Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
02/11/2024, 23:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe
-
Size
346KB
-
MD5
ccabd7100dc60875227597623cdc2fa0
-
SHA1
9eb9f45714a2d36d8afe80771c7a543c9c58d54b
-
SHA256
69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066
-
SHA512
f384f24db710ae947abfd1b4f472f87049ff5a5483d6c3add1f5991217257a7231b884148edbf9c5b30a33bcf97889862d95d98a3c5eca0d439a6002c2541f2e
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAa:l7TcbWXZshJX2VGda
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3616-5-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3084-14-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3160-26-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2328-36-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2144-103-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1140-214-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2420-227-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3248-221-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3664-210-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2400-206-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2280-193-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2192-184-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1404-178-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2316-167-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1116-155-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/372-150-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/856-144-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5104-138-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2640-127-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4976-121-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1872-115-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/2648-109-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2760-97-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4340-91-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/648-80-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2936-74-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4836-68-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4092-62-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3524-56-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4324-49-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/824-44-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5096-43-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1484-20-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5088-13-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4380-238-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/544-248-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3464-258-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4928-262-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2224-275-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3524-279-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2516-291-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3600-311-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/2336-321-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1844-337-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1752-347-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4256-351-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4704-355-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3712-365-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2476-372-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3644-425-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1500-435-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3212-451-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3388-464-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1872-477-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4812-484-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2948-515-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3708-543-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4396-712-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2476-791-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3624-889-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4632-1460-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1568-1836-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3076-1900-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5088 626884.exe 3084 xlrfxfx.exe 1484 8824606.exe 3160 tnhhtn.exe 2328 pddvv.exe 5096 bhhbtt.exe 824 pvjdv.exe 4324 lrllrll.exe 3524 286000.exe 4092 20222.exe 4836 ppppp.exe 2936 46680.exe 648 2444688.exe 3896 2644040.exe 4340 hthhbb.exe 2760 7hnhhn.exe 2144 w68886.exe 2648 llffrxf.exe 1872 xlxrlfx.exe 4976 hbthbn.exe 2640 vpjdp.exe 4652 4286882.exe 5104 vpdjj.exe 856 xrrrrrl.exe 372 0206446.exe 1116 ntnbnh.exe 4320 80820.exe 2316 46808.exe 4436 s2422.exe 1404 6086420.exe 2192 xrfrfxl.exe 4080 hbhttb.exe 2280 w28882.exe 4260 004882.exe 3328 42620.exe 2188 llxxfxx.exe 2400 024260.exe 3664 64204.exe 1140 m4684.exe 2088 jddpp.exe 3248 1hnbtt.exe 1192 222880.exe 2420 040266.exe 4692 02628.exe 4380 4824888.exe 3784 jdjjj.exe 3616 2086640.exe 544 46860.exe 2956 tbhttt.exe 4060 dddvp.exe 3464 jpdpd.exe 4928 442080.exe 1508 ttnnht.exe 1660 fflfrlx.exe 824 u248844.exe 2224 nhnnnt.exe 3524 hthhhn.exe 5036 rxxxxfr.exe 1568 rxxrxxx.exe 4828 660466.exe 2516 7xlffxl.exe 2736 dvvpj.exe 844 8288266.exe 1400 ppvpj.exe -
resource yara_rule behavioral2/memory/5088-7-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3616-5-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3084-14-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3160-26-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2328-36-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2144-103-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1140-214-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2420-227-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3248-221-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3664-210-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2400-206-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2280-193-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2192-184-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1404-178-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2316-167-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1116-155-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/372-150-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/856-144-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5104-138-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2640-127-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4976-121-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1872-115-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2648-109-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2760-97-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/4340-91-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/648-80-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2936-74-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4836-68-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4092-62-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3524-56-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4324-49-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/824-44-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5096-43-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1484-20-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5088-13-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4380-238-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/544-248-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3464-258-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4928-262-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2224-275-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3524-279-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2516-291-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3600-311-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2336-321-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1844-337-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1752-347-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4256-351-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4704-355-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/3712-365-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2476-372-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3400-406-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3644-425-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1500-435-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3212-451-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3388-464-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1872-477-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4812-484-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2948-515-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3708-543-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4396-712-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2476-791-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1688-807-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3624-889-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1568-968-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 800826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 464640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0206446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
5hhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8862042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3616 wrote to memory of 5088 3616 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 84 PID 3616 wrote to memory of 5088 3616 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 84 PID 3616 wrote to memory of 5088 3616 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 84 PID 5088 wrote to memory of 3084 5088 626884.exe 85 PID 5088 wrote to memory of 3084 5088 626884.exe 85 PID 5088 wrote to memory of 3084 5088 626884.exe 85 PID 3084 wrote to memory of 1484 3084 xlrfxfx.exe 86 PID 3084 wrote to memory of 1484 3084 xlrfxfx.exe 86 PID 3084 wrote to memory of 1484 3084 xlrfxfx.exe 86 PID 1484 wrote to memory of 3160 1484 8824606.exe 87 PID 1484 wrote to memory of 3160 1484 8824606.exe 87 PID 1484 wrote to memory of 3160 1484 8824606.exe 87 PID 3160 wrote to memory of 2328 3160 tnhhtn.exe 88 PID 3160 wrote to memory of 2328 3160 tnhhtn.exe 88 PID 3160 wrote to memory of 2328 3160 tnhhtn.exe 88 PID 2328 wrote to memory of 5096 2328 pddvv.exe 89 PID 2328 wrote to memory of 5096 2328 pddvv.exe 89 PID 2328 wrote to memory of 5096 2328 pddvv.exe 89 PID 5096 wrote to memory of 824 5096 bhhbtt.exe 138 PID 5096 wrote to memory of 824 5096 bhhbtt.exe 138 PID 5096 wrote to memory of 824 5096 bhhbtt.exe 138 PID 824 wrote to memory of 4324 824 pvjdv.exe 91 PID 824 wrote to memory of 4324 824 pvjdv.exe 91 PID 824 wrote to memory of 4324 824 pvjdv.exe 91 PID 4324 wrote to memory of 3524 4324 lrllrll.exe 140 PID 4324 wrote to memory of 3524 4324 lrllrll.exe 140 PID 4324 wrote to memory of 3524 4324 lrllrll.exe 140 PID 3524 wrote to memory of 4092 3524 286000.exe 93 PID 3524 wrote to memory of 4092 3524 286000.exe 93 PID 3524 wrote to memory of 4092 3524 286000.exe 93 PID 4092 wrote to memory of 4836 4092 20222.exe 94 PID 4092 wrote to memory of 4836 4092 20222.exe 94 PID 4092 wrote to memory of 4836 4092 20222.exe 94 PID 4836 wrote to memory of 2936 4836 ppppp.exe 95 PID 4836 wrote to 
memory of 2936 4836 ppppp.exe 95 PID 4836 wrote to memory of 2936 4836 ppppp.exe 95 PID 2936 wrote to memory of 648 2936 46680.exe 96 PID 2936 wrote to memory of 648 2936 46680.exe 96 PID 2936 wrote to memory of 648 2936 46680.exe 96 PID 648 wrote to memory of 3896 648 2444688.exe 97 PID 648 wrote to memory of 3896 648 2444688.exe 97 PID 648 wrote to memory of 3896 648 2444688.exe 97 PID 3896 wrote to memory of 4340 3896 2644040.exe 98 PID 3896 wrote to memory of 4340 3896 2644040.exe 98 PID 3896 wrote to memory of 4340 3896 2644040.exe 98 PID 4340 wrote to memory of 2760 4340 hthhbb.exe 99 PID 4340 wrote to memory of 2760 4340 hthhbb.exe 99 PID 4340 wrote to memory of 2760 4340 hthhbb.exe 99 PID 2760 wrote to memory of 2144 2760 7hnhhn.exe 100 PID 2760 wrote to memory of 2144 2760 7hnhhn.exe 100 PID 2760 wrote to memory of 2144 2760 7hnhhn.exe 100 PID 2144 wrote to memory of 2648 2144 w68886.exe 101 PID 2144 wrote to memory of 2648 2144 w68886.exe 101 PID 2144 wrote to memory of 2648 2144 w68886.exe 101 PID 2648 wrote to memory of 1872 2648 llffrxf.exe 102 PID 2648 wrote to memory of 1872 2648 llffrxf.exe 102 PID 2648 wrote to memory of 1872 2648 llffrxf.exe 102 PID 1872 wrote to memory of 4976 1872 xlxrlfx.exe 103 PID 1872 wrote to memory of 4976 1872 xlxrlfx.exe 103 PID 1872 wrote to memory of 4976 1872 xlxrlfx.exe 103 PID 4976 wrote to memory of 2640 4976 hbthbn.exe 104 PID 4976 wrote to memory of 2640 4976 hbthbn.exe 104 PID 4976 wrote to memory of 2640 4976 hbthbn.exe 104 PID 2640 wrote to memory of 4652 2640 vpjdp.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe"C:\Users\Admin\AppData\Local\Temp\69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\626884.exec:\626884.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\xlrfxfx.exec:\xlrfxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\8824606.exec:\8824606.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\tnhhtn.exec:\tnhhtn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
\??\c:\pddvv.exec:\pddvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\bhhbtt.exec:\bhhbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\pvjdv.exec:\pvjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\lrllrll.exec:\lrllrll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\286000.exec:\286000.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\20222.exec:\20222.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\ppppp.exec:\ppppp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\46680.exec:\46680.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\2444688.exec:\2444688.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\2644040.exec:\2644040.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\hthhbb.exec:\hthhbb.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\7hnhhn.exec:\7hnhhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\w68886.exec:\w68886.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\llffrxf.exec:\llffrxf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\xlxrlfx.exec:\xlxrlfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\hbthbn.exec:\hbthbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\vpjdp.exec:\vpjdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\4286882.exec:\4286882.exe23⤵
- Executes dropped EXE
PID:4652 -
\??\c:\vpdjj.exec:\vpdjj.exe24⤵
- Executes dropped EXE
PID:5104 -
\??\c:\xrrrrrl.exec:\xrrrrrl.exe25⤵
- Executes dropped EXE
PID:856 -
\??\c:\0206446.exec:\0206446.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:372 -
\??\c:\ntnbnh.exec:\ntnbnh.exe27⤵
- Executes dropped EXE
PID:1116 -
\??\c:\80820.exec:\80820.exe28⤵
- Executes dropped EXE
PID:4320 -
\??\c:\46808.exec:\46808.exe29⤵
- Executes dropped EXE
PID:2316 -
\??\c:\s2422.exec:\s2422.exe30⤵
- Executes dropped EXE
PID:4436 -
\??\c:\6086420.exec:\6086420.exe31⤵
- Executes dropped EXE
PID:1404 -
\??\c:\xrfrfxl.exec:\xrfrfxl.exe32⤵
- Executes dropped EXE
PID:2192 -
\??\c:\hbhttb.exec:\hbhttb.exe33⤵
- Executes dropped EXE
PID:4080 -
\??\c:\w28882.exec:\w28882.exe34⤵
- Executes dropped EXE
PID:2280 -
\??\c:\004882.exec:\004882.exe35⤵
- Executes dropped EXE
PID:4260 -
\??\c:\42620.exec:\42620.exe36⤵
- Executes dropped EXE
PID:3328 -
\??\c:\llxxfxx.exec:\llxxfxx.exe37⤵
- Executes dropped EXE
PID:2188 -
\??\c:\024260.exec:\024260.exe38⤵
- Executes dropped EXE
PID:2400 -
\??\c:\64204.exec:\64204.exe39⤵
- Executes dropped EXE
PID:3664 -
\??\c:\m4684.exec:\m4684.exe40⤵
- Executes dropped EXE
PID:1140 -
\??\c:\jddpp.exec:\jddpp.exe41⤵
- Executes dropped EXE
PID:2088 -
\??\c:\1hnbtt.exec:\1hnbtt.exe42⤵
- Executes dropped EXE
PID:3248 -
\??\c:\222880.exec:\222880.exe43⤵
- Executes dropped EXE
PID:1192 -
\??\c:\040266.exec:\040266.exe44⤵
- Executes dropped EXE
PID:2420 -
\??\c:\02628.exec:\02628.exe45⤵
- Executes dropped EXE
PID:4692 -
\??\c:\4824888.exec:\4824888.exe46⤵
- Executes dropped EXE
PID:4380 -
\??\c:\jdjjj.exec:\jdjjj.exe47⤵
- Executes dropped EXE
PID:3784 -
\??\c:\2086640.exec:\2086640.exe48⤵
- Executes dropped EXE
PID:3616 -
\??\c:\46860.exec:\46860.exe49⤵
- Executes dropped EXE
PID:544 -
\??\c:\tbhttt.exec:\tbhttt.exe50⤵
- Executes dropped EXE
PID:2956 -
\??\c:\dddvp.exec:\dddvp.exe51⤵
- Executes dropped EXE
PID:4060 -
\??\c:\jpdpd.exec:\jpdpd.exe52⤵
- Executes dropped EXE
PID:3464 -
\??\c:\442080.exec:\442080.exe53⤵
- Executes dropped EXE
PID:4928 -
\??\c:\ttnnht.exec:\ttnnht.exe54⤵
- Executes dropped EXE
PID:1508 -
\??\c:\fflfrlx.exec:\fflfrlx.exe55⤵
- Executes dropped EXE
PID:1660 -
\??\c:\u248844.exec:\u248844.exe56⤵
- Executes dropped EXE
PID:824 -
\??\c:\nhnnnt.exec:\nhnnnt.exe57⤵
- Executes dropped EXE
PID:2224 -
\??\c:\hthhhn.exec:\hthhhn.exe58⤵
- Executes dropped EXE
PID:3524 -
\??\c:\rxxxxfr.exec:\rxxxxfr.exe59⤵
- Executes dropped EXE
PID:5036 -
\??\c:\rxxrxxx.exec:\rxxrxxx.exe60⤵
- Executes dropped EXE
PID:1568 -
\??\c:\660466.exec:\660466.exe61⤵
- Executes dropped EXE
PID:4828 -
\??\c:\7xlffxl.exec:\7xlffxl.exe62⤵
- Executes dropped EXE
PID:2516 -
\??\c:\dvvpj.exec:\dvvpj.exe63⤵
- Executes dropped EXE
PID:2736 -
\??\c:\8288266.exec:\8288266.exe64⤵
- Executes dropped EXE
PID:844 -
\??\c:\ppvpj.exec:\ppvpj.exe65⤵
- Executes dropped EXE
PID:1400 -
\??\c:\02062.exec:\02062.exe66⤵PID:4016
-
\??\c:\dvdvv.exec:\dvdvv.exe67⤵PID:3132
-
\??\c:\3nttnt.exec:\3nttnt.exe68⤵PID:3600
-
\??\c:\xflrrlf.exec:\xflrrlf.exe69⤵PID:3316
-
\??\c:\xlrrrrl.exec:\xlrrrrl.exe70⤵PID:4416
-
\??\c:\rfrflfr.exec:\rfrflfr.exe71⤵
- System Location Discovery: System Language Discovery
PID:2336 -
\??\c:\lxlxxrr.exec:\lxlxxrr.exe72⤵PID:5112
-
\??\c:\lrxxfrr.exec:\lrxxfrr.exe73⤵PID:2248
-
\??\c:\82020.exec:\82020.exe74⤵PID:2572
-
\??\c:\ttnhbh.exec:\ttnhbh.exe75⤵PID:4956
-
\??\c:\0606862.exec:\0606862.exe76⤵PID:1844
-
\??\c:\xrxfxrr.exec:\xrxfxrr.exe77⤵PID:1592
-
\??\c:\9bthnh.exec:\9bthnh.exe78⤵PID:4944
-
\??\c:\4868222.exec:\4868222.exe79⤵PID:1752
-
\??\c:\fffflll.exec:\fffflll.exe80⤵PID:4256
-
\??\c:\00260.exec:\00260.exe81⤵PID:4704
-
\??\c:\pdjjp.exec:\pdjjp.exe82⤵PID:220
-
\??\c:\3tbtnn.exec:\3tbtnn.exe83⤵PID:4080
-
\??\c:\rxfxxxf.exec:\rxfxxxf.exe84⤵PID:3712
-
\??\c:\0462226.exec:\0462226.exe85⤵PID:1432
-
\??\c:\686842.exec:\686842.exe86⤵PID:2476
-
\??\c:\1llfflf.exec:\1llfflf.exe87⤵PID:4604
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe88⤵PID:2540
-
\??\c:\6404882.exec:\6404882.exe89⤵PID:4792
-
\??\c:\lflfxrl.exec:\lflfxrl.exe90⤵PID:1188
-
\??\c:\jvdpd.exec:\jvdpd.exe91⤵PID:2696
-
\??\c:\c282444.exec:\c282444.exe92⤵PID:2088
-
\??\c:\g4666.exec:\g4666.exe93⤵PID:2444
-
\??\c:\vpppp.exec:\vpppp.exe94⤵PID:4360
-
\??\c:\djvvv.exec:\djvvv.exe95⤵PID:4856
-
\??\c:\o848222.exec:\o848222.exe96⤵PID:4468
-
\??\c:\82440.exec:\82440.exe97⤵PID:4352
-
\??\c:\q86266.exec:\q86266.exe98⤵PID:3400
-
\??\c:\82480.exec:\82480.exe99⤵PID:5088
-
\??\c:\bnbhhh.exec:\bnbhhh.exe100⤵PID:1020
-
\??\c:\flfrlxl.exec:\flfrlxl.exe101⤵PID:4624
-
\??\c:\9nttbb.exec:\9nttbb.exe102⤵PID:1484
-
\??\c:\rfrlxxx.exec:\rfrlxxx.exe103⤵PID:3644
-
\??\c:\288222.exec:\288222.exe104⤵PID:4460
-
\??\c:\26884.exec:\26884.exe105⤵PID:3940
-
\??\c:\8202228.exec:\8202228.exe106⤵PID:1500
-
\??\c:\k68604.exec:\k68604.exe107⤵PID:4848
-
\??\c:\024802.exec:\024802.exe108⤵PID:4992
-
\??\c:\82664.exec:\82664.exe109⤵PID:4232
-
\??\c:\rllfffr.exec:\rllfffr.exe110⤵PID:744
-
\??\c:\82442.exec:\82442.exe111⤵PID:3212
-
\??\c:\24622.exec:\24622.exe112⤵PID:684
-
\??\c:\464640.exec:\464640.exe113⤵
- System Location Discovery: System Language Discovery
PID:3652 -
\??\c:\rxrlffx.exec:\rxrlffx.exe114⤵PID:4340
-
\??\c:\1btnnn.exec:\1btnnn.exe115⤵PID:3388
-
\??\c:\pvdvj.exec:\pvdvj.exe116⤵PID:3924
-
\??\c:\ppvjd.exec:\ppvjd.exe117⤵PID:3740
-
\??\c:\xrxrllf.exec:\xrxrllf.exe118⤵PID:2608
-
\??\c:\pdjjp.exec:\pdjjp.exe119⤵PID:1872
-
\??\c:\4864068.exec:\4864068.exe120⤵PID:4416
-
\??\c:\4462266.exec:\4462266.exe121⤵PID:4812
-
\??\c:\vpvvd.exec:\vpvvd.exe122⤵PID:5112