Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 08:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe
-
Size
455KB
-
MD5
cbf08cd84d56825d88ef5811a63a1c30
-
SHA1
cef66491447a17ee2a67fae8c5c02ffc4f882887
-
SHA256
7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0f
-
SHA512
77fb4aa7436083fd72983bdf25397013a0a9170bb3741cadd7a47aa29c3713b43a671a2323408d90e6b5788c355df326c115a6af59d8884958b96d0bd496e107
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4356-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2104-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3520-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-872-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-1789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1224 2666844.exe 4552 rxfxxff.exe 2996 3jpjp.exe 3968 vjpjd.exe 672 bhntbb.exe 4744 vjjjd.exe 4340 66446.exe 2764 g4602.exe 1992 bhtnnn.exe 1908 82404.exe 1592 246666.exe 524 806484.exe 2220 c626600.exe 3032 48484.exe 4436 tnhbnh.exe 3560 5bhbtt.exe 3520 hhtbnb.exe 2880 i226486.exe 1372 202802.exe 4896 fxffrxr.exe 4220 u008648.exe 1124 3pddp.exe 5104 5hhtnh.exe 1020 22648.exe 4836 6448826.exe 1828 20060.exe 100 thhtnb.exe 1956 i842604.exe 3160 bhnnbn.exe 2136 8282266.exe 884 c668204.exe 5004 7jdvj.exe 2708 fxxlxlf.exe 3088 8660488.exe 2740 htthtn.exe 3624 xrrflff.exe 4876 02286.exe 4548 vpdpv.exe 2336 644860.exe 3420 tththt.exe 432 04486.exe 1572 rffxrlx.exe 2644 ddjjj.exe 2040 62642.exe 5096 w06408.exe 620 jjjvj.exe 4812 lllxlfr.exe 3164 284826.exe 2900 xrxrrlr.exe 2132 vdjdd.exe 1160 66264.exe 1360 9ththb.exe 4040 bbbnnh.exe 4872 htnhnh.exe 2276 nhnnnb.exe 2812 bthbtb.exe 3908 nbhbnn.exe 3476 rrrxrxr.exe 3292 hnhbhh.exe 672 3ttnbb.exe 2700 rxrlxlr.exe 2104 68488.exe 2852 nhhnhh.exe 2864 1vdvd.exe -
resource yara_rule behavioral2/memory/4356-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-284-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2812-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-68-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1592-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-821-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-825-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-832-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6244888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6448260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u826044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
nhnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8286604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4282648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0060488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i664264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4356 wrote to memory of 1224 4356 7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe 83 PID 4356 wrote to memory of 1224 4356 7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe 83 PID 4356 wrote to memory of 1224 4356 7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe 83 PID 1224 wrote to memory of 4552 1224 2666844.exe 84 PID 1224 wrote to memory of 4552 1224 2666844.exe 84 PID 1224 wrote to memory of 4552 1224 2666844.exe 84 PID 4552 wrote to memory of 2996 4552 rxfxxff.exe 85 PID 4552 wrote to memory of 2996 4552 rxfxxff.exe 85 PID 4552 wrote to memory of 2996 4552 rxfxxff.exe 85 PID 2996 wrote to memory of 3968 2996 3jpjp.exe 86 PID 2996 wrote to memory of 3968 2996 3jpjp.exe 86 PID 2996 wrote to memory of 3968 2996 3jpjp.exe 86 PID 3968 wrote to memory of 672 3968 vjpjd.exe 142 PID 3968 wrote to memory of 672 3968 vjpjd.exe 142 PID 3968 wrote to memory of 672 3968 vjpjd.exe 142 PID 672 wrote to memory of 4744 672 bhntbb.exe 88 PID 672 wrote to memory of 4744 672 bhntbb.exe 88 PID 672 wrote to memory of 4744 672 bhntbb.exe 88 PID 4744 wrote to memory of 4340 4744 vjjjd.exe 89 PID 4744 wrote to memory of 4340 4744 vjjjd.exe 89 PID 4744 wrote to memory of 4340 4744 vjjjd.exe 89 PID 4340 wrote to memory of 2764 4340 66446.exe 90 PID 4340 wrote to memory of 2764 4340 66446.exe 90 PID 4340 wrote to memory of 2764 4340 66446.exe 90 PID 2764 wrote to memory of 1992 2764 g4602.exe 91 PID 2764 wrote to memory of 1992 2764 g4602.exe 91 PID 2764 wrote to memory of 1992 2764 g4602.exe 91 PID 1992 wrote to memory of 1908 1992 bhtnnn.exe 92 PID 1992 wrote to memory of 1908 1992 bhtnnn.exe 92 PID 1992 wrote to memory of 1908 1992 bhtnnn.exe 92 PID 1908 wrote to memory of 1592 1908 82404.exe 93 PID 1908 wrote to memory of 1592 1908 82404.exe 93 PID 1908 wrote to memory of 1592 1908 82404.exe 93 PID 1592 wrote to memory of 524 1592 246666.exe 151 PID 1592 wrote to memory of 524 
1592 246666.exe 151 PID 1592 wrote to memory of 524 1592 246666.exe 151 PID 524 wrote to memory of 2220 524 806484.exe 95 PID 524 wrote to memory of 2220 524 806484.exe 95 PID 524 wrote to memory of 2220 524 806484.exe 95 PID 2220 wrote to memory of 3032 2220 c626600.exe 96 PID 2220 wrote to memory of 3032 2220 c626600.exe 96 PID 2220 wrote to memory of 3032 2220 c626600.exe 96 PID 3032 wrote to memory of 4436 3032 48484.exe 97 PID 3032 wrote to memory of 4436 3032 48484.exe 97 PID 3032 wrote to memory of 4436 3032 48484.exe 97 PID 4436 wrote to memory of 3560 4436 tnhbnh.exe 98 PID 4436 wrote to memory of 3560 4436 tnhbnh.exe 98 PID 4436 wrote to memory of 3560 4436 tnhbnh.exe 98 PID 3560 wrote to memory of 3520 3560 5bhbtt.exe 99 PID 3560 wrote to memory of 3520 3560 5bhbtt.exe 99 PID 3560 wrote to memory of 3520 3560 5bhbtt.exe 99 PID 3520 wrote to memory of 2880 3520 hhtbnb.exe 100 PID 3520 wrote to memory of 2880 3520 hhtbnb.exe 100 PID 3520 wrote to memory of 2880 3520 hhtbnb.exe 100 PID 2880 wrote to memory of 1372 2880 i226486.exe 101 PID 2880 wrote to memory of 1372 2880 i226486.exe 101 PID 2880 wrote to memory of 1372 2880 i226486.exe 101 PID 1372 wrote to memory of 4896 1372 202802.exe 102 PID 1372 wrote to memory of 4896 1372 202802.exe 102 PID 1372 wrote to memory of 4896 1372 202802.exe 102 PID 4896 wrote to memory of 4220 4896 fxffrxr.exe 103 PID 4896 wrote to memory of 4220 4896 fxffrxr.exe 103 PID 4896 wrote to memory of 4220 4896 fxffrxr.exe 103 PID 4220 wrote to memory of 1124 4220 u008648.exe 163
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe"C:\Users\Admin\AppData\Local\Temp\7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\2666844.exec:\2666844.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\rxfxxff.exec:\rxfxxff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\3jpjp.exec:\3jpjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\vjpjd.exec:\vjpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\bhntbb.exec:\bhntbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\vjjjd.exec:\vjjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\66446.exec:\66446.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\g4602.exec:\g4602.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\bhtnnn.exec:\bhtnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\82404.exec:\82404.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\246666.exec:\246666.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\806484.exec:\806484.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
\??\c:\c626600.exec:\c626600.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\48484.exec:\48484.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\tnhbnh.exec:\tnhbnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\5bhbtt.exec:\5bhbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\hhtbnb.exec:\hhtbnb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\i226486.exec:\i226486.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\202802.exec:\202802.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\fxffrxr.exec:\fxffrxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\u008648.exec:\u008648.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\3pddp.exec:\3pddp.exe23⤵
- Executes dropped EXE
PID:1124 -
\??\c:\5hhtnh.exec:\5hhtnh.exe24⤵
- Executes dropped EXE
PID:5104 -
\??\c:\22648.exec:\22648.exe25⤵
- Executes dropped EXE
PID:1020 -
\??\c:\6448826.exec:\6448826.exe26⤵
- Executes dropped EXE
PID:4836 -
\??\c:\20060.exec:\20060.exe27⤵
- Executes dropped EXE
PID:1828 -
\??\c:\thhtnb.exec:\thhtnb.exe28⤵
- Executes dropped EXE
PID:100 -
\??\c:\i842604.exec:\i842604.exe29⤵
- Executes dropped EXE
PID:1956 -
\??\c:\bhnnbn.exec:\bhnnbn.exe30⤵
- Executes dropped EXE
PID:3160 -
\??\c:\8282266.exec:\8282266.exe31⤵
- Executes dropped EXE
PID:2136 -
\??\c:\c668204.exec:\c668204.exe32⤵
- Executes dropped EXE
PID:884 -
\??\c:\7jdvj.exec:\7jdvj.exe33⤵
- Executes dropped EXE
PID:5004 -
\??\c:\fxxlxlf.exec:\fxxlxlf.exe34⤵
- Executes dropped EXE
PID:2708 -
\??\c:\8660488.exec:\8660488.exe35⤵
- Executes dropped EXE
PID:3088 -
\??\c:\htthtn.exec:\htthtn.exe36⤵
- Executes dropped EXE
PID:2740 -
\??\c:\xrrflff.exec:\xrrflff.exe37⤵
- Executes dropped EXE
PID:3624 -
\??\c:\02286.exec:\02286.exe38⤵
- Executes dropped EXE
PID:4876 -
\??\c:\vpdpv.exec:\vpdpv.exe39⤵
- Executes dropped EXE
PID:4548 -
\??\c:\644860.exec:\644860.exe40⤵
- Executes dropped EXE
PID:2336 -
\??\c:\tththt.exec:\tththt.exe41⤵
- Executes dropped EXE
PID:3420 -
\??\c:\04486.exec:\04486.exe42⤵
- Executes dropped EXE
PID:432 -
\??\c:\rffxrlx.exec:\rffxrlx.exe43⤵
- Executes dropped EXE
PID:1572 -
\??\c:\ddjjj.exec:\ddjjj.exe44⤵
- Executes dropped EXE
PID:2644 -
\??\c:\62642.exec:\62642.exe45⤵
- Executes dropped EXE
PID:2040 -
\??\c:\w06408.exec:\w06408.exe46⤵
- Executes dropped EXE
PID:5096 -
\??\c:\jjjvj.exec:\jjjvj.exe47⤵
- Executes dropped EXE
PID:620 -
\??\c:\lllxlfr.exec:\lllxlfr.exe48⤵
- Executes dropped EXE
PID:4812 -
\??\c:\284826.exec:\284826.exe49⤵
- Executes dropped EXE
PID:3164 -
\??\c:\xrxrrlr.exec:\xrxrrlr.exe50⤵
- Executes dropped EXE
PID:2900 -
\??\c:\vdjdd.exec:\vdjdd.exe51⤵
- Executes dropped EXE
PID:2132 -
\??\c:\66264.exec:\66264.exe52⤵
- Executes dropped EXE
PID:1160 -
\??\c:\9ththb.exec:\9ththb.exe53⤵
- Executes dropped EXE
PID:1360 -
\??\c:\bbbnnh.exec:\bbbnnh.exe54⤵
- Executes dropped EXE
PID:4040 -
\??\c:\htnhnh.exec:\htnhnh.exe55⤵
- Executes dropped EXE
PID:4872 -
\??\c:\nhnnnb.exec:\nhnnnb.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
\??\c:\bthbtb.exec:\bthbtb.exe57⤵
- Executes dropped EXE
PID:2812 -
\??\c:\nbhbnn.exec:\nbhbnn.exe58⤵
- Executes dropped EXE
PID:3908 -
\??\c:\rrrxrxr.exec:\rrrxrxr.exe59⤵
- Executes dropped EXE
PID:3476 -
\??\c:\hnhbhh.exec:\hnhbhh.exe60⤵
- Executes dropped EXE
PID:3292 -
\??\c:\3ttnbb.exec:\3ttnbb.exe61⤵
- Executes dropped EXE
PID:672 -
\??\c:\rxrlxlr.exec:\rxrlxlr.exe62⤵
- Executes dropped EXE
PID:2700 -
\??\c:\68488.exec:\68488.exe63⤵
- Executes dropped EXE
PID:2104 -
\??\c:\nhhnhh.exec:\nhhnhh.exe64⤵
- Executes dropped EXE
PID:2852 -
\??\c:\1vdvd.exec:\1vdvd.exe65⤵
- Executes dropped EXE
PID:2864 -
\??\c:\5lxrxxx.exec:\5lxrxxx.exe66⤵PID:4948
-
\??\c:\ppdvv.exec:\ppdvv.exe67⤵PID:760
-
\??\c:\60266.exec:\60266.exe68⤵PID:1656
-
\??\c:\04626.exec:\04626.exe69⤵PID:4288
-
\??\c:\fxxrllx.exec:\fxxrllx.exe70⤵PID:524
-
\??\c:\bhnhbb.exec:\bhnhbb.exe71⤵PID:3956
-
\??\c:\06822.exec:\06822.exe72⤵PID:416
-
\??\c:\04602.exec:\04602.exe73⤵PID:4668
-
\??\c:\vvjjp.exec:\vvjjp.exe74⤵PID:2228
-
\??\c:\jddvp.exec:\jddvp.exe75⤵PID:1652
-
\??\c:\xfllfrl.exec:\xfllfrl.exe76⤵PID:4136
-
\??\c:\00260.exec:\00260.exe77⤵PID:660
-
\??\c:\fxrfxrx.exec:\fxrfxrx.exe78⤵PID:4636
-
\??\c:\2026004.exec:\2026004.exe79⤵PID:4604
-
\??\c:\60860.exec:\60860.exe80⤵PID:2696
-
\??\c:\7flfxxf.exec:\7flfxxf.exe81⤵PID:3176
-
\??\c:\844204.exec:\844204.exe82⤵PID:1124
-
\??\c:\0626666.exec:\0626666.exe83⤵PID:3696
-
\??\c:\9flflrx.exec:\9flflrx.exe84⤵PID:3604
-
\??\c:\xlfrxrx.exec:\xlfrxrx.exe85⤵PID:372
-
\??\c:\606004.exec:\606004.exe86⤵PID:4456
-
\??\c:\5xffrxf.exec:\5xffrxf.exe87⤵PID:2056
-
\??\c:\68026.exec:\68026.exe88⤵PID:912
-
\??\c:\frrrrxr.exec:\frrrrxr.exe89⤵PID:2136
-
\??\c:\ttbthh.exec:\ttbthh.exe90⤵PID:884
-
\??\c:\xrxfrfr.exec:\xrxfrfr.exe91⤵PID:5004
-
\??\c:\vddpj.exec:\vddpj.exe92⤵PID:1104
-
\??\c:\vpjdd.exec:\vpjdd.exe93⤵PID:400
-
\??\c:\jjjdd.exec:\jjjdd.exe94⤵PID:4960
-
\??\c:\nthtnh.exec:\nthtnh.exe95⤵PID:1716
-
\??\c:\lffxxff.exec:\lffxxff.exe96⤵PID:2892
-
\??\c:\24006.exec:\24006.exe97⤵PID:540
-
\??\c:\bttntn.exec:\bttntn.exe98⤵PID:1416
-
\??\c:\2666004.exec:\2666004.exe99⤵PID:2688
-
\??\c:\204464.exec:\204464.exe100⤵PID:4252
-
\??\c:\428600.exec:\428600.exe101⤵PID:1984
-
\??\c:\rxrlffx.exec:\rxrlffx.exe102⤵PID:5028
-
\??\c:\28442.exec:\28442.exe103⤵PID:3824
-
\??\c:\3hbhhh.exec:\3hbhhh.exe104⤵PID:3208
-
\??\c:\82282.exec:\82282.exe105⤵PID:548
-
\??\c:\06044.exec:\06044.exe106⤵PID:4844
-
\??\c:\hntnbb.exec:\hntnbb.exe107⤵PID:3556
-
\??\c:\022886.exec:\022886.exe108⤵PID:3056
-
\??\c:\u622662.exec:\u622662.exe109⤵PID:1152
-
\??\c:\26404.exec:\26404.exe110⤵PID:3356
-
\??\c:\fflflrl.exec:\fflflrl.exe111⤵PID:5068
-
\??\c:\btbhtn.exec:\btbhtn.exe112⤵PID:3928
-
\??\c:\vvvpp.exec:\vvvpp.exe113⤵PID:3368
-
\??\c:\bhtnhh.exec:\bhtnhh.exe114⤵PID:984
-
\??\c:\w06044.exec:\w06044.exe115⤵PID:4356
-
\??\c:\jpppj.exec:\jpppj.exe116⤵PID:4756
-
\??\c:\006044.exec:\006044.exe117⤵PID:1168
-
\??\c:\hthtnb.exec:\hthtnb.exe118⤵PID:1896
-
\??\c:\rlllflf.exec:\rlllflf.exe119⤵PID:3476
-
\??\c:\02488.exec:\02488.exe120⤵PID:4736
-
\??\c:\xfrlffx.exec:\xfrlffx.exe121⤵PID:3968
-
\??\c:\jvddv.exec:\jvddv.exe122⤵PID:3232