Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
28/03/2025, 19:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe
-
Size
456KB
-
MD5
aa11e7d4cfcd5c995438fa4704ece465
-
SHA1
014c94e41baabb3f428f36c2d502bfde3607f73b
-
SHA256
49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01
-
SHA512
9d1dc841aa7c01670ab0982c2ee00575bf97114b99704bb906319e28a37e38bd5ea631f6f15d820b7377a0681b3ed289a064a2654ceed3331cac3235a20740e5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4784-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1396-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5080-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/596-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-935-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-1002-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-1021-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-1254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1848-1885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 512 3ddvj.exe 2488 i626448.exe 3272 82482.exe 3692 0242042.exe 3612 bnttnn.exe 3096 vddpv.exe 3952 9lfxxff.exe 2832 2062262.exe 3332 dvpjp.exe 4736 rflfrlf.exe 2432 flrflxl.exe 4724 1nthhh.exe 4832 262822.exe 4964 8682066.exe 4588 2804888.exe 3868 82680.exe 2316 44040.exe 1624 ntbttt.exe 4124 tnnbtt.exe 4900 u282048.exe 3068 ttnbtt.exe 1396 7bbntb.exe 5088 3btnnn.exe 2504 1dddv.exe 4132 20008.exe 536 o460448.exe 4172 3vddv.exe 2784 8424226.exe 2584 7btnhh.exe 4844 88208.exe 3984 240482.exe 3248 jvjpv.exe 4784 i848260.exe 2580 7nnbhb.exe 948 rxrfrfr.exe 2528 44606.exe 1848 hththt.exe 3204 hbnhtn.exe 2608 xrxffxl.exe 1416 22200.exe 760 thhnbt.exe 5096 c842266.exe 2064 hnnbnh.exe 1784 3lxlfrl.exe 3948 68828.exe 2848 pddpd.exe 2824 jjdpv.exe 4980 6264264.exe 4832 a0420.exe 3496 044682.exe 1228 hbhtbh.exe 620 jvvpv.exe 2100 dpvjj.exe 3144 22208.exe 3344 20046.exe 756 rfxxllx.exe 3852 vjdvj.exe 704 o060088.exe 2996 8404882.exe 4532 vpjvj.exe 1392 420420.exe 2672 20604.exe 5088 bhhnbt.exe 3960 o004604.exe -
resource yara_rule behavioral2/memory/4784-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-172-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4844-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-385-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2200-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/596-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-733-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u442008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnnt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 848004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2000448.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k48282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w02200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4784 wrote to memory of 512 4784 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 87 PID 4784 wrote to memory of 512 4784 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 87 PID 4784 wrote to memory of 512 4784 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 87 PID 512 wrote to memory of 2488 512 3ddvj.exe 88 PID 512 wrote to memory of 2488 512 3ddvj.exe 88 PID 512 wrote to memory of 2488 512 3ddvj.exe 88 PID 2488 wrote to memory of 3272 2488 i626448.exe 89 PID 2488 wrote to memory of 3272 2488 i626448.exe 89 PID 2488 wrote to memory of 3272 2488 i626448.exe 89 PID 3272 wrote to memory of 3692 3272 82482.exe 90 PID 3272 wrote to memory of 3692 3272 82482.exe 90 PID 3272 wrote to memory of 3692 3272 82482.exe 90 PID 3692 wrote to memory of 3612 3692 0242042.exe 91 PID 3692 wrote to memory of 3612 3692 0242042.exe 91 PID 3692 wrote to memory of 3612 3692 0242042.exe 91 PID 3612 wrote to memory of 3096 3612 bnttnn.exe 92 PID 3612 wrote to memory of 3096 3612 bnttnn.exe 92 PID 3612 wrote to memory of 3096 3612 bnttnn.exe 92 PID 3096 wrote to memory of 3952 3096 vddpv.exe 93 PID 3096 wrote to memory of 3952 3096 vddpv.exe 93 PID 3096 wrote to memory of 3952 3096 vddpv.exe 93 PID 3952 wrote to memory of 2832 3952 9lfxxff.exe 94 PID 3952 wrote to memory of 2832 3952 9lfxxff.exe 94 PID 3952 wrote to memory of 2832 3952 9lfxxff.exe 94 PID 2832 wrote to memory of 3332 2832 2062262.exe 96 PID 2832 wrote to memory of 3332 2832 2062262.exe 96 PID 2832 wrote to memory of 3332 2832 2062262.exe 96 PID 3332 wrote to memory of 4736 3332 dvpjp.exe 97 PID 3332 wrote to memory of 4736 3332 dvpjp.exe 97 PID 3332 wrote to memory of 4736 3332 dvpjp.exe 97 PID 4736 wrote to memory of 2432 4736 rflfrlf.exe 98 PID 4736 wrote to memory of 2432 4736 rflfrlf.exe 98 PID 4736 wrote to memory of 2432 4736 rflfrlf.exe 98 PID 2432 wrote to memory of 4724 2432 flrflxl.exe 99 PID 2432 wrote to memory 
of 4724 2432 flrflxl.exe 99 PID 2432 wrote to memory of 4724 2432 flrflxl.exe 99 PID 4724 wrote to memory of 4832 4724 1nthhh.exe 101 PID 4724 wrote to memory of 4832 4724 1nthhh.exe 101 PID 4724 wrote to memory of 4832 4724 1nthhh.exe 101 PID 4832 wrote to memory of 4964 4832 262822.exe 102 PID 4832 wrote to memory of 4964 4832 262822.exe 102 PID 4832 wrote to memory of 4964 4832 262822.exe 102 PID 4964 wrote to memory of 4588 4964 8682066.exe 103 PID 4964 wrote to memory of 4588 4964 8682066.exe 103 PID 4964 wrote to memory of 4588 4964 8682066.exe 103 PID 4588 wrote to memory of 3868 4588 2804888.exe 104 PID 4588 wrote to memory of 3868 4588 2804888.exe 104 PID 4588 wrote to memory of 3868 4588 2804888.exe 104 PID 3868 wrote to memory of 2316 3868 82680.exe 106 PID 3868 wrote to memory of 2316 3868 82680.exe 106 PID 3868 wrote to memory of 2316 3868 82680.exe 106 PID 2316 wrote to memory of 1624 2316 44040.exe 107 PID 2316 wrote to memory of 1624 2316 44040.exe 107 PID 2316 wrote to memory of 1624 2316 44040.exe 107 PID 1624 wrote to memory of 4124 1624 ntbttt.exe 108 PID 1624 wrote to memory of 4124 1624 ntbttt.exe 108 PID 1624 wrote to memory of 4124 1624 ntbttt.exe 108 PID 4124 wrote to memory of 4900 4124 tnnbtt.exe 109 PID 4124 wrote to memory of 4900 4124 tnnbtt.exe 109 PID 4124 wrote to memory of 4900 4124 tnnbtt.exe 109 PID 4900 wrote to memory of 3068 4900 u282048.exe 110 PID 4900 wrote to memory of 3068 4900 u282048.exe 110 PID 4900 wrote to memory of 3068 4900 u282048.exe 110 PID 3068 wrote to memory of 1396 3068 ttnbtt.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe"C:\Users\Admin\AppData\Local\Temp\49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\3ddvj.exec:\3ddvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\i626448.exec:\i626448.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\82482.exec:\82482.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\0242042.exec:\0242042.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\bnttnn.exec:\bnttnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\vddpv.exec:\vddpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\9lfxxff.exec:\9lfxxff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\2062262.exec:\2062262.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\dvpjp.exec:\dvpjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\rflfrlf.exec:\rflfrlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\flrflxl.exec:\flrflxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\1nthhh.exec:\1nthhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\262822.exec:\262822.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\8682066.exec:\8682066.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\2804888.exec:\2804888.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\82680.exec:\82680.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\44040.exec:\44040.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\ntbttt.exec:\ntbttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\tnnbtt.exec:\tnnbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\u282048.exec:\u282048.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\ttnbtt.exec:\ttnbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\7bbntb.exec:\7bbntb.exe23⤵
- Executes dropped EXE
PID:1396 -
\??\c:\3btnnn.exec:\3btnnn.exe24⤵
- Executes dropped EXE
PID:5088 -
\??\c:\1dddv.exec:\1dddv.exe25⤵
- Executes dropped EXE
PID:2504 -
\??\c:\20008.exec:\20008.exe26⤵
- Executes dropped EXE
PID:4132 -
\??\c:\o460448.exec:\o460448.exe27⤵
- Executes dropped EXE
PID:536 -
\??\c:\3vddv.exec:\3vddv.exe28⤵
- Executes dropped EXE
PID:4172 -
\??\c:\8424226.exec:\8424226.exe29⤵
- Executes dropped EXE
PID:2784 -
\??\c:\7btnhh.exec:\7btnhh.exe30⤵
- Executes dropped EXE
PID:2584 -
\??\c:\88208.exec:\88208.exe31⤵
- Executes dropped EXE
PID:4844 -
\??\c:\240482.exec:\240482.exe32⤵
- Executes dropped EXE
PID:3984 -
\??\c:\jvjpv.exec:\jvjpv.exe33⤵
- Executes dropped EXE
PID:3248 -
\??\c:\i848260.exec:\i848260.exe34⤵
- Executes dropped EXE
PID:4784 -
\??\c:\7nnbhb.exec:\7nnbhb.exe35⤵
- Executes dropped EXE
PID:2580 -
\??\c:\rxrfrfr.exec:\rxrfrfr.exe36⤵
- Executes dropped EXE
PID:948 -
\??\c:\44606.exec:\44606.exe37⤵
- Executes dropped EXE
PID:2528 -
\??\c:\hththt.exec:\hththt.exe38⤵
- Executes dropped EXE
PID:1848 -
\??\c:\hbnhtn.exec:\hbnhtn.exe39⤵
- Executes dropped EXE
PID:3204 -
\??\c:\xrxffxl.exec:\xrxffxl.exe40⤵
- Executes dropped EXE
PID:2608 -
\??\c:\22200.exec:\22200.exe41⤵
- Executes dropped EXE
PID:1416 -
\??\c:\thhnbt.exec:\thhnbt.exe42⤵
- Executes dropped EXE
PID:760 -
\??\c:\c842266.exec:\c842266.exe43⤵
- Executes dropped EXE
PID:5096 -
\??\c:\hnnbnh.exec:\hnnbnh.exe44⤵
- Executes dropped EXE
PID:2064 -
\??\c:\3lxlfrl.exec:\3lxlfrl.exe45⤵
- Executes dropped EXE
PID:1784 -
\??\c:\68828.exec:\68828.exe46⤵
- Executes dropped EXE
PID:3948 -
\??\c:\pddpd.exec:\pddpd.exe47⤵
- Executes dropped EXE
PID:2848 -
\??\c:\jjdpv.exec:\jjdpv.exe48⤵
- Executes dropped EXE
PID:2824 -
\??\c:\6264264.exec:\6264264.exe49⤵
- Executes dropped EXE
PID:4980 -
\??\c:\a0420.exec:\a0420.exe50⤵
- Executes dropped EXE
PID:4832 -
\??\c:\044682.exec:\044682.exe51⤵
- Executes dropped EXE
PID:3496 -
\??\c:\hbhtbh.exec:\hbhtbh.exe52⤵
- Executes dropped EXE
PID:1228 -
\??\c:\jvvpv.exec:\jvvpv.exe53⤵
- Executes dropped EXE
PID:620 -
\??\c:\dpvjj.exec:\dpvjj.exe54⤵
- Executes dropped EXE
PID:2100 -
\??\c:\22208.exec:\22208.exe55⤵
- Executes dropped EXE
PID:3144 -
\??\c:\20046.exec:\20046.exe56⤵
- Executes dropped EXE
PID:3344 -
\??\c:\rfxxllx.exec:\rfxxllx.exe57⤵
- Executes dropped EXE
PID:756 -
\??\c:\vjdvj.exec:\vjdvj.exe58⤵
- Executes dropped EXE
PID:3852 -
\??\c:\o060088.exec:\o060088.exe59⤵
- Executes dropped EXE
PID:704 -
\??\c:\8404882.exec:\8404882.exe60⤵
- Executes dropped EXE
PID:2996 -
\??\c:\vpjvj.exec:\vpjvj.exe61⤵
- Executes dropped EXE
PID:4532 -
\??\c:\420420.exec:\420420.exe62⤵
- Executes dropped EXE
PID:1392 -
\??\c:\20604.exec:\20604.exe63⤵
- Executes dropped EXE
PID:2672 -
\??\c:\bhhnbt.exec:\bhhnbt.exe64⤵
- Executes dropped EXE
PID:5088 -
\??\c:\o004604.exec:\o004604.exe65⤵
- Executes dropped EXE
PID:3960 -
\??\c:\rllxrfx.exec:\rllxrfx.exe66⤵
- System Location Discovery: System Language Discovery
PID:3020 -
\??\c:\0008608.exec:\0008608.exe67⤵PID:2844
-
\??\c:\9tnbhb.exec:\9tnbhb.exe68⤵PID:5012
-
\??\c:\048082.exec:\048082.exe69⤵PID:4148
-
\??\c:\288208.exec:\288208.exe70⤵PID:2948
-
\??\c:\82208.exec:\82208.exe71⤵PID:2124
-
\??\c:\5tnbnh.exec:\5tnbnh.exe72⤵PID:4216
-
\??\c:\866426.exec:\866426.exe73⤵PID:1028
-
\??\c:\48804.exec:\48804.exe74⤵PID:4400
-
\??\c:\ppdpv.exec:\ppdpv.exe75⤵PID:1932
-
\??\c:\jjjpd.exec:\jjjpd.exe76⤵PID:1956
-
\??\c:\426648.exec:\426648.exe77⤵PID:2184
-
\??\c:\pdvpv.exec:\pdvpv.exe78⤵PID:4240
-
\??\c:\bbhtbt.exec:\bbhtbt.exe79⤵PID:3604
-
\??\c:\e84860.exec:\e84860.exe80⤵PID:2036
-
\??\c:\jpvjp.exec:\jpvjp.exe81⤵PID:2424
-
\??\c:\5xrfrlx.exec:\5xrfrlx.exe82⤵PID:3696
-
\??\c:\u220820.exec:\u220820.exe83⤵PID:4968
-
\??\c:\9rlfxrr.exec:\9rlfxrr.exe84⤵PID:3712
-
\??\c:\vppdp.exec:\vppdp.exe85⤵PID:3612
-
\??\c:\xfxlxlx.exec:\xfxlxlx.exe86⤵PID:2832
-
\??\c:\o608642.exec:\o608642.exe87⤵PID:5080
-
\??\c:\rllrfxx.exec:\rllrfxx.exe88⤵PID:1372
-
\??\c:\02060.exec:\02060.exe89⤵
- System Location Discovery: System Language Discovery
PID:4772 -
\??\c:\vddpd.exec:\vddpd.exe90⤵PID:2352
-
\??\c:\nbthth.exec:\nbthth.exe91⤵PID:3644
-
\??\c:\644260.exec:\644260.exe92⤵PID:2480
-
\??\c:\204240.exec:\204240.exe93⤵PID:4964
-
\??\c:\k60426.exec:\k60426.exe94⤵PID:2200
-
\??\c:\vvvjv.exec:\vvvjv.exe95⤵PID:4688
-
\??\c:\xffxllx.exec:\xffxllx.exe96⤵PID:3308
-
\??\c:\9frfxrf.exec:\9frfxrf.exe97⤵PID:3148
-
\??\c:\ttthhb.exec:\ttthhb.exe98⤵PID:5104
-
\??\c:\fxfrlfr.exec:\fxfrlfr.exe99⤵PID:736
-
\??\c:\422204.exec:\422204.exe100⤵PID:704
-
\??\c:\4224260.exec:\4224260.exe101⤵PID:3492
-
\??\c:\840860.exec:\840860.exe102⤵PID:1460
-
\??\c:\q08866.exec:\q08866.exe103⤵PID:4132
-
\??\c:\888600.exec:\888600.exe104⤵PID:3276
-
\??\c:\dvjpd.exec:\dvjpd.exe105⤵PID:4864
-
\??\c:\xxxlrlx.exec:\xxxlrlx.exe106⤵PID:532
-
\??\c:\vpjdp.exec:\vpjdp.exe107⤵PID:1632
-
\??\c:\640886.exec:\640886.exe108⤵PID:2124
-
\??\c:\460648.exec:\460648.exe109⤵PID:596
-
\??\c:\xlfxllx.exec:\xlfxllx.exe110⤵PID:3184
-
\??\c:\20480.exec:\20480.exe111⤵PID:1556
-
\??\c:\8448082.exec:\8448082.exe112⤵PID:512
-
\??\c:\jvvjv.exec:\jvvjv.exe113⤵PID:948
-
\??\c:\8000266.exec:\8000266.exe114⤵PID:1364
-
\??\c:\9vvpj.exec:\9vvpj.exe115⤵PID:1848
-
\??\c:\0068648.exec:\0068648.exe116⤵PID:3604
-
\??\c:\26642.exec:\26642.exe117⤵PID:4856
-
\??\c:\dpvpd.exec:\dpvpd.exe118⤵PID:2424
-
\??\c:\28204.exec:\28204.exe119⤵PID:3696
-
\??\c:\i620486.exec:\i620486.exe120⤵PID:4968
-
\??\c:\484464.exec:\484464.exe121⤵PID:3712
-
\??\c:\nbbnnh.exec:\nbbnnh.exe122⤵PID:4576