Analysis
-
max time kernel
120s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
62b1c114efa89f56dd1674f9053c0789b7f5da9ede566af0d9deda37540805fa.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
62b1c114efa89f56dd1674f9053c0789b7f5da9ede566af0d9deda37540805fa.exe
-
Size
454KB
-
MD5
37c4e6afc1ee892fed3257e783c5b961
-
SHA1
fbb22ac345c9ce2eae1d37996a8119b1c0f3f3bf
-
SHA256
62b1c114efa89f56dd1674f9053c0789b7f5da9ede566af0d9deda37540805fa
-
SHA512
a0479bbb155fa605127a4bba8ae740f5136bd0981e5919328ef33fa729f483eef82da94a89065c98c9e5e256fbb396fe74f572eeecd8a6e2cebc4ced06899ae1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4040-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4972-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1920-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/272-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-839-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-940-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-1233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1436-1793-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3208 4280448.exe 5012 vvpdj.exe 1400 nhtthn.exe 3856 fxflrrf.exe 1720 jvvjv.exe 4488 frlfxxr.exe 3764 5dvjd.exe 5028 tnnbhh.exe 3388 044860.exe 2632 28822.exe 808 9tbnbt.exe 764 88486.exe 3476 042822.exe 1012 flrfllr.exe 4804 w26848.exe 1076 bhhhbh.exe 884 vjddj.exe 1404 llrfxrl.exe 2780 e00822.exe 4196 w48204.exe 3176 hbthbb.exe 664 s0042.exe 2684 8086048.exe 1160 vvvpd.exe 4948 628288.exe 4972 9xfxxxr.exe 3060 rlfxrrr.exe 4892 ttttnb.exe 1748 xlrllrr.exe 4392 ddjdv.exe 2092 lrfflfl.exe 3396 vpppj.exe 4952 g2684.exe 2540 2804888.exe 1104 6460606.exe 4728 66482.exe 4768 80282.exe 4580 60844.exe 404 i682226.exe 4760 26884.exe 3052 6422448.exe 4704 vdppd.exe 3172 vvpjj.exe 4272 266044.exe 4468 frlffll.exe 1168 jjddv.exe 4608 26440.exe 2744 884822.exe 5012 djdpj.exe 1400 9jvpd.exe 3904 nbhbtt.exe 1720 btbtnh.exe 2724 64082.exe 4772 1tbhhh.exe 1852 628604.exe 3764 8280404.exe 2176 bntttt.exe 1352 xlxrfxr.exe 3272 644848.exe 3416 dppjd.exe 4464 400044.exe 3460 tbnhht.exe 2984 9rlfxxr.exe 1152 a8442.exe -
resource yara_rule behavioral2/memory/4040-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-143-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4972-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-381-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3212-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/272-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-839-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 446860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6400480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0424002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbnn.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o826488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q44826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6666482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w20444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4040 wrote to memory of 3208 4040 62b1c114efa89f56dd1674f9053c0789b7f5da9ede566af0d9deda37540805fa.exe 85 PID 4040 wrote to memory of 3208 4040 62b1c114efa89f56dd1674f9053c0789b7f5da9ede566af0d9deda37540805fa.exe 85 PID 4040 wrote to memory of 3208 4040 62b1c114efa89f56dd1674f9053c0789b7f5da9ede566af0d9deda37540805fa.exe 85 PID 3208 wrote to memory of 5012 3208 4280448.exe 86 PID 3208 wrote to memory of 5012 3208 4280448.exe 86 PID 3208 wrote to memory of 5012 3208 4280448.exe 86 PID 5012 wrote to memory of 1400 5012 vvpdj.exe 87 PID 5012 wrote to memory of 1400 5012 vvpdj.exe 87 PID 5012 wrote to memory of 1400 5012 vvpdj.exe 87 PID 1400 wrote to memory of 3856 1400 nhtthn.exe 88 PID 1400 wrote to memory of 3856 1400 nhtthn.exe 88 PID 1400 wrote to memory of 3856 1400 nhtthn.exe 88 PID 3856 wrote to memory of 1720 3856 fxflrrf.exe 89 PID 3856 wrote to memory of 1720 3856 fxflrrf.exe 89 PID 3856 wrote to memory of 1720 3856 fxflrrf.exe 89 PID 1720 wrote to memory of 4488 1720 jvvjv.exe 90 PID 1720 wrote to memory of 4488 1720 jvvjv.exe 90 PID 1720 wrote to memory of 4488 1720 jvvjv.exe 90 PID 4488 wrote to memory of 3764 4488 frlfxxr.exe 91 PID 4488 wrote to memory of 3764 4488 frlfxxr.exe 91 PID 4488 wrote to memory of 3764 4488 frlfxxr.exe 91 PID 3764 wrote to memory of 5028 3764 5dvjd.exe 92 PID 3764 wrote to memory of 5028 3764 5dvjd.exe 92 PID 3764 wrote to memory of 5028 3764 5dvjd.exe 92 PID 5028 wrote to memory of 3388 5028 tnnbhh.exe 93 PID 5028 wrote to memory of 3388 5028 tnnbhh.exe 93 PID 5028 wrote to memory of 3388 5028 tnnbhh.exe 93 PID 3388 wrote to memory of 2632 3388 044860.exe 94 PID 3388 wrote to memory of 2632 3388 044860.exe 94 PID 3388 wrote to memory of 2632 3388 044860.exe 94 PID 2632 wrote to memory of 808 2632 28822.exe 95 PID 2632 wrote to memory of 808 2632 28822.exe 95 PID 2632 wrote to memory of 808 2632 28822.exe 95 PID 808 wrote to memory of 764 808 9tbnbt.exe 96 PID 808 wrote to memory of 
764 808 9tbnbt.exe 96 PID 808 wrote to memory of 764 808 9tbnbt.exe 96 PID 764 wrote to memory of 3476 764 88486.exe 97 PID 764 wrote to memory of 3476 764 88486.exe 97 PID 764 wrote to memory of 3476 764 88486.exe 97 PID 3476 wrote to memory of 1012 3476 042822.exe 98 PID 3476 wrote to memory of 1012 3476 042822.exe 98 PID 3476 wrote to memory of 1012 3476 042822.exe 98 PID 1012 wrote to memory of 4804 1012 flrfllr.exe 99 PID 1012 wrote to memory of 4804 1012 flrfllr.exe 99 PID 1012 wrote to memory of 4804 1012 flrfllr.exe 99 PID 4804 wrote to memory of 1076 4804 w26848.exe 100 PID 4804 wrote to memory of 1076 4804 w26848.exe 100 PID 4804 wrote to memory of 1076 4804 w26848.exe 100 PID 1076 wrote to memory of 884 1076 bhhhbh.exe 101 PID 1076 wrote to memory of 884 1076 bhhhbh.exe 101 PID 1076 wrote to memory of 884 1076 bhhhbh.exe 101 PID 884 wrote to memory of 1404 884 vjddj.exe 102 PID 884 wrote to memory of 1404 884 vjddj.exe 102 PID 884 wrote to memory of 1404 884 vjddj.exe 102 PID 1404 wrote to memory of 2780 1404 llrfxrl.exe 103 PID 1404 wrote to memory of 2780 1404 llrfxrl.exe 103 PID 1404 wrote to memory of 2780 1404 llrfxrl.exe 103 PID 2780 wrote to memory of 4196 2780 e00822.exe 104 PID 2780 wrote to memory of 4196 2780 e00822.exe 104 PID 2780 wrote to memory of 4196 2780 e00822.exe 104 PID 4196 wrote to memory of 3176 4196 w48204.exe 105 PID 4196 wrote to memory of 3176 4196 w48204.exe 105 PID 4196 wrote to memory of 3176 4196 w48204.exe 105 PID 3176 wrote to memory of 664 3176 hbthbb.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\62b1c114efa89f56dd1674f9053c0789b7f5da9ede566af0d9deda37540805fa.exe"C:\Users\Admin\AppData\Local\Temp\62b1c114efa89f56dd1674f9053c0789b7f5da9ede566af0d9deda37540805fa.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\4280448.exec:\4280448.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\vvpdj.exec:\vvpdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\nhtthn.exec:\nhtthn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\fxflrrf.exec:\fxflrrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\jvvjv.exec:\jvvjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\frlfxxr.exec:\frlfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\5dvjd.exec:\5dvjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\tnnbhh.exec:\tnnbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\044860.exec:\044860.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\28822.exec:\28822.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\9tbnbt.exec:\9tbnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\88486.exec:\88486.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\042822.exec:\042822.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\flrfllr.exec:\flrfllr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\w26848.exec:\w26848.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\bhhhbh.exec:\bhhhbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\vjddj.exec:\vjddj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\llrfxrl.exec:\llrfxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\e00822.exec:\e00822.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\w48204.exec:\w48204.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\hbthbb.exec:\hbthbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\s0042.exec:\s0042.exe23⤵
- Executes dropped EXE
PID:664 -
\??\c:\8086048.exec:\8086048.exe24⤵
- Executes dropped EXE
PID:2684 -
\??\c:\vvvpd.exec:\vvvpd.exe25⤵
- Executes dropped EXE
PID:1160 -
\??\c:\628288.exec:\628288.exe26⤵
- Executes dropped EXE
PID:4948 -
\??\c:\9xfxxxr.exec:\9xfxxxr.exe27⤵
- Executes dropped EXE
PID:4972 -
\??\c:\rlfxrrr.exec:\rlfxrrr.exe28⤵
- Executes dropped EXE
PID:3060 -
\??\c:\ttttnb.exec:\ttttnb.exe29⤵
- Executes dropped EXE
PID:4892 -
\??\c:\xlrllrr.exec:\xlrllrr.exe30⤵
- Executes dropped EXE
PID:1748 -
\??\c:\ddjdv.exec:\ddjdv.exe31⤵
- Executes dropped EXE
PID:4392 -
\??\c:\lrfflfl.exec:\lrfflfl.exe32⤵
- Executes dropped EXE
PID:2092 -
\??\c:\vpppj.exec:\vpppj.exe33⤵
- Executes dropped EXE
PID:3396 -
\??\c:\g2684.exec:\g2684.exe34⤵
- Executes dropped EXE
PID:4952 -
\??\c:\2804888.exec:\2804888.exe35⤵
- Executes dropped EXE
PID:2540 -
\??\c:\6460606.exec:\6460606.exe36⤵
- Executes dropped EXE
PID:1104 -
\??\c:\66482.exec:\66482.exe37⤵
- Executes dropped EXE
PID:4728 -
\??\c:\80282.exec:\80282.exe38⤵
- Executes dropped EXE
PID:4768 -
\??\c:\60844.exec:\60844.exe39⤵
- Executes dropped EXE
PID:4580 -
\??\c:\i682226.exec:\i682226.exe40⤵
- Executes dropped EXE
PID:404 -
\??\c:\26884.exec:\26884.exe41⤵
- Executes dropped EXE
PID:4760 -
\??\c:\6422448.exec:\6422448.exe42⤵
- Executes dropped EXE
PID:3052 -
\??\c:\vdppd.exec:\vdppd.exe43⤵
- Executes dropped EXE
PID:4704 -
\??\c:\vvpjj.exec:\vvpjj.exe44⤵
- Executes dropped EXE
PID:3172 -
\??\c:\266044.exec:\266044.exe45⤵
- Executes dropped EXE
PID:4272 -
\??\c:\frlffll.exec:\frlffll.exe46⤵
- Executes dropped EXE
PID:4468 -
\??\c:\jjddv.exec:\jjddv.exe47⤵
- Executes dropped EXE
PID:1168 -
\??\c:\26440.exec:\26440.exe48⤵
- Executes dropped EXE
PID:4608 -
\??\c:\884822.exec:\884822.exe49⤵
- Executes dropped EXE
PID:2744 -
\??\c:\djdpj.exec:\djdpj.exe50⤵
- Executes dropped EXE
PID:5012 -
\??\c:\9jvpd.exec:\9jvpd.exe51⤵
- Executes dropped EXE
PID:1400 -
\??\c:\nbhbtt.exec:\nbhbtt.exe52⤵
- Executes dropped EXE
PID:3904 -
\??\c:\btbtnh.exec:\btbtnh.exe53⤵
- Executes dropped EXE
PID:1720 -
\??\c:\64082.exec:\64082.exe54⤵
- Executes dropped EXE
PID:2724 -
\??\c:\1tbhhh.exec:\1tbhhh.exe55⤵
- Executes dropped EXE
PID:4772 -
\??\c:\628604.exec:\628604.exe56⤵
- Executes dropped EXE
PID:1852 -
\??\c:\8280404.exec:\8280404.exe57⤵
- Executes dropped EXE
PID:3764 -
\??\c:\bntttt.exec:\bntttt.exe58⤵
- Executes dropped EXE
PID:2176 -
\??\c:\xlxrfxr.exec:\xlxrfxr.exe59⤵
- Executes dropped EXE
PID:1352 -
\??\c:\644848.exec:\644848.exe60⤵
- Executes dropped EXE
PID:3272 -
\??\c:\dppjd.exec:\dppjd.exe61⤵
- Executes dropped EXE
PID:3416 -
\??\c:\400044.exec:\400044.exe62⤵
- Executes dropped EXE
PID:4464 -
\??\c:\tbnhht.exec:\tbnhht.exe63⤵
- Executes dropped EXE
PID:3460 -
\??\c:\9rlfxxr.exec:\9rlfxxr.exe64⤵
- Executes dropped EXE
PID:2984 -
\??\c:\a8442.exec:\a8442.exe65⤵
- Executes dropped EXE
PID:1152 -
\??\c:\vpvjv.exec:\vpvjv.exe66⤵PID:2696
-
\??\c:\484088.exec:\484088.exe67⤵PID:4084
-
\??\c:\6486228.exec:\6486228.exe68⤵PID:4528
-
\??\c:\468228.exec:\468228.exe69⤵PID:2276
-
\??\c:\htbtnt.exec:\htbtnt.exe70⤵PID:1808
-
\??\c:\flfxxxx.exec:\flfxxxx.exe71⤵PID:3888
-
\??\c:\88826.exec:\88826.exe72⤵PID:2616
-
\??\c:\dpdpj.exec:\dpdpj.exe73⤵PID:8
-
\??\c:\rrlllll.exec:\rrlllll.exe74⤵PID:4072
-
\??\c:\5tbtnt.exec:\5tbtnt.exe75⤵PID:1192
-
\??\c:\vvjjv.exec:\vvjjv.exe76⤵PID:4328
-
\??\c:\lxfxxff.exec:\lxfxxff.exe77⤵PID:2272
-
\??\c:\600426.exec:\600426.exe78⤵PID:780
-
\??\c:\7nnhtb.exec:\7nnhtb.exe79⤵PID:484
-
\??\c:\9rxxxrx.exec:\9rxxxrx.exe80⤵PID:3984
-
\??\c:\vjdpp.exec:\vjdpp.exe81⤵PID:1692
-
\??\c:\64682.exec:\64682.exe82⤵PID:2676
-
\??\c:\8080244.exec:\8080244.exe83⤵PID:1112
-
\??\c:\xlrllrl.exec:\xlrllrl.exe84⤵PID:2924
-
\??\c:\frxrrll.exec:\frxrrll.exe85⤵PID:2316
-
\??\c:\lffxfxf.exec:\lffxfxf.exe86⤵PID:264
-
\??\c:\e28260.exec:\e28260.exe87⤵PID:2752
-
\??\c:\e22648.exec:\e22648.exe88⤵PID:1920
-
\??\c:\pjjdv.exec:\pjjdv.exe89⤵PID:552
-
\??\c:\242660.exec:\242660.exe90⤵PID:748
-
\??\c:\0440000.exec:\0440000.exe91⤵PID:3212
-
\??\c:\6426484.exec:\6426484.exe92⤵PID:2116
-
\??\c:\btbtnh.exec:\btbtnh.exe93⤵PID:3612
-
\??\c:\3jvpj.exec:\3jvpj.exe94⤵PID:4048
-
\??\c:\ffxxxrr.exec:\ffxxxrr.exe95⤵PID:220
-
\??\c:\9rrlfxr.exec:\9rrlfxr.exe96⤵PID:1532
-
\??\c:\82660.exec:\82660.exe97⤵PID:1616
-
\??\c:\1xlllll.exec:\1xlllll.exe98⤵PID:2796
-
\??\c:\hhnhnh.exec:\hhnhnh.exe99⤵PID:1600
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe100⤵PID:2288
-
\??\c:\60604.exec:\60604.exe101⤵PID:2284
-
\??\c:\xlxrlrl.exec:\xlxrlrl.exe102⤵PID:4640
-
\??\c:\g0266.exec:\g0266.exe103⤵PID:1900
-
\??\c:\tntttt.exec:\tntttt.exe104⤵PID:4420
-
\??\c:\424826.exec:\424826.exe105⤵PID:988
-
\??\c:\bbbnhb.exec:\bbbnhb.exe106⤵PID:272
-
\??\c:\flllfff.exec:\flllfff.exe107⤵PID:2732
-
\??\c:\pdjdd.exec:\pdjdd.exe108⤵PID:5068
-
\??\c:\jvdpj.exec:\jvdpj.exe109⤵PID:3244
-
\??\c:\26242.exec:\26242.exe110⤵PID:4408
-
\??\c:\480000.exec:\480000.exe111⤵PID:3504
-
\??\c:\bbbttt.exec:\bbbttt.exe112⤵PID:1916
-
\??\c:\9ppdv.exec:\9ppdv.exe113⤵PID:3424
-
\??\c:\htbbtt.exec:\htbbtt.exe114⤵PID:4488
-
\??\c:\6422884.exec:\6422884.exe115⤵PID:3744
-
\??\c:\8282004.exec:\8282004.exe116⤵PID:1852
-
\??\c:\hntnhn.exec:\hntnhn.exe117⤵PID:1460
-
\??\c:\q46688.exec:\q46688.exe118⤵PID:3764
-
\??\c:\c288222.exec:\c288222.exe119⤵PID:3388
-
\??\c:\66828.exec:\66828.exe120⤵PID:1992
-
\??\c:\484482.exec:\484482.exe121⤵
- System Location Discovery: System Language Discovery
PID:1316 -
\??\c:\rxlrflx.exec:\rxlrflx.exe122⤵PID:3960