Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 21:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe
Resource
win7-20240903-en (note: every signature and IoC entry below is tagged behavioral2, i.e. the win10v2004-20241007-en run named in the header, not this win7 task)
7 signatures
150 seconds
General
-
Target
324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe
-
Size
456KB
-
MD5
54228cbbc3980dffb6e84088304dcb71
-
SHA1
a685aee5b17f9b104ce5ae05e7ce48e919ae7c0e
-
SHA256
324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7
-
SHA512
dc2180444b8f0bbe729439294a544b26845c40727785c8bf32e03b114396fdaacbc737062dc98230c0b531832cfe8236100f8aff1cfc33a0e31a7314248add77
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family (the family_blackmoon rule and the upx rule below fire on the same 0x0000000000400000-0x000000000042A000 image region of every stage; the MD5/SHA hashes above therefore describe the packed file on disk, and the in-memory dumps are presumably the unpacked image to match signatures against)
-
Detect Blackmoon payload 64 IoCs (the IoC lists on this page are capped at 64 entries and are not exhaustive — the process tree below runs to 122 stages)
resource yara_rule behavioral2/memory/4316-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4252-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3956-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-907-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-1001-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-1504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-1523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3480-1740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (caution: PIDs are reused within the run — 3108 appears twice in this list, for a4606.exe and later bhhtht.exe, and 3028 is reused in the process tree — so correlate entries by process name and parent rather than by PID alone)
pid Process 4444 u648828.exe 4876 htthtn.exe 4588 vvvpp.exe 3152 0822660.exe 3108 a4606.exe 4268 ddvvd.exe 1168 444482.exe 4412 7ddvv.exe 2280 pjvpj.exe 4996 9rlfxxx.exe 1564 628266.exe 4184 rlrrxxf.exe 5044 266066.exe 3028 nnnnhh.exe 4032 s6622.exe 1988 20882.exe 968 26640.exe 4756 bbhbtt.exe 3688 vppdv.exe 1556 64448.exe 392 8426664.exe 4704 882260.exe 4252 xllxxxx.exe 1852 ttnbnb.exe 5092 08006.exe 4384 262020.exe 1420 1nbbtn.exe 812 02604.exe 4724 jpjvj.exe 3060 4608646.exe 1580 flxrfxl.exe 2884 lllxlxl.exe 3192 dvvjp.exe 3056 fxrrxfl.exe 4804 8842086.exe 4524 q22082.exe 2904 vjvjp.exe 2700 4008648.exe 4548 tbbhtn.exe 3332 2862408.exe 1412 2664262.exe 1980 64820.exe 2892 hhhthb.exe 4372 fxxrrrl.exe 1352 xlrfrlx.exe 4196 66844.exe 4272 6026228.exe 1808 vjvvj.exe 4308 68864.exe 2356 i064422.exe 852 004268.exe 2288 ttbnht.exe 4788 w86648.exe 2008 42646.exe 2304 vdppp.exe 1996 ffxrfxl.exe 3108 bhhtht.exe 4352 k00648.exe 4100 9lfrlfr.exe 668 28088.exe 332 jpvdv.exe 1104 lffxrrr.exe 3120 84488.exe 4852 462644.exe -
resource yara_rule behavioral2/memory/4316-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1852-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-320-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4168-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-907-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading the NLS\Language key is also done by plenty of legitimate software, so on its own this is a low-confidence indicator; the "Process not Found" entries below are events whose originating process had apparently already exited by the time the sandbox resolved its PID.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4000864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0822660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 460602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2844088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4442048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2622840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2266004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes only to the child it has just spawned, three events per pair, which looks like ordinary process-creation plumbing rather than injection into an unrelated process — treat as low-confidence on its own; it mainly documents the parent→child chain)
description pid Process procid_target PID 4316 wrote to memory of 4444 4316 324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe 85 PID 4316 wrote to memory of 4444 4316 324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe 85 PID 4316 wrote to memory of 4444 4316 324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe 85 PID 4444 wrote to memory of 4876 4444 u648828.exe 86 PID 4444 wrote to memory of 4876 4444 u648828.exe 86 PID 4444 wrote to memory of 4876 4444 u648828.exe 86 PID 4876 wrote to memory of 4588 4876 htthtn.exe 87 PID 4876 wrote to memory of 4588 4876 htthtn.exe 87 PID 4876 wrote to memory of 4588 4876 htthtn.exe 87 PID 4588 wrote to memory of 3152 4588 vvvpp.exe 88 PID 4588 wrote to memory of 3152 4588 vvvpp.exe 88 PID 4588 wrote to memory of 3152 4588 vvvpp.exe 88 PID 3152 wrote to memory of 3108 3152 0822660.exe 89 PID 3152 wrote to memory of 3108 3152 0822660.exe 89 PID 3152 wrote to memory of 3108 3152 0822660.exe 89 PID 3108 wrote to memory of 4268 3108 a4606.exe 90 PID 3108 wrote to memory of 4268 3108 a4606.exe 90 PID 3108 wrote to memory of 4268 3108 a4606.exe 90 PID 4268 wrote to memory of 1168 4268 ddvvd.exe 91 PID 4268 wrote to memory of 1168 4268 ddvvd.exe 91 PID 4268 wrote to memory of 1168 4268 ddvvd.exe 91 PID 1168 wrote to memory of 4412 1168 444482.exe 92 PID 1168 wrote to memory of 4412 1168 444482.exe 92 PID 1168 wrote to memory of 4412 1168 444482.exe 92 PID 4412 wrote to memory of 2280 4412 7ddvv.exe 93 PID 4412 wrote to memory of 2280 4412 7ddvv.exe 93 PID 4412 wrote to memory of 2280 4412 7ddvv.exe 93 PID 2280 wrote to memory of 4996 2280 pjvpj.exe 94 PID 2280 wrote to memory of 4996 2280 pjvpj.exe 94 PID 2280 wrote to memory of 4996 2280 pjvpj.exe 94 PID 4996 wrote to memory of 1564 4996 9rlfxxx.exe 95 PID 4996 wrote to memory of 1564 4996 9rlfxxx.exe 95 PID 4996 wrote to memory of 1564 4996 9rlfxxx.exe 95 PID 1564 wrote to memory of 4184 1564 628266.exe 96 PID 1564 wrote to memory 
of 4184 1564 628266.exe 96 PID 1564 wrote to memory of 4184 1564 628266.exe 96 PID 4184 wrote to memory of 5044 4184 rlrrxxf.exe 97 PID 4184 wrote to memory of 5044 4184 rlrrxxf.exe 97 PID 4184 wrote to memory of 5044 4184 rlrrxxf.exe 97 PID 5044 wrote to memory of 3028 5044 266066.exe 98 PID 5044 wrote to memory of 3028 5044 266066.exe 98 PID 5044 wrote to memory of 3028 5044 266066.exe 98 PID 3028 wrote to memory of 4032 3028 nnnnhh.exe 99 PID 3028 wrote to memory of 4032 3028 nnnnhh.exe 99 PID 3028 wrote to memory of 4032 3028 nnnnhh.exe 99 PID 4032 wrote to memory of 1988 4032 s6622.exe 100 PID 4032 wrote to memory of 1988 4032 s6622.exe 100 PID 4032 wrote to memory of 1988 4032 s6622.exe 100 PID 1988 wrote to memory of 968 1988 20882.exe 101 PID 1988 wrote to memory of 968 1988 20882.exe 101 PID 1988 wrote to memory of 968 1988 20882.exe 101 PID 968 wrote to memory of 4756 968 26640.exe 102 PID 968 wrote to memory of 4756 968 26640.exe 102 PID 968 wrote to memory of 4756 968 26640.exe 102 PID 4756 wrote to memory of 3688 4756 bbhbtt.exe 103 PID 4756 wrote to memory of 3688 4756 bbhbtt.exe 103 PID 4756 wrote to memory of 3688 4756 bbhbtt.exe 103 PID 3688 wrote to memory of 1556 3688 vppdv.exe 104 PID 3688 wrote to memory of 1556 3688 vppdv.exe 104 PID 3688 wrote to memory of 1556 3688 vppdv.exe 104 PID 1556 wrote to memory of 392 1556 64448.exe 105 PID 1556 wrote to memory of 392 1556 64448.exe 105 PID 1556 wrote to memory of 392 1556 64448.exe 105 PID 392 wrote to memory of 4704 392 8426664.exe 106
Processes (every dropped stage below is written to and executed from the root of the system drive, \??\c:\<name>.exe — a location a non-elevated standard user normally cannot create files in, so the chain as observed relies on the sandbox's "Admin" user; the stage file names look generated and should not be treated as stable IoCs)
-
C:\Users\Admin\AppData\Local\Temp\324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe "C:\Users\Admin\AppData\Local\Temp\324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\u648828.exec:\u648828.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\htthtn.exec:\htthtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\vvvpp.exec:\vvvpp.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\0822660.exec:\0822660.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\a4606.exec:\a4606.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\ddvvd.exec:\ddvvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\444482.exec:\444482.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\7ddvv.exec:\7ddvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\pjvpj.exec:\pjvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\9rlfxxx.exec:\9rlfxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\628266.exec:\628266.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\rlrrxxf.exec:\rlrrxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\266066.exec:\266066.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\nnnnhh.exec:\nnnnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\s6622.exec:\s6622.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\20882.exec:\20882.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\26640.exec:\26640.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\bbhbtt.exec:\bbhbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\vppdv.exec:\vppdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\64448.exec:\64448.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\8426664.exec:\8426664.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\882260.exec:\882260.exe23⤵
- Executes dropped EXE
PID:4704 -
\??\c:\xllxxxx.exec:\xllxxxx.exe24⤵
- Executes dropped EXE
PID:4252 -
\??\c:\ttnbnb.exec:\ttnbnb.exe25⤵
- Executes dropped EXE
PID:1852 -
\??\c:\08006.exec:\08006.exe26⤵
- Executes dropped EXE
PID:5092 -
\??\c:\262020.exec:\262020.exe27⤵
- Executes dropped EXE
PID:4384 -
\??\c:\1nbbtn.exec:\1nbbtn.exe28⤵
- Executes dropped EXE
PID:1420 -
\??\c:\02604.exec:\02604.exe29⤵
- Executes dropped EXE
PID:812 -
\??\c:\jpjvj.exec:\jpjvj.exe30⤵
- Executes dropped EXE
PID:4724 -
\??\c:\4608646.exec:\4608646.exe31⤵
- Executes dropped EXE
PID:3060 -
\??\c:\flxrfxl.exec:\flxrfxl.exe32⤵
- Executes dropped EXE
PID:1580 -
\??\c:\lllxlxl.exec:\lllxlxl.exe33⤵
- Executes dropped EXE
PID:2884 -
\??\c:\dvvjp.exec:\dvvjp.exe34⤵
- Executes dropped EXE
PID:3192 -
\??\c:\fxrrxfl.exec:\fxrrxfl.exe35⤵
- Executes dropped EXE
PID:3056 -
\??\c:\8842086.exec:\8842086.exe36⤵
- Executes dropped EXE
PID:4804 -
\??\c:\q22082.exec:\q22082.exe37⤵
- Executes dropped EXE
PID:4524 -
\??\c:\vjvjp.exec:\vjvjp.exe38⤵
- Executes dropped EXE
PID:2904 -
\??\c:\4008648.exec:\4008648.exe39⤵
- Executes dropped EXE
PID:2700 -
\??\c:\tbbhtn.exec:\tbbhtn.exe40⤵
- Executes dropped EXE
PID:4548 -
\??\c:\2862408.exec:\2862408.exe41⤵
- Executes dropped EXE
PID:3332 -
\??\c:\2664262.exec:\2664262.exe42⤵
- Executes dropped EXE
PID:1412 -
\??\c:\64820.exec:\64820.exe43⤵
- Executes dropped EXE
PID:1980 -
\??\c:\hhhthb.exec:\hhhthb.exe44⤵
- Executes dropped EXE
PID:2892 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe45⤵
- Executes dropped EXE
PID:4372 -
\??\c:\xlrfrlx.exec:\xlrfrlx.exe46⤵
- Executes dropped EXE
PID:1352 -
\??\c:\66844.exec:\66844.exe47⤵
- Executes dropped EXE
PID:4196 -
\??\c:\6026228.exec:\6026228.exe48⤵
- Executes dropped EXE
PID:4272 -
\??\c:\vjvvj.exec:\vjvvj.exe49⤵
- Executes dropped EXE
PID:1808 -
\??\c:\68864.exec:\68864.exe50⤵
- Executes dropped EXE
PID:4308 -
\??\c:\i064422.exec:\i064422.exe51⤵
- Executes dropped EXE
PID:2356 -
\??\c:\004268.exec:\004268.exe52⤵
- Executes dropped EXE
PID:852 -
\??\c:\ttbnht.exec:\ttbnht.exe53⤵
- Executes dropped EXE
PID:2288 -
\??\c:\w86648.exec:\w86648.exe54⤵
- Executes dropped EXE
PID:4788 -
\??\c:\42646.exec:\42646.exe55⤵
- Executes dropped EXE
PID:2008 -
\??\c:\vdppp.exec:\vdppp.exe56⤵
- Executes dropped EXE
PID:2304 -
\??\c:\ffxrfxl.exec:\ffxrfxl.exe57⤵
- Executes dropped EXE
PID:1996 -
\??\c:\bhhtht.exec:\bhhtht.exe58⤵
- Executes dropped EXE
PID:3108 -
\??\c:\k00648.exec:\k00648.exe59⤵
- Executes dropped EXE
PID:4352 -
\??\c:\9lfrlfr.exec:\9lfrlfr.exe60⤵
- Executes dropped EXE
PID:4100 -
\??\c:\28088.exec:\28088.exe61⤵
- Executes dropped EXE
PID:668 -
\??\c:\jpvdv.exec:\jpvdv.exe62⤵
- Executes dropped EXE
PID:332 -
\??\c:\lffxrrr.exec:\lffxrrr.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1104 -
\??\c:\84488.exec:\84488.exe64⤵
- Executes dropped EXE
PID:3120 -
\??\c:\462644.exec:\462644.exe65⤵
- Executes dropped EXE
PID:4852 -
\??\c:\2844488.exec:\2844488.exe66⤵PID:4980
-
\??\c:\hbhhnn.exec:\hbhhnn.exe67⤵PID:988
-
\??\c:\888266.exec:\888266.exe68⤵PID:3956
-
\??\c:\rrlxlfr.exec:\rrlxlfr.exe69⤵PID:3028
-
\??\c:\nhhhbb.exec:\nhhhbb.exe70⤵PID:3500
-
\??\c:\4882660.exec:\4882660.exe71⤵PID:2608
-
\??\c:\xlrlffx.exec:\xlrlffx.exe72⤵PID:3692
-
\??\c:\hbtnnn.exec:\hbtnnn.exe73⤵PID:3612
-
\??\c:\5xxxrrf.exec:\5xxxrrf.exe74⤵PID:4168
-
\??\c:\m6806.exec:\m6806.exe75⤵PID:4452
-
\??\c:\464880.exec:\464880.exe76⤵PID:2532
-
\??\c:\62886.exec:\62886.exe77⤵PID:1164
-
\??\c:\flxrffx.exec:\flxrffx.exe78⤵PID:3892
-
\??\c:\0622600.exec:\0622600.exe79⤵PID:440
-
\??\c:\7rlfrrr.exec:\7rlfrrr.exe80⤵PID:2392
-
\??\c:\844444.exec:\844444.exe81⤵PID:1184
-
\??\c:\828682.exec:\828682.exe82⤵PID:4344
-
\??\c:\nntnbt.exec:\nntnbt.exe83⤵PID:4884
-
\??\c:\vvvpp.exec:\vvvpp.exe84⤵PID:320
-
\??\c:\0400608.exec:\0400608.exe85⤵PID:3724
-
\??\c:\a8866.exec:\a8866.exe86⤵PID:4796
-
\??\c:\pdvpd.exec:\pdvpd.exe87⤵PID:620
-
\??\c:\5bhtbt.exec:\5bhtbt.exe88⤵PID:1420
-
\??\c:\ntbthh.exec:\ntbthh.exe89⤵PID:1124
-
\??\c:\jdpdp.exec:\jdpdp.exe90⤵PID:3304
-
\??\c:\u222064.exec:\u222064.exe91⤵PID:3212
-
\??\c:\40486.exec:\40486.exe92⤵PID:3060
-
\??\c:\s6642.exec:\s6642.exe93⤵PID:1940
-
\??\c:\428642.exec:\428642.exe94⤵PID:4000
-
\??\c:\2844088.exec:\2844088.exe95⤵
- System Location Discovery: System Language Discovery
PID:2592 -
\??\c:\200268.exec:\200268.exe96⤵PID:3628
-
\??\c:\22220.exec:\22220.exe97⤵PID:836
-
\??\c:\rrrlffx.exec:\rrrlffx.exe98⤵PID:4064
-
\??\c:\ddjdd.exec:\ddjdd.exe99⤵PID:3812
-
\??\c:\i822486.exec:\i822486.exe100⤵PID:2324
-
\??\c:\6666666.exec:\6666666.exe101⤵PID:4300
-
\??\c:\pjjdv.exec:\pjjdv.exe102⤵PID:1492
-
\??\c:\7rlfxxr.exec:\7rlfxxr.exe103⤵PID:1720
-
\??\c:\xllxrrl.exec:\xllxrrl.exe104⤵PID:1008
-
\??\c:\2226442.exec:\2226442.exe105⤵PID:1672
-
\??\c:\lrrfxrf.exec:\lrrfxrf.exe106⤵PID:3792
-
\??\c:\6400444.exec:\6400444.exe107⤵PID:2068
-
\??\c:\442266.exec:\442266.exe108⤵PID:5108
-
\??\c:\hhnhhb.exec:\hhnhhb.exe109⤵PID:2644
-
\??\c:\002288.exec:\002288.exe110⤵PID:3480
-
\??\c:\u804084.exec:\u804084.exe111⤵PID:4320
-
\??\c:\s4868.exec:\s4868.exe112⤵PID:816
-
\??\c:\24008.exec:\24008.exe113⤵PID:1260
-
\??\c:\djpjd.exec:\djpjd.exe114⤵PID:1824
-
\??\c:\c060448.exec:\c060448.exe115⤵PID:3660
-
\??\c:\dddpd.exec:\dddpd.exe116⤵PID:3676
-
\??\c:\2044620.exec:\2044620.exe117⤵PID:2424
-
\??\c:\3ffrfxx.exec:\3ffrfxx.exe118⤵PID:3836
-
\??\c:\u226428.exec:\u226428.exe119⤵PID:3632
-
\??\c:\1djjj.exec:\1djjj.exe120⤵PID:1896
-
\??\c:\vddpd.exec:\vddpd.exe121⤵PID:4324
-
\??\c:\6442086.exec:\6442086.exe122⤵PID:2036