Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/11/2024, 01:41
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
9eca38b96ee8700a6bf65c50a1714ae5875c96f8af020ff741817254e24c42dc.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
9eca38b96ee8700a6bf65c50a1714ae5875c96f8af020ff741817254e24c42dc.exe
-
Size
453KB
-
MD5
a394982cbd7f72d44239ed9df2840116
-
SHA1
e39f8adce5f6a1ed9b4d2257b731c5b1c376a272
-
SHA256
9eca38b96ee8700a6bf65c50a1714ae5875c96f8af020ff741817254e24c42dc
-
SHA512
62069f90f6436c71a32a54116b9528c0ec49377ea87c983e4bb7a95ba7ae8166d15a85be8dc3d7622e696eaa9ae3d65e0dde9e69fc6694d3ea10a1e5a60b536c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/468-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4804-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1788-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-1302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-1318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-1944-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 468 8066262.exe 4240 ppjdp.exe 2084 6086468.exe 4664 462868.exe 2888 hbtbth.exe 632 202824.exe 2264 bbtnnh.exe 3812 0420028.exe 3900 jdjjj.exe 1840 7bhbth.exe 1324 pjjdv.exe 924 lflxxxl.exe 5048 q66486.exe 2500 vdvvj.exe 1076 djjjd.exe 3756 2622080.exe 1560 thbhhh.exe 4436 lxxxfrr.exe 4024 vvjjp.exe 2960 jvjdj.exe 1504 thhhtb.exe 2064 hnhthh.exe 4804 ddpvp.exe 888 btbhnb.exe 4004 4626600.exe 5064 frffxxr.exe 2616 046204.exe 4356 djpjd.exe 4796 7rlxxfr.exe 5052 64242.exe 2448 fxxfxff.exe 1744 3pjdp.exe 1540 06424.exe 3944 826282.exe 3652 84086.exe 3156 4064820.exe 3208 20660.exe 4924 hhnhtn.exe 2796 40642.exe 804 flffrrr.exe 2736 42648.exe 2720 000248.exe 1060 vvjdv.exe 2988 m0222.exe 3796 8842682.exe 2436 hhhtnt.exe 4820 xrllfxl.exe 4408 260866.exe 4268 pjvvd.exe 3196 pdjvp.exe 1480 ppdjd.exe 3664 7bhhbb.exe 1488 nnbttn.exe 2724 820600.exe 4760 nthbbh.exe 1340 u064604.exe 5008 frrfxxr.exe 3408 rxxxxxr.exe 1876 nhnntt.exe 1104 nntnnt.exe 1792 dvvvj.exe 4440 0664604.exe 4652 rlrrlff.exe 2096 xxfrllf.exe -
resource yara_rule behavioral2/memory/468-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5064-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-424-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1480-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-904-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-1302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-1318-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e62220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 282484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4844 wrote to memory of 468 4844 9eca38b96ee8700a6bf65c50a1714ae5875c96f8af020ff741817254e24c42dc.exe 83 PID 4844 wrote to memory of 468 4844 9eca38b96ee8700a6bf65c50a1714ae5875c96f8af020ff741817254e24c42dc.exe 83 PID 4844 wrote to memory of 468 4844 9eca38b96ee8700a6bf65c50a1714ae5875c96f8af020ff741817254e24c42dc.exe 83 PID 468 wrote to memory of 4240 468 8066262.exe 84 PID 468 wrote to memory of 4240 468 8066262.exe 84 PID 468 wrote to memory of 4240 468 8066262.exe 84 PID 4240 wrote to memory of 2084 4240 ppjdp.exe 85 PID 4240 wrote to memory of 2084 4240 ppjdp.exe 85 PID 4240 wrote to memory of 2084 4240 ppjdp.exe 85 PID 2084 wrote to memory of 4664 2084 6086468.exe 86 PID 2084 wrote to memory of 4664 2084 6086468.exe 86 PID 2084 wrote to memory of 4664 2084 6086468.exe 86 PID 4664 wrote to memory of 2888 4664 462868.exe 87 PID 4664 wrote to memory of 2888 4664 462868.exe 87 PID 4664 wrote to memory of 2888 4664 462868.exe 87 PID 2888 wrote to memory of 632 2888 hbtbth.exe 88 PID 2888 wrote to memory of 632 2888 hbtbth.exe 88 PID 2888 wrote to memory of 632 2888 hbtbth.exe 88 PID 632 wrote to memory of 2264 632 202824.exe 89 PID 632 wrote to memory of 2264 632 202824.exe 89 PID 632 wrote to memory of 2264 632 202824.exe 89 PID 2264 wrote to memory of 3812 2264 bbtnnh.exe 90 PID 2264 wrote to memory of 3812 2264 bbtnnh.exe 90 PID 2264 wrote to memory of 3812 2264 bbtnnh.exe 90 PID 3812 wrote to memory of 3900 3812 0420028.exe 91 PID 3812 wrote to memory of 3900 3812 0420028.exe 91 PID 3812 wrote to memory of 3900 3812 0420028.exe 91 PID 3900 wrote to memory of 1840 3900 jdjjj.exe 92 PID 3900 wrote to memory of 1840 3900 jdjjj.exe 92 PID 3900 wrote to memory of 1840 3900 jdjjj.exe 92 PID 1840 wrote to memory of 1324 1840 7bhbth.exe 93 PID 1840 wrote to memory of 1324 1840 7bhbth.exe 93 PID 1840 wrote to memory of 1324 1840 7bhbth.exe 93 PID 1324 wrote to memory of 924 1324 pjjdv.exe 94 PID 1324 wrote to memory of 924 1324 
pjjdv.exe 94 PID 1324 wrote to memory of 924 1324 pjjdv.exe 94 PID 924 wrote to memory of 5048 924 lflxxxl.exe 95 PID 924 wrote to memory of 5048 924 lflxxxl.exe 95 PID 924 wrote to memory of 5048 924 lflxxxl.exe 95 PID 5048 wrote to memory of 2500 5048 q66486.exe 96 PID 5048 wrote to memory of 2500 5048 q66486.exe 96 PID 5048 wrote to memory of 2500 5048 q66486.exe 96 PID 2500 wrote to memory of 1076 2500 vdvvj.exe 97 PID 2500 wrote to memory of 1076 2500 vdvvj.exe 97 PID 2500 wrote to memory of 1076 2500 vdvvj.exe 97 PID 1076 wrote to memory of 3756 1076 djjjd.exe 98 PID 1076 wrote to memory of 3756 1076 djjjd.exe 98 PID 1076 wrote to memory of 3756 1076 djjjd.exe 98 PID 3756 wrote to memory of 1560 3756 2622080.exe 99 PID 3756 wrote to memory of 1560 3756 2622080.exe 99 PID 3756 wrote to memory of 1560 3756 2622080.exe 99 PID 1560 wrote to memory of 4436 1560 thbhhh.exe 100 PID 1560 wrote to memory of 4436 1560 thbhhh.exe 100 PID 1560 wrote to memory of 4436 1560 thbhhh.exe 100 PID 4436 wrote to memory of 4024 4436 lxxxfrr.exe 101 PID 4436 wrote to memory of 4024 4436 lxxxfrr.exe 101 PID 4436 wrote to memory of 4024 4436 lxxxfrr.exe 101 PID 4024 wrote to memory of 2960 4024 vvjjp.exe 102 PID 4024 wrote to memory of 2960 4024 vvjjp.exe 102 PID 4024 wrote to memory of 2960 4024 vvjjp.exe 102 PID 2960 wrote to memory of 1504 2960 jvjdj.exe 103 PID 2960 wrote to memory of 1504 2960 jvjdj.exe 103 PID 2960 wrote to memory of 1504 2960 jvjdj.exe 103 PID 1504 wrote to memory of 2064 1504 thhhtb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9eca38b96ee8700a6bf65c50a1714ae5875c96f8af020ff741817254e24c42dc.exe"C:\Users\Admin\AppData\Local\Temp\9eca38b96ee8700a6bf65c50a1714ae5875c96f8af020ff741817254e24c42dc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\8066262.exec:\8066262.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\ppjdp.exec:\ppjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\6086468.exec:\6086468.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\462868.exec:\462868.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\hbtbth.exec:\hbtbth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\202824.exec:\202824.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\bbtnnh.exec:\bbtnnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\0420028.exec:\0420028.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\jdjjj.exec:\jdjjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\7bhbth.exec:\7bhbth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\pjjdv.exec:\pjjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\lflxxxl.exec:\lflxxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\q66486.exec:\q66486.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\vdvvj.exec:\vdvvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\djjjd.exec:\djjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\2622080.exec:\2622080.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\thbhhh.exec:\thbhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\lxxxfrr.exec:\lxxxfrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\vvjjp.exec:\vvjjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\jvjdj.exec:\jvjdj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\thhhtb.exec:\thhhtb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\hnhthh.exec:\hnhthh.exe23⤵
- Executes dropped EXE
PID:2064 -
\??\c:\ddpvp.exec:\ddpvp.exe24⤵
- Executes dropped EXE
PID:4804 -
\??\c:\btbhnb.exec:\btbhnb.exe25⤵
- Executes dropped EXE
PID:888 -
\??\c:\4626600.exec:\4626600.exe26⤵
- Executes dropped EXE
PID:4004 -
\??\c:\frffxxr.exec:\frffxxr.exe27⤵
- Executes dropped EXE
PID:5064 -
\??\c:\046204.exec:\046204.exe28⤵
- Executes dropped EXE
PID:2616 -
\??\c:\djpjd.exec:\djpjd.exe29⤵
- Executes dropped EXE
PID:4356 -
\??\c:\7rlxxfr.exec:\7rlxxfr.exe30⤵
- Executes dropped EXE
PID:4796 -
\??\c:\64242.exec:\64242.exe31⤵
- Executes dropped EXE
PID:5052 -
\??\c:\fxxfxff.exec:\fxxfxff.exe32⤵
- Executes dropped EXE
PID:2448 -
\??\c:\3pjdp.exec:\3pjdp.exe33⤵
- Executes dropped EXE
PID:1744 -
\??\c:\06424.exec:\06424.exe34⤵
- Executes dropped EXE
PID:1540 -
\??\c:\826282.exec:\826282.exe35⤵
- Executes dropped EXE
PID:3944 -
\??\c:\84086.exec:\84086.exe36⤵
- Executes dropped EXE
PID:3652 -
\??\c:\4064820.exec:\4064820.exe37⤵
- Executes dropped EXE
PID:3156 -
\??\c:\20660.exec:\20660.exe38⤵
- Executes dropped EXE
PID:3208 -
\??\c:\hhnhtn.exec:\hhnhtn.exe39⤵
- Executes dropped EXE
PID:4924 -
\??\c:\40642.exec:\40642.exe40⤵
- Executes dropped EXE
PID:2796 -
\??\c:\flffrrr.exec:\flffrrr.exe41⤵
- Executes dropped EXE
PID:804 -
\??\c:\42648.exec:\42648.exe42⤵
- Executes dropped EXE
PID:2736 -
\??\c:\000248.exec:\000248.exe43⤵
- Executes dropped EXE
PID:2720 -
\??\c:\vvjdv.exec:\vvjdv.exe44⤵
- Executes dropped EXE
PID:1060 -
\??\c:\m0222.exec:\m0222.exe45⤵
- Executes dropped EXE
PID:2988 -
\??\c:\8842682.exec:\8842682.exe46⤵
- Executes dropped EXE
PID:3796 -
\??\c:\pdvdv.exec:\pdvdv.exe47⤵PID:4452
-
\??\c:\hhhtnt.exec:\hhhtnt.exe48⤵
- Executes dropped EXE
PID:2436 -
\??\c:\xrllfxl.exec:\xrllfxl.exe49⤵
- Executes dropped EXE
PID:4820 -
\??\c:\260866.exec:\260866.exe50⤵
- Executes dropped EXE
PID:4408 -
\??\c:\pjvvd.exec:\pjvvd.exe51⤵
- Executes dropped EXE
PID:4268 -
\??\c:\pdjvp.exec:\pdjvp.exe52⤵
- Executes dropped EXE
PID:3196 -
\??\c:\ppdjd.exec:\ppdjd.exe53⤵
- Executes dropped EXE
PID:1480 -
\??\c:\7bhhbb.exec:\7bhhbb.exe54⤵
- Executes dropped EXE
PID:3664 -
\??\c:\nnbttn.exec:\nnbttn.exe55⤵
- Executes dropped EXE
PID:1488 -
\??\c:\820600.exec:\820600.exe56⤵
- Executes dropped EXE
PID:2724 -
\??\c:\nthbbh.exec:\nthbbh.exe57⤵
- Executes dropped EXE
PID:4760 -
\??\c:\u064604.exec:\u064604.exe58⤵
- Executes dropped EXE
PID:1340 -
\??\c:\frrfxxr.exec:\frrfxxr.exe59⤵
- Executes dropped EXE
PID:5008 -
\??\c:\rxxxxxr.exec:\rxxxxxr.exe60⤵
- Executes dropped EXE
PID:3408 -
\??\c:\nhnntt.exec:\nhnntt.exe61⤵
- Executes dropped EXE
PID:1876 -
\??\c:\nntnnt.exec:\nntnnt.exe62⤵
- Executes dropped EXE
PID:1104 -
\??\c:\dvvvj.exec:\dvvvj.exe63⤵
- Executes dropped EXE
PID:1792 -
\??\c:\0664604.exec:\0664604.exe64⤵
- Executes dropped EXE
PID:4440 -
\??\c:\rlrrlff.exec:\rlrrlff.exe65⤵
- Executes dropped EXE
PID:4652 -
\??\c:\xxfrllf.exec:\xxfrllf.exe66⤵
- Executes dropped EXE
PID:2096 -
\??\c:\44082.exec:\44082.exe67⤵PID:4756
-
\??\c:\vppdv.exec:\vppdv.exe68⤵PID:3672
-
\??\c:\3ddpv.exec:\3ddpv.exe69⤵PID:4448
-
\??\c:\68648.exec:\68648.exe70⤵PID:4328
-
\??\c:\08482.exec:\08482.exe71⤵PID:3488
-
\??\c:\pvjdj.exec:\pvjdj.exe72⤵PID:1756
-
\??\c:\q46222.exec:\q46222.exe73⤵PID:3560
-
\??\c:\4804048.exec:\4804048.exe74⤵PID:3000
-
\??\c:\vjpjd.exec:\vjpjd.exe75⤵PID:1680
-
\??\c:\nbnbhh.exec:\nbnbhh.exe76⤵PID:996
-
\??\c:\a0660.exec:\a0660.exe77⤵PID:1056
-
\??\c:\40602.exec:\40602.exe78⤵PID:4956
-
\??\c:\jdvdd.exec:\jdvdd.exe79⤵PID:1788
-
\??\c:\84224.exec:\84224.exe80⤵PID:3452
-
\??\c:\226600.exec:\226600.exe81⤵PID:4284
-
\??\c:\xxfxxrx.exec:\xxfxxrx.exe82⤵PID:2492
-
\??\c:\4404808.exec:\4404808.exe83⤵PID:5052
-
\??\c:\jpvpp.exec:\jpvpp.exe84⤵PID:2604
-
\??\c:\dvvdv.exec:\dvvdv.exe85⤵PID:4980
-
\??\c:\ttnntn.exec:\ttnntn.exe86⤵PID:4920
-
\??\c:\7tnnhn.exec:\7tnnhn.exe87⤵PID:4616
-
\??\c:\ddpjd.exec:\ddpjd.exe88⤵PID:1892
-
\??\c:\btbtnh.exec:\btbtnh.exe89⤵PID:3316
-
\??\c:\408086.exec:\408086.exe90⤵PID:1584
-
\??\c:\hhbbtt.exec:\hhbbtt.exe91⤵PID:2032
-
\??\c:\nbhtnh.exec:\nbhtnh.exe92⤵PID:1748
-
\??\c:\8264088.exec:\8264088.exe93⤵PID:3180
-
\??\c:\5dpjv.exec:\5dpjv.exe94⤵PID:2796
-
\??\c:\vjppj.exec:\vjppj.exe95⤵PID:2876
-
\??\c:\rxfllxr.exec:\rxfllxr.exe96⤵PID:2736
-
\??\c:\rfxfxxx.exec:\rfxfxxx.exe97⤵PID:3772
-
\??\c:\jjjdd.exec:\jjjdd.exe98⤵PID:4552
-
\??\c:\04042.exec:\04042.exe99⤵PID:4388
-
\??\c:\e06688.exec:\e06688.exe100⤵PID:1500
-
\??\c:\jjdvj.exec:\jjdvj.exe101⤵PID:4464
-
\??\c:\7llfxfx.exec:\7llfxfx.exe102⤵PID:1856
-
\??\c:\pvdvv.exec:\pvdvv.exe103⤵PID:4820
-
\??\c:\8024624.exec:\8024624.exe104⤵PID:4408
-
\??\c:\flrlffx.exec:\flrlffx.exe105⤵PID:1212
-
\??\c:\822604.exec:\822604.exe106⤵PID:4764
-
\??\c:\7fxxrxx.exec:\7fxxrxx.exe107⤵PID:1480
-
\??\c:\dvvpj.exec:\dvvpj.exe108⤵PID:2984
-
\??\c:\nntthh.exec:\nntthh.exe109⤵PID:1488
-
\??\c:\7tnhbh.exec:\7tnhbh.exe110⤵PID:464
-
\??\c:\6682666.exec:\6682666.exe111⤵PID:3872
-
\??\c:\jdpjp.exec:\jdpjp.exe112⤵PID:4572
-
\??\c:\260604.exec:\260604.exe113⤵PID:5008
-
\??\c:\008628.exec:\008628.exe114⤵PID:4524
-
\??\c:\46822.exec:\46822.exe115⤵PID:3996
-
\??\c:\nnnnbb.exec:\nnnnbb.exe116⤵PID:4484
-
\??\c:\m0886.exec:\m0886.exe117⤵PID:4584
-
\??\c:\g6428.exec:\g6428.exe118⤵PID:1816
-
\??\c:\jjpvp.exec:\jjpvp.exe119⤵PID:4316
-
\??\c:\2020668.exec:\2020668.exe120⤵PID:3624
-
\??\c:\flxflll.exec:\flxflll.exe121⤵PID:3320
-
\??\c:\6626846.exec:\6626846.exe122⤵PID:1896