote to memory of 4272 2556 202262.exe 97 PID 4272 wrote to memory of 5000 4272 vddvp.exe 98 PID 4272 wrote to memory of 5000 4272 vddvp.exe 98 PID 4272 wrote to memory of 5000 4272 vddvp.exe 98 PID 5000 wrote to memory of 4304 5000 nnbtnn.exe 99 PID 5000 wrote to memory of 4304 5000 nnbtnn.exe 99 PID 5000 wrote to memory of 4304 5000 nnbtnn.exe 99 PID 4304 wrote to memory of 3964 4304 826000.exe 100 PID 4304 wrote to memory of 3964 4304 826000.exe 100 PID 4304 wrote to memory of 3964 4304 826000.exe 100 PID 3964 wrote to memory of 4924 3964 4022222.exe 101 PID 3964 wrote to memory of 4924 3964 4022222.exe 101 PID 3964 wrote to memory of 4924 3964 4022222.exe 101 PID 4924 wrote to memory of 1440 4924 hnbbtt.exe 102 PID 4924 wrote to memory of 1440 4924 hnbbtt.exe 102 PID 4924 wrote to memory of 1440 4924 hnbbtt.exe 102 PID 1440 wrote to memory of 5104 1440 6808226.exe 103 PID 1440 wrote to memory of 5104 1440 6808226.exe 103 PID 1440 wrote to memory of 5104 1440 6808226.exe 103 PID 5104 wrote to memory of 3252 5104 82460.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe"C:\Users\Admin\AppData\Local\Temp\628a548e4acfc3e0ddbc3f856cbc72dc43f4cdf2f04445c5508a35582a7cf845N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\pjjdd.exec:\pjjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\o200884.exec:\o200884.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\k84046.exec:\k84046.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\xxrlffx.exec:\xxrlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\484288.exec:\484288.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\826680.exec:\826680.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\xlxxxll.exec:\xlxxxll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\8084466.exec:\8084466.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\ppppp.exec:\ppppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\064484.exec:\064484.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\086680.exec:\086680.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\xxllffx.exec:\xxllffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\64004.exec:\64004.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\202262.exec:\202262.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\vddvp.exec:\vddvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\nnbtnn.exec:\nnbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\826000.exec:\826000.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\4022222.exec:\4022222.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\hnbbtt.exec:\hnbbtt.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\6808226.exec:\6808226.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\82460.exec:\82460.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\q08222.exec:\q08222.exe23⤵
- Executes dropped EXE
PID:3252 -
\??\c:\1jvvp.exec:\1jvvp.exe24⤵
- Executes dropped EXE
PID:2388 -
\??\c:\o628266.exec:\o628266.exe25⤵
- Executes dropped EXE
PID:180 -
\??\c:\lxlffff.exec:\lxlffff.exe26⤵
- Executes dropped EXE
PID:1648 -
\??\c:\6402884.exec:\6402884.exe27⤵
- Executes dropped EXE
PID:1628 -
\??\c:\44402.exec:\44402.exe28⤵
- Executes dropped EXE
PID:1528 -
\??\c:\vpvpj.exec:\vpvpj.exe29⤵
- Executes dropped EXE
PID:3684 -
\??\c:\8444006.exec:\8444006.exe30⤵
- Executes dropped EXE
PID:4356 -
\??\c:\244888.exec:\244888.exe31⤵
- Executes dropped EXE
PID:3044 -
\??\c:\0682882.exec:\0682882.exe32⤵
- Executes dropped EXE
PID:2564 -
\??\c:\884826.exec:\884826.exe33⤵
- Executes dropped EXE
PID:836 -
\??\c:\608828.exec:\608828.exe34⤵
- Executes dropped EXE
PID:4992 -
\??\c:\btnhtb.exec:\btnhtb.exe35⤵
- Executes dropped EXE
PID:3772 -
\??\c:\vjppd.exec:\vjppd.exe36⤵
- Executes dropped EXE
PID:4188 -
\??\c:\vvpjj.exec:\vvpjj.exe37⤵
- Executes dropped EXE
PID:884 -
\??\c:\2404882.exec:\2404882.exe38⤵
- Executes dropped EXE
PID:4380 -
\??\c:\480404.exec:\480404.exe39⤵
- Executes dropped EXE
PID:2592 -
\??\c:\46442.exec:\46442.exe40⤵
- Executes dropped EXE
PID:1484 -
\??\c:\xflfxxx.exec:\xflfxxx.exe41⤵
- Executes dropped EXE
PID:2820 -
\??\c:\7bnhnn.exec:\7bnhnn.exe42⤵
- Executes dropped EXE
PID:1888 -
\??\c:\802288.exec:\802288.exe43⤵
- Executes dropped EXE
PID:2932 -
\??\c:\vppjd.exec:\vppjd.exe44⤵
- Executes dropped EXE
PID:1676 -
\??\c:\6244882.exec:\6244882.exe45⤵
- Executes dropped EXE
PID:912 -
\??\c:\04826.exec:\04826.exe46⤵
- Executes dropped EXE
PID:1728 -
\??\c:\bntnnn.exec:\bntnnn.exe47⤵
- Executes dropped EXE
PID:3612 -
\??\c:\1tnbbt.exec:\1tnbbt.exe48⤵
- Executes dropped EXE
PID:660 -
\??\c:\u200022.exec:\u200022.exe49⤵
- Executes dropped EXE
PID:1124 -
\??\c:\24628.exec:\24628.exe50⤵
- Executes dropped EXE
PID:2940 -
\??\c:\ppjpp.exec:\ppjpp.exe51⤵
- Executes dropped EXE
PID:3264 -
\??\c:\66006.exec:\66006.exe52⤵
- Executes dropped EXE
PID:1544 -
\??\c:\846044.exec:\846044.exe53⤵
- Executes dropped EXE
PID:3676 -
\??\c:\i422240.exec:\i422240.exe54⤵
- Executes dropped EXE
PID:1924 -
\??\c:\640488.exec:\640488.exe55⤵
- Executes dropped EXE
PID:3656 -
\??\c:\020486.exec:\020486.exe56⤵
- Executes dropped EXE
PID:3332 -
\??\c:\0448224.exec:\0448224.exe57⤵
- Executes dropped EXE
PID:4880 -
\??\c:\6888222.exec:\6888222.exe58⤵
- Executes dropped EXE
PID:4408 -
\??\c:\i062222.exec:\i062222.exe59⤵
- Executes dropped EXE
PID:2676 -
\??\c:\9pvpj.exec:\9pvpj.exe60⤵
- Executes dropped EXE
PID:1840 -
\??\c:\rxlfxxf.exec:\rxlfxxf.exe61⤵
- Executes dropped EXE
PID:1104 -
\??\c:\42828.exec:\42828.exe62⤵
- Executes dropped EXE
PID:3084 -
\??\c:\846604.exec:\846604.exe63⤵
- Executes dropped EXE
PID:2252 -
\??\c:\6084440.exec:\6084440.exe64⤵
- Executes dropped EXE
PID:2908 -
\??\c:\064422.exec:\064422.exe65⤵
- Executes dropped EXE
PID:4756 -
\??\c:\nthbbb.exec:\nthbbb.exe66⤵PID:1568
-
\??\c:\nnhbtt.exec:\nnhbtt.exe67⤵PID:1912
-
\??\c:\06444.exec:\06444.exe68⤵PID:2028
-
\??\c:\xxfxxxx.exec:\xxfxxxx.exe69⤵PID:3864
-
\??\c:\6688222.exec:\6688222.exe70⤵PID:320
-
\??\c:\w40004.exec:\w40004.exe71⤵PID:4492
-
\??\c:\82220.exec:\82220.exe72⤵PID:4316
-
\??\c:\66062.exec:\66062.exe73⤵PID:2496
-
\??\c:\1hbbth.exec:\1hbbth.exe74⤵PID:1588
-
\??\c:\dvvvv.exec:\dvvvv.exe75⤵PID:1824
-
\??\c:\jddvp.exec:\jddvp.exe76⤵PID:3688
-
\??\c:\pjvvv.exec:\pjvvv.exe77⤵PID:4612
-
\??\c:\bttnnh.exec:\bttnnh.exe78⤵PID:2344
-
\??\c:\ntbthh.exec:\ntbthh.exe79⤵PID:2552
-
\??\c:\nhtntn.exec:\nhtntn.exe80⤵PID:1584
-
\??\c:\84066.exec:\84066.exe81⤵PID:2712
-
\??\c:\vppdv.exec:\vppdv.exe82⤵PID:4820
-
\??\c:\ttthbn.exec:\ttthbn.exe83⤵PID:5096
-
\??\c:\228882.exec:\228882.exe84⤵PID:4616
-
\??\c:\60262.exec:\60262.exe85⤵PID:540
-
\??\c:\2400420.exec:\2400420.exe86⤵PID:2020
-
\??\c:\846082.exec:\846082.exe87⤵PID:3644
-
\??\c:\e00460.exec:\e00460.exe88⤵PID:2068
-
\??\c:\htttnn.exec:\htttnn.exe89⤵PID:5016
-
\??\c:\266042.exec:\266042.exe90⤵PID:3504
-
\??\c:\lxfffff.exec:\lxfffff.exe91⤵PID:1532
-
\??\c:\4060660.exec:\4060660.exe92⤵PID:5080
-
\??\c:\84660.exec:\84660.exe93⤵PID:2388
-
\??\c:\3rrlffx.exec:\3rrlffx.exe94⤵PID:3308
-
\??\c:\lrfrfxl.exec:\lrfrfxl.exe95⤵PID:2460
-
\??\c:\480066.exec:\480066.exe96⤵PID:2876
-
\??\c:\bbbthb.exec:\bbbthb.exe97⤵PID:1560
-
\??\c:\nthhhh.exec:\nthhhh.exe98⤵PID:1112
-
\??\c:\flrlffx.exec:\flrlffx.exe99⤵PID:4008
-
\??\c:\htthbn.exec:\htthbn.exe100⤵PID:4196
-
\??\c:\40602.exec:\40602.exe101⤵PID:2588
-
\??\c:\80600.exec:\80600.exe102⤵PID:4064
-
\??\c:\44008.exec:\44008.exe103⤵PID:4948
-
\??\c:\6408260.exec:\6408260.exe104⤵PID:2860
-
\??\c:\jppdj.exec:\jppdj.exe105⤵PID:2724
-
\??\c:\nhhbnh.exec:\nhhbnh.exe106⤵PID:1740
-
\??\c:\1lfrffl.exec:\1lfrffl.exe107⤵PID:1384
-
\??\c:\8626660.exec:\8626660.exe108⤵PID:4640
-
\??\c:\xflllff.exec:\xflllff.exe109⤵PID:4952
-
\??\c:\vpjjp.exec:\vpjjp.exe110⤵PID:1256
-
\??\c:\22848.exec:\22848.exe111⤵PID:4024
-
\??\c:\s6860.exec:\s6860.exe112⤵PID:1644
-
\??\c:\jvvpd.exec:\jvvpd.exe113⤵PID:1484
-
\??\c:\2404882.exec:\2404882.exe114⤵PID:2820
-
\??\c:\dvvdd.exec:\dvvdd.exe115⤵PID:1944
-
\??\c:\rxxxxxr.exec:\rxxxxxr.exe116⤵PID:3272
-
\??\c:\5bhbbb.exec:\5bhbbb.exe117⤵PID:1676
-
\??\c:\1vpdp.exec:\1vpdp.exe118⤵PID:3884
-
\??\c:\48482.exec:\48482.exe119⤵PID:4772
-
\??\c:\6840042.exec:\6840042.exe120⤵PID:8
-
\??\c:\jdpjd.exec:\jdpjd.exe121⤵PID:2012
-
\??\c:\tthtbn.exec:\tthtbn.exe122⤵PID:1900
-