Analysis
-
max time kernel
120s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 06:16
Behavioral task
behavioral1
Sample
f863e231dbd1e81b1d47ff8318da9687e4eef6422dd47f99cf6b1a68246f9014N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
f863e231dbd1e81b1d47ff8318da9687e4eef6422dd47f99cf6b1a68246f9014N.exe
-
Size
345KB
-
MD5
e44cca056e9fd63745627adf202ebde0
-
SHA1
2374b27f0f5089bebf2e0fd8585cb4564fe4e8f1
-
SHA256
f863e231dbd1e81b1d47ff8318da9687e4eef6422dd47f99cf6b1a68246f9014
-
SHA512
92500bb1d096b2b839a90cf41734e2538de9a10d134a5968cc16fee5ed5737d6f542c4b14dfc676667d047020de7f6745e5a85d9ee6db4a8da7b541b393a1737
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYAm:R4wFHoS3WXZshJX2VGdm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3396-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1740-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3436-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3852-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1716-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3064-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3136-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1520-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4268-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4052-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2736-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/828-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4516-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3484-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1828-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5052-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1452-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2144-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3832-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2176-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2288-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2624-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4092-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2804-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2584-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2636-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4296-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3156-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/824-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2748-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3952-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2348-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2228-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/804-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2708-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4612-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4620-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/744-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4176-441-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4256-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-475-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1948-506-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2224-549-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3424-628-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/368-704-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1704-773-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3396 frflfff.exe 4996 282804.exe 3436 1ddvj.exe 212 08866.exe 2348 282648.exe 3952 hhnhbn.exe 2748 htbhhb.exe 4008 vdvjd.exe 824 djjpj.exe 3156 6848200.exe 4296 frllrrr.exe 2636 66604.exe 2584 llrffff.exe 2804 htbhnt.exe 3852 tbnttn.exe 3456 xrxffrl.exe 3204 jvvpd.exe 4092 lflfxrl.exe 1712 2084044.exe 4860 pddpj.exe 2624 68628.exe 992 0680666.exe 2288 xxrxfrx.exe 2176 hbthtn.exe 3832 60264.exe 2144 vdpjd.exe 660 llrlfxx.exe 4548 hbbbtn.exe 2576 68620.exe 3672 4448266.exe 5096 4446008.exe 4304 pdpdd.exe 1452 686062.exe 4780 444444.exe 1900 ppvpp.exe 3788 846642.exe 5052 480602.exe 4172 djvpp.exe 1828 u208640.exe 3992 3llfxrr.exe 2852 tnbttt.exe 1572 nnnhhb.exe 3484 46844.exe 4524 24482.exe 4516 lflxfff.exe 5012 4848244.exe 828 60226.exe 1364 6480604.exe 2736 bhtnnn.exe 2108 lrfffrr.exe 4840 5xxrlfx.exe 5016 flrrrrr.exe 2004 442882.exe 2488 66808.exe 3392 dvvdd.exe 4680 0602240.exe 4960 vjvdd.exe 5044 486448.exe 4052 826648.exe 2712 ttnnnn.exe 1632 nbbhhn.exe 4036 xlrlrxx.exe 4268 xxrrrxx.exe 452 i602808.exe -
resource yara_rule behavioral2/memory/1740-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c7a-3.dat upx behavioral2/memory/3396-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1740-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c82-9.dat upx behavioral2/files/0x0007000000023c83-15.dat upx behavioral2/memory/3436-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c84-20.dat upx behavioral2/memory/212-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c85-24.dat upx behavioral2/files/0x0007000000023c87-35.dat upx behavioral2/files/0x0007000000023c8a-49.dat upx behavioral2/files/0x0007000000023c8d-65.dat upx behavioral2/memory/3852-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4860-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-130.dat upx behavioral2/memory/4960-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1716-279-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3064-274-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3964-269-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4996-266-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3136-260-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4420-250-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1520-245-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4268-230-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2712-223-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4052-220-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5044-217-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2736-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/828-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5012-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4516-186-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3484-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1828-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5052-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1452-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-153.dat upx behavioral2/memory/5096-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-148.dat upx behavioral2/files/0x0007000000023c9e-144.dat upx behavioral2/files/0x0007000000023c9d-140.dat upx behavioral2/memory/4548-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-135.dat upx behavioral2/memory/2144-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-126.dat upx behavioral2/memory/3832-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2804-286-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-121.dat upx behavioral2/memory/2176-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-116.dat upx behavioral2/memory/2288-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c97-111.dat upx behavioral2/files/0x0007000000023c96-107.dat upx behavioral2/memory/2624-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-102.dat upx behavioral2/files/0x0007000000023c94-97.dat upx behavioral2/files/0x0007000000023c93-93.dat upx 
behavioral2/memory/4092-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-88.dat upx behavioral2/files/0x0007000000023c91-84.dat upx behavioral2/files/0x0007000000023c90-80.dat upx behavioral2/files/0x0007000000023c8f-75.dat upx behavioral2/memory/2804-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-70.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 028844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4608648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6000488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i084844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4220220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2826420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnht.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1740 wrote to memory of 3396 1740 f863e231dbd1e81b1d47ff8318da9687e4eef6422dd47f99cf6b1a68246f9014N.exe 82 PID 1740 wrote to memory of 3396 1740 f863e231dbd1e81b1d47ff8318da9687e4eef6422dd47f99cf6b1a68246f9014N.exe 82 PID 1740 wrote to memory of 3396 1740 f863e231dbd1e81b1d47ff8318da9687e4eef6422dd47f99cf6b1a68246f9014N.exe 82 PID 3396 wrote to memory of 4996 3396 frflfff.exe 160 PID 3396 wrote to memory of 4996 3396 frflfff.exe 160 PID 3396 wrote to memory of 4996 3396 frflfff.exe 160 PID 4996 wrote to memory of 3436 4996 282804.exe 84 PID 4996 wrote to memory of 3436 4996 282804.exe 84 PID 4996 wrote to memory of 3436 4996 282804.exe 84 PID 3436 wrote to memory of 212 3436 1ddvj.exe 85 PID 3436 wrote to memory of 212 3436 1ddvj.exe 85 PID 3436 wrote to memory of 212 3436 1ddvj.exe 85 PID 212 wrote to memory of 2348 212 08866.exe 86 PID 212 wrote to memory of 2348 212 08866.exe 86 PID 212 wrote to memory of 2348 212 08866.exe 86 PID 2348 wrote to memory of 3952 2348 282648.exe 87 PID 2348 wrote to memory of 3952 2348 282648.exe 87 PID 2348 wrote to memory of 3952 2348 282648.exe 87 PID 3952 wrote to memory of 2748 3952 hhnhbn.exe 88 PID 3952 wrote to memory of 2748 3952 hhnhbn.exe 88 PID 3952 wrote to memory of 2748 3952 hhnhbn.exe 88 PID 2748 wrote to memory of 4008 2748 htbhhb.exe 89 PID 2748 wrote to memory of 4008 2748 htbhhb.exe 89 PID 2748 wrote to memory of 4008 2748 htbhhb.exe 89 PID 4008 wrote to memory of 824 4008 vdvjd.exe 90 PID 4008 wrote to memory of 824 4008 vdvjd.exe 90 PID 4008 wrote to memory of 824 4008 vdvjd.exe 90 PID 824 wrote to memory of 3156 824 djjpj.exe 91 PID 824 wrote to memory of 3156 824 djjpj.exe 91 PID 824 wrote to memory of 3156 824 djjpj.exe 91 PID 3156 wrote to memory of 4296 3156 6848200.exe 92 PID 3156 wrote to memory of 4296 3156 6848200.exe 92 PID 3156 wrote to memory of 4296 3156 6848200.exe 92 PID 4296 wrote to memory of 2636 4296 frllrrr.exe 93 PID 4296 wrote to memory of 2636 
4296 frllrrr.exe 93 PID 4296 wrote to memory of 2636 4296 frllrrr.exe 93 PID 2636 wrote to memory of 2584 2636 66604.exe 94 PID 2636 wrote to memory of 2584 2636 66604.exe 94 PID 2636 wrote to memory of 2584 2636 66604.exe 94 PID 2584 wrote to memory of 2804 2584 llrffff.exe 169 PID 2584 wrote to memory of 2804 2584 llrffff.exe 169 PID 2584 wrote to memory of 2804 2584 llrffff.exe 169 PID 2804 wrote to memory of 3852 2804 htbhnt.exe 96 PID 2804 wrote to memory of 3852 2804 htbhnt.exe 96 PID 2804 wrote to memory of 3852 2804 htbhnt.exe 96 PID 3852 wrote to memory of 3456 3852 tbnttn.exe 97 PID 3852 wrote to memory of 3456 3852 tbnttn.exe 97 PID 3852 wrote to memory of 3456 3852 tbnttn.exe 97 PID 3456 wrote to memory of 3204 3456 xrxffrl.exe 98 PID 3456 wrote to memory of 3204 3456 xrxffrl.exe 98 PID 3456 wrote to memory of 3204 3456 xrxffrl.exe 98 PID 3204 wrote to memory of 4092 3204 jvvpd.exe 99 PID 3204 wrote to memory of 4092 3204 jvvpd.exe 99 PID 3204 wrote to memory of 4092 3204 jvvpd.exe 99 PID 4092 wrote to memory of 1712 4092 lflfxrl.exe 100 PID 4092 wrote to memory of 1712 4092 lflfxrl.exe 100 PID 4092 wrote to memory of 1712 4092 lflfxrl.exe 100 PID 1712 wrote to memory of 4860 1712 2084044.exe 101 PID 1712 wrote to memory of 4860 1712 2084044.exe 101 PID 1712 wrote to memory of 4860 1712 2084044.exe 101 PID 4860 wrote to memory of 2624 4860 pddpj.exe 102 PID 4860 wrote to memory of 2624 4860 pddpj.exe 102 PID 4860 wrote to memory of 2624 4860 pddpj.exe 102 PID 2624 wrote to memory of 992 2624 68628.exe 177
Processes
-
C:\Users\Admin\AppData\Local\Temp\f863e231dbd1e81b1d47ff8318da9687e4eef6422dd47f99cf6b1a68246f9014N.exe"C:\Users\Admin\AppData\Local\Temp\f863e231dbd1e81b1d47ff8318da9687e4eef6422dd47f99cf6b1a68246f9014N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\frflfff.exec:\frflfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\282804.exec:\282804.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\1ddvj.exec:\1ddvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\08866.exec:\08866.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\282648.exec:\282648.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\hhnhbn.exec:\hhnhbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\htbhhb.exec:\htbhhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\vdvjd.exec:\vdvjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\djjpj.exec:\djjpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\6848200.exec:\6848200.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\frllrrr.exec:\frllrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\66604.exec:\66604.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\llrffff.exec:\llrffff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\htbhnt.exec:\htbhnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\tbnttn.exec:\tbnttn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\xrxffrl.exec:\xrxffrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\jvvpd.exec:\jvvpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\lflfxrl.exec:\lflfxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\2084044.exec:\2084044.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\pddpj.exec:\pddpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\68628.exec:\68628.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\0680666.exec:\0680666.exe23⤵
- Executes dropped EXE
PID:992 -
\??\c:\xxrxfrx.exec:\xxrxfrx.exe24⤵
- Executes dropped EXE
PID:2288 -
\??\c:\hbthtn.exec:\hbthtn.exe25⤵
- Executes dropped EXE
PID:2176 -
\??\c:\60264.exec:\60264.exe26⤵
- Executes dropped EXE
PID:3832 -
\??\c:\vdpjd.exec:\vdpjd.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2144 -
\??\c:\llrlfxx.exec:\llrlfxx.exe28⤵
- Executes dropped EXE
PID:660 -
\??\c:\hbbbtn.exec:\hbbbtn.exe29⤵
- Executes dropped EXE
PID:4548 -
\??\c:\68620.exec:\68620.exe30⤵
- Executes dropped EXE
PID:2576 -
\??\c:\4448266.exec:\4448266.exe31⤵
- Executes dropped EXE
PID:3672 -
\??\c:\4446008.exec:\4446008.exe32⤵
- Executes dropped EXE
PID:5096 -
\??\c:\pdpdd.exec:\pdpdd.exe33⤵
- Executes dropped EXE
PID:4304 -
\??\c:\686062.exec:\686062.exe34⤵
- Executes dropped EXE
PID:1452 -
\??\c:\444444.exec:\444444.exe35⤵
- Executes dropped EXE
PID:4780 -
\??\c:\ppvpp.exec:\ppvpp.exe36⤵
- Executes dropped EXE
PID:1900 -
\??\c:\846642.exec:\846642.exe37⤵
- Executes dropped EXE
PID:3788 -
\??\c:\480602.exec:\480602.exe38⤵
- Executes dropped EXE
PID:5052 -
\??\c:\djvpp.exec:\djvpp.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4172 -
\??\c:\u208640.exec:\u208640.exe40⤵
- Executes dropped EXE
PID:1828 -
\??\c:\3llfxrr.exec:\3llfxrr.exe41⤵
- Executes dropped EXE
PID:3992 -
\??\c:\tnbttt.exec:\tnbttt.exe42⤵
- Executes dropped EXE
PID:2852 -
\??\c:\nnnhhb.exec:\nnnhhb.exe43⤵
- Executes dropped EXE
PID:1572 -
\??\c:\46844.exec:\46844.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3484 -
\??\c:\24482.exec:\24482.exe45⤵
- Executes dropped EXE
PID:4524 -
\??\c:\lflxfff.exec:\lflxfff.exe46⤵
- Executes dropped EXE
PID:4516 -
\??\c:\4848244.exec:\4848244.exe47⤵
- Executes dropped EXE
PID:5012 -
\??\c:\60226.exec:\60226.exe48⤵
- Executes dropped EXE
PID:828 -
\??\c:\6480604.exec:\6480604.exe49⤵
- Executes dropped EXE
PID:1364 -
\??\c:\bhtnnn.exec:\bhtnnn.exe50⤵
- Executes dropped EXE
PID:2736 -
\??\c:\lrfffrr.exec:\lrfffrr.exe51⤵
- Executes dropped EXE
PID:2108 -
\??\c:\5xxrlfx.exec:\5xxrlfx.exe52⤵
- Executes dropped EXE
PID:4840 -
\??\c:\flrrrrr.exec:\flrrrrr.exe53⤵
- Executes dropped EXE
PID:5016 -
\??\c:\442882.exec:\442882.exe54⤵
- Executes dropped EXE
PID:2004 -
\??\c:\66808.exec:\66808.exe55⤵
- Executes dropped EXE
PID:2488 -
\??\c:\dvvdd.exec:\dvvdd.exe56⤵
- Executes dropped EXE
PID:3392 -
\??\c:\0602240.exec:\0602240.exe57⤵
- Executes dropped EXE
PID:4680 -
\??\c:\vjvdd.exec:\vjvdd.exe58⤵
- Executes dropped EXE
PID:4960 -
\??\c:\486448.exec:\486448.exe59⤵
- Executes dropped EXE
PID:5044 -
\??\c:\826648.exec:\826648.exe60⤵
- Executes dropped EXE
PID:4052 -
\??\c:\ttnnnn.exec:\ttnnnn.exe61⤵
- Executes dropped EXE
PID:2712 -
\??\c:\nbbhhn.exec:\nbbhhn.exe62⤵
- Executes dropped EXE
PID:1632 -
\??\c:\xlrlrxx.exec:\xlrlrxx.exe63⤵
- Executes dropped EXE
PID:4036 -
\??\c:\xxrrrxx.exec:\xxrrrxx.exe64⤵
- Executes dropped EXE
PID:4268 -
\??\c:\i602808.exec:\i602808.exe65⤵
- Executes dropped EXE
PID:452 -
\??\c:\xlllfxr.exec:\xlllfxr.exe66⤵PID:3904
-
\??\c:\jvjpv.exec:\jvjpv.exe67⤵PID:4788
-
\??\c:\dpvjp.exec:\dpvjp.exe68⤵PID:4104
-
\??\c:\jvpvd.exec:\jvpvd.exe69⤵PID:4652
-
\??\c:\jvvvv.exec:\jvvvv.exe70⤵PID:444
-
\??\c:\jdjpp.exec:\jdjpp.exe71⤵PID:1520
-
\??\c:\28260.exec:\28260.exe72⤵PID:1148
-
\??\c:\xxxrrrr.exec:\xxxrrrr.exe73⤵PID:4420
-
\??\c:\frxxxxx.exec:\frxxxxx.exe74⤵PID:4448
-
\??\c:\26826.exec:\26826.exe75⤵PID:1196
-
\??\c:\c422266.exec:\c422266.exe76⤵PID:3460
-
\??\c:\thntnh.exec:\thntnh.exe77⤵PID:4504
-
\??\c:\602666.exec:\602666.exe78⤵PID:3136
-
\??\c:\xfllflx.exec:\xfllflx.exe79⤵PID:4188
-
\??\c:\28802.exec:\28802.exe80⤵PID:4996
-
\??\c:\jpppp.exec:\jpppp.exe81⤵PID:3964
-
\??\c:\thnhhn.exec:\thnhhn.exe82⤵PID:2348
-
\??\c:\6882082.exec:\6882082.exe83⤵PID:3064
-
\??\c:\260666.exec:\260666.exe84⤵PID:3616
-
\??\c:\664062.exec:\664062.exe85⤵PID:1716
-
\??\c:\hnbnhn.exec:\hnbnhn.exe86⤵PID:1016
-
\??\c:\pddpd.exec:\pddpd.exe87⤵PID:3908
-
\??\c:\222428.exec:\222428.exe88⤵PID:1428
-
\??\c:\80606.exec:\80606.exe89⤵PID:2804
-
\??\c:\xlrxfff.exec:\xlrxfff.exe90⤵PID:3388
-
\??\c:\668284.exec:\668284.exe91⤵PID:3668
-
\??\c:\64402.exec:\64402.exe92⤵PID:2228
-
\??\c:\rrxxflf.exec:\rrxxflf.exe93⤵PID:2172
-
\??\c:\826646.exec:\826646.exe94⤵PID:4668
-
\??\c:\ttthtt.exec:\ttthtt.exe95⤵PID:4276
-
\??\c:\flrllrr.exec:\flrllrr.exe96⤵PID:804
-
\??\c:\rrrrrff.exec:\rrrrrff.exe97⤵PID:992
-
\??\c:\vpvpp.exec:\vpvpp.exe98⤵
- System Location Discovery: System Language Discovery
PID:3196 -
\??\c:\btnhnh.exec:\btnhnh.exe99⤵PID:4372
-
\??\c:\ddjpd.exec:\ddjpd.exe100⤵PID:3924
-
\??\c:\20282.exec:\20282.exe101⤵PID:2708
-
\??\c:\bbnhhb.exec:\bbnhhb.exe102⤵PID:1028
-
\??\c:\htnnhh.exec:\htnnhh.exe103⤵PID:4612
-
\??\c:\xxfxlll.exec:\xxfxlll.exe104⤵PID:2596
-
\??\c:\o640086.exec:\o640086.exe105⤵PID:912
-
\??\c:\vvvdj.exec:\vvvdj.exe106⤵PID:3568
-
\??\c:\8888608.exec:\8888608.exe107⤵PID:2744
-
\??\c:\lffxfxr.exec:\lffxfxr.exe108⤵PID:1900
-
\??\c:\frrrlll.exec:\frrrlll.exe109⤵PID:4904
-
\??\c:\jpdpd.exec:\jpdpd.exe110⤵PID:2656
-
\??\c:\jjppp.exec:\jjppp.exe111⤵PID:2788
-
\??\c:\rflfxxl.exec:\rflfxxl.exe112⤵PID:1448
-
\??\c:\htntbt.exec:\htntbt.exe113⤵PID:3020
-
\??\c:\flrlxxl.exec:\flrlxxl.exe114⤵PID:4120
-
\??\c:\ntttnb.exec:\ntttnb.exe115⤵PID:1212
-
\??\c:\862026.exec:\862026.exe116⤵PID:4552
-
\??\c:\bthnnt.exec:\bthnnt.exe117⤵PID:4180
-
\??\c:\8282226.exec:\8282226.exe118⤵PID:2108
-
\??\c:\66444.exec:\66444.exe119⤵PID:2024
-
\??\c:\28444.exec:\28444.exe120⤵PID:4500
-
\??\c:\rxxxllx.exec:\rxxxllx.exe121⤵PID:3896
-
\??\c:\44022.exec:\44022.exe122⤵PID:4316