Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
05-08-2024 13:51
Behavioral task
behavioral1
Sample
990baa0992d59a4e80f072d9b0940b60N.exe
Resource
win7-20240708-en
windows7-x64
6 signatures
120 seconds
General
-
Target
990baa0992d59a4e80f072d9b0940b60N.exe
-
Size
120KB
-
MD5
990baa0992d59a4e80f072d9b0940b60
-
SHA1
4016971635c47a629d8adcfd9b5313b14552ea54
-
SHA256
d2736c3002498c2a19a49773829563ef210ba9acf61638001ea5bf4362c0d2d8
-
SHA512
5814874f6ff13638580e0120778e24531b5d56e696c3bc98fd946dc2818e0b42a3d10b4aa50b4435394c44e5e867ba2b7e0851d9b61453c6e5f1d1f6bc9691cf
-
SSDEEP
3072:9hOmTsF93UYfwC6GIoutz5yLpcgDE49IIoO:9cm4FmowdHoS0IIoO
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4832-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3168-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3360-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1764-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1556-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2740-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2104-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1316-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4648-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2000-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1204-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4876-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5008-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/416-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3700-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1896-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1896-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1764-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4308-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3308-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3464-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2136-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4324-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1084-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1648-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2064-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4628-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3116-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3484-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2740-365-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3300-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1296-413-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-417-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2080-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2508-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1992-494-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-514-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2784-521-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/760-530-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2836-532-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-780-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-851-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-880-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-992-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4864-1063-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4928 86004.exe 1796 pdjpj.exe 3168 hbhthh.exe 3360 dvjvd.exe 4116 66288.exe 3092 04048.exe 1996 lfllllf.exe 3832 pvdvp.exe 3616 a0260.exe 1832 m4604.exe 1764 1hbbth.exe 1556 20406.exe 4260 pjdpp.exe 2740 xlxxxxr.exe 1948 ddjjv.exe 2104 hhtnnn.exe 3632 64682.exe 2236 k22082.exe 1316 vvddd.exe 4648 lfflllf.exe 2000 jvdjd.exe 1204 246862.exe 3864 00226.exe 4876 pjjdj.exe 5008 e26222.exe 2064 086088.exe 2040 02800.exe 4416 624066.exe 416 btbthn.exe 3500 lxxxrrr.exe 1952 7rfxlfr.exe 2892 402600.exe 3168 3dvpj.exe 212 44408.exe 4352 vpjjd.exe 4116 rxxflrx.exe 1504 w44888.exe 3700 tthbnn.exe 3652 802266.exe 1896 xrlfxxr.exe 4664 ntbhhb.exe 2540 llflxll.exe 2952 8460004.exe 1764 280044.exe 904 444882.exe 3696 82060.exe 4308 28448.exe 3308 44004.exe 3464 042480.exe 2244 dpvjp.exe 5056 htbbnb.exe 3888 hntttt.exe 2136 llxrllr.exe 4324 xxrrfff.exe 3428 bbbhhh.exe 1084 vpdpp.exe 2844 xfxxrll.exe 1228 468440.exe 1648 6026602.exe 5008 420000.exe 1296 o204406.exe 2064 024486.exe 4548 jdpdp.exe 4456 hhhbtt.exe -
resource yara_rule behavioral2/memory/4832-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023651-3.dat upx behavioral2/memory/4832-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023657-9.dat upx behavioral2/memory/4928-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1796-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023658-14.dat upx behavioral2/memory/1796-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023659-22.dat upx behavioral2/memory/3168-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002365a-28.dat upx behavioral2/memory/3360-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4116-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002365b-35.dat upx behavioral2/memory/3092-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002365c-42.dat upx behavioral2/memory/1996-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3092-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002365d-48.dat upx behavioral2/files/0x000700000002365e-54.dat upx behavioral2/files/0x000700000002365f-58.dat upx behavioral2/memory/3616-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023660-64.dat upx behavioral2/files/0x0007000000023661-69.dat upx behavioral2/memory/1764-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023662-75.dat upx behavioral2/memory/1556-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023663-81.dat upx behavioral2/files/0x0007000000023664-86.dat upx behavioral2/memory/2740-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023665-92.dat upx 
behavioral2/files/0x0007000000023666-97.dat upx behavioral2/memory/3632-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2104-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023667-105.dat upx behavioral2/files/0x0007000000023668-110.dat upx behavioral2/memory/2236-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023669-115.dat upx behavioral2/memory/1316-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023655-121.dat upx behavioral2/memory/4648-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002366a-127.dat upx behavioral2/memory/2000-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002366b-133.dat upx behavioral2/memory/1204-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002366c-141.dat upx behavioral2/memory/3864-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002366d-145.dat upx behavioral2/memory/4876-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5008-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002366e-152.dat upx behavioral2/files/0x000700000002366f-157.dat upx behavioral2/files/0x0007000000023670-162.dat upx behavioral2/files/0x0007000000023671-169.dat upx behavioral2/memory/4416-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/416-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023672-174.dat upx behavioral2/files/0x0007000000023673-179.dat upx behavioral2/files/0x0007000000023674-185.dat upx behavioral2/memory/212-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3700-209-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3652-211-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1896-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1896-218-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u648288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c066000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2826666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 402600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w00062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8204040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2626482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4832 wrote to memory of 4928 4832 990baa0992d59a4e80f072d9b0940b60N.exe 90 PID 4832 wrote to memory of 4928 4832 990baa0992d59a4e80f072d9b0940b60N.exe 90 PID 4832 wrote to memory of 4928 4832 990baa0992d59a4e80f072d9b0940b60N.exe 90 PID 4928 wrote to memory of 1796 4928 86004.exe 91 PID 4928 wrote to memory of 1796 4928 86004.exe 91 PID 4928 wrote to memory of 1796 4928 86004.exe 91 PID 1796 wrote to memory of 3168 1796 pdjpj.exe 92 PID 1796 wrote to memory of 3168 1796 pdjpj.exe 92 PID 1796 wrote to memory of 3168 1796 pdjpj.exe 92 PID 3168 wrote to memory of 3360 3168 hbhthh.exe 93 PID 3168 wrote to memory of 3360 3168 hbhthh.exe 93 PID 3168 wrote to memory of 3360 3168 hbhthh.exe 93 PID 3360 wrote to memory of 4116 3360 dvjvd.exe 95 PID 3360 wrote to memory of 4116 3360 dvjvd.exe 95 PID 3360 wrote to memory of 4116 3360 dvjvd.exe 95 PID 4116 wrote to memory of 3092 4116 66288.exe 96 PID 4116 wrote to memory of 3092 4116 66288.exe 96 PID 4116 wrote to memory of 3092 4116 66288.exe 96 PID 3092 wrote to memory of 1996 3092 04048.exe 97 PID 3092 wrote to memory of 1996 3092 04048.exe 97 PID 3092 wrote to memory of 1996 3092 04048.exe 97 PID 1996 wrote to memory of 3832 1996 lfllllf.exe 98 PID 1996 wrote to memory of 3832 1996 lfllllf.exe 98 PID 1996 wrote to memory of 3832 1996 lfllllf.exe 98 PID 3832 wrote to memory of 3616 3832 pvdvp.exe 99 PID 3832 wrote to memory of 3616 3832 pvdvp.exe 99 PID 3832 wrote to memory of 3616 3832 pvdvp.exe 99 PID 3616 wrote to memory of 1832 3616 a0260.exe 101 PID 3616 wrote to memory of 1832 3616 a0260.exe 101 PID 3616 wrote to memory of 1832 3616 a0260.exe 101 PID 1832 wrote to memory of 1764 1832 m4604.exe 102 PID 1832 wrote to memory of 1764 1832 m4604.exe 102 PID 1832 wrote to memory of 1764 1832 m4604.exe 102 PID 1764 wrote to memory of 1556 1764 1hbbth.exe 103 PID 1764 wrote to memory of 1556 1764 1hbbth.exe 103 PID 1764 wrote to memory of 1556 1764 1hbbth.exe 103 PID 1556 wrote to 
memory of 4260 1556 20406.exe 104 PID 1556 wrote to memory of 4260 1556 20406.exe 104 PID 1556 wrote to memory of 4260 1556 20406.exe 104 PID 4260 wrote to memory of 2740 4260 pjdpp.exe 105 PID 4260 wrote to memory of 2740 4260 pjdpp.exe 105 PID 4260 wrote to memory of 2740 4260 pjdpp.exe 105 PID 2740 wrote to memory of 1948 2740 xlxxxxr.exe 106 PID 2740 wrote to memory of 1948 2740 xlxxxxr.exe 106 PID 2740 wrote to memory of 1948 2740 xlxxxxr.exe 106 PID 1948 wrote to memory of 2104 1948 ddjjv.exe 107 PID 1948 wrote to memory of 2104 1948 ddjjv.exe 107 PID 1948 wrote to memory of 2104 1948 ddjjv.exe 107 PID 2104 wrote to memory of 3632 2104 hhtnnn.exe 108 PID 2104 wrote to memory of 3632 2104 hhtnnn.exe 108 PID 2104 wrote to memory of 3632 2104 hhtnnn.exe 108 PID 3632 wrote to memory of 2236 3632 64682.exe 110 PID 3632 wrote to memory of 2236 3632 64682.exe 110 PID 3632 wrote to memory of 2236 3632 64682.exe 110 PID 2236 wrote to memory of 1316 2236 k22082.exe 111 PID 2236 wrote to memory of 1316 2236 k22082.exe 111 PID 2236 wrote to memory of 1316 2236 k22082.exe 111 PID 1316 wrote to memory of 4648 1316 vvddd.exe 112 PID 1316 wrote to memory of 4648 1316 vvddd.exe 112 PID 1316 wrote to memory of 4648 1316 vvddd.exe 112 PID 4648 wrote to memory of 2000 4648 lfflllf.exe 113 PID 4648 wrote to memory of 2000 4648 lfflllf.exe 113 PID 4648 wrote to memory of 2000 4648 lfflllf.exe 113 PID 2000 wrote to memory of 1204 2000 jvdjd.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\990baa0992d59a4e80f072d9b0940b60N.exe"C:\Users\Admin\AppData\Local\Temp\990baa0992d59a4e80f072d9b0940b60N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\86004.exec:\86004.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\pdjpj.exec:\pdjpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\hbhthh.exec:\hbhthh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\dvjvd.exec:\dvjvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\66288.exec:\66288.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\04048.exec:\04048.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\lfllllf.exec:\lfllllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\pvdvp.exec:\pvdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\a0260.exec:\a0260.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\m4604.exec:\m4604.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\1hbbth.exec:\1hbbth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\20406.exec:\20406.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\pjdpp.exec:\pjdpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\xlxxxxr.exec:\xlxxxxr.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\ddjjv.exec:\ddjjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\hhtnnn.exec:\hhtnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\64682.exec:\64682.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\k22082.exec:\k22082.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\vvddd.exec:\vvddd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\lfflllf.exec:\lfflllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\jvdjd.exec:\jvdjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\246862.exec:\246862.exe23⤵
- Executes dropped EXE
PID:1204 -
\??\c:\00226.exec:\00226.exe24⤵
- Executes dropped EXE
PID:3864 -
\??\c:\pjjdj.exec:\pjjdj.exe25⤵
- Executes dropped EXE
PID:4876 -
\??\c:\e26222.exec:\e26222.exe26⤵
- Executes dropped EXE
PID:5008 -
\??\c:\086088.exec:\086088.exe27⤵
- Executes dropped EXE
PID:2064 -
\??\c:\02800.exec:\02800.exe28⤵
- Executes dropped EXE
PID:2040 -
\??\c:\624066.exec:\624066.exe29⤵
- Executes dropped EXE
PID:4416 -
\??\c:\btbthn.exec:\btbthn.exe30⤵
- Executes dropped EXE
PID:416 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe31⤵
- Executes dropped EXE
PID:3500 -
\??\c:\7rfxlfr.exec:\7rfxlfr.exe32⤵
- Executes dropped EXE
PID:1952 -
\??\c:\402600.exec:\402600.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
\??\c:\3dvpj.exec:\3dvpj.exe34⤵
- Executes dropped EXE
PID:3168 -
\??\c:\44408.exec:\44408.exe35⤵
- Executes dropped EXE
PID:212 -
\??\c:\vpjjd.exec:\vpjjd.exe36⤵
- Executes dropped EXE
PID:4352 -
\??\c:\rxxflrx.exec:\rxxflrx.exe37⤵
- Executes dropped EXE
PID:4116 -
\??\c:\w44888.exec:\w44888.exe38⤵
- Executes dropped EXE
PID:1504 -
\??\c:\tthbnn.exec:\tthbnn.exe39⤵
- Executes dropped EXE
PID:3700 -
\??\c:\802266.exec:\802266.exe40⤵
- Executes dropped EXE
PID:3652 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe41⤵
- Executes dropped EXE
PID:1896 -
\??\c:\ntbhhb.exec:\ntbhhb.exe42⤵
- Executes dropped EXE
PID:4664 -
\??\c:\llflxll.exec:\llflxll.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2540 -
\??\c:\8460004.exec:\8460004.exe44⤵
- Executes dropped EXE
PID:2952 -
\??\c:\280044.exec:\280044.exe45⤵
- Executes dropped EXE
PID:1764 -
\??\c:\444882.exec:\444882.exe46⤵
- Executes dropped EXE
PID:904 -
\??\c:\82060.exec:\82060.exe47⤵
- Executes dropped EXE
PID:3696 -
\??\c:\28448.exec:\28448.exe48⤵
- Executes dropped EXE
PID:4308 -
\??\c:\44004.exec:\44004.exe49⤵
- Executes dropped EXE
PID:3308 -
\??\c:\042480.exec:\042480.exe50⤵
- Executes dropped EXE
PID:3464 -
\??\c:\dpvjp.exec:\dpvjp.exe51⤵
- Executes dropped EXE
PID:2244 -
\??\c:\htbbnb.exec:\htbbnb.exe52⤵
- Executes dropped EXE
PID:5056 -
\??\c:\hntttt.exec:\hntttt.exe53⤵
- Executes dropped EXE
PID:3888 -
\??\c:\llxrllr.exec:\llxrllr.exe54⤵
- Executes dropped EXE
PID:2136 -
\??\c:\xxrrfff.exec:\xxrrfff.exe55⤵
- Executes dropped EXE
PID:4324 -
\??\c:\bbbhhh.exec:\bbbhhh.exe56⤵
- Executes dropped EXE
PID:3428 -
\??\c:\vpdpp.exec:\vpdpp.exe57⤵
- Executes dropped EXE
PID:1084 -
\??\c:\xfxxrll.exec:\xfxxrll.exe58⤵
- Executes dropped EXE
PID:2844 -
\??\c:\468440.exec:\468440.exe59⤵
- Executes dropped EXE
PID:1228 -
\??\c:\6026602.exec:\6026602.exe60⤵
- Executes dropped EXE
PID:1648 -
\??\c:\420000.exec:\420000.exe61⤵
- Executes dropped EXE
PID:5008 -
\??\c:\o204406.exec:\o204406.exe62⤵
- Executes dropped EXE
PID:1296 -
\??\c:\024486.exec:\024486.exe63⤵
- Executes dropped EXE
PID:2064 -
\??\c:\jdpdp.exec:\jdpdp.exe64⤵
- Executes dropped EXE
PID:4548 -
\??\c:\hhhbtt.exec:\hhhbtt.exe65⤵
- Executes dropped EXE
PID:4456 -
\??\c:\lffffxr.exec:\lffffxr.exe66⤵PID:2080
-
\??\c:\0448848.exec:\0448848.exe67⤵PID:4952
-
\??\c:\ttbtbt.exec:\ttbtbt.exe68⤵PID:1796
-
\??\c:\48046.exec:\48046.exe69⤵PID:4232
-
\??\c:\dvvpd.exec:\dvvpd.exe70⤵
- System Location Discovery: System Language Discovery
PID:3188 -
\??\c:\00682.exec:\00682.exe71⤵PID:2908
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe72⤵PID:4628
-
\??\c:\nhntnn.exec:\nhntnn.exe73⤵PID:4252
-
\??\c:\e80088.exec:\e80088.exe74⤵PID:3116
-
\??\c:\6840002.exec:\6840002.exe75⤵PID:2676
-
\??\c:\vjpjj.exec:\vjpjj.exe76⤵PID:3832
-
\??\c:\046604.exec:\046604.exe77⤵PID:1528
-
\??\c:\646604.exec:\646604.exe78⤵PID:1832
-
\??\c:\lrlxfff.exec:\lrlxfff.exe79⤵PID:3484
-
\??\c:\048284.exec:\048284.exe80⤵PID:820
-
\??\c:\3vvpj.exec:\3vvpj.exe81⤵PID:4300
-
\??\c:\0082222.exec:\0082222.exe82⤵PID:4104
-
\??\c:\80284.exec:\80284.exe83⤵PID:4396
-
\??\c:\ttthbn.exec:\ttthbn.exe84⤵PID:2740
-
\??\c:\002626.exec:\002626.exe85⤵PID:3300
-
\??\c:\nntthh.exec:\nntthh.exe86⤵PID:3424
-
\??\c:\66220.exec:\66220.exe87⤵PID:3632
-
\??\c:\48820.exec:\48820.exe88⤵PID:4112
-
\??\c:\jpvpv.exec:\jpvpv.exe89⤵PID:1932
-
\??\c:\7vpjj.exec:\7vpjj.exe90⤵PID:2136
-
\??\c:\tnhbbb.exec:\tnhbbb.exe91⤵PID:2448
-
\??\c:\8022240.exec:\8022240.exe92⤵PID:4852
-
\??\c:\046000.exec:\046000.exe93⤵PID:832
-
\??\c:\vpvpp.exec:\vpvpp.exe94⤵PID:3748
-
\??\c:\2240426.exec:\2240426.exe95⤵PID:4476
-
\??\c:\26626.exec:\26626.exe96⤵PID:760
-
\??\c:\0644482.exec:\0644482.exe97⤵PID:5008
-
\??\c:\bbnthn.exec:\bbnthn.exe98⤵PID:1296
-
\??\c:\24082.exec:\24082.exe99⤵PID:2064
-
\??\c:\ffffrfx.exec:\ffffrfx.exe100⤵PID:4548
-
\??\c:\000000.exec:\000000.exe101⤵PID:3920
-
\??\c:\0624084.exec:\0624084.exe102⤵PID:2080
-
\??\c:\xxxxrrl.exec:\xxxxrrl.exe103⤵PID:4952
-
\??\c:\40082.exec:\40082.exe104⤵PID:3100
-
\??\c:\46448.exec:\46448.exe105⤵PID:2508
-
\??\c:\486622.exec:\486622.exe106⤵PID:4716
-
\??\c:\vjddv.exec:\vjddv.exe107⤵PID:2908
-
\??\c:\0688888.exec:\0688888.exe108⤵PID:2968
-
\??\c:\tbhhbh.exec:\tbhhbh.exe109⤵PID:3092
-
\??\c:\6862004.exec:\6862004.exe110⤵PID:1504
-
\??\c:\9nttbh.exec:\9nttbh.exe111⤵PID:1944
-
\??\c:\c406006.exec:\c406006.exe112⤵PID:4744
-
\??\c:\o400626.exec:\o400626.exe113⤵PID:400
-
\??\c:\9jdvp.exec:\9jdvp.exe114⤵
- System Location Discovery: System Language Discovery
PID:4664 -
\??\c:\ffffrrx.exec:\ffffrrx.exe115⤵PID:2268
-
\??\c:\5djjd.exec:\5djjd.exe116⤵PID:3484
-
\??\c:\400266.exec:\400266.exe117⤵PID:820
-
\??\c:\1tbhbn.exec:\1tbhbn.exe118⤵PID:3944
-
\??\c:\9nthhn.exec:\9nthhn.exe119⤵PID:4704
-
\??\c:\02226.exec:\02226.exe120⤵PID:2340
-
\??\c:\86462.exec:\86462.exe121⤵PID:3516
-
\??\c:\rfflxlr.exec:\rfflxlr.exe122⤵PID:1844