Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 01:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
aea21d85085e6171ee3ab3d0523666c9a1fc96f9f137c63c48558cc955427634N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
aea21d85085e6171ee3ab3d0523666c9a1fc96f9f137c63c48558cc955427634N.exe
-
Size
453KB
-
MD5
2c62a0e9528ad681d332fe7cbfb47b90
-
SHA1
2309b65c6d9e57019a29ce0601e6c170332f4621
-
SHA256
aea21d85085e6171ee3ab3d0523666c9a1fc96f9f137c63c48558cc955427634
-
SHA512
d9618bd088aaf17f3da0c040da070a41771d7f66f5dd06863dab8e4ef0a54ea5bd034ae407608b80e43fe506b23f39bd308230ad77df35bb14bad7fa9e8a103b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ5:q7Tc2NYHUrAwfMp3CDJ5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1376-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1680-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2412-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-819-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-977-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-1161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2988-1607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1780 88448.exe 3212 660466.exe 4844 tnhbth.exe 3600 5fffflf.exe 5044 hbbtnh.exe 1100 28626.exe 3548 3ttnbb.exe 1868 1vpjj.exe 1592 5bbthh.exe 712 2448888.exe 1468 jvvjd.exe 876 bbttnn.exe 2580 0844282.exe 2704 5rxrllf.exe 4860 q80888.exe 5104 rxrlxxl.exe 244 7btnhh.exe 632 xxrlfxl.exe 2612 4260444.exe 3348 hnthbb.exe 4684 w26448.exe 1048 620048.exe 4792 rrrfxrr.exe 220 pdpjv.exe 2908 hbbttn.exe 4080 u260860.exe 4884 428648.exe 2868 xlfxlfr.exe 2412 7xxlfrf.exe 1008 2064044.exe 3060 ntthhb.exe 3784 ttbnbn.exe 4668 a8420.exe 2332 08608.exe 2372 200080.exe 4992 9vpdv.exe 2904 w08642.exe 1856 hnthtt.exe 2176 xxxlfxl.exe 5048 2866086.exe 1416 jvpvp.exe 2760 lrxrfxr.exe 2072 pvvpd.exe 3820 djdpd.exe 1680 2080820.exe 960 xllfrlf.exe 5056 240422.exe 4428 000020.exe 3224 3vdvd.exe 408 htnbnt.exe 900 1xlxlfr.exe 4548 8226660.exe 1820 402082.exe 5052 6464480.exe 4700 u664224.exe 2388 644208.exe 4996 llxlxrl.exe 2468 lxxrlfx.exe 3480 5bbtbt.exe 1840 0820820.exe 824 46208.exe 2816 vpjvj.exe 1592 a4840.exe 3316 00064.exe -
resource yara_rule behavioral2/memory/1376-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-262-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4700-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-128-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3348-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-819-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-869-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-873-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e46084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8620820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 602266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4626004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2288600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6060882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8848226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1376 wrote to memory of 1780 1376 aea21d85085e6171ee3ab3d0523666c9a1fc96f9f137c63c48558cc955427634N.exe 83 PID 1376 wrote to memory of 1780 1376 aea21d85085e6171ee3ab3d0523666c9a1fc96f9f137c63c48558cc955427634N.exe 83 PID 1376 wrote to memory of 1780 1376 aea21d85085e6171ee3ab3d0523666c9a1fc96f9f137c63c48558cc955427634N.exe 83 PID 1780 wrote to memory of 3212 1780 88448.exe 196 PID 1780 wrote to memory of 3212 1780 88448.exe 196 PID 1780 wrote to memory of 3212 1780 88448.exe 196 PID 3212 wrote to memory of 4844 3212 660466.exe 197 PID 3212 wrote to memory of 4844 3212 660466.exe 197 PID 3212 wrote to memory of 4844 3212 660466.exe 197 PID 4844 wrote to memory of 3600 4844 tnhbth.exe 86 PID 4844 wrote to memory of 3600 4844 tnhbth.exe 86 PID 4844 wrote to memory of 3600 4844 tnhbth.exe 86 PID 3600 wrote to memory of 5044 3600 5fffflf.exe 87 PID 3600 wrote to memory of 5044 3600 5fffflf.exe 87 PID 3600 wrote to memory of 5044 3600 5fffflf.exe 87 PID 5044 wrote to memory of 1100 5044 hbbtnh.exe 88 PID 5044 wrote to memory of 1100 5044 hbbtnh.exe 88 PID 5044 wrote to memory of 1100 5044 hbbtnh.exe 88 PID 1100 wrote to memory of 3548 1100 28626.exe 89 PID 1100 wrote to memory of 3548 1100 28626.exe 89 PID 1100 wrote to memory of 3548 1100 28626.exe 89 PID 3548 wrote to memory of 1868 3548 3ttnbb.exe 90 PID 3548 wrote to memory of 1868 3548 3ttnbb.exe 90 PID 3548 wrote to memory of 1868 3548 3ttnbb.exe 90 PID 1868 wrote to memory of 1592 1868 1vpjj.exe 91 PID 1868 wrote to memory of 1592 1868 1vpjj.exe 91 PID 1868 wrote to memory of 1592 1868 1vpjj.exe 91 PID 1592 wrote to memory of 712 1592 5bbthh.exe 92 PID 1592 wrote to memory of 712 1592 5bbthh.exe 92 PID 1592 wrote to memory of 712 1592 5bbthh.exe 92 PID 712 wrote to memory of 1468 712 2448888.exe 210 PID 712 wrote to memory of 1468 712 2448888.exe 210 PID 712 wrote to memory of 1468 712 2448888.exe 210 PID 1468 wrote to memory of 876 1468 jvvjd.exe 94 PID 1468 wrote to 
memory of 876 1468 jvvjd.exe 94 PID 1468 wrote to memory of 876 1468 jvvjd.exe 94 PID 876 wrote to memory of 2580 876 bbttnn.exe 95 PID 876 wrote to memory of 2580 876 bbttnn.exe 95 PID 876 wrote to memory of 2580 876 bbttnn.exe 95 PID 2580 wrote to memory of 2704 2580 0844282.exe 96 PID 2580 wrote to memory of 2704 2580 0844282.exe 96 PID 2580 wrote to memory of 2704 2580 0844282.exe 96 PID 2704 wrote to memory of 4860 2704 5rxrllf.exe 97 PID 2704 wrote to memory of 4860 2704 5rxrllf.exe 97 PID 2704 wrote to memory of 4860 2704 5rxrllf.exe 97 PID 4860 wrote to memory of 5104 4860 q80888.exe 98 PID 4860 wrote to memory of 5104 4860 q80888.exe 98 PID 4860 wrote to memory of 5104 4860 q80888.exe 98 PID 5104 wrote to memory of 244 5104 rxrlxxl.exe 99 PID 5104 wrote to memory of 244 5104 rxrlxxl.exe 99 PID 5104 wrote to memory of 244 5104 rxrlxxl.exe 99 PID 244 wrote to memory of 632 244 7btnhh.exe 100 PID 244 wrote to memory of 632 244 7btnhh.exe 100 PID 244 wrote to memory of 632 244 7btnhh.exe 100 PID 632 wrote to memory of 2612 632 xxrlfxl.exe 101 PID 632 wrote to memory of 2612 632 xxrlfxl.exe 101 PID 632 wrote to memory of 2612 632 xxrlfxl.exe 101 PID 2612 wrote to memory of 3348 2612 4260444.exe 102 PID 2612 wrote to memory of 3348 2612 4260444.exe 102 PID 2612 wrote to memory of 3348 2612 4260444.exe 102 PID 3348 wrote to memory of 4684 3348 hnthbb.exe 103 PID 3348 wrote to memory of 4684 3348 hnthbb.exe 103 PID 3348 wrote to memory of 4684 3348 hnthbb.exe 103 PID 4684 wrote to memory of 1048 4684 w26448.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\aea21d85085e6171ee3ab3d0523666c9a1fc96f9f137c63c48558cc955427634N.exe"C:\Users\Admin\AppData\Local\Temp\aea21d85085e6171ee3ab3d0523666c9a1fc96f9f137c63c48558cc955427634N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\88448.exec:\88448.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\660466.exec:\660466.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\tnhbth.exec:\tnhbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\5fffflf.exec:\5fffflf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\hbbtnh.exec:\hbbtnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\28626.exec:\28626.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\3ttnbb.exec:\3ttnbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\1vpjj.exec:\1vpjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\5bbthh.exec:\5bbthh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\2448888.exec:\2448888.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\jvvjd.exec:\jvvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\bbttnn.exec:\bbttnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\0844282.exec:\0844282.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\5rxrllf.exec:\5rxrllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\q80888.exec:\q80888.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\rxrlxxl.exec:\rxrlxxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\7btnhh.exec:\7btnhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\xxrlfxl.exec:\xxrlfxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\4260444.exec:\4260444.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\hnthbb.exec:\hnthbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\w26448.exec:\w26448.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\620048.exec:\620048.exe23⤵
- Executes dropped EXE
PID:1048 -
\??\c:\rrrfxrr.exec:\rrrfxrr.exe24⤵
- Executes dropped EXE
PID:4792 -
\??\c:\pdpjv.exec:\pdpjv.exe25⤵
- Executes dropped EXE
PID:220 -
\??\c:\hbbttn.exec:\hbbttn.exe26⤵
- Executes dropped EXE
PID:2908 -
\??\c:\u260860.exec:\u260860.exe27⤵
- Executes dropped EXE
PID:4080 -
\??\c:\428648.exec:\428648.exe28⤵
- Executes dropped EXE
PID:4884 -
\??\c:\xlfxlfr.exec:\xlfxlfr.exe29⤵
- Executes dropped EXE
PID:2868 -
\??\c:\7xxlfrf.exec:\7xxlfrf.exe30⤵
- Executes dropped EXE
PID:2412 -
\??\c:\2064044.exec:\2064044.exe31⤵
- Executes dropped EXE
PID:1008 -
\??\c:\ntthhb.exec:\ntthhb.exe32⤵
- Executes dropped EXE
PID:3060 -
\??\c:\ttbnbn.exec:\ttbnbn.exe33⤵
- Executes dropped EXE
PID:3784 -
\??\c:\a8420.exec:\a8420.exe34⤵
- Executes dropped EXE
PID:4668 -
\??\c:\08608.exec:\08608.exe35⤵
- Executes dropped EXE
PID:2332 -
\??\c:\200080.exec:\200080.exe36⤵
- Executes dropped EXE
PID:2372 -
\??\c:\9vpdv.exec:\9vpdv.exe37⤵
- Executes dropped EXE
PID:4992 -
\??\c:\w08642.exec:\w08642.exe38⤵
- Executes dropped EXE
PID:2904 -
\??\c:\hnthtt.exec:\hnthtt.exe39⤵
- Executes dropped EXE
PID:1856 -
\??\c:\xxxlfxl.exec:\xxxlfxl.exe40⤵
- Executes dropped EXE
PID:2176 -
\??\c:\2866086.exec:\2866086.exe41⤵
- Executes dropped EXE
PID:5048 -
\??\c:\jvpvp.exec:\jvpvp.exe42⤵
- Executes dropped EXE
PID:1416 -
\??\c:\lrxrfxr.exec:\lrxrfxr.exe43⤵
- Executes dropped EXE
PID:2760 -
\??\c:\pvvpd.exec:\pvvpd.exe44⤵
- Executes dropped EXE
PID:2072 -
\??\c:\djdpd.exec:\djdpd.exe45⤵
- Executes dropped EXE
PID:3820 -
\??\c:\2080820.exec:\2080820.exe46⤵
- Executes dropped EXE
PID:1680 -
\??\c:\xllfrlf.exec:\xllfrlf.exe47⤵
- Executes dropped EXE
PID:960 -
\??\c:\240422.exec:\240422.exe48⤵
- Executes dropped EXE
PID:5056 -
\??\c:\000020.exec:\000020.exe49⤵
- Executes dropped EXE
PID:4428 -
\??\c:\3vdvd.exec:\3vdvd.exe50⤵
- Executes dropped EXE
PID:3224 -
\??\c:\htnbnt.exec:\htnbnt.exe51⤵
- Executes dropped EXE
PID:408 -
\??\c:\1xlxlfr.exec:\1xlxlfr.exe52⤵
- Executes dropped EXE
PID:900 -
\??\c:\8226660.exec:\8226660.exe53⤵
- Executes dropped EXE
PID:4548 -
\??\c:\402082.exec:\402082.exe54⤵
- Executes dropped EXE
PID:1820 -
\??\c:\6464480.exec:\6464480.exe55⤵
- Executes dropped EXE
PID:5052 -
\??\c:\u664224.exec:\u664224.exe56⤵
- Executes dropped EXE
PID:4700 -
\??\c:\644208.exec:\644208.exe57⤵
- Executes dropped EXE
PID:2388 -
\??\c:\llxlxrl.exec:\llxlxrl.exe58⤵
- Executes dropped EXE
PID:4996 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe59⤵
- Executes dropped EXE
PID:2468 -
\??\c:\5bbtbt.exec:\5bbtbt.exe60⤵
- Executes dropped EXE
PID:3480 -
\??\c:\0820820.exec:\0820820.exe61⤵
- Executes dropped EXE
PID:1840 -
\??\c:\46208.exec:\46208.exe62⤵
- Executes dropped EXE
PID:824 -
\??\c:\vpjvj.exec:\vpjvj.exe63⤵
- Executes dropped EXE
PID:2816 -
\??\c:\a4840.exec:\a4840.exe64⤵
- Executes dropped EXE
PID:1592 -
\??\c:\00064.exec:\00064.exe65⤵
- Executes dropped EXE
PID:3316 -
\??\c:\o442086.exec:\o442086.exe66⤵PID:2728
-
\??\c:\u286420.exec:\u286420.exe67⤵PID:1548
-
\??\c:\vvvjd.exec:\vvvjd.exe68⤵PID:4588
-
\??\c:\nbnbnn.exec:\nbnbnn.exe69⤵PID:2364
-
\??\c:\jvvjp.exec:\jvvjp.exe70⤵PID:3228
-
\??\c:\426082.exec:\426082.exe71⤵PID:100
-
\??\c:\w60860.exec:\w60860.exe72⤵PID:1072
-
\??\c:\42608.exec:\42608.exe73⤵PID:1252
-
\??\c:\lrfrfrx.exec:\lrfrfrx.exe74⤵PID:3884
-
\??\c:\8886048.exec:\8886048.exe75⤵PID:4540
-
\??\c:\nbbthh.exec:\nbbthh.exe76⤵PID:2880
-
\??\c:\lxxrrlf.exec:\lxxrrlf.exe77⤵PID:2840
-
\??\c:\s6620.exec:\s6620.exe78⤵PID:5084
-
\??\c:\tbtttb.exec:\tbtttb.exe79⤵PID:4556
-
\??\c:\vvdvv.exec:\vvdvv.exe80⤵PID:4792
-
\??\c:\400426.exec:\400426.exe81⤵PID:5096
-
\??\c:\lxfrflf.exec:\lxfrflf.exe82⤵PID:4948
-
\??\c:\fxllrrf.exec:\fxllrrf.exe83⤵PID:4940
-
\??\c:\jdvpp.exec:\jdvpp.exe84⤵PID:3924
-
\??\c:\u808828.exec:\u808828.exe85⤵PID:4616
-
\??\c:\htnhhb.exec:\htnhhb.exe86⤵PID:4628
-
\??\c:\tbnhnn.exec:\tbnhnn.exe87⤵PID:3136
-
\??\c:\rfxrxxl.exec:\rfxrxxl.exe88⤵PID:320
-
\??\c:\402660.exec:\402660.exe89⤵PID:2404
-
\??\c:\8426040.exec:\8426040.exe90⤵PID:3640
-
\??\c:\1ffrrxx.exec:\1ffrrxx.exe91⤵PID:404
-
\??\c:\dppjv.exec:\dppjv.exe92⤵PID:1484
-
\??\c:\68206.exec:\68206.exe93⤵PID:4324
-
\??\c:\2848226.exec:\2848226.exe94⤵PID:4652
-
\??\c:\2286486.exec:\2286486.exe95⤵PID:3724
-
\??\c:\dpvpp.exec:\dpvpp.exe96⤵PID:3472
-
\??\c:\rffxrlf.exec:\rffxrlf.exe97⤵PID:3020
-
\??\c:\20844.exec:\20844.exe98⤵PID:3916
-
\??\c:\84420.exec:\84420.exe99⤵
- System Location Discovery: System Language Discovery
PID:3736 -
\??\c:\240008.exec:\240008.exe100⤵PID:1532
-
\??\c:\8464282.exec:\8464282.exe101⤵PID:3032
-
\??\c:\86822.exec:\86822.exe102⤵PID:768
-
\??\c:\jvdpd.exec:\jvdpd.exe103⤵PID:3216
-
\??\c:\7tthtn.exec:\7tthtn.exe104⤵PID:2760
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe105⤵PID:2400
-
\??\c:\e02420.exec:\e02420.exe106⤵PID:2668
-
\??\c:\440420.exec:\440420.exe107⤵PID:3108
-
\??\c:\lrrllll.exec:\lrrllll.exe108⤵PID:4644
-
\??\c:\824448.exec:\824448.exe109⤵PID:3120
-
\??\c:\dvvdp.exec:\dvvdp.exe110⤵PID:1916
-
\??\c:\nnhthh.exec:\nnhthh.exe111⤵PID:2036
-
\??\c:\64082.exec:\64082.exe112⤵PID:1376
-
\??\c:\86424.exec:\86424.exe113⤵PID:2988
-
\??\c:\4820266.exec:\4820266.exe114⤵PID:3212
-
\??\c:\20424.exec:\20424.exe115⤵PID:4844
-
\??\c:\flrlxxx.exec:\flrlxxx.exe116⤵PID:5068
-
\??\c:\pjvjv.exec:\pjvjv.exe117⤵PID:1240
-
\??\c:\e62044.exec:\e62044.exe118⤵PID:5044
-
\??\c:\k00844.exec:\k00844.exe119⤵PID:1572
-
\??\c:\26648.exec:\26648.exe120⤵PID:3024
-
\??\c:\5bbtbb.exec:\5bbtbb.exe121⤵PID:4108
-
\??\c:\ttnbnb.exec:\ttnbnb.exe122⤵PID:4788