Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 03:14
Behavioral task
behavioral1
Sample
9d4a5c5698b7400a3b08dcc2d382e2695ef5007bee80d070669f03b2889b512f.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9d4a5c5698b7400a3b08dcc2d382e2695ef5007bee80d070669f03b2889b512f.exe
-
Size
333KB
-
MD5
b1eaf5db7e7eb52285d559606b0eb4ee
-
SHA1
87a979a408c4c8431d9393071f105cf1a01d6937
-
SHA256
9d4a5c5698b7400a3b08dcc2d382e2695ef5007bee80d070669f03b2889b512f
-
SHA512
7f902a6dfe676a3a268fb73e87ecab81da312872ace10ce1c8259049ffe28e647d44f5395b33542337de85ad9edea9309980da881983d64c68f065612408f40e
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeTb:R4wFHoSHYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3344-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4948-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4444-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/444-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1408-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/64-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3128-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1216-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3372-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2488-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3756-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3332-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4820-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3000-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2132-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4308-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4852-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4384-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4088-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3336-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3256-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/540-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2592-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3624-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/700-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3760-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2044-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1152-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3332-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1936-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1016-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3236-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/664-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1948-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-424-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1112-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-488-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3640-493-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4948 djpdp.exe 4444 e86086.exe 444 pppvj.exe 1408 84808.exe 3436 202668.exe 64 ntnbnh.exe 2332 28426.exe 3128 6244260.exe 1216 hbthnh.exe 4280 jvvdv.exe 3372 640820.exe 4856 jjddp.exe 2488 248860.exe 3756 3frlfxr.exe 3092 80420.exe 2268 flflxrf.exe 1540 6260828.exe 3700 dppvv.exe 2920 004860.exe 440 0404088.exe 4104 62420.exe 3192 6484266.exe 3120 2646422.exe 2972 fxfxrrf.exe 3332 xrfffff.exe 5028 86220.exe 4348 66208.exe 1468 6008260.exe 1392 9tnhtt.exe 4492 vdjvp.exe 4976 6000404.exe 740 rfrxfxf.exe 4820 06266.exe 1632 c862644.exe 3000 3tnhbb.exe 2132 20042.exe 4308 lrxrffl.exe 4852 1tthtt.exe 4912 28260.exe 3880 jvppj.exe 4384 224422.exe 4952 nthbnn.exe 400 flrllll.exe 4748 btnhbb.exe 3640 2826488.exe 4088 w46060.exe 1612 8620482.exe 1360 9tbnbh.exe 3712 3xrllff.exe 3336 2620868.exe 1372 nhtbnh.exe 3928 dpvpv.exe 4232 8848222.exe 3256 220482.exe 4068 42608.exe 4364 46464.exe 3716 7rxrxff.exe 736 c620426.exe 540 7lfxrlf.exe 2592 202644.exe 1788 022026.exe 3624 tbthbn.exe 4640 rrfxfxr.exe 3704 4208866.exe -
resource yara_rule behavioral2/memory/3344-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b88-3.dat upx behavioral2/memory/3344-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c72-8.dat upx behavioral2/memory/4948-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c73-11.dat upx behavioral2/memory/4444-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/444-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c74-19.dat upx behavioral2/memory/444-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1408-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c75-25.dat upx behavioral2/files/0x0007000000023c76-29.dat upx behavioral2/files/0x0007000000023c77-33.dat upx behavioral2/memory/2332-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/64-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c78-39.dat upx behavioral2/memory/2332-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c79-44.dat upx behavioral2/memory/3128-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7a-49.dat upx behavioral2/memory/1216-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7b-56.dat upx behavioral2/memory/4280-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c6f-59.dat upx behavioral2/memory/3372-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7c-65.dat upx behavioral2/memory/4856-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2488-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7e-70.dat upx 
behavioral2/files/0x0007000000023c7f-74.dat upx behavioral2/files/0x0007000000023c80-80.dat upx behavioral2/files/0x0007000000023c81-85.dat upx behavioral2/memory/1540-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3756-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3092-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c82-89.dat upx behavioral2/files/0x0007000000023c83-94.dat upx behavioral2/files/0x0007000000023c84-97.dat upx behavioral2/files/0x0007000000023c85-102.dat upx behavioral2/files/0x0007000000023c86-106.dat upx behavioral2/files/0x0007000000023c87-109.dat upx behavioral2/memory/3120-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c88-114.dat upx behavioral2/files/0x0007000000023c89-118.dat upx behavioral2/memory/3332-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8a-123.dat upx behavioral2/memory/5028-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8b-128.dat upx behavioral2/files/0x0007000000023c8c-132.dat upx behavioral2/files/0x0007000000023c8d-136.dat upx behavioral2/memory/1392-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-141.dat upx behavioral2/files/0x0007000000023c8f-145.dat upx behavioral2/memory/4976-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c90-150.dat upx behavioral2/memory/4820-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3000-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2132-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4308-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4852-170-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4384-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4952-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/400-183-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fffrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c842482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q40248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 800644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6008260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0400040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8620482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3344 wrote to memory of 4948 3344 9d4a5c5698b7400a3b08dcc2d382e2695ef5007bee80d070669f03b2889b512f.exe 83 PID 3344 wrote to memory of 4948 3344 9d4a5c5698b7400a3b08dcc2d382e2695ef5007bee80d070669f03b2889b512f.exe 83 PID 3344 wrote to memory of 4948 3344 9d4a5c5698b7400a3b08dcc2d382e2695ef5007bee80d070669f03b2889b512f.exe 83 PID 4948 wrote to memory of 4444 4948 djpdp.exe 84 PID 4948 wrote to memory of 4444 4948 djpdp.exe 84 PID 4948 wrote to memory of 4444 4948 djpdp.exe 84 PID 4444 wrote to memory of 444 4444 e86086.exe 85 PID 4444 wrote to memory of 444 4444 e86086.exe 85 PID 4444 wrote to memory of 444 4444 e86086.exe 85 PID 444 wrote to memory of 1408 444 pppvj.exe 86 PID 444 wrote to memory of 1408 444 pppvj.exe 86 PID 444 wrote to memory of 1408 444 pppvj.exe 86 PID 1408 wrote to memory of 3436 1408 84808.exe 87 PID 1408 wrote to memory of 3436 1408 84808.exe 87 PID 1408 wrote to memory of 3436 1408 84808.exe 87 PID 3436 wrote to memory of 64 3436 202668.exe 88 PID 3436 wrote to memory of 64 3436 202668.exe 88 PID 3436 wrote to memory of 64 3436 202668.exe 88 PID 64 wrote to memory of 2332 64 ntnbnh.exe 89 PID 64 wrote to memory of 2332 64 ntnbnh.exe 89 PID 64 wrote to memory of 2332 64 ntnbnh.exe 89 PID 2332 wrote to memory of 3128 2332 28426.exe 90 PID 2332 wrote to memory of 3128 2332 28426.exe 90 PID 2332 wrote to memory of 3128 2332 28426.exe 90 PID 3128 wrote to memory of 1216 3128 6244260.exe 91 PID 3128 wrote to memory of 1216 3128 6244260.exe 91 PID 3128 wrote to memory of 1216 3128 6244260.exe 91 PID 1216 wrote to memory of 4280 1216 hbthnh.exe 92 PID 1216 wrote to memory of 4280 1216 hbthnh.exe 92 PID 1216 wrote to memory of 4280 1216 hbthnh.exe 92 PID 4280 wrote to memory of 3372 4280 jvvdv.exe 93 PID 4280 wrote to memory of 3372 4280 jvvdv.exe 93 PID 4280 wrote to memory of 3372 4280 jvvdv.exe 93 PID 3372 wrote to memory of 4856 3372 640820.exe 94 PID 3372 wrote to memory of 4856 3372 640820.exe 94 PID 
3372 wrote to memory of 4856 3372 640820.exe 94 PID 4856 wrote to memory of 2488 4856 jjddp.exe 95 PID 4856 wrote to memory of 2488 4856 jjddp.exe 95 PID 4856 wrote to memory of 2488 4856 jjddp.exe 95 PID 2488 wrote to memory of 3756 2488 248860.exe 96 PID 2488 wrote to memory of 3756 2488 248860.exe 96 PID 2488 wrote to memory of 3756 2488 248860.exe 96 PID 3756 wrote to memory of 3092 3756 3frlfxr.exe 97 PID 3756 wrote to memory of 3092 3756 3frlfxr.exe 97 PID 3756 wrote to memory of 3092 3756 3frlfxr.exe 97 PID 3092 wrote to memory of 2268 3092 80420.exe 98 PID 3092 wrote to memory of 2268 3092 80420.exe 98 PID 3092 wrote to memory of 2268 3092 80420.exe 98 PID 2268 wrote to memory of 1540 2268 flflxrf.exe 99 PID 2268 wrote to memory of 1540 2268 flflxrf.exe 99 PID 2268 wrote to memory of 1540 2268 flflxrf.exe 99 PID 1540 wrote to memory of 3700 1540 6260828.exe 100 PID 1540 wrote to memory of 3700 1540 6260828.exe 100 PID 1540 wrote to memory of 3700 1540 6260828.exe 100 PID 3700 wrote to memory of 2920 3700 dppvv.exe 101 PID 3700 wrote to memory of 2920 3700 dppvv.exe 101 PID 3700 wrote to memory of 2920 3700 dppvv.exe 101 PID 2920 wrote to memory of 440 2920 004860.exe 102 PID 2920 wrote to memory of 440 2920 004860.exe 102 PID 2920 wrote to memory of 440 2920 004860.exe 102 PID 440 wrote to memory of 4104 440 0404088.exe 103 PID 440 wrote to memory of 4104 440 0404088.exe 103 PID 440 wrote to memory of 4104 440 0404088.exe 103 PID 4104 wrote to memory of 3192 4104 62420.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d4a5c5698b7400a3b08dcc2d382e2695ef5007bee80d070669f03b2889b512f.exe"C:\Users\Admin\AppData\Local\Temp\9d4a5c5698b7400a3b08dcc2d382e2695ef5007bee80d070669f03b2889b512f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\djpdp.exec:\djpdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\e86086.exec:\e86086.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\pppvj.exec:\pppvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\84808.exec:\84808.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\202668.exec:\202668.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\ntnbnh.exec:\ntnbnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\28426.exec:\28426.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\6244260.exec:\6244260.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\hbthnh.exec:\hbthnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\jvvdv.exec:\jvvdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\640820.exec:\640820.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\jjddp.exec:\jjddp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\248860.exec:\248860.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\3frlfxr.exec:\3frlfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\80420.exec:\80420.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\flflxrf.exec:\flflxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\6260828.exec:\6260828.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\dppvv.exec:\dppvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\004860.exec:\004860.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\0404088.exec:\0404088.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\62420.exec:\62420.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\6484266.exec:\6484266.exe23⤵
- Executes dropped EXE
PID:3192 -
\??\c:\2646422.exec:\2646422.exe24⤵
- Executes dropped EXE
PID:3120 -
\??\c:\fxfxrrf.exec:\fxfxrrf.exe25⤵
- Executes dropped EXE
PID:2972 -
\??\c:\xrfffff.exec:\xrfffff.exe26⤵
- Executes dropped EXE
PID:3332 -
\??\c:\86220.exec:\86220.exe27⤵
- Executes dropped EXE
PID:5028 -
\??\c:\66208.exec:\66208.exe28⤵
- Executes dropped EXE
PID:4348 -
\??\c:\6008260.exec:\6008260.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1468 -
\??\c:\9tnhtt.exec:\9tnhtt.exe30⤵
- Executes dropped EXE
PID:1392 -
\??\c:\vdjvp.exec:\vdjvp.exe31⤵
- Executes dropped EXE
PID:4492 -
\??\c:\6000404.exec:\6000404.exe32⤵
- Executes dropped EXE
PID:4976 -
\??\c:\rfrxfxf.exec:\rfrxfxf.exe33⤵
- Executes dropped EXE
PID:740 -
\??\c:\06266.exec:\06266.exe34⤵
- Executes dropped EXE
PID:4820 -
\??\c:\c862644.exec:\c862644.exe35⤵
- Executes dropped EXE
PID:1632 -
\??\c:\3tnhbb.exec:\3tnhbb.exe36⤵
- Executes dropped EXE
PID:3000 -
\??\c:\20042.exec:\20042.exe37⤵
- Executes dropped EXE
PID:2132 -
\??\c:\lrxrffl.exec:\lrxrffl.exe38⤵
- Executes dropped EXE
PID:4308 -
\??\c:\1tthtt.exec:\1tthtt.exe39⤵
- Executes dropped EXE
PID:4852 -
\??\c:\28260.exec:\28260.exe40⤵
- Executes dropped EXE
PID:4912 -
\??\c:\jvppj.exec:\jvppj.exe41⤵
- Executes dropped EXE
PID:3880 -
\??\c:\224422.exec:\224422.exe42⤵
- Executes dropped EXE
PID:4384 -
\??\c:\nthbnn.exec:\nthbnn.exe43⤵
- Executes dropped EXE
PID:4952 -
\??\c:\flrllll.exec:\flrllll.exe44⤵
- Executes dropped EXE
PID:400 -
\??\c:\btnhbb.exec:\btnhbb.exe45⤵
- Executes dropped EXE
PID:4748 -
\??\c:\2826488.exec:\2826488.exe46⤵
- Executes dropped EXE
PID:3640 -
\??\c:\w46060.exec:\w46060.exe47⤵
- Executes dropped EXE
PID:4088 -
\??\c:\8620482.exec:\8620482.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612 -
\??\c:\9tbnbh.exec:\9tbnbh.exe49⤵
- Executes dropped EXE
PID:1360 -
\??\c:\3xrllff.exec:\3xrllff.exe50⤵
- Executes dropped EXE
PID:3712 -
\??\c:\2620868.exec:\2620868.exe51⤵
- Executes dropped EXE
PID:3336 -
\??\c:\nhtbnh.exec:\nhtbnh.exe52⤵
- Executes dropped EXE
PID:1372 -
\??\c:\dpvpv.exec:\dpvpv.exe53⤵
- Executes dropped EXE
PID:3928 -
\??\c:\8848222.exec:\8848222.exe54⤵
- Executes dropped EXE
PID:4232 -
\??\c:\220482.exec:\220482.exe55⤵
- Executes dropped EXE
PID:3256 -
\??\c:\42608.exec:\42608.exe56⤵
- Executes dropped EXE
PID:4068 -
\??\c:\46464.exec:\46464.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4364 -
\??\c:\7rxrxff.exec:\7rxrxff.exe58⤵
- Executes dropped EXE
PID:3716 -
\??\c:\c620426.exec:\c620426.exe59⤵
- Executes dropped EXE
PID:736 -
\??\c:\7lfxrlf.exec:\7lfxrlf.exe60⤵
- Executes dropped EXE
PID:540 -
\??\c:\202644.exec:\202644.exe61⤵
- Executes dropped EXE
PID:2592 -
\??\c:\022026.exec:\022026.exe62⤵
- Executes dropped EXE
PID:1788 -
\??\c:\tbthbn.exec:\tbthbn.exe63⤵
- Executes dropped EXE
PID:3624 -
\??\c:\rrfxfxr.exec:\rrfxfxr.exe64⤵
- Executes dropped EXE
PID:4640 -
\??\c:\4208866.exec:\4208866.exe65⤵
- Executes dropped EXE
PID:3704 -
\??\c:\228460.exec:\228460.exe66⤵PID:4964
-
\??\c:\rrxfxrf.exec:\rrxfxrf.exe67⤵PID:2392
-
\??\c:\668266.exec:\668266.exe68⤵PID:2192
-
\??\c:\9hhbbb.exec:\9hhbbb.exe69⤵PID:5060
-
\??\c:\ddppp.exec:\ddppp.exe70⤵PID:2024
-
\??\c:\82824.exec:\82824.exe71⤵PID:2444
-
\??\c:\pdjdp.exec:\pdjdp.exe72⤵PID:700
-
\??\c:\s0208.exec:\s0208.exe73⤵PID:4632
-
\??\c:\dpppj.exec:\dpppj.exe74⤵PID:3088
-
\??\c:\206060.exec:\206060.exe75⤵
- System Location Discovery: System Language Discovery
PID:1860 -
\??\c:\jdvpj.exec:\jdvpj.exe76⤵PID:3760
-
\??\c:\8820820.exec:\8820820.exe77⤵PID:1964
-
\??\c:\4222004.exec:\4222004.exe78⤵PID:3060
-
\??\c:\tnbnbn.exec:\tnbnbn.exe79⤵PID:2044
-
\??\c:\vppdd.exec:\vppdd.exe80⤵PID:3132
-
\??\c:\vpjjj.exec:\vpjjj.exe81⤵PID:3092
-
\??\c:\vvdvd.exec:\vvdvd.exe82⤵PID:1152
-
\??\c:\frfxxrx.exec:\frfxxrx.exe83⤵PID:2996
-
\??\c:\btnbtn.exec:\btnbtn.exe84⤵PID:2168
-
\??\c:\060200.exec:\060200.exe85⤵PID:2728
-
\??\c:\24622.exec:\24622.exe86⤵PID:4772
-
\??\c:\0882668.exec:\0882668.exe87⤵PID:2920
-
\??\c:\28882.exec:\28882.exe88⤵PID:2284
-
\??\c:\84004.exec:\84004.exe89⤵PID:2424
-
\??\c:\dddvv.exec:\dddvv.exe90⤵PID:1476
-
\??\c:\9tbbtn.exec:\9tbbtn.exe91⤵
- System Location Discovery: System Language Discovery
PID:4644 -
\??\c:\ppdpj.exec:\ppdpj.exe92⤵PID:920
-
\??\c:\i848660.exec:\i848660.exe93⤵PID:2216
-
\??\c:\022266.exec:\022266.exe94⤵PID:3332
-
\??\c:\60060.exec:\60060.exe95⤵PID:220
-
\??\c:\fxrxrll.exec:\fxrxrll.exe96⤵PID:4744
-
\??\c:\a6226.exec:\a6226.exe97⤵PID:3764
-
\??\c:\vpvpd.exec:\vpvpd.exe98⤵PID:1468
-
\??\c:\7tnhtt.exec:\7tnhtt.exe99⤵PID:4664
-
\??\c:\dppjv.exec:\dppjv.exe100⤵PID:1112
-
\??\c:\5djdd.exec:\5djdd.exe101⤵PID:4492
-
\??\c:\jpvpp.exec:\jpvpp.exe102⤵PID:1996
-
\??\c:\tnnhtt.exec:\tnnhtt.exe103⤵PID:4256
-
\??\c:\668880.exec:\668880.exe104⤵PID:720
-
\??\c:\pdjdp.exec:\pdjdp.exe105⤵PID:4284
-
\??\c:\88480.exec:\88480.exe106⤵PID:2008
-
\??\c:\xrxlxfx.exec:\xrxlxfx.exe107⤵PID:1936
-
\??\c:\m6682.exec:\m6682.exe108⤵
- System Location Discovery: System Language Discovery
PID:4556 -
\??\c:\646000.exec:\646000.exe109⤵
- System Location Discovery: System Language Discovery
PID:1824 -
\??\c:\5vdvd.exec:\5vdvd.exe110⤵PID:1016
-
\??\c:\ntbthh.exec:\ntbthh.exe111⤵PID:4912
-
\??\c:\lrlrrrr.exec:\lrlrrrr.exe112⤵PID:3548
-
\??\c:\rrrrxff.exec:\rrrrxff.exe113⤵PID:2700
-
\??\c:\nhhhbb.exec:\nhhhbb.exe114⤵PID:3496
-
\??\c:\nhnhhh.exec:\nhnhhh.exe115⤵PID:400
-
\??\c:\068660.exec:\068660.exe116⤵PID:3236
-
\??\c:\0622668.exec:\0622668.exe117⤵PID:4916
-
\??\c:\60848.exec:\60848.exe118⤵PID:2460
-
\??\c:\48420.exec:\48420.exe119⤵PID:1360
-
\??\c:\0808262.exec:\0808262.exe120⤵PID:1956
-
\??\c:\lxlxlrf.exec:\lxlxlrf.exe121⤵PID:3928
-
\??\c:\xxfrlfx.exec:\xxfrlfx.exe122⤵
- System Location Discovery: System Language Discovery
PID:4652