Analysis
-
max time kernel
120s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
20/01/2025, 09:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ce42c846d966d33b378fbe3bbbfc0cd13d81a9f81dd795f7571b251ae4d8309d.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
ce42c846d966d33b378fbe3bbbfc0cd13d81a9f81dd795f7571b251ae4d8309d.exe
-
Size
455KB
-
MD5
c160fc9558e6f046a55c288c66c8430c
-
SHA1
6f5e76da930beb6956be5ea7311f4ee08a8225b9
-
SHA256
ce42c846d966d33b378fbe3bbbfc0cd13d81a9f81dd795f7571b251ae4d8309d
-
SHA512
80d7605653b91eaf52d10144e24c42cd2e9e29bfe4a0815ec40e445b7398b24f3ea7d5d86fc8f4b698a8197175994455b0129a00b6cba25825a28e65e9865b52
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4R:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures (note: every IoC listed below is tagged behavioral2, i.e. the win10v2004-20241007-en run described under Analysis; the behavioral1 task summarised above ran on win7-20240903-en and reports 7 signatures, but its IoCs are not reproduced on this page. Each signature section is capped at "64 IoCs", so the counts below are a display limit, not the total number of events observed.)
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4712-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1196-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2760-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-934-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-1040-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2820-1833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4712 84044.exe 3984 tnbhbt.exe 532 jppjp.exe 4700 jjddv.exe 2720 424646.exe 1420 k04806.exe 4476 226882.exe 2296 htbttn.exe 2816 c842600.exe 3148 bhnhbn.exe 1592 rrffrxr.exe 3592 4882668.exe 1668 pjjdd.exe 4500 hbbhhh.exe 2088 rffrlrl.exe 3076 jjdvv.exe 4420 024488.exe 2872 dddvv.exe 1064 xrlrxxx.exe 876 040820.exe 2952 42468.exe 3640 0440668.exe 1068 824448.exe 812 lrxrllf.exe 2760 vpppj.exe 3064 6004444.exe 1352 844482.exe 1908 0468288.exe 2332 64826.exe 3328 06264.exe 2988 bbhnhb.exe 2748 dvjdd.exe 3656 m8826.exe 2680 66822.exe 4544 8448822.exe 4808 4066060.exe 4788 4000448.exe 64 8662446.exe 464 4060444.exe 2616 6440600.exe 2452 ffllrll.exe 4036 22424.exe 1604 204644.exe 1692 btbtnn.exe 1528 4666044.exe 3432 k20860.exe 1912 2800442.exe 1184 nhntbh.exe 2480 820606.exe 4004 0466442.exe 4304 644822.exe 3964 hntnhh.exe 4356 bbhtbb.exe 2672 266004.exe 980 42604.exe 1196 08422.exe 3300 jppvv.exe 3828 00048.exe 1176 djvpv.exe 1152 0444060.exe 552 xffxrlf.exe 1556 jpjdv.exe 2160 7nbtnt.exe 3952 rrllfff.exe -
resource yara_rule behavioral2/memory/4712-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-274-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3828-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-110-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3312-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-788-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the HKLM\SYSTEM\ControlSet001\Control\NLS\Language registry key) in order to infer the geographical location of that host. Entries attributed to "Process not Found" are registry opens whose originating process the sandbox could not resolve at reporting time, most likely because that short-lived dropped executable had already exited.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0842662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u060488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e40042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k82082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2866040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
206000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (caveat: PIDs are reused within this run — for example PID 4420 appears in the process tree both as 024488.exe and later as 6804800.exe, and 4808, 2452, 4004, 2672, 980 and 1196 recur likewise — so correlate events on PID together with image name and parent rather than on PID alone; the procid_target of 157 for the 3076 → 4420 write, which breaks the otherwise sequential numbering, is likely an artefact of that reuse)
description pid Process procid_target PID 4016 wrote to memory of 4712 4016 ce42c846d966d33b378fbe3bbbfc0cd13d81a9f81dd795f7571b251ae4d8309d.exe 83 PID 4016 wrote to memory of 4712 4016 ce42c846d966d33b378fbe3bbbfc0cd13d81a9f81dd795f7571b251ae4d8309d.exe 83 PID 4016 wrote to memory of 4712 4016 ce42c846d966d33b378fbe3bbbfc0cd13d81a9f81dd795f7571b251ae4d8309d.exe 83 PID 4712 wrote to memory of 3984 4712 84044.exe 84 PID 4712 wrote to memory of 3984 4712 84044.exe 84 PID 4712 wrote to memory of 3984 4712 84044.exe 84 PID 3984 wrote to memory of 532 3984 tnbhbt.exe 85 PID 3984 wrote to memory of 532 3984 tnbhbt.exe 85 PID 3984 wrote to memory of 532 3984 tnbhbt.exe 85 PID 532 wrote to memory of 4700 532 jppjp.exe 86 PID 532 wrote to memory of 4700 532 jppjp.exe 86 PID 532 wrote to memory of 4700 532 jppjp.exe 86 PID 4700 wrote to memory of 2720 4700 jjddv.exe 87 PID 4700 wrote to memory of 2720 4700 jjddv.exe 87 PID 4700 wrote to memory of 2720 4700 jjddv.exe 87 PID 2720 wrote to memory of 1420 2720 424646.exe 88 PID 2720 wrote to memory of 1420 2720 424646.exe 88 PID 2720 wrote to memory of 1420 2720 424646.exe 88 PID 1420 wrote to memory of 4476 1420 k04806.exe 89 PID 1420 wrote to memory of 4476 1420 k04806.exe 89 PID 1420 wrote to memory of 4476 1420 k04806.exe 89 PID 4476 wrote to memory of 2296 4476 226882.exe 90 PID 4476 wrote to memory of 2296 4476 226882.exe 90 PID 4476 wrote to memory of 2296 4476 226882.exe 90 PID 2296 wrote to memory of 2816 2296 htbttn.exe 91 PID 2296 wrote to memory of 2816 2296 htbttn.exe 91 PID 2296 wrote to memory of 2816 2296 htbttn.exe 91 PID 2816 wrote to memory of 3148 2816 c842600.exe 92 PID 2816 wrote to memory of 3148 2816 c842600.exe 92 PID 2816 wrote to memory of 3148 2816 c842600.exe 92 PID 3148 wrote to memory of 1592 3148 bhnhbn.exe 93 PID 3148 wrote to memory of 1592 3148 bhnhbn.exe 93 PID 3148 wrote to memory of 1592 3148 bhnhbn.exe 93 PID 1592 wrote to memory of 3592 1592 rrffrxr.exe 94 PID 1592 wrote to memory of 3592 
1592 rrffrxr.exe 94 PID 1592 wrote to memory of 3592 1592 rrffrxr.exe 94 PID 3592 wrote to memory of 1668 3592 4882668.exe 95 PID 3592 wrote to memory of 1668 3592 4882668.exe 95 PID 3592 wrote to memory of 1668 3592 4882668.exe 95 PID 1668 wrote to memory of 4500 1668 pjjdd.exe 96 PID 1668 wrote to memory of 4500 1668 pjjdd.exe 96 PID 1668 wrote to memory of 4500 1668 pjjdd.exe 96 PID 4500 wrote to memory of 2088 4500 hbbhhh.exe 97 PID 4500 wrote to memory of 2088 4500 hbbhhh.exe 97 PID 4500 wrote to memory of 2088 4500 hbbhhh.exe 97 PID 2088 wrote to memory of 3076 2088 rffrlrl.exe 98 PID 2088 wrote to memory of 3076 2088 rffrlrl.exe 98 PID 2088 wrote to memory of 3076 2088 rffrlrl.exe 98 PID 3076 wrote to memory of 4420 3076 jjdvv.exe 157 PID 3076 wrote to memory of 4420 3076 jjdvv.exe 157 PID 3076 wrote to memory of 4420 3076 jjdvv.exe 157 PID 4420 wrote to memory of 2872 4420 024488.exe 100 PID 4420 wrote to memory of 2872 4420 024488.exe 100 PID 4420 wrote to memory of 2872 4420 024488.exe 100 PID 2872 wrote to memory of 1064 2872 dddvv.exe 101 PID 2872 wrote to memory of 1064 2872 dddvv.exe 101 PID 2872 wrote to memory of 1064 2872 dddvv.exe 101 PID 1064 wrote to memory of 876 1064 xrlrxxx.exe 102 PID 1064 wrote to memory of 876 1064 xrlrxxx.exe 102 PID 1064 wrote to memory of 876 1064 xrlrxxx.exe 102 PID 876 wrote to memory of 2952 876 040820.exe 103 PID 876 wrote to memory of 2952 876 040820.exe 103 PID 876 wrote to memory of 2952 876 040820.exe 103 PID 2952 wrote to memory of 3640 2952 42468.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce42c846d966d33b378fbe3bbbfc0cd13d81a9f81dd795f7571b251ae4d8309d.exe"C:\Users\Admin\AppData\Local\Temp\ce42c846d966d33b378fbe3bbbfc0cd13d81a9f81dd795f7571b251ae4d8309d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\84044.exec:\84044.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\tnbhbt.exec:\tnbhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\jppjp.exec:\jppjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\jjddv.exec:\jjddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\424646.exec:\424646.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\k04806.exec:\k04806.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\226882.exec:\226882.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\htbttn.exec:\htbttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\c842600.exec:\c842600.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\bhnhbn.exec:\bhnhbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\rrffrxr.exec:\rrffrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\4882668.exec:\4882668.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\pjjdd.exec:\pjjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\hbbhhh.exec:\hbbhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\rffrlrl.exec:\rffrlrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\jjdvv.exec:\jjdvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\024488.exec:\024488.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\dddvv.exec:\dddvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\xrlrxxx.exec:\xrlrxxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\040820.exec:\040820.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\42468.exec:\42468.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\0440668.exec:\0440668.exe23⤵
- Executes dropped EXE
PID:3640 -
\??\c:\824448.exec:\824448.exe24⤵
- Executes dropped EXE
PID:1068 -
\??\c:\lrxrllf.exec:\lrxrllf.exe25⤵
- Executes dropped EXE
PID:812 -
\??\c:\vpppj.exec:\vpppj.exe26⤵
- Executes dropped EXE
PID:2760 -
\??\c:\6004444.exec:\6004444.exe27⤵
- Executes dropped EXE
PID:3064 -
\??\c:\844482.exec:\844482.exe28⤵
- Executes dropped EXE
PID:1352 -
\??\c:\0468288.exec:\0468288.exe29⤵
- Executes dropped EXE
PID:1908 -
\??\c:\64826.exec:\64826.exe30⤵
- Executes dropped EXE
PID:2332 -
\??\c:\06264.exec:\06264.exe31⤵
- Executes dropped EXE
PID:3328 -
\??\c:\bbhnhb.exec:\bbhnhb.exe32⤵
- Executes dropped EXE
PID:2988 -
\??\c:\dvjdd.exec:\dvjdd.exe33⤵
- Executes dropped EXE
PID:2748 -
\??\c:\m8826.exec:\m8826.exe34⤵
- Executes dropped EXE
PID:3656 -
\??\c:\66822.exec:\66822.exe35⤵
- Executes dropped EXE
PID:2680 -
\??\c:\8448822.exec:\8448822.exe36⤵
- Executes dropped EXE
PID:4544 -
\??\c:\4066060.exec:\4066060.exe37⤵
- Executes dropped EXE
PID:4808 -
\??\c:\4000448.exec:\4000448.exe38⤵
- Executes dropped EXE
PID:4788 -
\??\c:\8662446.exec:\8662446.exe39⤵
- Executes dropped EXE
PID:64 -
\??\c:\4060444.exec:\4060444.exe40⤵
- Executes dropped EXE
PID:464 -
\??\c:\6440600.exec:\6440600.exe41⤵
- Executes dropped EXE
PID:2616 -
\??\c:\ffllrll.exec:\ffllrll.exe42⤵
- Executes dropped EXE
PID:2452 -
\??\c:\22424.exec:\22424.exe43⤵
- Executes dropped EXE
PID:4036 -
\??\c:\204644.exec:\204644.exe44⤵
- Executes dropped EXE
PID:1604 -
\??\c:\btbtnn.exec:\btbtnn.exe45⤵
- Executes dropped EXE
PID:1692 -
\??\c:\4666044.exec:\4666044.exe46⤵
- Executes dropped EXE
PID:1528 -
\??\c:\k20860.exec:\k20860.exe47⤵
- Executes dropped EXE
PID:3432 -
\??\c:\2800442.exec:\2800442.exe48⤵
- Executes dropped EXE
PID:1912 -
\??\c:\nhntbh.exec:\nhntbh.exe49⤵
- Executes dropped EXE
PID:1184 -
\??\c:\820606.exec:\820606.exe50⤵
- Executes dropped EXE
PID:2480 -
\??\c:\0466442.exec:\0466442.exe51⤵
- Executes dropped EXE
PID:4004 -
\??\c:\644822.exec:\644822.exe52⤵
- Executes dropped EXE
PID:4304 -
\??\c:\hntnhh.exec:\hntnhh.exe53⤵
- Executes dropped EXE
PID:3964 -
\??\c:\bbhtbb.exec:\bbhtbb.exe54⤵
- Executes dropped EXE
PID:4356 -
\??\c:\266004.exec:\266004.exe55⤵
- Executes dropped EXE
PID:2672 -
\??\c:\42604.exec:\42604.exe56⤵
- Executes dropped EXE
PID:980 -
\??\c:\08422.exec:\08422.exe57⤵
- Executes dropped EXE
PID:1196 -
\??\c:\jppvv.exec:\jppvv.exe58⤵
- Executes dropped EXE
PID:3300 -
\??\c:\00048.exec:\00048.exe59⤵
- Executes dropped EXE
PID:3828 -
\??\c:\djvpv.exec:\djvpv.exe60⤵
- Executes dropped EXE
PID:1176 -
\??\c:\0444060.exec:\0444060.exe61⤵
- Executes dropped EXE
PID:1152 -
\??\c:\xffxrlf.exec:\xffxrlf.exe62⤵
- Executes dropped EXE
PID:552 -
\??\c:\jpjdv.exec:\jpjdv.exe63⤵
- Executes dropped EXE
PID:1556 -
\??\c:\7nbtnt.exec:\7nbtnt.exe64⤵
- Executes dropped EXE
PID:2160 -
\??\c:\rrllfff.exec:\rrllfff.exe65⤵
- Executes dropped EXE
PID:3952 -
\??\c:\xxrfxxr.exec:\xxrfxxr.exe66⤵PID:4628
-
\??\c:\2660404.exec:\2660404.exe67⤵PID:2640
-
\??\c:\26884.exec:\26884.exe68⤵PID:3092
-
\??\c:\xxlffxl.exec:\xxlffxl.exe69⤵PID:2236
-
\??\c:\828204.exec:\828204.exe70⤵PID:2792
-
\??\c:\hhntnn.exec:\hhntnn.exe71⤵PID:2292
-
\??\c:\686088.exec:\686088.exe72⤵PID:2660
-
\??\c:\rflfffx.exec:\rflfffx.exe73⤵PID:4100
-
\??\c:\rrfxxrr.exec:\rrfxxrr.exe74⤵PID:4156
-
\??\c:\vpdvj.exec:\vpdvj.exe75⤵PID:4312
-
\??\c:\6804800.exec:\6804800.exe76⤵PID:4420
-
\??\c:\4048260.exec:\4048260.exe77⤵PID:684
-
\??\c:\frrflff.exec:\frrflff.exe78⤵PID:2960
-
\??\c:\8448000.exec:\8448000.exe79⤵PID:5028
-
\??\c:\282046.exec:\282046.exe80⤵PID:4900
-
\??\c:\jjppv.exec:\jjppv.exe81⤵PID:1252
-
\??\c:\80626.exec:\80626.exe82⤵PID:3312
-
\??\c:\a6062.exec:\a6062.exe83⤵PID:1264
-
\??\c:\pvdjd.exec:\pvdjd.exe84⤵PID:1800
-
\??\c:\btntth.exec:\btntth.exe85⤵PID:4952
-
\??\c:\0288886.exec:\0288886.exe86⤵PID:4368
-
\??\c:\nbtttb.exec:\nbtttb.exe87⤵PID:3384
-
\??\c:\02482.exec:\02482.exe88⤵PID:3448
-
\??\c:\fxllllf.exec:\fxllllf.exe89⤵PID:3480
-
\??\c:\jdjdv.exec:\jdjdv.exe90⤵PID:1428
-
\??\c:\bnnnnn.exec:\bnnnnn.exe91⤵PID:900
-
\??\c:\2462622.exec:\2462622.exe92⤵PID:1020
-
\??\c:\8862806.exec:\8862806.exe93⤵PID:212
-
\??\c:\btnnhh.exec:\btnnhh.exe94⤵PID:2712
-
\??\c:\fllllll.exec:\fllllll.exe95⤵PID:4660
-
\??\c:\48048.exec:\48048.exe96⤵PID:4072
-
\??\c:\66608.exec:\66608.exe97⤵PID:4808
-
\??\c:\llxllfr.exec:\llxllfr.exe98⤵PID:4360
-
\??\c:\04644.exec:\04644.exe99⤵PID:2264
-
\??\c:\ddddv.exec:\ddddv.exe100⤵PID:4764
-
\??\c:\6044028.exec:\6044028.exe101⤵PID:1392
-
\??\c:\240482.exec:\240482.exe102⤵PID:2452
-
\??\c:\68006.exec:\68006.exe103⤵PID:2268
-
\??\c:\8060060.exec:\8060060.exe104⤵PID:3832
-
\??\c:\xxlflll.exec:\xxlflll.exe105⤵PID:4296
-
\??\c:\m0202.exec:\m0202.exe106⤵PID:4080
-
\??\c:\ddjdv.exec:\ddjdv.exe107⤵PID:2912
-
\??\c:\htttnn.exec:\htttnn.exe108⤵PID:2908
-
\??\c:\w2828.exec:\w2828.exe109⤵PID:1344
-
\??\c:\622464.exec:\622464.exe110⤵PID:4572
-
\??\c:\jddvd.exec:\jddvd.exe111⤵PID:1620
-
\??\c:\nhhbtb.exec:\nhhbtb.exe112⤵PID:3704
-
\??\c:\pppjd.exec:\pppjd.exe113⤵PID:2328
-
\??\c:\fllfxrl.exec:\fllfxrl.exe114⤵PID:1460
-
\??\c:\jvvpj.exec:\jvvpj.exe115⤵PID:4004
-
\??\c:\2684846.exec:\2684846.exe116⤵PID:3572
-
\??\c:\406404.exec:\406404.exe117⤵PID:5080
-
\??\c:\tnbntn.exec:\tnbntn.exe118⤵PID:440
-
\??\c:\484848.exec:\484848.exe119⤵PID:2672
-
\??\c:\lfrlfff.exec:\lfrlfff.exe120⤵PID:980
-
\??\c:\08046.exec:\08046.exe121⤵PID:1196
-
\??\c:\68044.exec:\68044.exe122⤵PID:2808
-