Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 23:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe
-
Size
452KB
-
MD5
62c1d9a088678e1601be87e3a7812ad2
-
SHA1
c9b441abd87a50d43067ce8ba674e5ec29f8dd82
-
SHA256
4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1
-
SHA512
f59ca0e23ae40d9736b31df83161245c6684540259ac8a704c4bec46b228e65ebad1fb5572962b94392af7a992c09f49b5ce52402e0ce023145e168985968f8c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2988-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1684-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2696-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-851-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-1084-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2220-1275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2444 646000.exe 4828 2440000.exe 3812 80660.exe 1872 nhtnhh.exe 4268 204866.exe 2116 hbhhhh.exe 1664 btttbh.exe 900 028262.exe 3292 thhtnh.exe 3052 08228.exe 3868 a0200.exe 3080 20684.exe 2352 nhhbhb.exe 3268 g8082.exe 4948 2864422.exe 4400 88482.exe 5036 pdvpj.exe 1592 80248.exe 1596 24844.exe 3656 pvjdp.exe 1792 422660.exe 1736 1fxrffx.exe 1684 vdjvp.exe 2336 jjjdp.exe 1492 02084.exe 2404 8882222.exe 2064 k22048.exe 4660 084200.exe 1680 frxrlff.exe 1076 llrllfx.exe 1524 frxrrrl.exe 5064 8220004.exe 1840 nntnhb.exe 3892 jdjdd.exe 3452 4822806.exe 2676 pvdjd.exe 2896 7dvvj.exe 4392 8848264.exe 2840 0420486.exe 5096 nbbtnh.exe 4420 5ntntt.exe 3120 9jdpj.exe 2944 20660.exe 2232 0208888.exe 2984 jvdvj.exe 4968 608822.exe 4372 flflrlr.exe 4312 k28222.exe 2988 884400.exe 2444 q00488.exe 864 64040.exe 1932 thnnnn.exe 1556 rxxlfxr.exe 2020 6804600.exe 2228 i808266.exe 2888 o420040.exe 3340 246400.exe 4776 ntbtnn.exe 1440 246606.exe 1664 62866.exe 5020 lxfllff.exe 1368 8406666.exe 2008 20826.exe 2696 044266.exe -
resource yara_rule behavioral2/memory/2988-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2336-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-325-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2248-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-672-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 246044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0620486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6464046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0420486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2226448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 246606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2988 wrote to memory of 2444 2988 4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe 83 PID 2988 wrote to memory of 2444 2988 4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe 83 PID 2988 wrote to memory of 2444 2988 4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe 83 PID 2444 wrote to memory of 4828 2444 646000.exe 84 PID 2444 wrote to memory of 4828 2444 646000.exe 84 PID 2444 wrote to memory of 4828 2444 646000.exe 84 PID 4828 wrote to memory of 3812 4828 2440000.exe 85 PID 4828 wrote to memory of 3812 4828 2440000.exe 85 PID 4828 wrote to memory of 3812 4828 2440000.exe 85 PID 3812 wrote to memory of 1872 3812 80660.exe 86 PID 3812 wrote to memory of 1872 3812 80660.exe 86 PID 3812 wrote to memory of 1872 3812 80660.exe 86 PID 1872 wrote to memory of 4268 1872 nhtnhh.exe 87 PID 1872 wrote to memory of 4268 1872 nhtnhh.exe 87 PID 1872 wrote to memory of 4268 1872 nhtnhh.exe 87 PID 4268 wrote to memory of 2116 4268 204866.exe 88 PID 4268 wrote to memory of 2116 4268 204866.exe 88 PID 4268 wrote to memory of 2116 4268 204866.exe 88 PID 2116 wrote to memory of 1664 2116 hbhhhh.exe 89 PID 2116 wrote to memory of 1664 2116 hbhhhh.exe 89 PID 2116 wrote to memory of 1664 2116 hbhhhh.exe 89 PID 1664 wrote to memory of 900 1664 btttbh.exe 90 PID 1664 wrote to memory of 900 1664 btttbh.exe 90 PID 1664 wrote to memory of 900 1664 btttbh.exe 90 PID 900 wrote to memory of 3292 900 028262.exe 91 PID 900 wrote to memory of 3292 900 028262.exe 91 PID 900 wrote to memory of 3292 900 028262.exe 91 PID 3292 wrote to memory of 3052 3292 thhtnh.exe 92 PID 3292 wrote to memory of 3052 3292 thhtnh.exe 92 PID 3292 wrote to memory of 3052 3292 thhtnh.exe 92 PID 3052 wrote to memory of 3868 3052 08228.exe 93 PID 3052 wrote to memory of 3868 3052 08228.exe 93 PID 3052 wrote to memory of 3868 3052 08228.exe 93 PID 3868 wrote to memory of 3080 3868 a0200.exe 94 PID 3868 wrote to memory of 3080 
3868 a0200.exe 94 PID 3868 wrote to memory of 3080 3868 a0200.exe 94 PID 3080 wrote to memory of 2352 3080 20684.exe 95 PID 3080 wrote to memory of 2352 3080 20684.exe 95 PID 3080 wrote to memory of 2352 3080 20684.exe 95 PID 2352 wrote to memory of 3268 2352 nhhbhb.exe 96 PID 2352 wrote to memory of 3268 2352 nhhbhb.exe 96 PID 2352 wrote to memory of 3268 2352 nhhbhb.exe 96 PID 3268 wrote to memory of 4948 3268 g8082.exe 97 PID 3268 wrote to memory of 4948 3268 g8082.exe 97 PID 3268 wrote to memory of 4948 3268 g8082.exe 97 PID 4948 wrote to memory of 4400 4948 2864422.exe 98 PID 4948 wrote to memory of 4400 4948 2864422.exe 98 PID 4948 wrote to memory of 4400 4948 2864422.exe 98 PID 4400 wrote to memory of 5036 4400 88482.exe 99 PID 4400 wrote to memory of 5036 4400 88482.exe 99 PID 4400 wrote to memory of 5036 4400 88482.exe 99 PID 5036 wrote to memory of 1592 5036 pdvpj.exe 100 PID 5036 wrote to memory of 1592 5036 pdvpj.exe 100 PID 5036 wrote to memory of 1592 5036 pdvpj.exe 100 PID 1592 wrote to memory of 1596 1592 80248.exe 101 PID 1592 wrote to memory of 1596 1592 80248.exe 101 PID 1592 wrote to memory of 1596 1592 80248.exe 101 PID 1596 wrote to memory of 3656 1596 24844.exe 102 PID 1596 wrote to memory of 3656 1596 24844.exe 102 PID 1596 wrote to memory of 3656 1596 24844.exe 102 PID 3656 wrote to memory of 1792 3656 pvjdp.exe 103 PID 3656 wrote to memory of 1792 3656 pvjdp.exe 103 PID 3656 wrote to memory of 1792 3656 pvjdp.exe 103 PID 1792 wrote to memory of 1736 1792 422660.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe"C:\Users\Admin\AppData\Local\Temp\4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\646000.exec:\646000.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\2440000.exec:\2440000.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\80660.exec:\80660.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\nhtnhh.exec:\nhtnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\204866.exec:\204866.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\hbhhhh.exec:\hbhhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\btttbh.exec:\btttbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\028262.exec:\028262.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\thhtnh.exec:\thhtnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\08228.exec:\08228.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\a0200.exec:\a0200.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\20684.exec:\20684.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\nhhbhb.exec:\nhhbhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\g8082.exec:\g8082.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\2864422.exec:\2864422.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\88482.exec:\88482.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\pdvpj.exec:\pdvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\80248.exec:\80248.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\24844.exec:\24844.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\pvjdp.exec:\pvjdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\422660.exec:\422660.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\1fxrffx.exec:\1fxrffx.exe23⤵
- Executes dropped EXE
PID:1736 -
\??\c:\vdjvp.exec:\vdjvp.exe24⤵
- Executes dropped EXE
PID:1684 -
\??\c:\jjjdp.exec:\jjjdp.exe25⤵
- Executes dropped EXE
PID:2336 -
\??\c:\02084.exec:\02084.exe26⤵
- Executes dropped EXE
PID:1492 -
\??\c:\8882222.exec:\8882222.exe27⤵
- Executes dropped EXE
PID:2404 -
\??\c:\k22048.exec:\k22048.exe28⤵
- Executes dropped EXE
PID:2064 -
\??\c:\084200.exec:\084200.exe29⤵
- Executes dropped EXE
PID:4660 -
\??\c:\frxrlff.exec:\frxrlff.exe30⤵
- Executes dropped EXE
PID:1680 -
\??\c:\llrllfx.exec:\llrllfx.exe31⤵
- Executes dropped EXE
PID:1076 -
\??\c:\frxrrrl.exec:\frxrrrl.exe32⤵
- Executes dropped EXE
PID:1524 -
\??\c:\8220004.exec:\8220004.exe33⤵
- Executes dropped EXE
PID:5064 -
\??\c:\nntnhb.exec:\nntnhb.exe34⤵
- Executes dropped EXE
PID:1840 -
\??\c:\jdjdd.exec:\jdjdd.exe35⤵
- Executes dropped EXE
PID:3892 -
\??\c:\4822806.exec:\4822806.exe36⤵
- Executes dropped EXE
PID:3452 -
\??\c:\pvdjd.exec:\pvdjd.exe37⤵
- Executes dropped EXE
PID:2676 -
\??\c:\7dvvj.exec:\7dvvj.exe38⤵
- Executes dropped EXE
PID:2896 -
\??\c:\8848264.exec:\8848264.exe39⤵
- Executes dropped EXE
PID:4392 -
\??\c:\0420486.exec:\0420486.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
\??\c:\nbbtnh.exec:\nbbtnh.exe41⤵
- Executes dropped EXE
PID:5096 -
\??\c:\5ntntt.exec:\5ntntt.exe42⤵
- Executes dropped EXE
PID:4420 -
\??\c:\9jdpj.exec:\9jdpj.exe43⤵
- Executes dropped EXE
PID:3120 -
\??\c:\20660.exec:\20660.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2944 -
\??\c:\0208888.exec:\0208888.exe45⤵
- Executes dropped EXE
PID:2232 -
\??\c:\jvdvj.exec:\jvdvj.exe46⤵
- Executes dropped EXE
PID:2984 -
\??\c:\608822.exec:\608822.exe47⤵
- Executes dropped EXE
PID:4968 -
\??\c:\flflrlr.exec:\flflrlr.exe48⤵
- Executes dropped EXE
PID:4372 -
\??\c:\k28222.exec:\k28222.exe49⤵
- Executes dropped EXE
PID:4312 -
\??\c:\884400.exec:\884400.exe50⤵
- Executes dropped EXE
PID:2988 -
\??\c:\q00488.exec:\q00488.exe51⤵
- Executes dropped EXE
PID:2444 -
\??\c:\64040.exec:\64040.exe52⤵
- Executes dropped EXE
PID:864 -
\??\c:\thnnnn.exec:\thnnnn.exe53⤵
- Executes dropped EXE
PID:1932 -
\??\c:\rxxlfxr.exec:\rxxlfxr.exe54⤵
- Executes dropped EXE
PID:1556 -
\??\c:\6804600.exec:\6804600.exe55⤵
- Executes dropped EXE
PID:2020 -
\??\c:\i808266.exec:\i808266.exe56⤵
- Executes dropped EXE
PID:2228 -
\??\c:\o420040.exec:\o420040.exe57⤵
- Executes dropped EXE
PID:2888 -
\??\c:\246400.exec:\246400.exe58⤵
- Executes dropped EXE
PID:3340 -
\??\c:\ntbtnn.exec:\ntbtnn.exe59⤵
- Executes dropped EXE
PID:4776 -
\??\c:\246606.exec:\246606.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1440 -
\??\c:\62866.exec:\62866.exe61⤵
- Executes dropped EXE
PID:1664 -
\??\c:\lxfllff.exec:\lxfllff.exe62⤵
- Executes dropped EXE
PID:5020 -
\??\c:\8406666.exec:\8406666.exe63⤵
- Executes dropped EXE
PID:1368 -
\??\c:\20826.exec:\20826.exe64⤵
- Executes dropped EXE
PID:2008 -
\??\c:\044266.exec:\044266.exe65⤵
- Executes dropped EXE
PID:2696 -
\??\c:\084826.exec:\084826.exe66⤵PID:964
-
\??\c:\640482.exec:\640482.exe67⤵PID:3636
-
\??\c:\84044.exec:\84044.exe68⤵PID:2936
-
\??\c:\9rrxrrr.exec:\9rrxrrr.exe69⤵PID:2568
-
\??\c:\vjpvd.exec:\vjpvd.exe70⤵PID:4204
-
\??\c:\2048402.exec:\2048402.exe71⤵PID:1544
-
\??\c:\htthbt.exec:\htthbt.exe72⤵PID:1624
-
\??\c:\246628.exec:\246628.exe73⤵PID:2248
-
\??\c:\4842084.exec:\4842084.exe74⤵PID:3824
-
\??\c:\flrlllx.exec:\flrlllx.exe75⤵PID:4124
-
\??\c:\428266.exec:\428266.exe76⤵PID:1596
-
\??\c:\dpdjp.exec:\dpdjp.exe77⤵PID:1536
-
\??\c:\xlrlffx.exec:\xlrlffx.exe78⤵PID:3208
-
\??\c:\lfffxxr.exec:\lfffxxr.exe79⤵PID:4156
-
\??\c:\1jpjj.exec:\1jpjj.exe80⤵PID:1560
-
\??\c:\jjdvv.exec:\jjdvv.exe81⤵PID:1684
-
\??\c:\2240448.exec:\2240448.exe82⤵PID:3660
-
\??\c:\frfflll.exec:\frfflll.exe83⤵PID:2628
-
\??\c:\2648880.exec:\2648880.exe84⤵PID:4104
-
\??\c:\5fffxff.exec:\5fffxff.exe85⤵PID:2156
-
\??\c:\60640.exec:\60640.exe86⤵PID:208
-
\??\c:\lxxfrrl.exec:\lxxfrrl.exe87⤵PID:180
-
\??\c:\4020442.exec:\4020442.exe88⤵PID:792
-
\??\c:\1ddvp.exec:\1ddvp.exe89⤵PID:4840
-
\??\c:\246048.exec:\246048.exe90⤵PID:1680
-
\??\c:\bnhhbb.exec:\bnhhbb.exe91⤵PID:3696
-
\??\c:\u420600.exec:\u420600.exe92⤵PID:4316
-
\??\c:\rrxrllf.exec:\rrxrllf.exe93⤵PID:3632
-
\??\c:\8680202.exec:\8680202.exe94⤵PID:1972
-
\??\c:\vjjdv.exec:\vjjdv.exe95⤵PID:3288
-
\??\c:\g2426.exec:\g2426.exe96⤵PID:940
-
\??\c:\08022.exec:\08022.exe97⤵PID:5084
-
\??\c:\286202.exec:\286202.exe98⤵PID:2676
-
\??\c:\pppjj.exec:\pppjj.exe99⤵PID:2784
-
\??\c:\jpppj.exec:\jpppj.exe100⤵PID:4392
-
\??\c:\flrlffx.exec:\flrlffx.exe101⤵PID:3508
-
\??\c:\62482.exec:\62482.exe102⤵PID:3652
-
\??\c:\0826822.exec:\0826822.exe103⤵PID:1768
-
\??\c:\8060026.exec:\8060026.exe104⤵PID:3120
-
\??\c:\q84822.exec:\q84822.exe105⤵PID:4964
-
\??\c:\260022.exec:\260022.exe106⤵PID:4868
-
\??\c:\xxffllr.exec:\xxffllr.exe107⤵PID:2288
-
\??\c:\rrlfxxr.exec:\rrlfxxr.exe108⤵PID:4968
-
\??\c:\dvjdj.exec:\dvjdj.exe109⤵PID:4648
-
\??\c:\nnttbt.exec:\nnttbt.exe110⤵PID:4744
-
\??\c:\tnhntn.exec:\tnhntn.exe111⤵PID:2192
-
\??\c:\02802.exec:\02802.exe112⤵
- System Location Discovery: System Language Discovery
PID:1028 -
\??\c:\48800.exec:\48800.exe113⤵PID:4828
-
\??\c:\080000.exec:\080000.exe114⤵PID:3492
-
\??\c:\jdjvj.exec:\jdjvj.exe115⤵PID:5032
-
\??\c:\668600.exec:\668600.exe116⤵PID:5040
-
\??\c:\048608.exec:\048608.exe117⤵PID:3036
-
\??\c:\w28604.exec:\w28604.exe118⤵PID:4940
-
\??\c:\dvvdv.exec:\dvvdv.exe119⤵PID:3020
-
\??\c:\nbnbbt.exec:\nbnbbt.exe120⤵PID:4056
-
\??\c:\lxfxxfx.exec:\lxfxxfx.exe121⤵PID:1844
-
\??\c:\4424664.exec:\4424664.exe122⤵PID:904