Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe
-
Size
454KB
-
MD5
9ab324654d4c20eac2f711c6d1e4e9d0
-
SHA1
aa360fb8209c23e3cd76db608dae2f5b5ede1351
-
SHA256
a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4
-
SHA512
de4105a61f10020bd21b4bb855869c5b31d75cab9ffc2cda4a94edd2e90099c579ea7d7b7126fbf417e4620a004e694d7d93f1d6cfb6e359046d96c7f179960c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1588-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3040-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5032-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-979-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-1423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1224 tbhbbt.exe 3304 vvpjv.exe 4288 64448.exe 4876 hnbtnh.exe 4264 dppdv.exe 2432 rrfxlff.exe 4964 jdpjd.exe 3980 7fxrfxr.exe 4692 4282600.exe 3736 268288.exe 3840 i408822.exe 3524 1hhhbh.exe 4584 00608.exe 1732 jvpdp.exe 548 66264.exe 4780 bhhttb.exe 4652 vpjdv.exe 2928 rrrrrrl.exe 512 1tnhbb.exe 4856 240444.exe 1956 4844880.exe 1484 7ttnnn.exe 2652 thnhth.exe 468 lxlxfxl.exe 5096 4844480.exe 4816 bhhtnt.exe 972 62264.exe 1372 xlrlxlf.exe 3576 m2060.exe 900 k44204.exe 4680 fffrlfx.exe 2560 q06482.exe 2596 dvpvd.exe 2916 002260.exe 2716 3pddp.exe 2992 646460.exe 4788 hbbtnh.exe 800 tbbthb.exe 5064 a2826.exe 1500 02488.exe 2280 bnhhhh.exe 1548 08600.exe 4648 0626004.exe 3824 q06048.exe 4376 xrffxxx.exe 1660 62220.exe 4944 06042.exe 2980 bnbbtb.exe 636 rflrxlr.exe 4356 6686082.exe 1384 402600.exe 3920 8448228.exe 3304 vvddj.exe 1592 8246022.exe 1332 028226.exe 2968 bhhtht.exe 4180 3ntnnn.exe 5036 vpdvj.exe 1528 fxxlxrl.exe 664 nbbttt.exe 1844 0406066.exe 4224 w44264.exe 4692 vdjjd.exe 1020 3hhtnh.exe -
resource yara_rule behavioral2/memory/1588-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-273-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4180-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-296-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3824-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-40-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8246022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6400448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6806042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 066004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 226088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6060882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c008260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i008086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e28260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22264.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1588 wrote to memory of 1224 1588 a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe 83 PID 1588 wrote to memory of 1224 1588 a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe 83 PID 1588 wrote to memory of 1224 1588 a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe 83 PID 1224 wrote to memory of 3304 1224 tbhbbt.exe 196 PID 1224 wrote to memory of 3304 1224 tbhbbt.exe 196 PID 1224 wrote to memory of 3304 1224 tbhbbt.exe 196 PID 3304 wrote to memory of 4288 3304 vvpjv.exe 195 PID 3304 wrote to memory of 4288 3304 vvpjv.exe 195 PID 3304 wrote to memory of 4288 3304 vvpjv.exe 195 PID 4288 wrote to memory of 4876 4288 64448.exe 86 PID 4288 wrote to memory of 4876 4288 64448.exe 86 PID 4288 wrote to memory of 4876 4288 64448.exe 86 PID 4876 wrote to memory of 4264 4876 hnbtnh.exe 87 PID 4876 wrote to memory of 4264 4876 hnbtnh.exe 87 PID 4876 wrote to memory of 4264 4876 hnbtnh.exe 87 PID 4264 wrote to memory of 2432 4264 dppdv.exe 88 PID 4264 wrote to memory of 2432 4264 dppdv.exe 88 PID 4264 wrote to memory of 2432 4264 dppdv.exe 88 PID 2432 wrote to memory of 4964 2432 rrfxlff.exe 203 PID 2432 wrote to memory of 4964 2432 rrfxlff.exe 203 PID 2432 wrote to memory of 4964 2432 rrfxlff.exe 203 PID 4964 wrote to memory of 3980 4964 jdpjd.exe 90 PID 4964 wrote to memory of 3980 4964 jdpjd.exe 90 PID 4964 wrote to memory of 3980 4964 jdpjd.exe 90 PID 3980 wrote to memory of 4692 3980 7fxrfxr.exe 91 PID 3980 wrote to memory of 4692 3980 7fxrfxr.exe 91 PID 3980 wrote to memory of 4692 3980 7fxrfxr.exe 91 PID 4692 wrote to memory of 3736 4692 4282600.exe 297 PID 4692 wrote to memory of 3736 4692 4282600.exe 297 PID 4692 wrote to memory of 3736 4692 4282600.exe 297 PID 3736 wrote to memory of 3840 3736 268288.exe 93 PID 3736 wrote to memory of 3840 3736 268288.exe 93 PID 3736 wrote to memory of 3840 3736 268288.exe 93 PID 3840 wrote to memory of 3524 3840 i408822.exe 277 PID 
3840 wrote to memory of 3524 3840 i408822.exe 277 PID 3840 wrote to memory of 3524 3840 i408822.exe 277 PID 3524 wrote to memory of 4584 3524 1hhhbh.exe 95 PID 3524 wrote to memory of 4584 3524 1hhhbh.exe 95 PID 3524 wrote to memory of 4584 3524 1hhhbh.exe 95 PID 4584 wrote to memory of 1732 4584 00608.exe 96 PID 4584 wrote to memory of 1732 4584 00608.exe 96 PID 4584 wrote to memory of 1732 4584 00608.exe 96 PID 1732 wrote to memory of 548 1732 jvpdp.exe 97 PID 1732 wrote to memory of 548 1732 jvpdp.exe 97 PID 1732 wrote to memory of 548 1732 jvpdp.exe 97 PID 548 wrote to memory of 4780 548 66264.exe 98 PID 548 wrote to memory of 4780 548 66264.exe 98 PID 548 wrote to memory of 4780 548 66264.exe 98 PID 4780 wrote to memory of 4652 4780 bhhttb.exe 99 PID 4780 wrote to memory of 4652 4780 bhhttb.exe 99 PID 4780 wrote to memory of 4652 4780 bhhttb.exe 99 PID 4652 wrote to memory of 2928 4652 vpjdv.exe 100 PID 4652 wrote to memory of 2928 4652 vpjdv.exe 100 PID 4652 wrote to memory of 2928 4652 vpjdv.exe 100 PID 2928 wrote to memory of 512 2928 rrrrrrl.exe 101 PID 2928 wrote to memory of 512 2928 rrrrrrl.exe 101 PID 2928 wrote to memory of 512 2928 rrrrrrl.exe 101 PID 512 wrote to memory of 4856 512 1tnhbb.exe 102 PID 512 wrote to memory of 4856 512 1tnhbb.exe 102 PID 512 wrote to memory of 4856 512 1tnhbb.exe 102 PID 4856 wrote to memory of 1956 4856 240444.exe 103 PID 4856 wrote to memory of 1956 4856 240444.exe 103 PID 4856 wrote to memory of 1956 4856 240444.exe 103 PID 1956 wrote to memory of 1484 1956 4844880.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe"C:\Users\Admin\AppData\Local\Temp\a609ebdd2ec5b8d784ec06af148371889014d19be6e75334cb06bbfa311c89a4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\tbhbbt.exec:\tbhbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\vvpjv.exec:\vvpjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\64448.exec:\64448.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\hnbtnh.exec:\hnbtnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\dppdv.exec:\dppdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\rrfxlff.exec:\rrfxlff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\jdpjd.exec:\jdpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\7fxrfxr.exec:\7fxrfxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\4282600.exec:\4282600.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\268288.exec:\268288.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\i408822.exec:\i408822.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\1hhhbh.exec:\1hhhbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\00608.exec:\00608.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\jvpdp.exec:\jvpdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\66264.exec:\66264.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\bhhttb.exec:\bhhttb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\vpjdv.exec:\vpjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\rrrrrrl.exec:\rrrrrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\1tnhbb.exec:\1tnhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\240444.exec:\240444.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\4844880.exec:\4844880.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\7ttnnn.exec:\7ttnnn.exe23⤵
- Executes dropped EXE
PID:1484 -
\??\c:\thnhth.exec:\thnhth.exe24⤵
- Executes dropped EXE
PID:2652 -
\??\c:\lxlxfxl.exec:\lxlxfxl.exe25⤵
- Executes dropped EXE
PID:468 -
\??\c:\4844480.exec:\4844480.exe26⤵
- Executes dropped EXE
PID:5096 -
\??\c:\bhhtnt.exec:\bhhtnt.exe27⤵
- Executes dropped EXE
PID:4816 -
\??\c:\62264.exec:\62264.exe28⤵
- Executes dropped EXE
PID:972 -
\??\c:\xlrlxlf.exec:\xlrlxlf.exe29⤵
- Executes dropped EXE
PID:1372 -
\??\c:\m2060.exec:\m2060.exe30⤵
- Executes dropped EXE
PID:3576 -
\??\c:\k44204.exec:\k44204.exe31⤵
- Executes dropped EXE
PID:900 -
\??\c:\fffrlfx.exec:\fffrlfx.exe32⤵
- Executes dropped EXE
PID:4680 -
\??\c:\q06482.exec:\q06482.exe33⤵
- Executes dropped EXE
PID:2560 -
\??\c:\dvpvd.exec:\dvpvd.exe34⤵
- Executes dropped EXE
PID:2596 -
\??\c:\002260.exec:\002260.exe35⤵
- Executes dropped EXE
PID:2916 -
\??\c:\3pddp.exec:\3pddp.exe36⤵
- Executes dropped EXE
PID:2716 -
\??\c:\646460.exec:\646460.exe37⤵
- Executes dropped EXE
PID:2992 -
\??\c:\hbbtnh.exec:\hbbtnh.exe38⤵
- Executes dropped EXE
PID:4788 -
\??\c:\tbbthb.exec:\tbbthb.exe39⤵
- Executes dropped EXE
PID:800 -
\??\c:\a2826.exec:\a2826.exe40⤵
- Executes dropped EXE
PID:5064 -
\??\c:\02488.exec:\02488.exe41⤵
- Executes dropped EXE
PID:1500 -
\??\c:\bnhhhh.exec:\bnhhhh.exe42⤵
- Executes dropped EXE
PID:2280 -
\??\c:\08600.exec:\08600.exe43⤵
- Executes dropped EXE
PID:1548 -
\??\c:\0626004.exec:\0626004.exe44⤵
- Executes dropped EXE
PID:4648 -
\??\c:\q06048.exec:\q06048.exe45⤵
- Executes dropped EXE
PID:3824 -
\??\c:\xrffxxx.exec:\xrffxxx.exe46⤵
- Executes dropped EXE
PID:4376 -
\??\c:\62220.exec:\62220.exe47⤵
- Executes dropped EXE
PID:1660 -
\??\c:\06042.exec:\06042.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4944 -
\??\c:\bnbbtb.exec:\bnbbtb.exe49⤵
- Executes dropped EXE
PID:2980 -
\??\c:\rflrxlr.exec:\rflrxlr.exe50⤵
- Executes dropped EXE
PID:636 -
\??\c:\6686082.exec:\6686082.exe51⤵
- Executes dropped EXE
PID:4356 -
\??\c:\402600.exec:\402600.exe52⤵
- Executes dropped EXE
PID:1384 -
\??\c:\8448228.exec:\8448228.exe53⤵
- Executes dropped EXE
PID:3920 -
\??\c:\vvddj.exec:\vvddj.exe54⤵
- Executes dropped EXE
PID:3304 -
\??\c:\8246022.exec:\8246022.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1592 -
\??\c:\028226.exec:\028226.exe56⤵
- Executes dropped EXE
PID:1332 -
\??\c:\bhhtht.exec:\bhhtht.exe57⤵
- Executes dropped EXE
PID:2968 -
\??\c:\3ntnnn.exec:\3ntnnn.exe58⤵
- Executes dropped EXE
PID:4180 -
\??\c:\vpdvj.exec:\vpdvj.exe59⤵
- Executes dropped EXE
PID:5036 -
\??\c:\fxxlxrl.exec:\fxxlxrl.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
\??\c:\nbbttt.exec:\nbbttt.exe61⤵
- Executes dropped EXE
PID:664 -
\??\c:\0406066.exec:\0406066.exe62⤵
- Executes dropped EXE
PID:1844 -
\??\c:\w44264.exec:\w44264.exe63⤵
- Executes dropped EXE
PID:4224 -
\??\c:\vdjjd.exec:\vdjjd.exe64⤵
- Executes dropped EXE
PID:4692 -
\??\c:\3hhtnh.exec:\3hhtnh.exe65⤵
- Executes dropped EXE
PID:1020 -
\??\c:\2282048.exec:\2282048.exe66⤵PID:3040
-
\??\c:\pddvp.exec:\pddvp.exe67⤵PID:2740
-
\??\c:\nbbbtn.exec:\nbbbtn.exe68⤵PID:4956
-
\??\c:\btthbt.exec:\btthbt.exe69⤵PID:4952
-
\??\c:\484860.exec:\484860.exe70⤵PID:5032
-
\??\c:\04086.exec:\04086.exe71⤵PID:4852
-
\??\c:\jvjjp.exec:\jvjjp.exe72⤵PID:4496
-
\??\c:\lxxlxlf.exec:\lxxlxlf.exe73⤵
- System Location Discovery: System Language Discovery
PID:4124 -
\??\c:\fflxrfx.exec:\fflxrfx.exe74⤵PID:1216
-
\??\c:\llrfxrf.exec:\llrfxrf.exe75⤵PID:3984
-
\??\c:\606064.exec:\606064.exe76⤵PID:1148
-
\??\c:\7bthtn.exec:\7bthtn.exe77⤵PID:1552
-
\??\c:\066042.exec:\066042.exe78⤵PID:2652
-
\??\c:\64822.exec:\64822.exe79⤵PID:4292
-
\??\c:\4802660.exec:\4802660.exe80⤵PID:3716
-
\??\c:\i804260.exec:\i804260.exe81⤵PID:2256
-
\??\c:\hntnnn.exec:\hntnnn.exe82⤵PID:3968
-
\??\c:\28884.exec:\28884.exe83⤵PID:2168
-
\??\c:\3pjvp.exec:\3pjvp.exe84⤵PID:2852
-
\??\c:\4442088.exec:\4442088.exe85⤵PID:3592
-
\??\c:\vjjdp.exec:\vjjdp.exe86⤵PID:2272
-
\??\c:\1nttnn.exec:\1nttnn.exe87⤵PID:900
-
\??\c:\62822.exec:\62822.exe88⤵PID:4552
-
\??\c:\5ntnhn.exec:\5ntnhn.exe89⤵PID:1040
-
\??\c:\frlxlfx.exec:\frlxlfx.exe90⤵PID:4440
-
\??\c:\jvdvv.exec:\jvdvv.exe91⤵PID:3124
-
\??\c:\9pjdv.exec:\9pjdv.exe92⤵PID:2812
-
\??\c:\3rxlffx.exec:\3rxlffx.exe93⤵PID:4860
-
\??\c:\m6642.exec:\m6642.exe94⤵PID:4588
-
\??\c:\a0648.exec:\a0648.exe95⤵PID:4512
-
\??\c:\lfflxrf.exec:\lfflxrf.exe96⤵PID:3368
-
\??\c:\6282826.exec:\6282826.exe97⤵PID:4796
-
\??\c:\40004.exec:\40004.exe98⤵PID:2024
-
\??\c:\480426.exec:\480426.exe99⤵PID:3112
-
\??\c:\46080.exec:\46080.exe100⤵PID:3596
-
\??\c:\ddvpd.exec:\ddvpd.exe101⤵PID:3048
-
\??\c:\djpvj.exec:\djpvj.exe102⤵PID:4648
-
\??\c:\02642.exec:\02642.exe103⤵PID:1412
-
\??\c:\xllxxlr.exec:\xllxxlr.exe104⤵PID:1368
-
\??\c:\lxlxlrf.exec:\lxlxlrf.exe105⤵PID:1660
-
\??\c:\28864.exec:\28864.exe106⤵PID:4556
-
\??\c:\fllxlfr.exec:\fllxlfr.exe107⤵PID:3668
-
\??\c:\lrlfffx.exec:\lrlfffx.exe108⤵PID:804
-
\??\c:\i060448.exec:\i060448.exe109⤵PID:1316
-
\??\c:\0600666.exec:\0600666.exe110⤵PID:4356
-
\??\c:\o620220.exec:\o620220.exe111⤵PID:116
-
\??\c:\6480444.exec:\6480444.exe112⤵PID:1648
-
\??\c:\thbtht.exec:\thbtht.exe113⤵PID:4288
-
\??\c:\666042.exec:\666042.exe114⤵PID:3304
-
\??\c:\4022004.exec:\4022004.exe115⤵PID:640
-
\??\c:\7ttnhn.exec:\7ttnhn.exe116⤵PID:4760
-
\??\c:\4888822.exec:\4888822.exe117⤵PID:2968
-
\??\c:\hhnhtn.exec:\hhnhtn.exe118⤵PID:4392
-
\??\c:\08484.exec:\08484.exe119⤵PID:4908
-
\??\c:\m6860.exec:\m6860.exe120⤵PID:556
-
\??\c:\rflfllr.exec:\rflfllr.exe121⤵PID:4964
-
\??\c:\08220.exec:\08220.exe122⤵PID:3980