Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 06:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe
-
Size
453KB
-
MD5
88e4c6874275afbaac76d29f0fb4daa5
-
SHA1
3e5cab8047fc7e3c2eb5022d7b7b6a1c1a17e961
-
SHA256
f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076
-
SHA512
f9a96c0213be0e76193c9c64d76febb2ed43ce72a1c1dd2ec39077d20706449423d1a0026c936bd4b7527ce18281ea11772e9bad34845d91a567c053b280cd94
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4032-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3616-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2716-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-768-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-981-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-1066-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2224 6066004.exe 2288 806000.exe 2876 djvjj.exe 4820 82828.exe 5024 pppdv.exe 5096 tnhtnh.exe 4464 u404204.exe 2256 02820.exe 3892 3tnnhh.exe 3964 bhntbb.exe 2908 u460044.exe 3344 00482.exe 2544 hnnhtt.exe 2716 ttnnhb.exe 3412 240048.exe 1632 bbnbnb.exe 4968 lxxfxlf.exe 1540 q64062.exe 3368 nhhhbb.exe 1388 jppdv.exe 1672 nhbthb.exe 2748 bthbhh.exe 4964 2682608.exe 3444 ttnhhb.exe 3868 lllxrxr.exe 1876 9pdvj.exe 4940 pjjdv.exe 2124 a6860.exe 2580 jvjvp.exe 1288 66820.exe 4320 862000.exe 548 hhnnhh.exe 2788 6466262.exe 2012 4804860.exe 4528 hbtnbt.exe 4720 0848446.exe 3664 nhhbtn.exe 3712 2882000.exe 3972 24226.exe 4804 3hbnbb.exe 5080 68042.exe 2172 486044.exe 2052 284860.exe 2296 9vvpj.exe 1420 462020.exe 2004 826448.exe 2288 bbbnhb.exe 1556 3nbnhb.exe 3992 3dvpj.exe 5024 jvvpj.exe 3256 86880.exe 3504 288826.exe 3988 lflfrlx.exe 1992 dvpjp.exe 1944 jjppp.exe 4448 lxxffff.exe 4548 4060066.exe 3964 bnbtnn.exe 2908 24488.exe 3528 nhhbtt.exe 1936 vjpvd.exe 2544 jvdjv.exe 2716 hbntht.exe 3880 6048288.exe -
resource yara_rule behavioral2/memory/4032-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-415-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3616-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-84-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3344-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-764-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 444488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8404888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0268080.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2468646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0488668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4032 wrote to memory of 2224 4032 f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe 83 PID 4032 wrote to memory of 2224 4032 f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe 83 PID 4032 wrote to memory of 2224 4032 f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe 83 PID 2224 wrote to memory of 2288 2224 6066004.exe 131 PID 2224 wrote to memory of 2288 2224 6066004.exe 131 PID 2224 wrote to memory of 2288 2224 6066004.exe 131 PID 2288 wrote to memory of 2876 2288 806000.exe 85 PID 2288 wrote to memory of 2876 2288 806000.exe 85 PID 2288 wrote to memory of 2876 2288 806000.exe 85 PID 2876 wrote to memory of 4820 2876 djvjj.exe 86 PID 2876 wrote to memory of 4820 2876 djvjj.exe 86 PID 2876 wrote to memory of 4820 2876 djvjj.exe 86 PID 4820 wrote to memory of 5024 4820 82828.exe 134 PID 4820 wrote to memory of 5024 4820 82828.exe 134 PID 4820 wrote to memory of 5024 4820 82828.exe 134 PID 5024 wrote to memory of 5096 5024 pppdv.exe 88 PID 5024 wrote to memory of 5096 5024 pppdv.exe 88 PID 5024 wrote to memory of 5096 5024 pppdv.exe 88 PID 5096 wrote to memory of 4464 5096 tnhtnh.exe 89 PID 5096 wrote to memory of 4464 5096 tnhtnh.exe 89 PID 5096 wrote to memory of 4464 5096 tnhtnh.exe 89 PID 4464 wrote to memory of 2256 4464 u404204.exe 90 PID 4464 wrote to memory of 2256 4464 u404204.exe 90 PID 4464 wrote to memory of 2256 4464 u404204.exe 90 PID 2256 wrote to memory of 3892 2256 02820.exe 91 PID 2256 wrote to memory of 3892 2256 02820.exe 91 PID 2256 wrote to memory of 3892 2256 02820.exe 91 PID 3892 wrote to memory of 3964 3892 3tnnhh.exe 92 PID 3892 wrote to memory of 3964 3892 3tnnhh.exe 92 PID 3892 wrote to memory of 3964 3892 3tnnhh.exe 92 PID 3964 wrote to memory of 2908 3964 bhntbb.exe 93 PID 3964 wrote to memory of 2908 3964 bhntbb.exe 93 PID 3964 wrote to memory of 2908 3964 bhntbb.exe 93 PID 2908 wrote to memory of 3344 2908 u460044.exe 94 PID 2908 wrote to 
memory of 3344 2908 u460044.exe 94 PID 2908 wrote to memory of 3344 2908 u460044.exe 94 PID 3344 wrote to memory of 2544 3344 00482.exe 146 PID 3344 wrote to memory of 2544 3344 00482.exe 146 PID 3344 wrote to memory of 2544 3344 00482.exe 146 PID 2544 wrote to memory of 2716 2544 hnnhtt.exe 96 PID 2544 wrote to memory of 2716 2544 hnnhtt.exe 96 PID 2544 wrote to memory of 2716 2544 hnnhtt.exe 96 PID 2716 wrote to memory of 3412 2716 ttnnhb.exe 97 PID 2716 wrote to memory of 3412 2716 ttnnhb.exe 97 PID 2716 wrote to memory of 3412 2716 ttnnhb.exe 97 PID 3412 wrote to memory of 1632 3412 240048.exe 149 PID 3412 wrote to memory of 1632 3412 240048.exe 149 PID 3412 wrote to memory of 1632 3412 240048.exe 149 PID 1632 wrote to memory of 4968 1632 bbnbnb.exe 99 PID 1632 wrote to memory of 4968 1632 bbnbnb.exe 99 PID 1632 wrote to memory of 4968 1632 bbnbnb.exe 99 PID 4968 wrote to memory of 1540 4968 lxxfxlf.exe 100 PID 4968 wrote to memory of 1540 4968 lxxfxlf.exe 100 PID 4968 wrote to memory of 1540 4968 lxxfxlf.exe 100 PID 1540 wrote to memory of 3368 1540 q64062.exe 101 PID 1540 wrote to memory of 3368 1540 q64062.exe 101 PID 1540 wrote to memory of 3368 1540 q64062.exe 101 PID 3368 wrote to memory of 1388 3368 nhhhbb.exe 102 PID 3368 wrote to memory of 1388 3368 nhhhbb.exe 102 PID 3368 wrote to memory of 1388 3368 nhhhbb.exe 102 PID 1388 wrote to memory of 1672 1388 jppdv.exe 103 PID 1388 wrote to memory of 1672 1388 jppdv.exe 103 PID 1388 wrote to memory of 1672 1388 jppdv.exe 103 PID 1672 wrote to memory of 2748 1672 nhbthb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe"C:\Users\Admin\AppData\Local\Temp\f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\6066004.exec:\6066004.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\806000.exec:\806000.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\djvjj.exec:\djvjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\82828.exec:\82828.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\pppdv.exec:\pppdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\tnhtnh.exec:\tnhtnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\u404204.exec:\u404204.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\02820.exec:\02820.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\3tnnhh.exec:\3tnnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\bhntbb.exec:\bhntbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\u460044.exec:\u460044.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\00482.exec:\00482.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\hnnhtt.exec:\hnnhtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\ttnnhb.exec:\ttnnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\240048.exec:\240048.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\bbnbnb.exec:\bbnbnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\lxxfxlf.exec:\lxxfxlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\q64062.exec:\q64062.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\nhhhbb.exec:\nhhhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\jppdv.exec:\jppdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\nhbthb.exec:\nhbthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\bthbhh.exec:\bthbhh.exe23⤵
- Executes dropped EXE
PID:2748 -
\??\c:\2682608.exec:\2682608.exe24⤵
- Executes dropped EXE
PID:4964 -
\??\c:\ttnhhb.exec:\ttnhhb.exe25⤵
- Executes dropped EXE
PID:3444 -
\??\c:\lllxrxr.exec:\lllxrxr.exe26⤵
- Executes dropped EXE
PID:3868 -
\??\c:\9pdvj.exec:\9pdvj.exe27⤵
- Executes dropped EXE
PID:1876 -
\??\c:\pjjdv.exec:\pjjdv.exe28⤵
- Executes dropped EXE
PID:4940 -
\??\c:\a6860.exec:\a6860.exe29⤵
- Executes dropped EXE
PID:2124 -
\??\c:\jvjvp.exec:\jvjvp.exe30⤵
- Executes dropped EXE
PID:2580 -
\??\c:\66820.exec:\66820.exe31⤵
- Executes dropped EXE
PID:1288 -
\??\c:\862000.exec:\862000.exe32⤵
- Executes dropped EXE
PID:4320 -
\??\c:\hhnnhh.exec:\hhnnhh.exe33⤵
- Executes dropped EXE
PID:548 -
\??\c:\6466262.exec:\6466262.exe34⤵
- Executes dropped EXE
PID:2788 -
\??\c:\4804860.exec:\4804860.exe35⤵
- Executes dropped EXE
PID:2012 -
\??\c:\hbtnbt.exec:\hbtnbt.exe36⤵
- Executes dropped EXE
PID:4528 -
\??\c:\0848446.exec:\0848446.exe37⤵
- Executes dropped EXE
PID:4720 -
\??\c:\nhhbtn.exec:\nhhbtn.exe38⤵
- Executes dropped EXE
PID:3664 -
\??\c:\2882000.exec:\2882000.exe39⤵
- Executes dropped EXE
PID:3712 -
\??\c:\24226.exec:\24226.exe40⤵
- Executes dropped EXE
PID:3972 -
\??\c:\3hbnbb.exec:\3hbnbb.exe41⤵
- Executes dropped EXE
PID:4804 -
\??\c:\68042.exec:\68042.exe42⤵
- Executes dropped EXE
PID:5080 -
\??\c:\486044.exec:\486044.exe43⤵
- Executes dropped EXE
PID:2172 -
\??\c:\284860.exec:\284860.exe44⤵
- Executes dropped EXE
PID:2052 -
\??\c:\9vvpj.exec:\9vvpj.exe45⤵
- Executes dropped EXE
PID:2296 -
\??\c:\462020.exec:\462020.exe46⤵
- Executes dropped EXE
PID:1420 -
\??\c:\826448.exec:\826448.exe47⤵
- Executes dropped EXE
PID:2004 -
\??\c:\bbbnhb.exec:\bbbnhb.exe48⤵
- Executes dropped EXE
PID:2288 -
\??\c:\3nbnhb.exec:\3nbnhb.exe49⤵
- Executes dropped EXE
PID:1556 -
\??\c:\3dvpj.exec:\3dvpj.exe50⤵
- Executes dropped EXE
PID:3992 -
\??\c:\jvvpj.exec:\jvvpj.exe51⤵
- Executes dropped EXE
PID:5024 -
\??\c:\86880.exec:\86880.exe52⤵
- Executes dropped EXE
PID:3256 -
\??\c:\288826.exec:\288826.exe53⤵
- Executes dropped EXE
PID:3504 -
\??\c:\lflfrlx.exec:\lflfrlx.exe54⤵
- Executes dropped EXE
PID:3988 -
\??\c:\dvpjp.exec:\dvpjp.exe55⤵
- Executes dropped EXE
PID:1992 -
\??\c:\jjppp.exec:\jjppp.exe56⤵
- Executes dropped EXE
PID:1944 -
\??\c:\lxxffff.exec:\lxxffff.exe57⤵
- Executes dropped EXE
PID:4448 -
\??\c:\4060066.exec:\4060066.exe58⤵
- Executes dropped EXE
PID:4548 -
\??\c:\bnbtnn.exec:\bnbtnn.exe59⤵
- Executes dropped EXE
PID:3964 -
\??\c:\24488.exec:\24488.exe60⤵
- Executes dropped EXE
PID:2908 -
\??\c:\nhhbtt.exec:\nhhbtt.exe61⤵
- Executes dropped EXE
PID:3528 -
\??\c:\vjpvd.exec:\vjpvd.exe62⤵
- Executes dropped EXE
PID:1936 -
\??\c:\jvdjv.exec:\jvdjv.exe63⤵
- Executes dropped EXE
PID:2544 -
\??\c:\hbntht.exec:\hbntht.exe64⤵
- Executes dropped EXE
PID:2716 -
\??\c:\6048288.exec:\6048288.exe65⤵
- Executes dropped EXE
PID:3880 -
\??\c:\jdvjp.exec:\jdvjp.exe66⤵PID:1632
-
\??\c:\g6600.exec:\g6600.exe67⤵PID:4520
-
\??\c:\i286000.exec:\i286000.exe68⤵PID:1064
-
\??\c:\68600.exec:\68600.exe69⤵PID:1644
-
\??\c:\hbbnhb.exec:\hbbnhb.exe70⤵PID:4776
-
\??\c:\84420.exec:\84420.exe71⤵PID:2164
-
\??\c:\7ffrfxr.exec:\7ffrfxr.exe72⤵PID:2320
-
\??\c:\64626.exec:\64626.exe73⤵PID:1688
-
\??\c:\ffrlfrl.exec:\ffrlfrl.exe74⤵PID:4964
-
\??\c:\6462626.exec:\6462626.exe75⤵PID:3076
-
\??\c:\6824264.exec:\6824264.exe76⤵PID:3532
-
\??\c:\flrrllf.exec:\flrrllf.exe77⤵PID:1876
-
\??\c:\1flrffl.exec:\1flrffl.exe78⤵PID:916
-
\??\c:\68448.exec:\68448.exe79⤵PID:2548
-
\??\c:\tnbbbt.exec:\tnbbbt.exe80⤵PID:1488
-
\??\c:\86604.exec:\86604.exe81⤵PID:4104
-
\??\c:\q62044.exec:\q62044.exe82⤵PID:264
-
\??\c:\8844862.exec:\8844862.exe83⤵PID:540
-
\??\c:\80600.exec:\80600.exe84⤵PID:2960
-
\??\c:\80266.exec:\80266.exe85⤵PID:1352
-
\??\c:\228204.exec:\228204.exe86⤵PID:4952
-
\??\c:\688828.exec:\688828.exe87⤵PID:464
-
\??\c:\7vjjd.exec:\7vjjd.exe88⤵PID:2516
-
\??\c:\02860.exec:\02860.exe89⤵PID:4772
-
\??\c:\o660682.exec:\o660682.exe90⤵PID:1740
-
\??\c:\jvvvp.exec:\jvvvp.exe91⤵PID:2412
-
\??\c:\2006066.exec:\2006066.exe92⤵PID:2108
-
\??\c:\httnth.exec:\httnth.exe93⤵PID:4312
-
\??\c:\806048.exec:\806048.exe94⤵PID:436
-
\??\c:\222024.exec:\222024.exe95⤵PID:3616
-
\??\c:\40622.exec:\40622.exe96⤵PID:1080
-
\??\c:\hbbtnn.exec:\hbbtnn.exe97⤵PID:1548
-
\??\c:\3ppvv.exec:\3ppvv.exe98⤵PID:1724
-
\??\c:\9hhbtb.exec:\9hhbtb.exe99⤵PID:4032
-
\??\c:\04600.exec:\04600.exe100⤵PID:3992
-
\??\c:\0004444.exec:\0004444.exe101⤵PID:4944
-
\??\c:\04048.exec:\04048.exe102⤵PID:2448
-
\??\c:\ttbttt.exec:\ttbttt.exe103⤵PID:5060
-
\??\c:\pppdv.exec:\pppdv.exe104⤵PID:3800
-
\??\c:\664444.exec:\664444.exe105⤵PID:2256
-
\??\c:\0644044.exec:\0644044.exe106⤵PID:4248
-
\??\c:\jdjvp.exec:\jdjvp.exe107⤵PID:3392
-
\??\c:\bnthhb.exec:\bnthhb.exe108⤵PID:4984
-
\??\c:\bbhbtn.exec:\bbhbtn.exe109⤵PID:3624
-
\??\c:\422040.exec:\422040.exe110⤵PID:1476
-
\??\c:\20488.exec:\20488.exe111⤵PID:3344
-
\??\c:\00820.exec:\00820.exe112⤵PID:5056
-
\??\c:\2848828.exec:\2848828.exe113⤵PID:4932
-
\??\c:\6426060.exec:\6426060.exe114⤵PID:3916
-
\??\c:\jdjpd.exec:\jdjpd.exe115⤵PID:532
-
\??\c:\02840.exec:\02840.exe116⤵PID:2468
-
\??\c:\02620.exec:\02620.exe117⤵PID:4348
-
\??\c:\nbnnnt.exec:\nbnnnt.exe118⤵PID:4816
-
\??\c:\tnnbtt.exec:\tnnbtt.exe119⤵PID:2408
-
\??\c:\22864.exec:\22864.exe120⤵PID:1056
-
\??\c:\ttthbn.exec:\ttthbn.exe121⤵PID:4556
-
\??\c:\nnbtnt.exec:\nnbtnt.exe122⤵PID:4828