Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8667bac38c9ae32c2273b9e6899acd2cf1378c77a45846d1b77ae631fd2d5cd0N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
8667bac38c9ae32c2273b9e6899acd2cf1378c77a45846d1b77ae631fd2d5cd0N.exe
-
Size
454KB
-
MD5
e0ffaedc42e91881c178e7eecb5d04e0
-
SHA1
3152584cc11edbf79a2b3d66f3c24ab6c6eedea7
-
SHA256
8667bac38c9ae32c2273b9e6899acd2cf1378c77a45846d1b77ae631fd2d5cd0
-
SHA512
45771315fdcf50f06620d1a83d010e1dbfc38a73bc94e896cc63e8a2a8f747e824f03b7c01fdceaa974a34cb9682148fb6da80431f058e26d93371e199d71d02
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/632-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4908-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4560-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-948-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-1037-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-1943-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4356 24060.exe 632 1frlflf.exe 2644 9hhhbh.exe 2060 xlxxfrf.exe 4884 868688.exe 3760 3pddv.exe 4128 jppjj.exe 1728 vpvpp.exe 3076 282648.exe 3648 864208.exe 3952 44424.exe 3744 080860.exe 2696 46664.exe 4292 9dpjv.exe 3272 vvpdp.exe 1564 822088.exe 2412 6664264.exe 5028 0088828.exe 3884 nhbttt.exe 3896 24004.exe 5036 82444.exe 3940 e82086.exe 4248 0664408.exe 1844 7pvdp.exe 2792 jpjdp.exe 2352 08646.exe 4908 c660822.exe 1760 c408042.exe 1964 6088686.exe 1876 9vvjj.exe 3644 484860.exe 4124 864648.exe 3704 pvdvj.exe 3960 rlfrfrl.exe 5100 84820.exe 4268 6264820.exe 4592 q28664.exe 4412 8646806.exe 3308 626048.exe 1200 0200048.exe 2900 7dvjv.exe 4348 42664.exe 2616 88000.exe 4356 w04800.exe 2712 7lfxrlf.exe 800 7xlxrlf.exe 3236 3rrfrlx.exe 4696 46482.exe 3156 06086.exe 1596 q48244.exe 2232 644242.exe 2292 00020.exe 4380 86822.exe 1668 6460228.exe 2104 3fffxxr.exe 2652 1rllllf.exe 4776 5pjvp.exe 3380 5jdvj.exe 3336 8642266.exe 2376 ntntbn.exe 4784 62408.exe 1124 006426.exe 5108 9bhbbb.exe 4276 dpjvd.exe -
resource yara_rule behavioral2/memory/4356-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1964-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-387-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1056-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-948-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-988-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8282226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q24266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2660004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 682606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6442082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6626888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u244222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flxrlx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4884066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4208 wrote to memory of 4356 4208 8667bac38c9ae32c2273b9e6899acd2cf1378c77a45846d1b77ae631fd2d5cd0N.exe 83 PID 4208 wrote to memory of 4356 4208 8667bac38c9ae32c2273b9e6899acd2cf1378c77a45846d1b77ae631fd2d5cd0N.exe 83 PID 4208 wrote to memory of 4356 4208 8667bac38c9ae32c2273b9e6899acd2cf1378c77a45846d1b77ae631fd2d5cd0N.exe 83 PID 4356 wrote to memory of 632 4356 24060.exe 84 PID 4356 wrote to memory of 632 4356 24060.exe 84 PID 4356 wrote to memory of 632 4356 24060.exe 84 PID 632 wrote to memory of 2644 632 1frlflf.exe 85 PID 632 wrote to memory of 2644 632 1frlflf.exe 85 PID 632 wrote to memory of 2644 632 1frlflf.exe 85 PID 2644 wrote to memory of 2060 2644 9hhhbh.exe 86 PID 2644 wrote to memory of 2060 2644 9hhhbh.exe 86 PID 2644 wrote to memory of 2060 2644 9hhhbh.exe 86 PID 2060 wrote to memory of 4884 2060 xlxxfrf.exe 87 PID 2060 wrote to memory of 4884 2060 xlxxfrf.exe 87 PID 2060 wrote to memory of 4884 2060 xlxxfrf.exe 87 PID 4884 wrote to memory of 3760 4884 868688.exe 88 PID 4884 wrote to memory of 3760 4884 868688.exe 88 PID 4884 wrote to memory of 3760 4884 868688.exe 88 PID 3760 wrote to memory of 4128 3760 3pddv.exe 89 PID 3760 wrote to memory of 4128 3760 3pddv.exe 89 PID 3760 wrote to memory of 4128 3760 3pddv.exe 89 PID 4128 wrote to memory of 1728 4128 jppjj.exe 90 PID 4128 wrote to memory of 1728 4128 jppjj.exe 90 PID 4128 wrote to memory of 1728 4128 jppjj.exe 90 PID 1728 wrote to memory of 3076 1728 vpvpp.exe 91 PID 1728 wrote to memory of 3076 1728 vpvpp.exe 91 PID 1728 wrote to memory of 3076 1728 vpvpp.exe 91 PID 3076 wrote to memory of 3648 3076 282648.exe 92 PID 3076 wrote to memory of 3648 3076 282648.exe 92 PID 3076 wrote to memory of 3648 3076 282648.exe 92 PID 3648 wrote to memory of 3952 3648 864208.exe 93 PID 3648 wrote to memory of 3952 3648 864208.exe 93 PID 3648 wrote to memory of 3952 3648 864208.exe 93 PID 3952 wrote to memory of 3744 3952 44424.exe 94 PID 3952 wrote to memory of 3744 
3952 44424.exe 94 PID 3952 wrote to memory of 3744 3952 44424.exe 94 PID 3744 wrote to memory of 2696 3744 080860.exe 95 PID 3744 wrote to memory of 2696 3744 080860.exe 95 PID 3744 wrote to memory of 2696 3744 080860.exe 95 PID 2696 wrote to memory of 4292 2696 46664.exe 96 PID 2696 wrote to memory of 4292 2696 46664.exe 96 PID 2696 wrote to memory of 4292 2696 46664.exe 96 PID 4292 wrote to memory of 3272 4292 9dpjv.exe 97 PID 4292 wrote to memory of 3272 4292 9dpjv.exe 97 PID 4292 wrote to memory of 3272 4292 9dpjv.exe 97 PID 3272 wrote to memory of 1564 3272 vvpdp.exe 98 PID 3272 wrote to memory of 1564 3272 vvpdp.exe 98 PID 3272 wrote to memory of 1564 3272 vvpdp.exe 98 PID 1564 wrote to memory of 2412 1564 822088.exe 99 PID 1564 wrote to memory of 2412 1564 822088.exe 99 PID 1564 wrote to memory of 2412 1564 822088.exe 99 PID 2412 wrote to memory of 5028 2412 6664264.exe 100 PID 2412 wrote to memory of 5028 2412 6664264.exe 100 PID 2412 wrote to memory of 5028 2412 6664264.exe 100 PID 5028 wrote to memory of 3884 5028 0088828.exe 101 PID 5028 wrote to memory of 3884 5028 0088828.exe 101 PID 5028 wrote to memory of 3884 5028 0088828.exe 101 PID 3884 wrote to memory of 3896 3884 nhbttt.exe 102 PID 3884 wrote to memory of 3896 3884 nhbttt.exe 102 PID 3884 wrote to memory of 3896 3884 nhbttt.exe 102 PID 3896 wrote to memory of 5036 3896 24004.exe 103 PID 3896 wrote to memory of 5036 3896 24004.exe 103 PID 3896 wrote to memory of 5036 3896 24004.exe 103 PID 5036 wrote to memory of 3940 5036 82444.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8667bac38c9ae32c2273b9e6899acd2cf1378c77a45846d1b77ae631fd2d5cd0N.exe"C:\Users\Admin\AppData\Local\Temp\8667bac38c9ae32c2273b9e6899acd2cf1378c77a45846d1b77ae631fd2d5cd0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\24060.exec:\24060.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\1frlflf.exec:\1frlflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\9hhhbh.exec:\9hhhbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\xlxxfrf.exec:\xlxxfrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\868688.exec:\868688.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\3pddv.exec:\3pddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\jppjj.exec:\jppjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\vpvpp.exec:\vpvpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\282648.exec:\282648.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\864208.exec:\864208.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\44424.exec:\44424.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\080860.exec:\080860.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\46664.exec:\46664.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\9dpjv.exec:\9dpjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\vvpdp.exec:\vvpdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\822088.exec:\822088.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\6664264.exec:\6664264.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\0088828.exec:\0088828.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\nhbttt.exec:\nhbttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\24004.exec:\24004.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\82444.exec:\82444.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\e82086.exec:\e82086.exe23⤵
- Executes dropped EXE
PID:3940 -
\??\c:\0664408.exec:\0664408.exe24⤵
- Executes dropped EXE
PID:4248 -
\??\c:\7pvdp.exec:\7pvdp.exe25⤵
- Executes dropped EXE
PID:1844 -
\??\c:\jpjdp.exec:\jpjdp.exe26⤵
- Executes dropped EXE
PID:2792 -
\??\c:\08646.exec:\08646.exe27⤵
- Executes dropped EXE
PID:2352 -
\??\c:\c660822.exec:\c660822.exe28⤵
- Executes dropped EXE
PID:4908 -
\??\c:\c408042.exec:\c408042.exe29⤵
- Executes dropped EXE
PID:1760 -
\??\c:\6088686.exec:\6088686.exe30⤵
- Executes dropped EXE
PID:1964 -
\??\c:\9vvjj.exec:\9vvjj.exe31⤵
- Executes dropped EXE
PID:1876 -
\??\c:\484860.exec:\484860.exe32⤵
- Executes dropped EXE
PID:3644 -
\??\c:\864648.exec:\864648.exe33⤵
- Executes dropped EXE
PID:4124 -
\??\c:\pvdvj.exec:\pvdvj.exe34⤵
- Executes dropped EXE
PID:3704 -
\??\c:\rlfrfrl.exec:\rlfrfrl.exe35⤵
- Executes dropped EXE
PID:3960 -
\??\c:\84820.exec:\84820.exe36⤵
- Executes dropped EXE
PID:5100 -
\??\c:\6264820.exec:\6264820.exe37⤵
- Executes dropped EXE
PID:4268 -
\??\c:\q28664.exec:\q28664.exe38⤵
- Executes dropped EXE
PID:4592 -
\??\c:\8646806.exec:\8646806.exe39⤵
- Executes dropped EXE
PID:4412 -
\??\c:\626048.exec:\626048.exe40⤵
- Executes dropped EXE
PID:3308 -
\??\c:\0200048.exec:\0200048.exe41⤵
- Executes dropped EXE
PID:1200 -
\??\c:\7dvjv.exec:\7dvjv.exe42⤵
- Executes dropped EXE
PID:2900 -
\??\c:\42664.exec:\42664.exe43⤵
- Executes dropped EXE
PID:4348 -
\??\c:\88000.exec:\88000.exe44⤵
- Executes dropped EXE
PID:2616 -
\??\c:\5vvjd.exec:\5vvjd.exe45⤵PID:4208
-
\??\c:\w04800.exec:\w04800.exe46⤵
- Executes dropped EXE
PID:4356 -
\??\c:\7lfxrlf.exec:\7lfxrlf.exe47⤵
- Executes dropped EXE
PID:2712 -
\??\c:\7xlxrlf.exec:\7xlxrlf.exe48⤵
- Executes dropped EXE
PID:800 -
\??\c:\3rrfrlx.exec:\3rrfrlx.exe49⤵
- Executes dropped EXE
PID:3236 -
\??\c:\46482.exec:\46482.exe50⤵
- Executes dropped EXE
PID:4696 -
\??\c:\06086.exec:\06086.exe51⤵
- Executes dropped EXE
PID:3156 -
\??\c:\q48244.exec:\q48244.exe52⤵
- Executes dropped EXE
PID:1596 -
\??\c:\644242.exec:\644242.exe53⤵
- Executes dropped EXE
PID:2232 -
\??\c:\00020.exec:\00020.exe54⤵
- Executes dropped EXE
PID:2292 -
\??\c:\86822.exec:\86822.exe55⤵
- Executes dropped EXE
PID:4380 -
\??\c:\6460228.exec:\6460228.exe56⤵
- Executes dropped EXE
PID:1668 -
\??\c:\3fffxxr.exec:\3fffxxr.exe57⤵
- Executes dropped EXE
PID:2104 -
\??\c:\1rllllf.exec:\1rllllf.exe58⤵
- Executes dropped EXE
PID:2652 -
\??\c:\5pjvp.exec:\5pjvp.exe59⤵
- Executes dropped EXE
PID:4776 -
\??\c:\5jdvj.exec:\5jdvj.exe60⤵
- Executes dropped EXE
PID:3380 -
\??\c:\8642266.exec:\8642266.exe61⤵
- Executes dropped EXE
PID:3336 -
\??\c:\ntntbn.exec:\ntntbn.exe62⤵
- Executes dropped EXE
PID:2376 -
\??\c:\62408.exec:\62408.exe63⤵
- Executes dropped EXE
PID:4784 -
\??\c:\006426.exec:\006426.exe64⤵
- Executes dropped EXE
PID:1124 -
\??\c:\9bhbbb.exec:\9bhbbb.exe65⤵
- Executes dropped EXE
PID:5108 -
\??\c:\dpjvd.exec:\dpjvd.exe66⤵
- Executes dropped EXE
PID:4276 -
\??\c:\vjpdd.exec:\vjpdd.exe67⤵PID:3808
-
\??\c:\djddv.exec:\djddv.exe68⤵PID:1000
-
\??\c:\824682.exec:\824682.exe69⤵PID:2424
-
\??\c:\rxxxrrl.exec:\rxxxrrl.exe70⤵PID:2472
-
\??\c:\pddvp.exec:\pddvp.exe71⤵PID:2912
-
\??\c:\4466682.exec:\4466682.exe72⤵PID:3208
-
\??\c:\86828.exec:\86828.exe73⤵PID:3376
-
\??\c:\tnhhhh.exec:\tnhhhh.exe74⤵PID:3984
-
\??\c:\02642.exec:\02642.exe75⤵PID:3548
-
\??\c:\422600.exec:\422600.exe76⤵PID:3904
-
\??\c:\6226004.exec:\6226004.exe77⤵PID:3292
-
\??\c:\bbtnht.exec:\bbtnht.exe78⤵PID:4576
-
\??\c:\rffrxrx.exec:\rffrxrx.exe79⤵PID:4136
-
\??\c:\42486.exec:\42486.exe80⤵PID:3352
-
\??\c:\260266.exec:\260266.exe81⤵PID:4812
-
\??\c:\68260.exec:\68260.exe82⤵PID:2248
-
\??\c:\djvpv.exec:\djvpv.exe83⤵PID:940
-
\??\c:\22402.exec:\22402.exe84⤵PID:2396
-
\??\c:\084828.exec:\084828.exe85⤵PID:3408
-
\??\c:\42648.exec:\42648.exe86⤵PID:4560
-
\??\c:\7thhtn.exec:\7thhtn.exe87⤵PID:2892
-
\??\c:\20462.exec:\20462.exe88⤵PID:212
-
\??\c:\4822660.exec:\4822660.exe89⤵PID:2836
-
\??\c:\a2264.exec:\a2264.exe90⤵PID:2380
-
\??\c:\6420044.exec:\6420044.exe91⤵PID:3736
-
\??\c:\jdvpd.exec:\jdvpd.exe92⤵PID:5100
-
\??\c:\pjpdp.exec:\pjpdp.exe93⤵PID:1516
-
\??\c:\5lfflfx.exec:\5lfflfx.exe94⤵PID:1056
-
\??\c:\fxffffr.exec:\fxffffr.exe95⤵PID:4412
-
\??\c:\ppjvp.exec:\ppjvp.exe96⤵PID:4832
-
\??\c:\k84826.exec:\k84826.exe97⤵PID:4144
-
\??\c:\600482.exec:\600482.exe98⤵PID:2900
-
\??\c:\nnnhbt.exec:\nnnhbt.exe99⤵PID:4600
-
\??\c:\8644264.exec:\8644264.exe100⤵PID:1796
-
\??\c:\68044.exec:\68044.exe101⤵PID:4208
-
\??\c:\g4086.exec:\g4086.exe102⤵PID:1648
-
\??\c:\ffrlrlf.exec:\ffrlrlf.exe103⤵PID:968
-
\??\c:\4220404.exec:\4220404.exe104⤵PID:1020
-
\??\c:\6086048.exec:\6086048.exe105⤵PID:3236
-
\??\c:\htbnnh.exec:\htbnnh.exe106⤵PID:4696
-
\??\c:\xrrflll.exec:\xrrflll.exe107⤵PID:3156
-
\??\c:\nttnbt.exec:\nttnbt.exe108⤵PID:3572
-
\??\c:\nhbnbt.exec:\nhbnbt.exe109⤵PID:1184
-
\??\c:\m6486.exec:\m6486.exe110⤵PID:2232
-
\??\c:\9lrffxr.exec:\9lrffxr.exe111⤵PID:1772
-
\??\c:\nnthhb.exec:\nnthhb.exe112⤵PID:3340
-
\??\c:\04426.exec:\04426.exe113⤵PID:3416
-
\??\c:\406004.exec:\406004.exe114⤵PID:1524
-
\??\c:\ppvdd.exec:\ppvdd.exe115⤵PID:5096
-
\??\c:\bnnhtt.exec:\bnnhtt.exe116⤵PID:4548
-
\??\c:\2844488.exec:\2844488.exe117⤵PID:3044
-
\??\c:\hbhbbt.exec:\hbhbbt.exe118⤵PID:1884
-
\??\c:\0660820.exec:\0660820.exe119⤵PID:4916
-
\??\c:\vpjdp.exec:\vpjdp.exe120⤵PID:3804
-
\??\c:\k06428.exec:\k06428.exe121⤵PID:4924
-
\??\c:\4060448.exec:\4060448.exe122⤵PID:4200