Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 03:50
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe
-
Size
454KB
-
MD5
fe44e91b80a4d7160a68a8620e1ffc0e
-
SHA1
fc90233e18451e40f10de7f0a2503aa56d307031
-
SHA256
3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994
-
SHA512
819087618b66be5831ab5bc6bc927d72649f8ba951b26e07ac0d4ee16f1d7062531b5c8a746447cc09691ae5f3b34eb2c9bfce973a1fd78e0c0f5d85581ec426
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1608-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3028-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1312-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-838-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-924-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-1126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-1166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-1320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2248 vdpjd.exe 2968 846260.exe 2260 0028460.exe 3436 vjvvd.exe 228 02622.exe 4464 60648.exe 2976 bbhtth.exe 2044 04826.exe 1100 20262.exe 2040 2282660.exe 4956 206048.exe 2400 422666.exe 1648 822600.exe 372 c066448.exe 5100 6004848.exe 3976 886604.exe 2300 5rxlffx.exe 4324 4682266.exe 4228 5fxrllx.exe 4556 hnhbbt.exe 4716 868240.exe 1964 08820.exe 3500 04822.exe 2164 3ppjv.exe 3028 224208.exe 4276 vvdpj.exe 3772 1vpjv.exe 3912 8682600.exe 2720 htbnhb.exe 2224 628226.exe 3712 26860.exe 1360 lllfrlx.exe 4824 88600.exe 2352 xrxrrll.exe 4056 9lrlrrr.exe 2980 4260804.exe 4704 hnthtn.exe 3356 c280264.exe 4284 a0042.exe 4996 c664664.exe 4852 1rlfrll.exe 3036 06686.exe 4512 44086.exe 4172 rffrrll.exe 2052 206426.exe 3516 266866.exe 2492 1vjvj.exe 4460 66208.exe 2844 lfxrxrx.exe 2456 44044.exe 100 2404822.exe 228 260604.exe 3108 jvvpp.exe 1388 jjpdp.exe 2976 0800820.exe 1596 djjjj.exe 3768 648006.exe 1424 5vjvp.exe 2136 440204.exe 2768 3xlfrrl.exe 3260 3bttnb.exe 5020 08006.exe 2808 440286.exe 1312 640822.exe -
resource yara_rule behavioral2/memory/1608-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-135-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2164-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-326-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1624-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-821-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-838-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 628860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0060826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u226604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q24226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1608 wrote to memory of 2248 1608 3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe 83 PID 1608 wrote to memory of 2248 1608 3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe 83 PID 1608 wrote to memory of 2248 1608 3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe 83 PID 2248 wrote to memory of 2968 2248 vdpjd.exe 84 PID 2248 wrote to memory of 2968 2248 vdpjd.exe 84 PID 2248 wrote to memory of 2968 2248 vdpjd.exe 84 PID 2968 wrote to memory of 2260 2968 846260.exe 85 PID 2968 wrote to memory of 2260 2968 846260.exe 85 PID 2968 wrote to memory of 2260 2968 846260.exe 85 PID 2260 wrote to memory of 3436 2260 0028460.exe 86 PID 2260 wrote to memory of 3436 2260 0028460.exe 86 PID 2260 wrote to memory of 3436 2260 0028460.exe 86 PID 3436 wrote to memory of 228 3436 vjvvd.exe 87 PID 3436 wrote to memory of 228 3436 vjvvd.exe 87 PID 3436 wrote to memory of 228 3436 vjvvd.exe 87 PID 228 wrote to memory of 4464 228 02622.exe 88 PID 228 wrote to memory of 4464 228 02622.exe 88 PID 228 wrote to memory of 4464 228 02622.exe 88 PID 4464 wrote to memory of 2976 4464 60648.exe 89 PID 4464 wrote to memory of 2976 4464 60648.exe 89 PID 4464 wrote to memory of 2976 4464 60648.exe 89 PID 2976 wrote to memory of 2044 2976 bbhtth.exe 90 PID 2976 wrote to memory of 2044 2976 bbhtth.exe 90 PID 2976 wrote to memory of 2044 2976 bbhtth.exe 90 PID 2044 wrote to memory of 1100 2044 04826.exe 91 PID 2044 wrote to memory of 1100 2044 04826.exe 91 PID 2044 wrote to memory of 1100 2044 04826.exe 91 PID 1100 wrote to memory of 2040 1100 20262.exe 92 PID 1100 wrote to memory of 2040 1100 20262.exe 92 PID 1100 wrote to memory of 2040 1100 20262.exe 92 PID 2040 wrote to memory of 4956 2040 2282660.exe 93 PID 2040 wrote to memory of 4956 2040 2282660.exe 93 PID 2040 wrote to memory of 4956 2040 2282660.exe 93 PID 4956 wrote to memory of 2400 4956 206048.exe 94 PID 4956 wrote to memory of 2400 4956 
206048.exe 94 PID 4956 wrote to memory of 2400 4956 206048.exe 94 PID 2400 wrote to memory of 1648 2400 422666.exe 95 PID 2400 wrote to memory of 1648 2400 422666.exe 95 PID 2400 wrote to memory of 1648 2400 422666.exe 95 PID 1648 wrote to memory of 372 1648 822600.exe 96 PID 1648 wrote to memory of 372 1648 822600.exe 96 PID 1648 wrote to memory of 372 1648 822600.exe 96 PID 372 wrote to memory of 5100 372 c066448.exe 97 PID 372 wrote to memory of 5100 372 c066448.exe 97 PID 372 wrote to memory of 5100 372 c066448.exe 97 PID 5100 wrote to memory of 3976 5100 6004848.exe 98 PID 5100 wrote to memory of 3976 5100 6004848.exe 98 PID 5100 wrote to memory of 3976 5100 6004848.exe 98 PID 3976 wrote to memory of 2300 3976 886604.exe 99 PID 3976 wrote to memory of 2300 3976 886604.exe 99 PID 3976 wrote to memory of 2300 3976 886604.exe 99 PID 2300 wrote to memory of 4324 2300 5rxlffx.exe 100 PID 2300 wrote to memory of 4324 2300 5rxlffx.exe 100 PID 2300 wrote to memory of 4324 2300 5rxlffx.exe 100 PID 4324 wrote to memory of 4228 4324 4682266.exe 101 PID 4324 wrote to memory of 4228 4324 4682266.exe 101 PID 4324 wrote to memory of 4228 4324 4682266.exe 101 PID 4228 wrote to memory of 4556 4228 5fxrllx.exe 102 PID 4228 wrote to memory of 4556 4228 5fxrllx.exe 102 PID 4228 wrote to memory of 4556 4228 5fxrllx.exe 102 PID 4556 wrote to memory of 4716 4556 hnhbbt.exe 103 PID 4556 wrote to memory of 4716 4556 hnhbbt.exe 103 PID 4556 wrote to memory of 4716 4556 hnhbbt.exe 103 PID 4716 wrote to memory of 1964 4716 868240.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe"C:\Users\Admin\AppData\Local\Temp\3482ec7f059ffbfe72fe4c8828686c7c3009b17ad72a37d275d4d767bc132994.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\vdpjd.exec:\vdpjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\846260.exec:\846260.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\0028460.exec:\0028460.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\vjvvd.exec:\vjvvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\02622.exec:\02622.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\60648.exec:\60648.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\bbhtth.exec:\bbhtth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\04826.exec:\04826.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\20262.exec:\20262.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\2282660.exec:\2282660.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\206048.exec:\206048.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\422666.exec:\422666.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\822600.exec:\822600.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\c066448.exec:\c066448.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\6004848.exec:\6004848.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\886604.exec:\886604.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\5rxlffx.exec:\5rxlffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\4682266.exec:\4682266.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\5fxrllx.exec:\5fxrllx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\hnhbbt.exec:\hnhbbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\868240.exec:\868240.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\08820.exec:\08820.exe23⤵
- Executes dropped EXE
PID:1964 -
\??\c:\04822.exec:\04822.exe24⤵
- Executes dropped EXE
PID:3500 -
\??\c:\3ppjv.exec:\3ppjv.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
\??\c:\224208.exec:\224208.exe26⤵
- Executes dropped EXE
PID:3028 -
\??\c:\vvdpj.exec:\vvdpj.exe27⤵
- Executes dropped EXE
PID:4276 -
\??\c:\1vpjv.exec:\1vpjv.exe28⤵
- Executes dropped EXE
PID:3772 -
\??\c:\8682600.exec:\8682600.exe29⤵
- Executes dropped EXE
PID:3912 -
\??\c:\htbnhb.exec:\htbnhb.exe30⤵
- Executes dropped EXE
PID:2720 -
\??\c:\628226.exec:\628226.exe31⤵
- Executes dropped EXE
PID:2224 -
\??\c:\26860.exec:\26860.exe32⤵
- Executes dropped EXE
PID:3712 -
\??\c:\lllfrlx.exec:\lllfrlx.exe33⤵
- Executes dropped EXE
PID:1360 -
\??\c:\88600.exec:\88600.exe34⤵
- Executes dropped EXE
PID:4824 -
\??\c:\xrxrrll.exec:\xrxrrll.exe35⤵
- Executes dropped EXE
PID:2352 -
\??\c:\9lrlrrr.exec:\9lrlrrr.exe36⤵
- Executes dropped EXE
PID:4056 -
\??\c:\4260804.exec:\4260804.exe37⤵
- Executes dropped EXE
PID:2980 -
\??\c:\hnthtn.exec:\hnthtn.exe38⤵
- Executes dropped EXE
PID:4704 -
\??\c:\c280264.exec:\c280264.exe39⤵
- Executes dropped EXE
PID:3356 -
\??\c:\a0042.exec:\a0042.exe40⤵
- Executes dropped EXE
PID:4284 -
\??\c:\c664664.exec:\c664664.exe41⤵
- Executes dropped EXE
PID:4996 -
\??\c:\1rlfrll.exec:\1rlfrll.exe42⤵
- Executes dropped EXE
PID:4852 -
\??\c:\06686.exec:\06686.exe43⤵
- Executes dropped EXE
PID:3036 -
\??\c:\44086.exec:\44086.exe44⤵
- Executes dropped EXE
PID:4512 -
\??\c:\rffrrll.exec:\rffrrll.exe45⤵
- Executes dropped EXE
PID:4172 -
\??\c:\206426.exec:\206426.exe46⤵
- Executes dropped EXE
PID:2052 -
\??\c:\266866.exec:\266866.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3516 -
\??\c:\1vjvj.exec:\1vjvj.exe48⤵
- Executes dropped EXE
PID:2492 -
\??\c:\66208.exec:\66208.exe49⤵
- Executes dropped EXE
PID:4460 -
\??\c:\lfxrxrx.exec:\lfxrxrx.exe50⤵
- Executes dropped EXE
PID:2844 -
\??\c:\44044.exec:\44044.exe51⤵
- Executes dropped EXE
PID:2456 -
\??\c:\2404822.exec:\2404822.exe52⤵
- Executes dropped EXE
PID:100 -
\??\c:\260604.exec:\260604.exe53⤵
- Executes dropped EXE
PID:228 -
\??\c:\jvvpp.exec:\jvvpp.exe54⤵
- Executes dropped EXE
PID:3108 -
\??\c:\jjpdp.exec:\jjpdp.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1388 -
\??\c:\0800820.exec:\0800820.exe56⤵
- Executes dropped EXE
PID:2976 -
\??\c:\djjjj.exec:\djjjj.exe57⤵
- Executes dropped EXE
PID:1596 -
\??\c:\648006.exec:\648006.exe58⤵
- Executes dropped EXE
PID:3768 -
\??\c:\5vjvp.exec:\5vjvp.exe59⤵
- Executes dropped EXE
PID:1424 -
\??\c:\440204.exec:\440204.exe60⤵
- Executes dropped EXE
PID:2136 -
\??\c:\3xlfrrl.exec:\3xlfrrl.exe61⤵
- Executes dropped EXE
PID:2768 -
\??\c:\3bttnb.exec:\3bttnb.exe62⤵
- Executes dropped EXE
PID:3260 -
\??\c:\08006.exec:\08006.exe63⤵
- Executes dropped EXE
PID:5020 -
\??\c:\440286.exec:\440286.exe64⤵
- Executes dropped EXE
PID:2808 -
\??\c:\640822.exec:\640822.exe65⤵
- Executes dropped EXE
PID:1312 -
\??\c:\4426486.exec:\4426486.exe66⤵PID:3696
-
\??\c:\80620.exec:\80620.exe67⤵PID:4936
-
\??\c:\62864.exec:\62864.exe68⤵PID:2736
-
\??\c:\bbbnbt.exec:\bbbnbt.exe69⤵PID:3544
-
\??\c:\604822.exec:\604822.exe70⤵PID:4324
-
\??\c:\640848.exec:\640848.exe71⤵PID:2920
-
\??\c:\04426.exec:\04426.exe72⤵PID:4468
-
\??\c:\2622408.exec:\2622408.exe73⤵PID:4588
-
\??\c:\06204.exec:\06204.exe74⤵PID:3120
-
\??\c:\2286420.exec:\2286420.exe75⤵PID:4012
-
\??\c:\4020826.exec:\4020826.exe76⤵PID:1948
-
\??\c:\nhbnhb.exec:\nhbnhb.exe77⤵PID:1624
-
\??\c:\ppvjd.exec:\ppvjd.exe78⤵PID:928
-
\??\c:\lrrxrlf.exec:\lrrxrlf.exe79⤵PID:3820
-
\??\c:\022026.exec:\022026.exe80⤵PID:3028
-
\??\c:\244204.exec:\244204.exe81⤵PID:1256
-
\??\c:\w68204.exec:\w68204.exe82⤵PID:3652
-
\??\c:\1vpdp.exec:\1vpdp.exe83⤵PID:2396
-
\??\c:\dppdp.exec:\dppdp.exe84⤵PID:3912
-
\??\c:\bntntn.exec:\bntntn.exe85⤵PID:4248
-
\??\c:\6464204.exec:\6464204.exe86⤵PID:764
-
\??\c:\k00860.exec:\k00860.exe87⤵PID:2324
-
\??\c:\dddpv.exec:\dddpv.exe88⤵PID:1812
-
\??\c:\thtnbh.exec:\thtnbh.exe89⤵PID:3156
-
\??\c:\6248266.exec:\6248266.exe90⤵PID:3008
-
\??\c:\8460882.exec:\8460882.exe91⤵PID:4756
-
\??\c:\g8484.exec:\g8484.exe92⤵PID:2704
-
\??\c:\nthttn.exec:\nthttn.exe93⤵PID:920
-
\??\c:\42844.exec:\42844.exe94⤵PID:632
-
\??\c:\hhhttn.exec:\hhhttn.exe95⤵PID:3180
-
\??\c:\pjpdp.exec:\pjpdp.exe96⤵PID:1872
-
\??\c:\xrfrlxl.exec:\xrfrlxl.exe97⤵PID:3224
-
\??\c:\jvdvv.exec:\jvdvv.exe98⤵PID:4836
-
\??\c:\0604606.exec:\0604606.exe99⤵PID:1936
-
\??\c:\1llxrlx.exec:\1llxrlx.exe100⤵PID:5080
-
\??\c:\8842004.exec:\8842004.exe101⤵PID:1284
-
\??\c:\080862.exec:\080862.exe102⤵PID:4280
-
\??\c:\3llxffr.exec:\3llxffr.exe103⤵PID:552
-
\??\c:\88082.exec:\88082.exe104⤵PID:2624
-
\??\c:\vjvjv.exec:\vjvjv.exe105⤵PID:1496
-
\??\c:\i668260.exec:\i668260.exe106⤵PID:3396
-
\??\c:\4060482.exec:\4060482.exe107⤵PID:1452
-
\??\c:\46082.exec:\46082.exe108⤵PID:2456
-
\??\c:\hnnbnn.exec:\hnnbnn.exe109⤵PID:2060
-
\??\c:\vpvdj.exec:\vpvdj.exe110⤵PID:2016
-
\??\c:\lxrlxrl.exec:\lxrlxrl.exe111⤵PID:1468
-
\??\c:\6442608.exec:\6442608.exe112⤵PID:1740
-
\??\c:\04462.exec:\04462.exe113⤵PID:4940
-
\??\c:\08820.exec:\08820.exe114⤵PID:3844
-
\??\c:\lllrfxl.exec:\lllrfxl.exe115⤵PID:4040
-
\??\c:\xlrffrr.exec:\xlrffrr.exe116⤵PID:656
-
\??\c:\djpdp.exec:\djpdp.exe117⤵PID:3468
-
\??\c:\086486.exec:\086486.exe118⤵PID:4628
-
\??\c:\c620442.exec:\c620442.exe119⤵PID:3548
-
\??\c:\42420.exec:\42420.exe120⤵PID:2040
-
\??\c:\a0264.exec:\a0264.exe121⤵PID:1340
-
\??\c:\lllxlfr.exec:\lllxlfr.exe122⤵PID:1888