Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 04:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe
-
Size
453KB
-
MD5
c5b5de336ea7eef236a9288b6b151c58
-
SHA1
cddfbc4f2a763e854eab6c59a006e5cfa9112f2b
-
SHA256
fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0
-
SHA512
5b5f8fc1d03318b05da3d5d3aefdc320d98a3c880f50c0706c66b404acb0bff96f13e590ea2ee19fd6af50f96dc5a81eec3f75add2e13913eb1667f1cbf8e81e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1112-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3356-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/648-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-830-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-986-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-1084-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-1139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-1143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1112 08084.exe 2260 9thbtt.exe 2512 w40444.exe 5060 thtnnn.exe 1452 jvdvv.exe 4876 480668.exe 3260 o244888.exe 1432 c680628.exe 1196 40066.exe 2016 42808.exe 2372 jvdvj.exe 3268 868860.exe 3328 lxxlfff.exe 3644 7bnnhn.exe 4176 g6888.exe 1032 064064.exe 3356 g6260.exe 4508 jvpjp.exe 2324 600044.exe 3036 dddjj.exe 3216 e40088.exe 1128 jpvpv.exe 4560 vpdvv.exe 3848 8642624.exe 1200 lfrffll.exe 2248 824288.exe 1976 486040.exe 1460 jjpjj.exe 2368 nbnhhh.exe 444 9llfrrl.exe 3272 3nhhbt.exe 3368 nntbtb.exe 4776 frxrllr.exe 4108 xlrxrfx.exe 1444 c248222.exe 5048 0026004.exe 3312 thhbnn.exe 3556 488222.exe 4576 a4266.exe 1180 2848226.exe 1004 64248.exe 3012 2466404.exe 3600 3xxxrrl.exe 3800 xrflfrx.exe 3664 pjjdv.exe 3580 bhtnbb.exe 2624 vpvvv.exe 1724 684488.exe 3248 bntnbb.exe 5044 pjjdp.exe 1420 688886.exe 3964 24048.exe 1988 000488.exe 1792 hhnhhh.exe 1800 1xfrxlf.exe 1252 48688.exe 2704 488062.exe 2460 vvdvj.exe 3144 7llflrx.exe 2332 3fllllf.exe 3008 9nnnhn.exe 2784 0688882.exe 4120 q06004.exe 1504 6804882.exe -
resource yara_rule behavioral2/memory/1112-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-96-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4176-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-361-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1620-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-830-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-870-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-986-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e24884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q82822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8842222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4480264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 1112 2524 fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe 85 PID 2524 wrote to memory of 1112 2524 fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe 85 PID 2524 wrote to memory of 1112 2524 fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe 85 PID 1112 wrote to memory of 2260 1112 08084.exe 86 PID 1112 wrote to memory of 2260 1112 08084.exe 86 PID 1112 wrote to memory of 2260 1112 08084.exe 86 PID 2260 wrote to memory of 2512 2260 9thbtt.exe 87 PID 2260 wrote to memory of 2512 2260 9thbtt.exe 87 PID 2260 wrote to memory of 2512 2260 9thbtt.exe 87 PID 2512 wrote to memory of 5060 2512 w40444.exe 88 PID 2512 wrote to memory of 5060 2512 w40444.exe 88 PID 2512 wrote to memory of 5060 2512 w40444.exe 88 PID 5060 wrote to memory of 1452 5060 thtnnn.exe 89 PID 5060 wrote to memory of 1452 5060 thtnnn.exe 89 PID 5060 wrote to memory of 1452 5060 thtnnn.exe 89 PID 1452 wrote to memory of 4876 1452 jvdvv.exe 90 PID 1452 wrote to memory of 4876 1452 jvdvv.exe 90 PID 1452 wrote to memory of 4876 1452 jvdvv.exe 90 PID 4876 wrote to memory of 3260 4876 480668.exe 91 PID 4876 wrote to memory of 3260 4876 480668.exe 91 PID 4876 wrote to memory of 3260 4876 480668.exe 91 PID 3260 wrote to memory of 1432 3260 o244888.exe 92 PID 3260 wrote to memory of 1432 3260 o244888.exe 92 PID 3260 wrote to memory of 1432 3260 o244888.exe 92 PID 1432 wrote to memory of 1196 1432 c680628.exe 93 PID 1432 wrote to memory of 1196 1432 c680628.exe 93 PID 1432 wrote to memory of 1196 1432 c680628.exe 93 PID 1196 wrote to memory of 2016 1196 40066.exe 94 PID 1196 wrote to memory of 2016 1196 40066.exe 94 PID 1196 wrote to memory of 2016 1196 40066.exe 94 PID 2016 wrote to memory of 2372 2016 42808.exe 95 PID 2016 wrote to memory of 2372 2016 42808.exe 95 PID 2016 wrote to memory of 2372 2016 42808.exe 95 PID 2372 wrote to memory of 3268 2372 jvdvj.exe 96 PID 2372 wrote to memory 
of 3268 2372 jvdvj.exe 96 PID 2372 wrote to memory of 3268 2372 jvdvj.exe 96 PID 3268 wrote to memory of 3328 3268 868860.exe 97 PID 3268 wrote to memory of 3328 3268 868860.exe 97 PID 3268 wrote to memory of 3328 3268 868860.exe 97 PID 3328 wrote to memory of 3644 3328 lxxlfff.exe 98 PID 3328 wrote to memory of 3644 3328 lxxlfff.exe 98 PID 3328 wrote to memory of 3644 3328 lxxlfff.exe 98 PID 3644 wrote to memory of 4176 3644 7bnnhn.exe 99 PID 3644 wrote to memory of 4176 3644 7bnnhn.exe 99 PID 3644 wrote to memory of 4176 3644 7bnnhn.exe 99 PID 4176 wrote to memory of 1032 4176 g6888.exe 100 PID 4176 wrote to memory of 1032 4176 g6888.exe 100 PID 4176 wrote to memory of 1032 4176 g6888.exe 100 PID 1032 wrote to memory of 3356 1032 064064.exe 101 PID 1032 wrote to memory of 3356 1032 064064.exe 101 PID 1032 wrote to memory of 3356 1032 064064.exe 101 PID 3356 wrote to memory of 4508 3356 g6260.exe 102 PID 3356 wrote to memory of 4508 3356 g6260.exe 102 PID 3356 wrote to memory of 4508 3356 g6260.exe 102 PID 4508 wrote to memory of 2324 4508 jvpjp.exe 103 PID 4508 wrote to memory of 2324 4508 jvpjp.exe 103 PID 4508 wrote to memory of 2324 4508 jvpjp.exe 103 PID 2324 wrote to memory of 3036 2324 600044.exe 104 PID 2324 wrote to memory of 3036 2324 600044.exe 104 PID 2324 wrote to memory of 3036 2324 600044.exe 104 PID 3036 wrote to memory of 3216 3036 dddjj.exe 105 PID 3036 wrote to memory of 3216 3036 dddjj.exe 105 PID 3036 wrote to memory of 3216 3036 dddjj.exe 105 PID 3216 wrote to memory of 1128 3216 e40088.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe"C:\Users\Admin\AppData\Local\Temp\fae5a57922f30e51062af129e682d364be707a58001ee81ee57467fe3f2675b0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\08084.exec:\08084.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\9thbtt.exec:\9thbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\w40444.exec:\w40444.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\thtnnn.exec:\thtnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\jvdvv.exec:\jvdvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\480668.exec:\480668.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\o244888.exec:\o244888.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\c680628.exec:\c680628.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\40066.exec:\40066.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\42808.exec:\42808.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\jvdvj.exec:\jvdvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\868860.exec:\868860.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\lxxlfff.exec:\lxxlfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\7bnnhn.exec:\7bnnhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\g6888.exec:\g6888.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\064064.exec:\064064.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\g6260.exec:\g6260.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\jvpjp.exec:\jvpjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\600044.exec:\600044.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\dddjj.exec:\dddjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\e40088.exec:\e40088.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\jpvpv.exec:\jpvpv.exe23⤵
- Executes dropped EXE
PID:1128 -
\??\c:\vpdvv.exec:\vpdvv.exe24⤵
- Executes dropped EXE
PID:4560 -
\??\c:\8642624.exec:\8642624.exe25⤵
- Executes dropped EXE
PID:3848 -
\??\c:\lfrffll.exec:\lfrffll.exe26⤵
- Executes dropped EXE
PID:1200 -
\??\c:\824288.exec:\824288.exe27⤵
- Executes dropped EXE
PID:2248 -
\??\c:\486040.exec:\486040.exe28⤵
- Executes dropped EXE
PID:1976 -
\??\c:\jjpjj.exec:\jjpjj.exe29⤵
- Executes dropped EXE
PID:1460 -
\??\c:\nbnhhh.exec:\nbnhhh.exe30⤵
- Executes dropped EXE
PID:2368 -
\??\c:\9llfrrl.exec:\9llfrrl.exe31⤵
- Executes dropped EXE
PID:444 -
\??\c:\3nhhbt.exec:\3nhhbt.exe32⤵
- Executes dropped EXE
PID:3272 -
\??\c:\nntbtb.exec:\nntbtb.exe33⤵
- Executes dropped EXE
PID:3368 -
\??\c:\frxrllr.exec:\frxrllr.exe34⤵
- Executes dropped EXE
PID:4776 -
\??\c:\xlrxrfx.exec:\xlrxrfx.exe35⤵
- Executes dropped EXE
PID:4108 -
\??\c:\c248222.exec:\c248222.exe36⤵
- Executes dropped EXE
PID:1444 -
\??\c:\0026004.exec:\0026004.exe37⤵
- Executes dropped EXE
PID:5048 -
\??\c:\thhbnn.exec:\thhbnn.exe38⤵
- Executes dropped EXE
PID:3312 -
\??\c:\488222.exec:\488222.exe39⤵
- Executes dropped EXE
PID:3556 -
\??\c:\a4266.exec:\a4266.exe40⤵
- Executes dropped EXE
PID:4576 -
\??\c:\2848226.exec:\2848226.exe41⤵
- Executes dropped EXE
PID:1180 -
\??\c:\64248.exec:\64248.exe42⤵
- Executes dropped EXE
PID:1004 -
\??\c:\2466404.exec:\2466404.exe43⤵
- Executes dropped EXE
PID:3012 -
\??\c:\3xxxrrl.exec:\3xxxrrl.exe44⤵
- Executes dropped EXE
PID:3600 -
\??\c:\xrflfrx.exec:\xrflfrx.exe45⤵
- Executes dropped EXE
PID:3800 -
\??\c:\pjjdv.exec:\pjjdv.exe46⤵
- Executes dropped EXE
PID:3664 -
\??\c:\bhtnbb.exec:\bhtnbb.exe47⤵
- Executes dropped EXE
PID:3580 -
\??\c:\vpvvv.exec:\vpvvv.exe48⤵
- Executes dropped EXE
PID:2624 -
\??\c:\684488.exec:\684488.exe49⤵
- Executes dropped EXE
PID:1724 -
\??\c:\bntnbb.exec:\bntnbb.exe50⤵
- Executes dropped EXE
PID:3248 -
\??\c:\pjjdp.exec:\pjjdp.exe51⤵
- Executes dropped EXE
PID:5044 -
\??\c:\688886.exec:\688886.exe52⤵
- Executes dropped EXE
PID:1420 -
\??\c:\24048.exec:\24048.exe53⤵
- Executes dropped EXE
PID:3964 -
\??\c:\000488.exec:\000488.exe54⤵
- Executes dropped EXE
PID:1988 -
\??\c:\hhnhhh.exec:\hhnhhh.exe55⤵
- Executes dropped EXE
PID:1792 -
\??\c:\1xfrxlf.exec:\1xfrxlf.exe56⤵
- Executes dropped EXE
PID:1800 -
\??\c:\48688.exec:\48688.exe57⤵
- Executes dropped EXE
PID:1252 -
\??\c:\488062.exec:\488062.exe58⤵
- Executes dropped EXE
PID:2704 -
\??\c:\vvdvj.exec:\vvdvj.exe59⤵
- Executes dropped EXE
PID:2460 -
\??\c:\8266682.exec:\8266682.exe60⤵PID:4592
-
\??\c:\7llflrx.exec:\7llflrx.exe61⤵
- Executes dropped EXE
PID:3144 -
\??\c:\3fllllf.exec:\3fllllf.exe62⤵
- Executes dropped EXE
PID:2332 -
\??\c:\9nnnhn.exec:\9nnnhn.exe63⤵
- Executes dropped EXE
PID:3008 -
\??\c:\0688882.exec:\0688882.exe64⤵
- Executes dropped EXE
PID:2784 -
\??\c:\q06004.exec:\q06004.exe65⤵
- Executes dropped EXE
PID:4120 -
\??\c:\6804882.exec:\6804882.exe66⤵
- Executes dropped EXE
PID:1504 -
\??\c:\3jppp.exec:\3jppp.exe67⤵PID:2612
-
\??\c:\00220.exec:\00220.exe68⤵PID:4876
-
\??\c:\884884.exec:\884884.exe69⤵PID:1196
-
\??\c:\jpvvp.exec:\jpvvp.exe70⤵PID:3288
-
\??\c:\xxfrllr.exec:\xxfrllr.exe71⤵PID:1116
-
\??\c:\ttbtnn.exec:\ttbtnn.exe72⤵PID:2016
-
\??\c:\08642.exec:\08642.exe73⤵PID:4552
-
\??\c:\ththnb.exec:\ththnb.exe74⤵PID:4152
-
\??\c:\620626.exec:\620626.exe75⤵PID:1796
-
\??\c:\tnbbhh.exec:\tnbbhh.exe76⤵PID:648
-
\??\c:\hbbnbb.exec:\hbbnbb.exe77⤵PID:2644
-
\??\c:\4404448.exec:\4404448.exe78⤵PID:4768
-
\??\c:\bhnhbb.exec:\bhnhbb.exe79⤵PID:2680
-
\??\c:\pjjdv.exec:\pjjdv.exe80⤵PID:1912
-
\??\c:\04026.exec:\04026.exe81⤵PID:3216
-
\??\c:\q28200.exec:\q28200.exe82⤵PID:2876
-
\??\c:\5xfxrlf.exec:\5xfxrlf.exe83⤵PID:2736
-
\??\c:\lfxrllr.exec:\lfxrllr.exe84⤵PID:4684
-
\??\c:\4886486.exec:\4886486.exe85⤵PID:2796
-
\??\c:\frxflxf.exec:\frxflxf.exe86⤵PID:1976
-
\??\c:\262200.exec:\262200.exe87⤵PID:3544
-
\??\c:\fffrrrl.exec:\fffrrrl.exe88⤵PID:3700
-
\??\c:\c026000.exec:\c026000.exe89⤵PID:1620
-
\??\c:\jvvpj.exec:\jvvpj.exe90⤵PID:3532
-
\??\c:\lxxrllf.exec:\lxxrllf.exe91⤵PID:2652
-
\??\c:\ddpdv.exec:\ddpdv.exe92⤵PID:1120
-
\??\c:\88000.exec:\88000.exe93⤵PID:1844
-
\??\c:\vjvpd.exec:\vjvpd.exe94⤵PID:4964
-
\??\c:\nbhhbh.exec:\nbhhbh.exe95⤵PID:1176
-
\??\c:\86208.exec:\86208.exe96⤵PID:2284
-
\??\c:\btttnb.exec:\btttnb.exe97⤵PID:4464
-
\??\c:\g4666.exec:\g4666.exe98⤵PID:1852
-
\??\c:\m6662.exec:\m6662.exe99⤵PID:1004
-
\??\c:\pjjdp.exec:\pjjdp.exe100⤵PID:2020
-
\??\c:\26444.exec:\26444.exe101⤵PID:1332
-
\??\c:\u460660.exec:\u460660.exe102⤵PID:2256
-
\??\c:\xrlfffx.exec:\xrlfffx.exe103⤵PID:3220
-
\??\c:\22826.exec:\22826.exe104⤵PID:3244
-
\??\c:\5jjpd.exec:\5jjpd.exe105⤵PID:2624
-
\??\c:\ddddv.exec:\ddddv.exe106⤵PID:2304
-
\??\c:\86266.exec:\86266.exe107⤵PID:5040
-
\??\c:\xxrrlll.exec:\xxrrlll.exe108⤵PID:1572
-
\??\c:\5tbbtt.exec:\5tbbtt.exe109⤵PID:2592
-
\??\c:\0444040.exec:\0444040.exe110⤵PID:64
-
\??\c:\9hnnnn.exec:\9hnnnn.exe111⤵PID:3688
-
\??\c:\hnnbnt.exec:\hnnbnt.exe112⤵PID:3956
-
\??\c:\420864.exec:\420864.exe113⤵PID:3820
-
\??\c:\4642604.exec:\4642604.exe114⤵PID:1484
-
\??\c:\s0604.exec:\s0604.exe115⤵PID:2024
-
\??\c:\7ntnhh.exec:\7ntnhh.exe116⤵PID:1792
-
\??\c:\08860.exec:\08860.exe117⤵PID:2604
-
\??\c:\42842.exec:\42842.exe118⤵PID:3620
-
\??\c:\644844.exec:\644844.exe119⤵PID:2228
-
\??\c:\pddvv.exec:\pddvv.exe120⤵PID:4280
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe121⤵PID:4424
-
\??\c:\g2642.exec:\g2642.exe122⤵PID:2852