Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
23-12-2024 03:16
Static task
static1
1 signature
Behavioral task (note: the signature details further down are all tagged behavioral2, i.e. the win10v2004 run named in the header, not the win7 task described in this entry)
behavioral1
Sample
ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe
-
Size
453KB
-
MD5
c9594346b28443ea1b42c92b5a711c36
-
SHA1
09031f2bf3e1fb0b183f884b32b9727c120470ff
-
SHA256
ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d
-
SHA512
2ed33e1c35dfb5d7f342d0f4ccecdc9b463cf53c960b88f3200c2678070dca3a49cf4603321749253ab9a456f1b4b080bb7dfd2cb1a6264b8dd9abbb18af334a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config (none shown on this page — no C2 or configuration data was extracted for this sample, so the family label below rests on static/memory signatures only)
Signatures
-
Blackmoon family (attribution is based solely on the family_blackmoon YARA rule matching the in-memory image at 0x400000–0x42A000 of the parent and each dropped process; the same region also matches the upx rule, consistent with every dropped binary being the same UPX-packed image — treat the family call as moderate confidence until corroborated by network or config evidence, neither of which appears here)
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1900-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4208-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/788-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4888-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-890-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-936-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-1084-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-1416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-1564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (PIDs are reused within the run — e.g. 2852 appears as tbhtht.exe and later as 5jdvp.exe — so correlate events by image name and parent, not by PID alone)
pid Process 2852 tbhtht.exe 2332 jpdvj.exe 2696 64424.exe 4120 w84268.exe 4960 vddpd.exe 1912 00860.exe 3308 5rlxrfr.exe 1964 w44642.exe 3076 624242.exe 3532 bnnhtn.exe 4152 q66464.exe 4340 08220.exe 1032 6402040.exe 2020 002282.exe 4616 2224860.exe 4208 448682.exe 2768 dpdpd.exe 3084 ddddd.exe 64 7jvjd.exe 5028 02488.exe 4992 nhhbtn.exe 3636 s0604.exe 2340 pvvvp.exe 4240 1lfxrrr.exe 444 2288222.exe 636 httnhh.exe 2508 8240844.exe 1176 a2484.exe 4996 jvjdp.exe 2328 26642.exe 2560 i620208.exe 1332 jvdvv.exe 4568 5fffxxr.exe 1540 86888.exe 660 nbbbtt.exe 632 6804222.exe 4380 1jpjj.exe 5040 646060.exe 840 6284882.exe 916 44482.exe 1500 lrfxffx.exe 3964 xxlflrx.exe 3692 7tttnb.exe 1880 xrflxlx.exe 4196 htbtnn.exe 1920 3htnnn.exe 3196 48662.exe 4492 fxlffff.exe 4280 4226482.exe 2464 bbbtnn.exe 892 040444.exe 2852 5jdvp.exe 3576 8682828.exe 3584 66266.exe 648 hbhbhb.exe 4184 s2202.exe 2144 tbnbbt.exe 1788 0460006.exe 2772 7nnbtt.exe 428 e40448.exe 2016 3ttbtt.exe 1092 bnbthh.exe 2468 thtnhh.exe 1992 88822.exe -
resource yara_rule behavioral2/memory/1900-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-100-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4240-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/788-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-376-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1704-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-890-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-936-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-1084-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-1121-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Many of the IoCs below are attributed to "Process not Found": the process had most likely already exited when the sandbox resolved the event, so those registry reads cannot be tied to a specific dropped binary and should not be used as per-process indicators.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 842004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o224048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6620204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8064862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxflxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes to its child exactly three times immediately after spawning it, which is consistent with the writes that ordinary process creation performs rather than with code injection; on its own this signature is low-weight for this sample)
description pid Process procid_target PID 1900 wrote to memory of 2852 1900 ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe 83 PID 1900 wrote to memory of 2852 1900 ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe 83 PID 1900 wrote to memory of 2852 1900 ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe 83 PID 2852 wrote to memory of 2332 2852 tbhtht.exe 84 PID 2852 wrote to memory of 2332 2852 tbhtht.exe 84 PID 2852 wrote to memory of 2332 2852 tbhtht.exe 84 PID 2332 wrote to memory of 2696 2332 jpdvj.exe 85 PID 2332 wrote to memory of 2696 2332 jpdvj.exe 85 PID 2332 wrote to memory of 2696 2332 jpdvj.exe 85 PID 2696 wrote to memory of 4120 2696 64424.exe 86 PID 2696 wrote to memory of 4120 2696 64424.exe 86 PID 2696 wrote to memory of 4120 2696 64424.exe 86 PID 4120 wrote to memory of 4960 4120 w84268.exe 87 PID 4120 wrote to memory of 4960 4120 w84268.exe 87 PID 4120 wrote to memory of 4960 4120 w84268.exe 87 PID 4960 wrote to memory of 1912 4960 vddpd.exe 88 PID 4960 wrote to memory of 1912 4960 vddpd.exe 88 PID 4960 wrote to memory of 1912 4960 vddpd.exe 88 PID 1912 wrote to memory of 3308 1912 00860.exe 89 PID 1912 wrote to memory of 3308 1912 00860.exe 89 PID 1912 wrote to memory of 3308 1912 00860.exe 89 PID 3308 wrote to memory of 1964 3308 5rlxrfr.exe 90 PID 3308 wrote to memory of 1964 3308 5rlxrfr.exe 90 PID 3308 wrote to memory of 1964 3308 5rlxrfr.exe 90 PID 1964 wrote to memory of 3076 1964 w44642.exe 91 PID 1964 wrote to memory of 3076 1964 w44642.exe 91 PID 1964 wrote to memory of 3076 1964 w44642.exe 91 PID 3076 wrote to memory of 3532 3076 624242.exe 92 PID 3076 wrote to memory of 3532 3076 624242.exe 92 PID 3076 wrote to memory of 3532 3076 624242.exe 92 PID 3532 wrote to memory of 4152 3532 bnnhtn.exe 93 PID 3532 wrote to memory of 4152 3532 bnnhtn.exe 93 PID 3532 wrote to memory of 4152 3532 bnnhtn.exe 93 PID 4152 wrote to memory of 4340 4152 q66464.exe 94 PID 4152 wrote to memory of 
4340 4152 q66464.exe 94 PID 4152 wrote to memory of 4340 4152 q66464.exe 94 PID 4340 wrote to memory of 1032 4340 08220.exe 95 PID 4340 wrote to memory of 1032 4340 08220.exe 95 PID 4340 wrote to memory of 1032 4340 08220.exe 95 PID 1032 wrote to memory of 2020 1032 6402040.exe 96 PID 1032 wrote to memory of 2020 1032 6402040.exe 96 PID 1032 wrote to memory of 2020 1032 6402040.exe 96 PID 2020 wrote to memory of 4616 2020 002282.exe 97 PID 2020 wrote to memory of 4616 2020 002282.exe 97 PID 2020 wrote to memory of 4616 2020 002282.exe 97 PID 4616 wrote to memory of 4208 4616 2224860.exe 98 PID 4616 wrote to memory of 4208 4616 2224860.exe 98 PID 4616 wrote to memory of 4208 4616 2224860.exe 98 PID 4208 wrote to memory of 2768 4208 448682.exe 99 PID 4208 wrote to memory of 2768 4208 448682.exe 99 PID 4208 wrote to memory of 2768 4208 448682.exe 99 PID 2768 wrote to memory of 3084 2768 dpdpd.exe 100 PID 2768 wrote to memory of 3084 2768 dpdpd.exe 100 PID 2768 wrote to memory of 3084 2768 dpdpd.exe 100 PID 3084 wrote to memory of 64 3084 ddddd.exe 101 PID 3084 wrote to memory of 64 3084 ddddd.exe 101 PID 3084 wrote to memory of 64 3084 ddddd.exe 101 PID 64 wrote to memory of 5028 64 7jvjd.exe 102 PID 64 wrote to memory of 5028 64 7jvjd.exe 102 PID 64 wrote to memory of 5028 64 7jvjd.exe 102 PID 5028 wrote to memory of 4992 5028 02488.exe 103 PID 5028 wrote to memory of 4992 5028 02488.exe 103 PID 5028 wrote to memory of 4992 5028 02488.exe 103 PID 4992 wrote to memory of 3636 4992 nhhbtn.exe 104
Processes (each entry shows the image path, then the command line, then its position in the spawn chain; every dropped binary is written to and run from the root of c:\ by a process started from the Admin user's Temp directory, and the chain reaches 122 entries within the 150-second run before the report is cut off)
-
C:\Users\Admin\AppData\Local\Temp\ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe"C:\Users\Admin\AppData\Local\Temp\ce3b3eb0ae684fe46edae4fad7d4ebbb592a74f003f2ee1e04658a103a11175d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\tbhtht.exec:\tbhtht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\jpdvj.exec:\jpdvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\64424.exec:\64424.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\w84268.exec:\w84268.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\vddpd.exec:\vddpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\00860.exec:\00860.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\5rlxrfr.exec:\5rlxrfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\w44642.exec:\w44642.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\624242.exec:\624242.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\bnnhtn.exec:\bnnhtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\q66464.exec:\q66464.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\08220.exec:\08220.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\6402040.exec:\6402040.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\002282.exec:\002282.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\2224860.exec:\2224860.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\448682.exec:\448682.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\dpdpd.exec:\dpdpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\ddddd.exec:\ddddd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\7jvjd.exec:\7jvjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\02488.exec:\02488.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\nhhbtn.exec:\nhhbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\s0604.exec:\s0604.exe23⤵
- Executes dropped EXE
PID:3636 -
\??\c:\pvvvp.exec:\pvvvp.exe24⤵
- Executes dropped EXE
PID:2340 -
\??\c:\1lfxrrr.exec:\1lfxrrr.exe25⤵
- Executes dropped EXE
PID:4240 -
\??\c:\2288222.exec:\2288222.exe26⤵
- Executes dropped EXE
PID:444 -
\??\c:\httnhh.exec:\httnhh.exe27⤵
- Executes dropped EXE
PID:636 -
\??\c:\8240844.exec:\8240844.exe28⤵
- Executes dropped EXE
PID:2508 -
\??\c:\a2484.exec:\a2484.exe29⤵
- Executes dropped EXE
PID:1176 -
\??\c:\jvjdp.exec:\jvjdp.exe30⤵
- Executes dropped EXE
PID:4996 -
\??\c:\26642.exec:\26642.exe31⤵
- Executes dropped EXE
PID:2328 -
\??\c:\i620208.exec:\i620208.exe32⤵
- Executes dropped EXE
PID:2560 -
\??\c:\jvdvv.exec:\jvdvv.exe33⤵
- Executes dropped EXE
PID:1332 -
\??\c:\5fffxxr.exec:\5fffxxr.exe34⤵
- Executes dropped EXE
PID:4568 -
\??\c:\86888.exec:\86888.exe35⤵
- Executes dropped EXE
PID:1540 -
\??\c:\nbbbtt.exec:\nbbbtt.exe36⤵
- Executes dropped EXE
PID:660 -
\??\c:\6804222.exec:\6804222.exe37⤵
- Executes dropped EXE
PID:632 -
\??\c:\1jpjj.exec:\1jpjj.exe38⤵
- Executes dropped EXE
PID:4380 -
\??\c:\646060.exec:\646060.exe39⤵
- Executes dropped EXE
PID:5040 -
\??\c:\6284882.exec:\6284882.exe40⤵
- Executes dropped EXE
PID:840 -
\??\c:\44482.exec:\44482.exe41⤵
- Executes dropped EXE
PID:916 -
\??\c:\lrfxffx.exec:\lrfxffx.exe42⤵
- Executes dropped EXE
PID:1500 -
\??\c:\xxlflrx.exec:\xxlflrx.exe43⤵
- Executes dropped EXE
PID:3964 -
\??\c:\7tttnb.exec:\7tttnb.exe44⤵
- Executes dropped EXE
PID:3692 -
\??\c:\xrflxlx.exec:\xrflxlx.exe45⤵
- Executes dropped EXE
PID:1880 -
\??\c:\htbtnn.exec:\htbtnn.exe46⤵
- Executes dropped EXE
PID:4196 -
\??\c:\3htnnn.exec:\3htnnn.exe47⤵
- Executes dropped EXE
PID:1920 -
\??\c:\48662.exec:\48662.exe48⤵
- Executes dropped EXE
PID:3196 -
\??\c:\fxlffff.exec:\fxlffff.exe49⤵
- Executes dropped EXE
PID:4492 -
\??\c:\4226482.exec:\4226482.exe50⤵
- Executes dropped EXE
PID:4280 -
\??\c:\bbbtnn.exec:\bbbtnn.exe51⤵
- Executes dropped EXE
PID:2464 -
\??\c:\040444.exec:\040444.exe52⤵
- Executes dropped EXE
PID:892 -
\??\c:\5jdvp.exec:\5jdvp.exe53⤵
- Executes dropped EXE
PID:2852 -
\??\c:\8682828.exec:\8682828.exe54⤵
- Executes dropped EXE
PID:3576 -
\??\c:\66266.exec:\66266.exe55⤵
- Executes dropped EXE
PID:3584 -
\??\c:\hbhbhb.exec:\hbhbhb.exe56⤵
- Executes dropped EXE
PID:648 -
\??\c:\s2202.exec:\s2202.exe57⤵
- Executes dropped EXE
PID:4184 -
\??\c:\tbnbbt.exec:\tbnbbt.exe58⤵
- Executes dropped EXE
PID:2144 -
\??\c:\0460006.exec:\0460006.exe59⤵
- Executes dropped EXE
PID:1788 -
\??\c:\7nnbtt.exec:\7nnbtt.exe60⤵
- Executes dropped EXE
PID:2772 -
\??\c:\e40448.exec:\e40448.exe61⤵
- Executes dropped EXE
PID:428 -
\??\c:\3ttbtt.exec:\3ttbtt.exe62⤵
- Executes dropped EXE
PID:2016 -
\??\c:\bnbthh.exec:\bnbthh.exe63⤵
- Executes dropped EXE
PID:1092 -
\??\c:\thtnhh.exec:\thtnhh.exe64⤵
- Executes dropped EXE
PID:2468 -
\??\c:\88822.exec:\88822.exe65⤵
- Executes dropped EXE
PID:1992 -
\??\c:\pvdpd.exec:\pvdpd.exe66⤵PID:4728
-
\??\c:\682200.exec:\682200.exe67⤵PID:4640
-
\??\c:\1btnbb.exec:\1btnbb.exe68⤵PID:1948
-
\??\c:\0800682.exec:\0800682.exe69⤵PID:788
-
\??\c:\bttttt.exec:\bttttt.exe70⤵PID:216
-
\??\c:\8404826.exec:\8404826.exe71⤵PID:384
-
\??\c:\a4042.exec:\a4042.exe72⤵PID:2188
-
\??\c:\jvvpj.exec:\jvvpj.exe73⤵PID:5068
-
\??\c:\jdjvp.exec:\jdjvp.exe74⤵PID:2324
-
\??\c:\2004404.exec:\2004404.exe75⤵PID:4208
-
\??\c:\rfrlllf.exec:\rfrlllf.exe76⤵PID:4644
-
\??\c:\062262.exec:\062262.exe77⤵PID:3084
-
\??\c:\60286.exec:\60286.exe78⤵PID:2564
-
\??\c:\86260.exec:\86260.exe79⤵PID:4888
-
\??\c:\0806448.exec:\0806448.exe80⤵PID:2640
-
\??\c:\lrxxllf.exec:\lrxxllf.exe81⤵PID:2592
-
\??\c:\84044.exec:\84044.exe82⤵PID:3448
-
\??\c:\8064222.exec:\8064222.exe83⤵PID:4896
-
\??\c:\8804826.exec:\8804826.exe84⤵PID:1520
-
\??\c:\402600.exec:\402600.exe85⤵PID:964
-
\??\c:\84482.exec:\84482.exe86⤵PID:4240
-
\??\c:\028866.exec:\028866.exe87⤵PID:4836
-
\??\c:\xllfrrr.exec:\xllfrrr.exe88⤵PID:3696
-
\??\c:\bthnnt.exec:\bthnnt.exe89⤵PID:1704
-
\??\c:\24402.exec:\24402.exe90⤵PID:3720
-
\??\c:\ntbhnb.exec:\ntbhnb.exe91⤵PID:2652
-
\??\c:\7bnhhh.exec:\7bnhhh.exe92⤵PID:3748
-
\??\c:\9pjjj.exec:\9pjjj.exe93⤵PID:4996
-
\??\c:\8644006.exec:\8644006.exe94⤵PID:4356
-
\??\c:\frrrlrr.exec:\frrrlrr.exe95⤵PID:1180
-
\??\c:\pvddj.exec:\pvddj.exe96⤵PID:228
-
\??\c:\e24880.exec:\e24880.exe97⤵PID:4568
-
\??\c:\pjjdd.exec:\pjjdd.exe98⤵PID:1296
-
\??\c:\402200.exec:\402200.exe99⤵PID:1676
-
\??\c:\fxrlxrl.exec:\fxrlxrl.exe100⤵PID:632
-
\??\c:\xfllflf.exec:\xfllflf.exe101⤵PID:4380
-
\??\c:\xrxlffx.exec:\xrxlffx.exe102⤵PID:2104
-
\??\c:\6882466.exec:\6882466.exe103⤵PID:3688
-
\??\c:\228828.exec:\228828.exe104⤵PID:3264
-
\??\c:\2082828.exec:\2082828.exe105⤵PID:3984
-
\??\c:\04448.exec:\04448.exe106⤵PID:2820
-
\??\c:\vpppp.exec:\vpppp.exe107⤵PID:4028
-
\??\c:\4282226.exec:\4282226.exe108⤵PID:3704
-
\??\c:\06828.exec:\06828.exe109⤵PID:3340
-
\??\c:\7jpjj.exec:\7jpjj.exe110⤵
- System Location Discovery: System Language Discovery
PID:464 -
\??\c:\o004260.exec:\o004260.exe111⤵PID:3452
-
\??\c:\w44826.exec:\w44826.exe112⤵PID:4440
-
\??\c:\nnhbbt.exec:\nnhbbt.exe113⤵PID:5052
-
\??\c:\084822.exec:\084822.exe114⤵PID:4404
-
\??\c:\5nhbtt.exec:\5nhbtt.exe115⤵PID:3940
-
\??\c:\7lfxrlf.exec:\7lfxrlf.exe116⤵PID:892
-
\??\c:\684004.exec:\684004.exe117⤵PID:2852
-
\??\c:\fxxlffx.exec:\fxxlffx.exe118⤵PID:3836
-
\??\c:\0882604.exec:\0882604.exe119⤵PID:2696
-
\??\c:\i282626.exec:\i282626.exe120⤵PID:392
-
\??\c:\xxxxrxx.exec:\xxxxrxx.exe121⤵PID:3260
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe122⤵PID:1184