Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
afc524e773e3dd2de0fefa7796b77a19e2b041368e94677cb5a6bb2bd2d26a70.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
afc524e773e3dd2de0fefa7796b77a19e2b041368e94677cb5a6bb2bd2d26a70.exe
-
Size
455KB
-
MD5
748482d0d8d90b3230548294f5fc4984
-
SHA1
67ceb87dd41febb17cc35dde03af287f27123f3f
-
SHA256
afc524e773e3dd2de0fefa7796b77a19e2b041368e94677cb5a6bb2bd2d26a70
-
SHA512
7627ced0915c419ac85b6ea52bab4ea884d7ec0343c6b2a0d6f55989011e67703d200dcb5d2f7396251e206449139b8754a7cd06b0e1c4f5c6f065f1faf7019d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4324-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5100-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2416-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-774-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-802-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-1140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 628 220022.exe 2912 m0662.exe 4544 2262888.exe 2736 448468.exe 4932 vvddv.exe 4536 488084.exe 1440 66666.exe 4552 c448882.exe 4396 9ppjd.exe 1692 0804048.exe 4752 pdvjd.exe 2848 2888226.exe 1688 htnbtn.exe 636 8286828.exe 3256 46042.exe 3552 866280.exe 4004 bttnbt.exe 3236 9nnbbt.exe 5096 w66048.exe 4828 jjvpv.exe 220 482226.exe 4452 bhhbbb.exe 2172 26826.exe 1180 pjpjv.exe 4808 602264.exe 4112 lrrlfrl.exe 4484 828822.exe 4824 8260624.exe 5100 24044.exe 5092 g8048.exe 4036 vpvpv.exe 2956 nhthtt.exe 5084 620488.exe 4148 rfxxrlf.exe 4792 fllfrff.exe 2356 jdppj.exe 2396 482266.exe 3888 xxlflrx.exe 4028 5thbhn.exe 4336 rlllflf.exe 720 024488.exe 1528 ththbb.exe 544 a0660.exe 3912 62826.exe 928 k86600.exe 2968 rlxxxff.exe 1164 068222.exe 3704 8226622.exe 5028 flrrlll.exe 1796 402602.exe 2444 4000046.exe 2616 jpppv.exe 3140 jjjvp.exe 1376 vdpdp.exe 3812 w08200.exe 1308 7xrrfxr.exe 5108 vjvpj.exe 2552 djjjd.exe 2924 406644.exe 3248 7tttbb.exe 1816 86006.exe 4420 1ffrfxr.exe 1540 rlfxflr.exe 4556 pvddv.exe -
resource yara_rule behavioral2/memory/4324-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4808-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-386-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2672-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/508-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-670-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 448468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6088262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i448664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k26648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnh.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4324 wrote to memory of 628 4324 afc524e773e3dd2de0fefa7796b77a19e2b041368e94677cb5a6bb2bd2d26a70.exe 83 PID 4324 wrote to memory of 628 4324 afc524e773e3dd2de0fefa7796b77a19e2b041368e94677cb5a6bb2bd2d26a70.exe 83 PID 4324 wrote to memory of 628 4324 afc524e773e3dd2de0fefa7796b77a19e2b041368e94677cb5a6bb2bd2d26a70.exe 83 PID 628 wrote to memory of 2912 628 220022.exe 84 PID 628 wrote to memory of 2912 628 220022.exe 84 PID 628 wrote to memory of 2912 628 220022.exe 84 PID 2912 wrote to memory of 4544 2912 m0662.exe 85 PID 2912 wrote to memory of 4544 2912 m0662.exe 85 PID 2912 wrote to memory of 4544 2912 m0662.exe 85 PID 4544 wrote to memory of 2736 4544 2262888.exe 86 PID 4544 wrote to memory of 2736 4544 2262888.exe 86 PID 4544 wrote to memory of 2736 4544 2262888.exe 86 PID 2736 wrote to memory of 4932 2736 448468.exe 87 PID 2736 wrote to memory of 4932 2736 448468.exe 87 PID 2736 wrote to memory of 4932 2736 448468.exe 87 PID 4932 wrote to memory of 4536 4932 vvddv.exe 88 PID 4932 wrote to memory of 4536 4932 vvddv.exe 88 PID 4932 wrote to memory of 4536 4932 vvddv.exe 88 PID 4536 wrote to memory of 1440 4536 488084.exe 89 PID 4536 wrote to memory of 1440 4536 488084.exe 89 PID 4536 wrote to memory of 1440 4536 488084.exe 89 PID 1440 wrote to memory of 4552 1440 66666.exe 90 PID 1440 wrote to memory of 4552 1440 66666.exe 90 PID 1440 wrote to memory of 4552 1440 66666.exe 90 PID 4552 wrote to memory of 4396 4552 c448882.exe 91 PID 4552 wrote to memory of 4396 4552 c448882.exe 91 PID 4552 wrote to memory of 4396 4552 c448882.exe 91 PID 4396 wrote to memory of 1692 4396 9ppjd.exe 92 PID 4396 wrote to memory of 1692 4396 9ppjd.exe 92 PID 4396 wrote to memory of 1692 4396 9ppjd.exe 92 PID 1692 wrote to memory of 4752 1692 0804048.exe 93 PID 1692 wrote to memory of 4752 1692 0804048.exe 93 PID 1692 wrote to memory of 4752 1692 0804048.exe 93 PID 4752 wrote to memory of 2848 4752 pdvjd.exe 94 PID 4752 wrote to memory of 2848 
4752 pdvjd.exe 94 PID 4752 wrote to memory of 2848 4752 pdvjd.exe 94 PID 2848 wrote to memory of 1688 2848 2888226.exe 95 PID 2848 wrote to memory of 1688 2848 2888226.exe 95 PID 2848 wrote to memory of 1688 2848 2888226.exe 95 PID 1688 wrote to memory of 636 1688 htnbtn.exe 96 PID 1688 wrote to memory of 636 1688 htnbtn.exe 96 PID 1688 wrote to memory of 636 1688 htnbtn.exe 96 PID 636 wrote to memory of 3256 636 8286828.exe 97 PID 636 wrote to memory of 3256 636 8286828.exe 97 PID 636 wrote to memory of 3256 636 8286828.exe 97 PID 3256 wrote to memory of 3552 3256 46042.exe 98 PID 3256 wrote to memory of 3552 3256 46042.exe 98 PID 3256 wrote to memory of 3552 3256 46042.exe 98 PID 3552 wrote to memory of 4004 3552 866280.exe 99 PID 3552 wrote to memory of 4004 3552 866280.exe 99 PID 3552 wrote to memory of 4004 3552 866280.exe 99 PID 4004 wrote to memory of 3236 4004 bttnbt.exe 100 PID 4004 wrote to memory of 3236 4004 bttnbt.exe 100 PID 4004 wrote to memory of 3236 4004 bttnbt.exe 100 PID 3236 wrote to memory of 5096 3236 9nnbbt.exe 101 PID 3236 wrote to memory of 5096 3236 9nnbbt.exe 101 PID 3236 wrote to memory of 5096 3236 9nnbbt.exe 101 PID 5096 wrote to memory of 4828 5096 w66048.exe 102 PID 5096 wrote to memory of 4828 5096 w66048.exe 102 PID 5096 wrote to memory of 4828 5096 w66048.exe 102 PID 4828 wrote to memory of 220 4828 jjvpv.exe 103 PID 4828 wrote to memory of 220 4828 jjvpv.exe 103 PID 4828 wrote to memory of 220 4828 jjvpv.exe 103 PID 220 wrote to memory of 4452 220 482226.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\afc524e773e3dd2de0fefa7796b77a19e2b041368e94677cb5a6bb2bd2d26a70.exe"C:\Users\Admin\AppData\Local\Temp\afc524e773e3dd2de0fefa7796b77a19e2b041368e94677cb5a6bb2bd2d26a70.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\220022.exec:\220022.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\m0662.exec:\m0662.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\2262888.exec:\2262888.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\448468.exec:\448468.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\vvddv.exec:\vvddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\488084.exec:\488084.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\66666.exec:\66666.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\c448882.exec:\c448882.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\9ppjd.exec:\9ppjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\0804048.exec:\0804048.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\pdvjd.exec:\pdvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\2888226.exec:\2888226.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\htnbtn.exec:\htnbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\8286828.exec:\8286828.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\46042.exec:\46042.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\866280.exec:\866280.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\bttnbt.exec:\bttnbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\9nnbbt.exec:\9nnbbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\w66048.exec:\w66048.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\jjvpv.exec:\jjvpv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\482226.exec:\482226.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\bhhbbb.exec:\bhhbbb.exe23⤵
- Executes dropped EXE
PID:4452 -
\??\c:\26826.exec:\26826.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172 -
\??\c:\pjpjv.exec:\pjpjv.exe25⤵
- Executes dropped EXE
PID:1180 -
\??\c:\602264.exec:\602264.exe26⤵
- Executes dropped EXE
PID:4808 -
\??\c:\lrrlfrl.exec:\lrrlfrl.exe27⤵
- Executes dropped EXE
PID:4112 -
\??\c:\828822.exec:\828822.exe28⤵
- Executes dropped EXE
PID:4484 -
\??\c:\8260624.exec:\8260624.exe29⤵
- Executes dropped EXE
PID:4824 -
\??\c:\24044.exec:\24044.exe30⤵
- Executes dropped EXE
PID:5100 -
\??\c:\g8048.exec:\g8048.exe31⤵
- Executes dropped EXE
PID:5092 -
\??\c:\vpvpv.exec:\vpvpv.exe32⤵
- Executes dropped EXE
PID:4036 -
\??\c:\nhthtt.exec:\nhthtt.exe33⤵
- Executes dropped EXE
PID:2956 -
\??\c:\620488.exec:\620488.exe34⤵
- Executes dropped EXE
PID:5084 -
\??\c:\rfxxrlf.exec:\rfxxrlf.exe35⤵
- Executes dropped EXE
PID:4148 -
\??\c:\fllfrff.exec:\fllfrff.exe36⤵
- Executes dropped EXE
PID:4792 -
\??\c:\jdppj.exec:\jdppj.exe37⤵
- Executes dropped EXE
PID:2356 -
\??\c:\482266.exec:\482266.exe38⤵
- Executes dropped EXE
PID:2396 -
\??\c:\xxlflrx.exec:\xxlflrx.exe39⤵
- Executes dropped EXE
PID:3888 -
\??\c:\5thbhn.exec:\5thbhn.exe40⤵
- Executes dropped EXE
PID:4028 -
\??\c:\rlllflf.exec:\rlllflf.exe41⤵
- Executes dropped EXE
PID:4336 -
\??\c:\024488.exec:\024488.exe42⤵
- Executes dropped EXE
PID:720 -
\??\c:\ththbb.exec:\ththbb.exe43⤵
- Executes dropped EXE
PID:1528 -
\??\c:\a0660.exec:\a0660.exe44⤵
- Executes dropped EXE
PID:544 -
\??\c:\62826.exec:\62826.exe45⤵
- Executes dropped EXE
PID:3912 -
\??\c:\k86600.exec:\k86600.exe46⤵
- Executes dropped EXE
PID:928 -
\??\c:\rlxxxff.exec:\rlxxxff.exe47⤵
- Executes dropped EXE
PID:2968 -
\??\c:\068222.exec:\068222.exe48⤵
- Executes dropped EXE
PID:1164 -
\??\c:\8226622.exec:\8226622.exe49⤵
- Executes dropped EXE
PID:3704 -
\??\c:\flrrlll.exec:\flrrlll.exe50⤵
- Executes dropped EXE
PID:5028 -
\??\c:\402602.exec:\402602.exe51⤵
- Executes dropped EXE
PID:1796 -
\??\c:\4000046.exec:\4000046.exe52⤵
- Executes dropped EXE
PID:2444 -
\??\c:\jpppv.exec:\jpppv.exe53⤵
- Executes dropped EXE
PID:2616 -
\??\c:\jjjvp.exec:\jjjvp.exe54⤵
- Executes dropped EXE
PID:3140 -
\??\c:\vdpdp.exec:\vdpdp.exe55⤵
- Executes dropped EXE
PID:1376 -
\??\c:\w08200.exec:\w08200.exe56⤵
- Executes dropped EXE
PID:3812 -
\??\c:\7xrrfxr.exec:\7xrrfxr.exe57⤵
- Executes dropped EXE
PID:1308 -
\??\c:\vjvpj.exec:\vjvpj.exe58⤵
- Executes dropped EXE
PID:5108 -
\??\c:\djjjd.exec:\djjjd.exe59⤵
- Executes dropped EXE
PID:2552 -
\??\c:\406644.exec:\406644.exe60⤵
- Executes dropped EXE
PID:2924 -
\??\c:\7tttbb.exec:\7tttbb.exe61⤵
- Executes dropped EXE
PID:3248 -
\??\c:\86006.exec:\86006.exe62⤵
- Executes dropped EXE
PID:1816 -
\??\c:\1ffrfxr.exec:\1ffrfxr.exe63⤵
- Executes dropped EXE
PID:4420 -
\??\c:\rlfxflr.exec:\rlfxflr.exe64⤵
- Executes dropped EXE
PID:1540 -
\??\c:\pvddv.exec:\pvddv.exe65⤵
- Executes dropped EXE
PID:4556 -
\??\c:\frxrrrl.exec:\frxrrrl.exe66⤵PID:3724
-
\??\c:\648260.exec:\648260.exe67⤵PID:1016
-
\??\c:\86004.exec:\86004.exe68⤵PID:1552
-
\??\c:\26484.exec:\26484.exe69⤵PID:4920
-
\??\c:\dpppj.exec:\dpppj.exe70⤵PID:3124
-
\??\c:\e62040.exec:\e62040.exe71⤵PID:4004
-
\??\c:\88260.exec:\88260.exe72⤵PID:4800
-
\??\c:\6622048.exec:\6622048.exe73⤵PID:2920
-
\??\c:\228606.exec:\228606.exe74⤵PID:3616
-
\??\c:\3vvpj.exec:\3vvpj.exe75⤵PID:2304
-
\??\c:\jdjdp.exec:\jdjdp.exe76⤵PID:2660
-
\??\c:\g8486.exec:\g8486.exe77⤵PID:1560
-
\??\c:\c220826.exec:\c220826.exe78⤵PID:2856
-
\??\c:\u666480.exec:\u666480.exe79⤵PID:3312
-
\??\c:\888042.exec:\888042.exe80⤵PID:4960
-
\??\c:\hnthtn.exec:\hnthtn.exe81⤵PID:2708
-
\??\c:\nnhthh.exec:\nnhthh.exe82⤵PID:2192
-
\??\c:\260828.exec:\260828.exe83⤵PID:3152
-
\??\c:\8442482.exec:\8442482.exe84⤵PID:1180
-
\??\c:\1hbntn.exec:\1hbntn.exe85⤵PID:740
-
\??\c:\262282.exec:\262282.exe86⤵PID:460
-
\??\c:\4608666.exec:\4608666.exe87⤵PID:1844
-
\??\c:\3jppj.exec:\3jppj.exe88⤵PID:1960
-
\??\c:\btnhbt.exec:\btnhbt.exe89⤵PID:2416
-
\??\c:\bhnnhh.exec:\bhnnhh.exe90⤵PID:4824
-
\??\c:\7nhhtn.exec:\7nhhtn.exe91⤵PID:4656
-
\??\c:\q22266.exec:\q22266.exe92⤵PID:4000
-
\??\c:\86266.exec:\86266.exe93⤵PID:768
-
\??\c:\rlxrrrr.exec:\rlxrrrr.exe94⤵PID:2672
-
\??\c:\o006484.exec:\o006484.exe95⤵PID:5008
-
\??\c:\2662624.exec:\2662624.exe96⤵PID:1612
-
\??\c:\644060.exec:\644060.exe97⤵PID:4148
-
\??\c:\0220820.exec:\0220820.exe98⤵PID:1640
-
\??\c:\088268.exec:\088268.exe99⤵PID:2356
-
\??\c:\vdjdj.exec:\vdjdj.exe100⤵PID:4768
-
\??\c:\1jpjd.exec:\1jpjd.exe101⤵PID:3492
-
\??\c:\rxxlfff.exec:\rxxlfff.exe102⤵PID:4372
-
\??\c:\0448882.exec:\0448882.exe103⤵PID:3988
-
\??\c:\5jvpj.exec:\5jvpj.exe104⤵PID:2016
-
\??\c:\20046.exec:\20046.exe105⤵PID:4324
-
\??\c:\vjjvj.exec:\vjjvj.exe106⤵PID:1992
-
\??\c:\244466.exec:\244466.exe107⤵PID:4572
-
\??\c:\bttnhh.exec:\bttnhh.exe108⤵PID:3820
-
\??\c:\02482.exec:\02482.exe109⤵PID:1564
-
\??\c:\tntnhh.exec:\tntnhh.exe110⤵PID:4872
-
\??\c:\tnnbnt.exec:\tnnbnt.exe111⤵PID:2308
-
\??\c:\84020.exec:\84020.exe112⤵PID:3588
-
\??\c:\20604.exec:\20604.exe113⤵PID:2688
-
\??\c:\886060.exec:\886060.exe114⤵PID:4816
-
\??\c:\hthtnt.exec:\hthtnt.exe115⤵PID:1700
-
\??\c:\rfrfxxr.exec:\rfrfxxr.exe116⤵PID:2444
-
\??\c:\jjvpp.exec:\jjvpp.exe117⤵PID:3108
-
\??\c:\rfffxxf.exec:\rfffxxf.exe118⤵PID:4472
-
\??\c:\08426.exec:\08426.exe119⤵PID:2012
-
\??\c:\i622042.exec:\i622042.exe120⤵PID:2668
-
\??\c:\flrfrlx.exec:\flrfrlx.exe121⤵
- System Location Discovery: System Language Discovery
PID:1152 -
\??\c:\1pppv.exec:\1pppv.exe122⤵PID:1692