Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28/12/2024, 23:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
60cd05bae39bce73265291440f620736b6e7df5ca91ae3d4db510a6339eb94f2.exe
Resource
win7-20240903-en
7 signatures
150 seconds
(Note: the task listed here is behavioral1 on the win7-20240903-en image, but every signature hit and memory dump below is tagged behavioral2 and matches the windows10-2004_x64 / win10v2004-20241007-en platform given at the top of the page. The results shown are therefore the Windows 10 run, not this Windows 7 task.)
General
-
Target
60cd05bae39bce73265291440f620736b6e7df5ca91ae3d4db510a6339eb94f2.exe
-
Size
455KB
-
MD5
592734ff0e2731eec368c5437e304d15
-
SHA1
a5ac422d7ae9900c34d5dabdccd5230a27d96efb
-
SHA256
60cd05bae39bce73265291440f620736b6e7df5ca91ae3d4db510a6339eb94f2
-
SHA512
67286b2c21263a5c85a89fd69a51971ba77964de3303c5567a3ab65a2f217bd3064553225f965fbd59b832dcf70f66aafe714849b82077197cad693acc961d29
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
(Every hit below is the same 0x00400000–0x0042A000 image range, one per dropped process, so each child in the chain is running the same Blackmoon payload image rather than a distinct file. The listing is capped at 64 entries; the process tree further down shows considerably more processes.)
resource yara_rule behavioral2/memory/3024-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4504-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1576-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-902-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-954-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1688-1063-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (listing capped at 64; the process tree below shows well over 100 dropped executables, each with a short, letter-only or digit-only, random-looking name)
pid Process 4828 ttbtbt.exe 208 vjjpd.exe 212 6286008.exe 2680 42604.exe 1356 k84822.exe 3036 fflfxxr.exe 2040 hnhnbt.exe 1968 208222.exe 1840 k68626.exe 2616 xffxrfx.exe 3468 vpjpj.exe 3696 5nbntn.exe 3660 1ffxrxr.exe 1164 64044.exe 3272 8664882.exe 3260 tthhtt.exe 2432 624822.exe 3228 6288660.exe 1800 xllfxrl.exe 368 4244006.exe 4512 400482.exe 3676 40666.exe 4492 c864826.exe 4504 lrrlfxr.exe 4536 k40864.exe 3032 bnthnb.exe 1868 08820.exe 2880 286426.exe 3704 htthbn.exe 4724 pjddd.exe 3936 q60864.exe 1776 k88604.exe 1160 rflxxrx.exe 2548 rfxlxrl.exe 4176 08264.exe 1964 5bthth.exe 2764 lfxlxlx.exe 2044 hhhbtt.exe 2340 fxlxxxx.exe 5008 022826.exe 4144 3bhbhn.exe 2992 8404268.exe 4136 dvdpj.exe 4340 dddvp.exe 3792 bttnbb.exe 3472 tthbhh.exe 1096 thnnhh.exe 2984 lfxrlff.exe 2776 hhnhhh.exe 1028 pvpvj.exe 3480 bbthbt.exe 4428 428844.exe 2160 402600.exe 1336 rrrrffl.exe 3036 88264.exe 3588 s2264.exe 4884 i448260.exe 4192 k42264.exe 1840 6864642.exe 2932 620848.exe 2904 8404822.exe 4064 jjjdv.exe 4500 9ddvd.exe 4636 htntth.exe -
UPX packed file (yara rule upx; same 0x00400000–0x0042A000 image range as the Blackmoon hits above, i.e. the dropped executables are UPX-packed copies of the same payload)
resource yara_rule behavioral2/memory/3024-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1868-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-336-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4512-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-739-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Here this is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by the dropped executables. On its own this is a low-fidelity indicator — legitimate software reads this key routinely — and many entries below show "Process not Found", most likely because the short-lived child had already exited before the sandbox could resolve its PID. Treat it as supporting context for the Blackmoon/UPX hits, not as a standalone detection.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0848266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 626220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6282620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1jjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0664220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
(In the listed entries each write is from a parent into the child it has just spawned — the pid/procid_target pairs match the parent→child chain in the process tree — and each pair is recorded three times. This is consistent with writes performed around process creation rather than injection into an unrelated process; none of the listed targets is a pre-existing system process.)
description pid Process procid_target PID 3024 wrote to memory of 4828 3024 60cd05bae39bce73265291440f620736b6e7df5ca91ae3d4db510a6339eb94f2.exe 85 PID 3024 wrote to memory of 4828 3024 60cd05bae39bce73265291440f620736b6e7df5ca91ae3d4db510a6339eb94f2.exe 85 PID 3024 wrote to memory of 4828 3024 60cd05bae39bce73265291440f620736b6e7df5ca91ae3d4db510a6339eb94f2.exe 85 PID 4828 wrote to memory of 208 4828 ttbtbt.exe 86 PID 4828 wrote to memory of 208 4828 ttbtbt.exe 86 PID 4828 wrote to memory of 208 4828 ttbtbt.exe 86 PID 208 wrote to memory of 212 208 vjjpd.exe 87 PID 208 wrote to memory of 212 208 vjjpd.exe 87 PID 208 wrote to memory of 212 208 vjjpd.exe 87 PID 212 wrote to memory of 2680 212 6286008.exe 88 PID 212 wrote to memory of 2680 212 6286008.exe 88 PID 212 wrote to memory of 2680 212 6286008.exe 88 PID 2680 wrote to memory of 1356 2680 42604.exe 89 PID 2680 wrote to memory of 1356 2680 42604.exe 89 PID 2680 wrote to memory of 1356 2680 42604.exe 89 PID 1356 wrote to memory of 3036 1356 k84822.exe 90 PID 1356 wrote to memory of 3036 1356 k84822.exe 90 PID 1356 wrote to memory of 3036 1356 k84822.exe 90 PID 3036 wrote to memory of 2040 3036 fflfxxr.exe 91 PID 3036 wrote to memory of 2040 3036 fflfxxr.exe 91 PID 3036 wrote to memory of 2040 3036 fflfxxr.exe 91 PID 2040 wrote to memory of 1968 2040 hnhnbt.exe 92 PID 2040 wrote to memory of 1968 2040 hnhnbt.exe 92 PID 2040 wrote to memory of 1968 2040 hnhnbt.exe 92 PID 1968 wrote to memory of 1840 1968 208222.exe 93 PID 1968 wrote to memory of 1840 1968 208222.exe 93 PID 1968 wrote to memory of 1840 1968 208222.exe 93 PID 1840 wrote to memory of 2616 1840 k68626.exe 94 PID 1840 wrote to memory of 2616 1840 k68626.exe 94 PID 1840 wrote to memory of 2616 1840 k68626.exe 94 PID 2616 wrote to memory of 3468 2616 xffxrfx.exe 95 PID 2616 wrote to memory of 3468 2616 xffxrfx.exe 95 PID 2616 wrote to memory of 3468 2616 xffxrfx.exe 95 PID 3468 wrote to memory of 3696 3468 vpjpj.exe 96 PID 3468 wrote to memory of 3696 
3468 vpjpj.exe 96 PID 3468 wrote to memory of 3696 3468 vpjpj.exe 96 PID 3696 wrote to memory of 3660 3696 5nbntn.exe 97 PID 3696 wrote to memory of 3660 3696 5nbntn.exe 97 PID 3696 wrote to memory of 3660 3696 5nbntn.exe 97 PID 3660 wrote to memory of 1164 3660 1ffxrxr.exe 98 PID 3660 wrote to memory of 1164 3660 1ffxrxr.exe 98 PID 3660 wrote to memory of 1164 3660 1ffxrxr.exe 98 PID 1164 wrote to memory of 3272 1164 64044.exe 99 PID 1164 wrote to memory of 3272 1164 64044.exe 99 PID 1164 wrote to memory of 3272 1164 64044.exe 99 PID 3272 wrote to memory of 3260 3272 8664882.exe 100 PID 3272 wrote to memory of 3260 3272 8664882.exe 100 PID 3272 wrote to memory of 3260 3272 8664882.exe 100 PID 3260 wrote to memory of 2432 3260 tthhtt.exe 101 PID 3260 wrote to memory of 2432 3260 tthhtt.exe 101 PID 3260 wrote to memory of 2432 3260 tthhtt.exe 101 PID 2432 wrote to memory of 3228 2432 624822.exe 102 PID 2432 wrote to memory of 3228 2432 624822.exe 102 PID 2432 wrote to memory of 3228 2432 624822.exe 102 PID 3228 wrote to memory of 1800 3228 6288660.exe 103 PID 3228 wrote to memory of 1800 3228 6288660.exe 103 PID 3228 wrote to memory of 1800 3228 6288660.exe 103 PID 1800 wrote to memory of 368 1800 xllfxrl.exe 104 PID 1800 wrote to memory of 368 1800 xllfxrl.exe 104 PID 1800 wrote to memory of 368 1800 xllfxrl.exe 104 PID 368 wrote to memory of 4512 368 4244006.exe 105 PID 368 wrote to memory of 4512 368 4244006.exe 105 PID 368 wrote to memory of 4512 368 4244006.exe 105 PID 4512 wrote to memory of 3676 4512 400482.exe 106
Processes
(Process tree: the sample launches ttbtbt.exe, and each dropped executable in turn launches the next, nesting 122 levels deep within the 150-second run. The \??\c:\ prefix is the NT object-manager form of the path, meaning the files are dropped directly into the root of C:\ — the sample itself runs from C:\Users\Admin\AppData\Local\Temp, i.e. under an Admin account in the sandbox. Short, letter-only or digit-only executable names created at the root of the system drive, each spawning the next, are a practical hunting signature for this family.)
-
C:\Users\Admin\AppData\Local\Temp\60cd05bae39bce73265291440f620736b6e7df5ca91ae3d4db510a6339eb94f2.exe"C:\Users\Admin\AppData\Local\Temp\60cd05bae39bce73265291440f620736b6e7df5ca91ae3d4db510a6339eb94f2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\ttbtbt.exec:\ttbtbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\vjjpd.exec:\vjjpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\6286008.exec:\6286008.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\42604.exec:\42604.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\k84822.exec:\k84822.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\fflfxxr.exec:\fflfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\hnhnbt.exec:\hnhnbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\208222.exec:\208222.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\k68626.exec:\k68626.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\xffxrfx.exec:\xffxrfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\vpjpj.exec:\vpjpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\5nbntn.exec:\5nbntn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\1ffxrxr.exec:\1ffxrxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\64044.exec:\64044.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\8664882.exec:\8664882.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\tthhtt.exec:\tthhtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\624822.exec:\624822.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\6288660.exec:\6288660.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\xllfxrl.exec:\xllfxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\4244006.exec:\4244006.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\400482.exec:\400482.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\40666.exec:\40666.exe23⤵
- Executes dropped EXE
PID:3676 -
\??\c:\c864826.exec:\c864826.exe24⤵
- Executes dropped EXE
PID:4492 -
\??\c:\lrrlfxr.exec:\lrrlfxr.exe25⤵
- Executes dropped EXE
PID:4504 -
\??\c:\k40864.exec:\k40864.exe26⤵
- Executes dropped EXE
PID:4536 -
\??\c:\bnthnb.exec:\bnthnb.exe27⤵
- Executes dropped EXE
PID:3032 -
\??\c:\08820.exec:\08820.exe28⤵
- Executes dropped EXE
PID:1868 -
\??\c:\286426.exec:\286426.exe29⤵
- Executes dropped EXE
PID:2880 -
\??\c:\htthbn.exec:\htthbn.exe30⤵
- Executes dropped EXE
PID:3704 -
\??\c:\pjddd.exec:\pjddd.exe31⤵
- Executes dropped EXE
PID:4724 -
\??\c:\q60864.exec:\q60864.exe32⤵
- Executes dropped EXE
PID:3936 -
\??\c:\k88604.exec:\k88604.exe33⤵
- Executes dropped EXE
PID:1776 -
\??\c:\rflxxrx.exec:\rflxxrx.exe34⤵
- Executes dropped EXE
PID:1160 -
\??\c:\rfxlxrl.exec:\rfxlxrl.exe35⤵
- Executes dropped EXE
PID:2548 -
\??\c:\08264.exec:\08264.exe36⤵
- Executes dropped EXE
PID:4176 -
\??\c:\5bthth.exec:\5bthth.exe37⤵
- Executes dropped EXE
PID:1964 -
\??\c:\lfxlxlx.exec:\lfxlxlx.exe38⤵
- Executes dropped EXE
PID:2764 -
\??\c:\hhhbtt.exec:\hhhbtt.exe39⤵
- Executes dropped EXE
PID:2044 -
\??\c:\fxlxxxx.exec:\fxlxxxx.exe40⤵
- Executes dropped EXE
PID:2340 -
\??\c:\022826.exec:\022826.exe41⤵
- Executes dropped EXE
PID:5008 -
\??\c:\3bhbhn.exec:\3bhbhn.exe42⤵
- Executes dropped EXE
PID:4144 -
\??\c:\8404268.exec:\8404268.exe43⤵
- Executes dropped EXE
PID:2992 -
\??\c:\dvdpj.exec:\dvdpj.exe44⤵
- Executes dropped EXE
PID:4136 -
\??\c:\dddvp.exec:\dddvp.exe45⤵
- Executes dropped EXE
PID:4340 -
\??\c:\bttnbb.exec:\bttnbb.exe46⤵
- Executes dropped EXE
PID:3792 -
\??\c:\tthbhh.exec:\tthbhh.exe47⤵
- Executes dropped EXE
PID:3472 -
\??\c:\thnnhh.exec:\thnnhh.exe48⤵
- Executes dropped EXE
PID:1096 -
\??\c:\lfxrlff.exec:\lfxrlff.exe49⤵
- Executes dropped EXE
PID:2984 -
\??\c:\hhnhhh.exec:\hhnhhh.exe50⤵
- Executes dropped EXE
PID:2776 -
\??\c:\pvpvj.exec:\pvpvj.exe51⤵
- Executes dropped EXE
PID:1028 -
\??\c:\bbthbt.exec:\bbthbt.exe52⤵
- Executes dropped EXE
PID:3480 -
\??\c:\428844.exec:\428844.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4428 -
\??\c:\402600.exec:\402600.exe54⤵
- Executes dropped EXE
PID:2160 -
\??\c:\rrrrffl.exec:\rrrrffl.exe55⤵
- Executes dropped EXE
PID:1336 -
\??\c:\88264.exec:\88264.exe56⤵
- Executes dropped EXE
PID:3036 -
\??\c:\s2264.exec:\s2264.exe57⤵
- Executes dropped EXE
PID:3588 -
\??\c:\i448260.exec:\i448260.exe58⤵
- Executes dropped EXE
PID:4884 -
\??\c:\k42264.exec:\k42264.exe59⤵
- Executes dropped EXE
PID:4192 -
\??\c:\6864642.exec:\6864642.exe60⤵
- Executes dropped EXE
PID:1840 -
\??\c:\620848.exec:\620848.exe61⤵
- Executes dropped EXE
PID:2932 -
\??\c:\8404822.exec:\8404822.exe62⤵
- Executes dropped EXE
PID:2904 -
\??\c:\jjjdv.exec:\jjjdv.exe63⤵
- Executes dropped EXE
PID:4064 -
\??\c:\9ddvd.exec:\9ddvd.exe64⤵
- Executes dropped EXE
PID:4500 -
\??\c:\htntth.exec:\htntth.exe65⤵
- Executes dropped EXE
PID:4636 -
\??\c:\446268.exec:\446268.exe66⤵PID:2452
-
\??\c:\nhbbnn.exec:\nhbbnn.exe67⤵PID:4936
-
\??\c:\q48642.exec:\q48642.exe68⤵PID:4376
-
\??\c:\2264484.exec:\2264484.exe69⤵PID:1576
-
\??\c:\u206600.exec:\u206600.exe70⤵PID:1152
-
\??\c:\8800044.exec:\8800044.exe71⤵PID:3312
-
\??\c:\260448.exec:\260448.exe72⤵PID:1460
-
\??\c:\hbhbbb.exec:\hbhbbb.exe73⤵PID:1844
-
\??\c:\m6884.exec:\m6884.exe74⤵PID:3208
-
\??\c:\rfrlxrf.exec:\rfrlxrf.exe75⤵PID:1408
-
\??\c:\24086.exec:\24086.exe76⤵PID:4008
-
\??\c:\3vpdd.exec:\3vpdd.exe77⤵PID:4512
-
\??\c:\vvdvp.exec:\vvdvp.exe78⤵
- System Location Discovery: System Language Discovery
PID:4424 -
\??\c:\844244.exec:\844244.exe79⤵PID:4916
-
\??\c:\dvddd.exec:\dvddd.exe80⤵PID:4520
-
\??\c:\822600.exec:\822600.exe81⤵PID:2448
-
\??\c:\thbhbt.exec:\thbhbt.exe82⤵PID:4996
-
\??\c:\646482.exec:\646482.exe83⤵PID:3176
-
\??\c:\04048.exec:\04048.exe84⤵PID:800
-
\??\c:\vvjvp.exec:\vvjvp.exe85⤵PID:4384
-
\??\c:\62486.exec:\62486.exe86⤵PID:2924
-
\??\c:\u060860.exec:\u060860.exe87⤵PID:1728
-
\??\c:\4060044.exec:\4060044.exe88⤵PID:3704
-
\??\c:\086006.exec:\086006.exe89⤵PID:1912
-
\??\c:\i664606.exec:\i664606.exe90⤵PID:512
-
\??\c:\626220.exec:\626220.exe91⤵
- System Location Discovery: System Language Discovery
PID:1928 -
\??\c:\jpjdj.exec:\jpjdj.exe92⤵PID:1272
-
\??\c:\8442086.exec:\8442086.exe93⤵PID:4088
-
\??\c:\428626.exec:\428626.exe94⤵PID:3632
-
\??\c:\hbbthh.exec:\hbbthh.exe95⤵PID:5000
-
\??\c:\m2020.exec:\m2020.exe96⤵PID:3268
-
\??\c:\u888660.exec:\u888660.exe97⤵PID:1896
-
\??\c:\e66482.exec:\e66482.exe98⤵PID:4456
-
\??\c:\428260.exec:\428260.exe99⤵PID:4524
-
\??\c:\a4042.exec:\a4042.exe100⤵PID:4432
-
\??\c:\vpvjd.exec:\vpvjd.exe101⤵PID:3520
-
\??\c:\nhtnnn.exec:\nhtnnn.exe102⤵PID:3408
-
\??\c:\028200.exec:\028200.exe103⤵PID:4328
-
\??\c:\3jdpv.exec:\3jdpv.exe104⤵PID:3724
-
\??\c:\42264.exec:\42264.exe105⤵
- System Location Discovery: System Language Discovery
PID:4864 -
\??\c:\4226488.exec:\4226488.exe106⤵PID:2788
-
\??\c:\rfxlfrf.exec:\rfxlfrf.exe107⤵PID:2108
-
\??\c:\42608.exec:\42608.exe108⤵PID:1096
-
\??\c:\66602.exec:\66602.exe109⤵PID:4948
-
\??\c:\08822.exec:\08822.exe110⤵PID:2776
-
\??\c:\nbbtth.exec:\nbbtth.exe111⤵PID:1028
-
\??\c:\5hbnbn.exec:\5hbnbn.exe112⤵PID:1632
-
\??\c:\208088.exec:\208088.exe113⤵PID:4428
-
\??\c:\jddvp.exec:\jddvp.exe114⤵PID:1888
-
\??\c:\0220820.exec:\0220820.exe115⤵PID:4448
-
\??\c:\28000.exec:\28000.exe116⤵PID:3036
-
\??\c:\84480.exec:\84480.exe117⤵PID:4068
-
\??\c:\9bthbn.exec:\9bthbn.exe118⤵PID:4884
-
\??\c:\dvpvj.exec:\dvpvj.exe119⤵PID:1644
-
\??\c:\btbttt.exec:\btbttt.exe120⤵PID:980
-
\??\c:\rffxlxf.exec:\rffxlxf.exe121⤵PID:2932
-
\??\c:\djvpv.exec:\djvpv.exe122⤵PID:5104