Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 20:05
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe
-
Size
454KB
-
MD5
46a7f8b252b602740d469013d50f4fea
-
SHA1
6698c429e1ec586083ee9f35a20606aaca5a630c
-
SHA256
1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0
-
SHA512
a93fb4896d86b21545eb048fd42712af0b456925aa1fe8cd158547f80943d4d7825acf41320c43b865c778a2b23cb69247452c7a9f67365539c261187c60930a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3700-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/532-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4900-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-1442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-1545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3544 4822226.exe 3064 24846.exe 1616 pjjdd.exe 1320 bhnhbb.exe 2068 ppjvd.exe 4420 826000.exe 4468 064846.exe 2132 frrlllx.exe 4712 hhhthn.exe 2520 flrlffx.exe 4112 062664.exe 2272 ddjjd.exe 3860 4468806.exe 1132 bthhnh.exe 372 7jjvp.exe 3644 pppjj.exe 3480 jvpjd.exe 2956 3lxrrxx.exe 1896 rrlffrl.exe 1740 2206628.exe 1956 llxrxlf.exe 4900 a4608.exe 4012 9jdpd.exe 4092 htbnhh.exe 916 8686488.exe 3920 dvdvv.exe 1828 bhbtnh.exe 2808 460448.exe 532 84206.exe 1424 e20440.exe 4680 48066.exe 4704 688866.exe 688 422600.exe 2148 3vvvp.exe 232 26806.exe 4052 68482.exe 1172 082203f.exe 1000 fffxxrr.exe 180 42888.exe 2800 jddpp.exe 4444 jdpjv.exe 4432 o282666.exe 3520 40604.exe 3692 w80600.exe 2352 60264.exe 3776 22462.exe 1152 hhhbnh.exe 1468 jvpjv.exe 4636 o442648.exe 4384 nttnbt.exe 1948 6400400.exe 2636 60000.exe 868 3tbbnb.exe 1144 htnhtn.exe 4672 5tnbnh.exe 4712 pddpv.exe 684 lxfrxrl.exe 1012 lrxfxll.exe 4288 k46044.exe 1552 jpvjj.exe 5032 462048.exe 2036 k40644.exe 4352 62448.exe 3532 xllfrrr.exe -
resource yara_rule behavioral2/memory/3700-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4680-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2432-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-759-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c442048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppj.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 822040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4460228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8686046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3700 wrote to memory of 3544 3700 1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe 83 PID 3700 wrote to memory of 3544 3700 1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe 83 PID 3700 wrote to memory of 3544 3700 1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe 83 PID 3544 wrote to memory of 3064 3544 4822226.exe 84 PID 3544 wrote to memory of 3064 3544 4822226.exe 84 PID 3544 wrote to memory of 3064 3544 4822226.exe 84 PID 3064 wrote to memory of 1616 3064 24846.exe 85 PID 3064 wrote to memory of 1616 3064 24846.exe 85 PID 3064 wrote to memory of 1616 3064 24846.exe 85 PID 1616 wrote to memory of 1320 1616 pjjdd.exe 86 PID 1616 wrote to memory of 1320 1616 pjjdd.exe 86 PID 1616 wrote to memory of 1320 1616 pjjdd.exe 86 PID 1320 wrote to memory of 2068 1320 bhnhbb.exe 87 PID 1320 wrote to memory of 2068 1320 bhnhbb.exe 87 PID 1320 wrote to memory of 2068 1320 bhnhbb.exe 87 PID 2068 wrote to memory of 4420 2068 ppjvd.exe 88 PID 2068 wrote to memory of 4420 2068 ppjvd.exe 88 PID 2068 wrote to memory of 4420 2068 ppjvd.exe 88 PID 4420 wrote to memory of 4468 4420 826000.exe 89 PID 4420 wrote to memory of 4468 4420 826000.exe 89 PID 4420 wrote to memory of 4468 4420 826000.exe 89 PID 4468 wrote to memory of 2132 4468 064846.exe 90 PID 4468 wrote to memory of 2132 4468 064846.exe 90 PID 4468 wrote to memory of 2132 4468 064846.exe 90 PID 2132 wrote to memory of 4712 2132 frrlllx.exe 91 PID 2132 wrote to memory of 4712 2132 frrlllx.exe 91 PID 2132 wrote to memory of 4712 2132 frrlllx.exe 91 PID 4712 wrote to memory of 2520 4712 hhhthn.exe 92 PID 4712 wrote to memory of 2520 4712 hhhthn.exe 92 PID 4712 wrote to memory of 2520 4712 hhhthn.exe 92 PID 2520 wrote to memory of 4112 2520 flrlffx.exe 93 PID 2520 wrote to memory of 4112 2520 flrlffx.exe 93 PID 2520 wrote to memory of 4112 2520 flrlffx.exe 93 PID 4112 wrote to memory of 2272 4112 062664.exe 94 PID 4112 wrote to 
memory of 2272 4112 062664.exe 94 PID 4112 wrote to memory of 2272 4112 062664.exe 94 PID 2272 wrote to memory of 3860 2272 ddjjd.exe 95 PID 2272 wrote to memory of 3860 2272 ddjjd.exe 95 PID 2272 wrote to memory of 3860 2272 ddjjd.exe 95 PID 3860 wrote to memory of 1132 3860 4468806.exe 96 PID 3860 wrote to memory of 1132 3860 4468806.exe 96 PID 3860 wrote to memory of 1132 3860 4468806.exe 96 PID 1132 wrote to memory of 372 1132 bthhnh.exe 97 PID 1132 wrote to memory of 372 1132 bthhnh.exe 97 PID 1132 wrote to memory of 372 1132 bthhnh.exe 97 PID 372 wrote to memory of 3644 372 7jjvp.exe 98 PID 372 wrote to memory of 3644 372 7jjvp.exe 98 PID 372 wrote to memory of 3644 372 7jjvp.exe 98 PID 3644 wrote to memory of 3480 3644 pppjj.exe 99 PID 3644 wrote to memory of 3480 3644 pppjj.exe 99 PID 3644 wrote to memory of 3480 3644 pppjj.exe 99 PID 3480 wrote to memory of 2956 3480 jvpjd.exe 100 PID 3480 wrote to memory of 2956 3480 jvpjd.exe 100 PID 3480 wrote to memory of 2956 3480 jvpjd.exe 100 PID 2956 wrote to memory of 1896 2956 3lxrrxx.exe 101 PID 2956 wrote to memory of 1896 2956 3lxrrxx.exe 101 PID 2956 wrote to memory of 1896 2956 3lxrrxx.exe 101 PID 1896 wrote to memory of 1740 1896 rrlffrl.exe 102 PID 1896 wrote to memory of 1740 1896 rrlffrl.exe 102 PID 1896 wrote to memory of 1740 1896 rrlffrl.exe 102 PID 1740 wrote to memory of 1956 1740 2206628.exe 103 PID 1740 wrote to memory of 1956 1740 2206628.exe 103 PID 1740 wrote to memory of 1956 1740 2206628.exe 103 PID 1956 wrote to memory of 4900 1956 llxrxlf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe"C:\Users\Admin\AppData\Local\Temp\1919880747286829fb5451b8a47c2dddf457cd367de8056f7e62a0a04e8f8ce0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\4822226.exec:\4822226.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\24846.exec:\24846.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\pjjdd.exec:\pjjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\bhnhbb.exec:\bhnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\ppjvd.exec:\ppjvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\826000.exec:\826000.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\064846.exec:\064846.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\frrlllx.exec:\frrlllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\hhhthn.exec:\hhhthn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\flrlffx.exec:\flrlffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\062664.exec:\062664.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\ddjjd.exec:\ddjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\4468806.exec:\4468806.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\bthhnh.exec:\bthhnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\7jjvp.exec:\7jjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\pppjj.exec:\pppjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\jvpjd.exec:\jvpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\3lxrrxx.exec:\3lxrrxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\rrlffrl.exec:\rrlffrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\2206628.exec:\2206628.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\llxrxlf.exec:\llxrxlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\a4608.exec:\a4608.exe23⤵
- Executes dropped EXE
PID:4900 -
\??\c:\9jdpd.exec:\9jdpd.exe24⤵
- Executes dropped EXE
PID:4012 -
\??\c:\htbnhh.exec:\htbnhh.exe25⤵
- Executes dropped EXE
PID:4092 -
\??\c:\8686488.exec:\8686488.exe26⤵
- Executes dropped EXE
PID:916 -
\??\c:\dvdvv.exec:\dvdvv.exe27⤵
- Executes dropped EXE
PID:3920 -
\??\c:\bhbtnh.exec:\bhbtnh.exe28⤵
- Executes dropped EXE
PID:1828 -
\??\c:\460448.exec:\460448.exe29⤵
- Executes dropped EXE
PID:2808 -
\??\c:\84206.exec:\84206.exe30⤵
- Executes dropped EXE
PID:532 -
\??\c:\e20440.exec:\e20440.exe31⤵
- Executes dropped EXE
PID:1424 -
\??\c:\48066.exec:\48066.exe32⤵
- Executes dropped EXE
PID:4680 -
\??\c:\688866.exec:\688866.exe33⤵
- Executes dropped EXE
PID:4704 -
\??\c:\422600.exec:\422600.exe34⤵
- Executes dropped EXE
PID:688 -
\??\c:\3vvvp.exec:\3vvvp.exe35⤵
- Executes dropped EXE
PID:2148 -
\??\c:\26806.exec:\26806.exe36⤵
- Executes dropped EXE
PID:232 -
\??\c:\68482.exec:\68482.exe37⤵
- Executes dropped EXE
PID:4052 -
\??\c:\082203f.exec:\082203f.exe38⤵
- Executes dropped EXE
PID:1172 -
\??\c:\fffxxrr.exec:\fffxxrr.exe39⤵
- Executes dropped EXE
PID:1000 -
\??\c:\42888.exec:\42888.exe40⤵
- Executes dropped EXE
PID:180 -
\??\c:\jddpp.exec:\jddpp.exe41⤵
- Executes dropped EXE
PID:2800 -
\??\c:\jdpjv.exec:\jdpjv.exe42⤵
- Executes dropped EXE
PID:4444 -
\??\c:\o282666.exec:\o282666.exe43⤵
- Executes dropped EXE
PID:4432 -
\??\c:\40604.exec:\40604.exe44⤵
- Executes dropped EXE
PID:3520 -
\??\c:\w80600.exec:\w80600.exe45⤵
- Executes dropped EXE
PID:3692 -
\??\c:\60264.exec:\60264.exe46⤵
- Executes dropped EXE
PID:2352 -
\??\c:\22462.exec:\22462.exe47⤵
- Executes dropped EXE
PID:3776 -
\??\c:\hhhbnh.exec:\hhhbnh.exe48⤵
- Executes dropped EXE
PID:1152 -
\??\c:\jvpjv.exec:\jvpjv.exe49⤵
- Executes dropped EXE
PID:1468 -
\??\c:\o442648.exec:\o442648.exe50⤵
- Executes dropped EXE
PID:4636 -
\??\c:\nttnbt.exec:\nttnbt.exe51⤵
- Executes dropped EXE
PID:4384 -
\??\c:\6400400.exec:\6400400.exe52⤵
- Executes dropped EXE
PID:1948 -
\??\c:\60000.exec:\60000.exe53⤵
- Executes dropped EXE
PID:2636 -
\??\c:\3tbbnb.exec:\3tbbnb.exe54⤵
- Executes dropped EXE
PID:868 -
\??\c:\htnhtn.exec:\htnhtn.exe55⤵
- Executes dropped EXE
PID:1144 -
\??\c:\5tnbnh.exec:\5tnbnh.exe56⤵
- Executes dropped EXE
PID:4672 -
\??\c:\pddpv.exec:\pddpv.exe57⤵
- Executes dropped EXE
PID:4712 -
\??\c:\lxfrxrl.exec:\lxfrxrl.exe58⤵
- Executes dropped EXE
PID:684 -
\??\c:\lrxfxll.exec:\lrxfxll.exe59⤵
- Executes dropped EXE
PID:1012 -
\??\c:\k46044.exec:\k46044.exe60⤵
- Executes dropped EXE
PID:4288 -
\??\c:\jpvjj.exec:\jpvjj.exe61⤵
- Executes dropped EXE
PID:1552 -
\??\c:\462048.exec:\462048.exe62⤵
- Executes dropped EXE
PID:5032 -
\??\c:\k40644.exec:\k40644.exe63⤵
- Executes dropped EXE
PID:2036 -
\??\c:\62448.exec:\62448.exe64⤵
- Executes dropped EXE
PID:4352 -
\??\c:\xllfrrr.exec:\xllfrrr.exe65⤵
- Executes dropped EXE
PID:3532 -
\??\c:\08442.exec:\08442.exe66⤵PID:1700
-
\??\c:\q84826.exec:\q84826.exe67⤵PID:3444
-
\??\c:\dpdvv.exec:\dpdvv.exe68⤵PID:60
-
\??\c:\k06060.exec:\k06060.exe69⤵PID:220
-
\??\c:\68242.exec:\68242.exe70⤵PID:1896
-
\??\c:\o068206.exec:\o068206.exe71⤵PID:4784
-
\??\c:\hbbnbt.exec:\hbbnbt.exe72⤵PID:1740
-
\??\c:\o608642.exec:\o608642.exe73⤵PID:2308
-
\??\c:\8622222.exec:\8622222.exe74⤵PID:4900
-
\??\c:\1pvjd.exec:\1pvjd.exe75⤵PID:3804
-
\??\c:\8486042.exec:\8486042.exe76⤵PID:2848
-
\??\c:\44864.exec:\44864.exe77⤵PID:2524
-
\??\c:\rxxlrlx.exec:\rxxlrlx.exe78⤵PID:1736
-
\??\c:\vvvjv.exec:\vvvjv.exe79⤵PID:2088
-
\??\c:\9llxxxl.exec:\9llxxxl.exe80⤵PID:3904
-
\??\c:\048604.exec:\048604.exe81⤵PID:3144
-
\??\c:\0068604.exec:\0068604.exe82⤵PID:3268
-
\??\c:\vpvpj.exec:\vpvpj.exe83⤵PID:2804
-
\??\c:\2060404.exec:\2060404.exe84⤵PID:532
-
\??\c:\xxlfllr.exec:\xxlfllr.exe85⤵PID:776
-
\??\c:\c686084.exec:\c686084.exe86⤵PID:2432
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe87⤵PID:3528
-
\??\c:\624280.exec:\624280.exe88⤵PID:5088
-
\??\c:\jppdj.exec:\jppdj.exe89⤵PID:4612
-
\??\c:\m8242.exec:\m8242.exe90⤵PID:2136
-
\??\c:\rllfxxx.exec:\rllfxxx.exe91⤵PID:1696
-
\??\c:\ppjvj.exec:\ppjvj.exe92⤵PID:3780
-
\??\c:\s2226.exec:\s2226.exe93⤵PID:2300
-
\??\c:\0008642.exec:\0008642.exe94⤵PID:2108
-
\??\c:\08826.exec:\08826.exe95⤵PID:4072
-
\??\c:\62868.exec:\62868.exe96⤵PID:4452
-
\??\c:\llrflfx.exec:\llrflfx.exe97⤵PID:4992
-
\??\c:\68264.exec:\68264.exe98⤵PID:2360
-
\??\c:\pdjdp.exec:\pdjdp.exe99⤵PID:2472
-
\??\c:\rlrlfrl.exec:\rlrlfrl.exe100⤵PID:4356
-
\??\c:\5jpdv.exec:\5jpdv.exe101⤵PID:2364
-
\??\c:\2664264.exec:\2664264.exe102⤵PID:1616
-
\??\c:\48260.exec:\48260.exe103⤵PID:4936
-
\??\c:\82220.exec:\82220.exe104⤵PID:1260
-
\??\c:\9bttnn.exec:\9bttnn.exe105⤵PID:1396
-
\??\c:\488204.exec:\488204.exe106⤵PID:2076
-
\??\c:\llxrrrl.exec:\llxrrrl.exe107⤵PID:3228
-
\??\c:\0486486.exec:\0486486.exe108⤵PID:2040
-
\??\c:\dpdpj.exec:\dpdpj.exe109⤵PID:5016
-
\??\c:\5vjdj.exec:\5vjdj.exe110⤵PID:1344
-
\??\c:\64448.exec:\64448.exe111⤵PID:3016
-
\??\c:\pjdpj.exec:\pjdpj.exe112⤵PID:1144
-
\??\c:\9nthhb.exec:\9nthhb.exe113⤵PID:1556
-
\??\c:\262648.exec:\262648.exe114⤵PID:1972
-
\??\c:\pppdv.exec:\pppdv.exe115⤵PID:4700
-
\??\c:\e00860.exec:\e00860.exe116⤵PID:3404
-
\??\c:\4828822.exec:\4828822.exe117⤵PID:4812
-
\??\c:\206426.exec:\206426.exe118⤵PID:3768
-
\??\c:\206080.exec:\206080.exe119⤵PID:3860
-
\??\c:\22220.exec:\22220.exe120⤵PID:3464
-
\??\c:\lfxlffx.exec:\lfxlffx.exe121⤵PID:3748
-
\??\c:\6004862.exec:\6004862.exe122⤵PID:1148