Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 02:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe
-
Size
455KB
-
MD5
d0246ea9665f16b301cd37508b7c8b78
-
SHA1
597a09e53cdcf69b04e1ee1bac61489a8fadbb18
-
SHA256
94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3
-
SHA512
44ced969ddbc215c50b8931f606dd0646bf62ec1cfedc72b8099b63bd1d8b99b8baef3bc1dcb90f808c47196c75a3e9f720acb5620d9fc27e34c75613ea2d6ee
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRd:q7Tc2NYHUrAwfMp3CDRd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/964-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4856-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2700-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-1198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/748-1767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4432 28826.exe 4592 tbhtht.exe 3372 08446.exe 1972 djvjd.exe 4764 xrfxrxf.exe 1700 frrfrlf.exe 4420 a2046.exe 464 60082.exe 2980 42200.exe 320 5djdj.exe 4932 vvvdp.exe 2252 k40404.exe 3572 444860.exe 552 a4426.exe 2384 vdjdj.exe 2016 226604.exe 4164 dpdpj.exe 4868 s4004.exe 3656 thhhnt.exe 4560 062082.exe 2024 jjvpv.exe 4988 xffxrrl.exe 916 802228.exe 2636 080488.exe 4456 3fffxff.exe 1028 tnnnht.exe 1444 xxxxfxl.exe 3368 hbhthh.exe 1596 0680448.exe 4980 m8882.exe 624 2460448.exe 4128 46266.exe 1452 3vjjp.exe 4912 86604.exe 3108 vvdvj.exe 4856 0460820.exe 3548 pddvv.exe 3020 88864.exe 1660 jdjjp.exe 2348 btnhhb.exe 3460 1nhthb.exe 2700 6048660.exe 2388 9btnbt.exe 3520 nttnhn.exe 452 jjjjp.exe 5116 600426.exe 4372 66048.exe 4944 fxfxffr.exe 4432 482266.exe 3512 jddjv.exe 3876 e80048.exe 2904 ntttbb.exe 1776 vjjvp.exe 3644 6664042.exe 1124 08486.exe 2480 ddpjj.exe 1700 48220.exe 2224 nhbttn.exe 2012 vppvp.exe 3404 hnnbtn.exe 428 rxllxxx.exe 2440 lxlfffx.exe 320 7btbnn.exe 3316 bhttbh.exe -
resource yara_rule behavioral2/memory/964-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-205-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3548-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-184-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4980-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-681-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8442044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 622426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2044886.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e64444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e44204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8848826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o204886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 964 wrote to memory of 4432 964 94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe 85 PID 964 wrote to memory of 4432 964 94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe 85 PID 964 wrote to memory of 4432 964 94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe 85 PID 4432 wrote to memory of 4592 4432 28826.exe 86 PID 4432 wrote to memory of 4592 4432 28826.exe 86 PID 4432 wrote to memory of 4592 4432 28826.exe 86 PID 4592 wrote to memory of 3372 4592 tbhtht.exe 87 PID 4592 wrote to memory of 3372 4592 tbhtht.exe 87 PID 4592 wrote to memory of 3372 4592 tbhtht.exe 87 PID 3372 wrote to memory of 1972 3372 08446.exe 88 PID 3372 wrote to memory of 1972 3372 08446.exe 88 PID 3372 wrote to memory of 1972 3372 08446.exe 88 PID 1972 wrote to memory of 4764 1972 djvjd.exe 89 PID 1972 wrote to memory of 4764 1972 djvjd.exe 89 PID 1972 wrote to memory of 4764 1972 djvjd.exe 89 PID 4764 wrote to memory of 1700 4764 xrfxrxf.exe 141 PID 4764 wrote to memory of 1700 4764 xrfxrxf.exe 141 PID 4764 wrote to memory of 1700 4764 xrfxrxf.exe 141 PID 1700 wrote to memory of 4420 1700 frrfrlf.exe 91 PID 1700 wrote to memory of 4420 1700 frrfrlf.exe 91 PID 1700 wrote to memory of 4420 1700 frrfrlf.exe 91 PID 4420 wrote to memory of 464 4420 a2046.exe 92 PID 4420 wrote to memory of 464 4420 a2046.exe 92 PID 4420 wrote to memory of 464 4420 a2046.exe 92 PID 464 wrote to memory of 2980 464 60082.exe 202 PID 464 wrote to memory of 2980 464 60082.exe 202 PID 464 wrote to memory of 2980 464 60082.exe 202 PID 2980 wrote to memory of 320 2980 42200.exe 147 PID 2980 wrote to memory of 320 2980 42200.exe 147 PID 2980 wrote to memory of 320 2980 42200.exe 147 PID 320 wrote to memory of 4932 320 5djdj.exe 95 PID 320 wrote to memory of 4932 320 5djdj.exe 95 PID 320 wrote to memory of 4932 320 5djdj.exe 95 PID 4932 wrote to memory of 2252 4932 vvvdp.exe 96 PID 4932 wrote to memory of 2252 4932 vvvdp.exe 96 
PID 4932 wrote to memory of 2252 4932 vvvdp.exe 96 PID 2252 wrote to memory of 3572 2252 k40404.exe 97 PID 2252 wrote to memory of 3572 2252 k40404.exe 97 PID 2252 wrote to memory of 3572 2252 k40404.exe 97 PID 3572 wrote to memory of 552 3572 444860.exe 98 PID 3572 wrote to memory of 552 3572 444860.exe 98 PID 3572 wrote to memory of 552 3572 444860.exe 98 PID 552 wrote to memory of 2384 552 a4426.exe 99 PID 552 wrote to memory of 2384 552 a4426.exe 99 PID 552 wrote to memory of 2384 552 a4426.exe 99 PID 2384 wrote to memory of 2016 2384 vdjdj.exe 100 PID 2384 wrote to memory of 2016 2384 vdjdj.exe 100 PID 2384 wrote to memory of 2016 2384 vdjdj.exe 100 PID 2016 wrote to memory of 4164 2016 226604.exe 101 PID 2016 wrote to memory of 4164 2016 226604.exe 101 PID 2016 wrote to memory of 4164 2016 226604.exe 101 PID 4164 wrote to memory of 4868 4164 dpdpj.exe 102 PID 4164 wrote to memory of 4868 4164 dpdpj.exe 102 PID 4164 wrote to memory of 4868 4164 dpdpj.exe 102 PID 4868 wrote to memory of 3656 4868 s4004.exe 103 PID 4868 wrote to memory of 3656 4868 s4004.exe 103 PID 4868 wrote to memory of 3656 4868 s4004.exe 103 PID 3656 wrote to memory of 4560 3656 thhhnt.exe 104 PID 3656 wrote to memory of 4560 3656 thhhnt.exe 104 PID 3656 wrote to memory of 4560 3656 thhhnt.exe 104 PID 4560 wrote to memory of 2024 4560 062082.exe 105 PID 4560 wrote to memory of 2024 4560 062082.exe 105 PID 4560 wrote to memory of 2024 4560 062082.exe 105 PID 2024 wrote to memory of 4988 2024 jjvpv.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe"C:\Users\Admin\AppData\Local\Temp\94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\28826.exec:\28826.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\tbhtht.exec:\tbhtht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\08446.exec:\08446.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\djvjd.exec:\djvjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\xrfxrxf.exec:\xrfxrxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\frrfrlf.exec:\frrfrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\a2046.exec:\a2046.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\60082.exec:\60082.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\42200.exec:\42200.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\5djdj.exec:\5djdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\vvvdp.exec:\vvvdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\k40404.exec:\k40404.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\444860.exec:\444860.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\a4426.exec:\a4426.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\vdjdj.exec:\vdjdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\226604.exec:\226604.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\dpdpj.exec:\dpdpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\s4004.exec:\s4004.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\thhhnt.exec:\thhhnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\062082.exec:\062082.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\jjvpv.exec:\jjvpv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\xffxrrl.exec:\xffxrrl.exe23⤵
- Executes dropped EXE
PID:4988 -
\??\c:\802228.exec:\802228.exe24⤵
- Executes dropped EXE
PID:916 -
\??\c:\080488.exec:\080488.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2636 -
\??\c:\3fffxff.exec:\3fffxff.exe26⤵
- Executes dropped EXE
PID:4456 -
\??\c:\tnnnht.exec:\tnnnht.exe27⤵
- Executes dropped EXE
PID:1028 -
\??\c:\xxxxfxl.exec:\xxxxfxl.exe28⤵
- Executes dropped EXE
PID:1444 -
\??\c:\hbhthh.exec:\hbhthh.exe29⤵
- Executes dropped EXE
PID:3368 -
\??\c:\0680448.exec:\0680448.exe30⤵
- Executes dropped EXE
PID:1596 -
\??\c:\m8882.exec:\m8882.exe31⤵
- Executes dropped EXE
PID:4980 -
\??\c:\2460448.exec:\2460448.exe32⤵
- Executes dropped EXE
PID:624 -
\??\c:\46266.exec:\46266.exe33⤵
- Executes dropped EXE
PID:4128 -
\??\c:\3vjjp.exec:\3vjjp.exe34⤵
- Executes dropped EXE
PID:1452 -
\??\c:\86604.exec:\86604.exe35⤵
- Executes dropped EXE
PID:4912 -
\??\c:\vvdvj.exec:\vvdvj.exe36⤵
- Executes dropped EXE
PID:3108 -
\??\c:\0460820.exec:\0460820.exe37⤵
- Executes dropped EXE
PID:4856 -
\??\c:\pddvv.exec:\pddvv.exe38⤵
- Executes dropped EXE
PID:3548 -
\??\c:\88864.exec:\88864.exe39⤵
- Executes dropped EXE
PID:3020 -
\??\c:\jdjjp.exec:\jdjjp.exe40⤵
- Executes dropped EXE
PID:1660 -
\??\c:\btnhhb.exec:\btnhhb.exe41⤵
- Executes dropped EXE
PID:2348 -
\??\c:\1nhthb.exec:\1nhthb.exe42⤵
- Executes dropped EXE
PID:3460 -
\??\c:\6048660.exec:\6048660.exe43⤵
- Executes dropped EXE
PID:2700 -
\??\c:\9btnbt.exec:\9btnbt.exe44⤵
- Executes dropped EXE
PID:2388 -
\??\c:\nttnhn.exec:\nttnhn.exe45⤵
- Executes dropped EXE
PID:3520 -
\??\c:\jjjjp.exec:\jjjjp.exe46⤵
- Executes dropped EXE
PID:452 -
\??\c:\600426.exec:\600426.exe47⤵
- Executes dropped EXE
PID:5116 -
\??\c:\66048.exec:\66048.exe48⤵
- Executes dropped EXE
PID:4372 -
\??\c:\fxfxffr.exec:\fxfxffr.exe49⤵
- Executes dropped EXE
PID:4944 -
\??\c:\482266.exec:\482266.exe50⤵
- Executes dropped EXE
PID:4432 -
\??\c:\jddjv.exec:\jddjv.exe51⤵
- Executes dropped EXE
PID:3512 -
\??\c:\e80048.exec:\e80048.exe52⤵
- Executes dropped EXE
PID:3876 -
\??\c:\ntttbb.exec:\ntttbb.exe53⤵
- Executes dropped EXE
PID:2904 -
\??\c:\vjjvp.exec:\vjjvp.exe54⤵
- Executes dropped EXE
PID:1776 -
\??\c:\6664042.exec:\6664042.exe55⤵
- Executes dropped EXE
PID:3644 -
\??\c:\08486.exec:\08486.exe56⤵
- Executes dropped EXE
PID:1124 -
\??\c:\ddpjj.exec:\ddpjj.exe57⤵
- Executes dropped EXE
PID:2480 -
\??\c:\48220.exec:\48220.exe58⤵
- Executes dropped EXE
PID:1700 -
\??\c:\nhbttn.exec:\nhbttn.exe59⤵
- Executes dropped EXE
PID:2224 -
\??\c:\vppvp.exec:\vppvp.exe60⤵
- Executes dropped EXE
PID:2012 -
\??\c:\hnnbtn.exec:\hnnbtn.exe61⤵
- Executes dropped EXE
PID:3404 -
\??\c:\rxllxxx.exec:\rxllxxx.exe62⤵
- Executes dropped EXE
PID:428 -
\??\c:\lxlfffx.exec:\lxlfffx.exe63⤵
- Executes dropped EXE
PID:2440 -
\??\c:\7btbnn.exec:\7btbnn.exe64⤵
- Executes dropped EXE
PID:320 -
\??\c:\bhttbh.exec:\bhttbh.exe65⤵
- Executes dropped EXE
PID:3316 -
\??\c:\4620060.exec:\4620060.exe66⤵PID:2584
-
\??\c:\pjjjd.exec:\pjjjd.exe67⤵PID:2928
-
\??\c:\088860.exec:\088860.exe68⤵PID:2408
-
\??\c:\lrrlxxr.exec:\lrrlxxr.exe69⤵PID:212
-
\??\c:\q46604.exec:\q46604.exe70⤵PID:3472
-
\??\c:\6626048.exec:\6626048.exe71⤵PID:4164
-
\??\c:\xlllllr.exec:\xlllllr.exe72⤵PID:1372
-
\??\c:\9lxrllf.exec:\9lxrllf.exe73⤵PID:3324
-
\??\c:\hbnnhh.exec:\hbnnhh.exe74⤵PID:948
-
\??\c:\nbhbtt.exec:\nbhbtt.exe75⤵PID:512
-
\??\c:\8282648.exec:\8282648.exe76⤵PID:1220
-
\??\c:\rxrffrx.exec:\rxrffrx.exe77⤵PID:4600
-
\??\c:\m6404.exec:\m6404.exe78⤵PID:3516
-
\??\c:\1lfxrlf.exec:\1lfxrlf.exe79⤵PID:4512
-
\??\c:\rfxlfrx.exec:\rfxlfrx.exe80⤵PID:840
-
\??\c:\08428.exec:\08428.exe81⤵PID:2636
-
\??\c:\7jdvj.exec:\7jdvj.exe82⤵PID:4848
-
\??\c:\xfxlxrf.exec:\xfxlxrf.exe83⤵PID:3308
-
\??\c:\2008608.exec:\2008608.exe84⤵PID:1540
-
\??\c:\444200.exec:\444200.exe85⤵PID:4528
-
\??\c:\9pjpj.exec:\9pjpj.exe86⤵PID:3196
-
\??\c:\42822.exec:\42822.exe87⤵PID:4544
-
\??\c:\frrxlfr.exec:\frrxlfr.exe88⤵PID:4952
-
\??\c:\ddjdp.exec:\ddjdp.exe89⤵PID:5092
-
\??\c:\jppjv.exec:\jppjv.exe90⤵PID:1512
-
\??\c:\s8824.exec:\s8824.exe91⤵PID:4844
-
\??\c:\9llxrrf.exec:\9llxrrf.exe92⤵PID:640
-
\??\c:\rffrfxr.exec:\rffrfxr.exe93⤵PID:3724
-
\??\c:\o884260.exec:\o884260.exe94⤵PID:4616
-
\??\c:\o864260.exec:\o864260.exe95⤵PID:2064
-
\??\c:\q86082.exec:\q86082.exe96⤵PID:1920
-
\??\c:\0664264.exec:\0664264.exe97⤵PID:2940
-
\??\c:\644260.exec:\644260.exe98⤵
- System Location Discovery: System Language Discovery
PID:1324 -
\??\c:\vppjd.exec:\vppjd.exe99⤵PID:3492
-
\??\c:\lflfxfx.exec:\lflfxfx.exe100⤵PID:2316
-
\??\c:\048266.exec:\048266.exe101⤵PID:2084
-
\??\c:\w00648.exec:\w00648.exe102⤵PID:4840
-
\??\c:\82664.exec:\82664.exe103⤵PID:4368
-
\??\c:\2004866.exec:\2004866.exe104⤵PID:1764
-
\??\c:\880048.exec:\880048.exe105⤵PID:2800
-
\??\c:\htthtn.exec:\htthtn.exe106⤵PID:2184
-
\??\c:\vdvdp.exec:\vdvdp.exe107⤵PID:960
-
\??\c:\nnhbnn.exec:\nnhbnn.exe108⤵PID:4888
-
\??\c:\httnbt.exec:\httnbt.exe109⤵PID:3436
-
\??\c:\8626822.exec:\8626822.exe110⤵PID:1224
-
\??\c:\nnnhhb.exec:\nnnhhb.exe111⤵PID:4716
-
\??\c:\xfxxrrf.exec:\xfxxrrf.exe112⤵PID:2224
-
\??\c:\frrfxrl.exec:\frrfxrl.exe113⤵PID:2764
-
\??\c:\rrrxlxf.exec:\rrrxlxf.exe114⤵PID:2980
-
\??\c:\u686444.exec:\u686444.exe115⤵PID:1780
-
\??\c:\nhbthb.exec:\nhbthb.exe116⤵PID:3204
-
\??\c:\282082.exec:\282082.exe117⤵PID:408
-
\??\c:\ddvjv.exec:\ddvjv.exe118⤵PID:3616
-
\??\c:\08040.exec:\08040.exe119⤵PID:2092
-
\??\c:\i660822.exec:\i660822.exe120⤵PID:536
-
\??\c:\w40406.exec:\w40406.exe121⤵PID:5016
-
\??\c:\2620886.exec:\2620886.exe122⤵PID:4108