Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 01:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1b4166f45bf54b83f39d13bfebeaaf6742773823f2ced23327eec8c02556fd58N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1b4166f45bf54b83f39d13bfebeaaf6742773823f2ced23327eec8c02556fd58N.exe
-
Size
454KB
-
MD5
ddf85624cd8a101cd2d1a48b51897450
-
SHA1
804d687027ac97fe4d96fb6593304718604d721e
-
SHA256
1b4166f45bf54b83f39d13bfebeaaf6742773823f2ced23327eec8c02556fd58
-
SHA512
fffa093e1ab13c2727207e05d6ce09825d09a5863d8217c7c193c6d4e19bd559f7a1f25c6f741d89c7df87f4dfcc76750255972bcc29c56a61f10e98cf715aeb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5116-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2124-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/400-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/784-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-882-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-955-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-1064-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3552-1086-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2684 thbbnh.exe 100 402082.exe 2816 08822.exe 3604 xfllffx.exe 3992 k62644.exe 1484 1ffxrxr.exe 4688 9ppjd.exe 4040 w60208.exe 1172 ttbnbt.exe 4768 3xxfflf.exe 216 640004.exe 4712 26864.exe 5084 hntnhn.exe 2176 062666.exe 2952 84048.exe 1856 dvpjj.exe 4716 u664860.exe 4376 668608.exe 2260 vjppj.exe 4956 c660482.exe 916 64040.exe 4848 xlrlfff.exe 2992 406004.exe 1032 1jddv.exe 4328 80604.exe 4632 0646402.exe 4408 bhbnth.exe 3328 dvjdp.exe 2928 0026004.exe 4488 8660444.exe 3416 9tnhbb.exe 4900 c064880.exe 1756 1jddv.exe 2752 006048.exe 1904 7vvpj.exe 708 044866.exe 3372 rrllffx.exe 1548 ttbtnn.exe 1048 422866.exe 2240 hbbthb.exe 632 88082.exe 3528 u226444.exe 1040 dpjdj.exe 1764 bhnntt.exe 3576 9bhntt.exe 4032 fflfffl.exe 336 26484.exe 1876 u404826.exe 1144 bhhbtn.exe 4448 5tnnhh.exe 4700 k28260.exe 2156 xrrlxrl.exe 3424 w40482.exe 2124 htbtnn.exe 4888 bttnbb.exe 2700 06482.exe 3940 fxffffl.exe 4464 tttnhb.exe 4172 42260.exe 2280 tbhbnn.exe 4620 dpvpj.exe 4048 888266.exe 1188 86426.exe 3972 nbbhbh.exe -
resource yara_rule behavioral2/memory/5116-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-264-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2156-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4336-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/784-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-882-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8886486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
02844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2684260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pppd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppvv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5116 wrote to memory of 2684 5116 1b4166f45bf54b83f39d13bfebeaaf6742773823f2ced23327eec8c02556fd58N.exe 85 PID 5116 wrote to memory of 2684 5116 1b4166f45bf54b83f39d13bfebeaaf6742773823f2ced23327eec8c02556fd58N.exe 85 PID 5116 wrote to memory of 2684 5116 1b4166f45bf54b83f39d13bfebeaaf6742773823f2ced23327eec8c02556fd58N.exe 85 PID 2684 wrote to memory of 100 2684 thbbnh.exe 86 PID 2684 wrote to memory of 100 2684 thbbnh.exe 86 PID 2684 wrote to memory of 100 2684 thbbnh.exe 86 PID 100 wrote to memory of 2816 100 402082.exe 87 PID 100 wrote to memory of 2816 100 402082.exe 87 PID 100 wrote to memory of 2816 100 402082.exe 87 PID 2816 wrote to memory of 3604 2816 08822.exe 88 PID 2816 wrote to memory of 3604 2816 08822.exe 88 PID 2816 wrote to memory of 3604 2816 08822.exe 88 PID 3604 wrote to memory of 3992 3604 xfllffx.exe 89 PID 3604 wrote to memory of 3992 3604 xfllffx.exe 89 PID 3604 wrote to memory of 3992 3604 xfllffx.exe 89 PID 3992 wrote to memory of 1484 3992 k62644.exe 90 PID 3992 wrote to memory of 1484 3992 k62644.exe 90 PID 3992 wrote to memory of 1484 3992 k62644.exe 90 PID 1484 wrote to memory of 4688 1484 1ffxrxr.exe 91 PID 1484 wrote to memory of 4688 1484 1ffxrxr.exe 91 PID 1484 wrote to memory of 4688 1484 1ffxrxr.exe 91 PID 4688 wrote to memory of 4040 4688 9ppjd.exe 92 PID 4688 wrote to memory of 4040 4688 9ppjd.exe 92 PID 4688 wrote to memory of 4040 4688 9ppjd.exe 92 PID 4040 wrote to memory of 1172 4040 w60208.exe 149 PID 4040 wrote to memory of 1172 4040 w60208.exe 149 PID 4040 wrote to memory of 1172 4040 w60208.exe 149 PID 1172 wrote to memory of 4768 1172 ttbnbt.exe 94 PID 1172 wrote to memory of 4768 1172 ttbnbt.exe 94 PID 1172 wrote to memory of 4768 1172 ttbnbt.exe 94 PID 4768 wrote to memory of 216 4768 3xxfflf.exe 95 PID 4768 wrote to memory of 216 4768 3xxfflf.exe 95 PID 4768 wrote to memory of 216 4768 3xxfflf.exe 95 PID 216 wrote to memory of 4712 216 640004.exe 96 PID 216 wrote to memory 
of 4712 216 640004.exe 96 PID 216 wrote to memory of 4712 216 640004.exe 96 PID 4712 wrote to memory of 5084 4712 26864.exe 97 PID 4712 wrote to memory of 5084 4712 26864.exe 97 PID 4712 wrote to memory of 5084 4712 26864.exe 97 PID 5084 wrote to memory of 2176 5084 hntnhn.exe 98 PID 5084 wrote to memory of 2176 5084 hntnhn.exe 98 PID 5084 wrote to memory of 2176 5084 hntnhn.exe 98 PID 2176 wrote to memory of 2952 2176 062666.exe 99 PID 2176 wrote to memory of 2952 2176 062666.exe 99 PID 2176 wrote to memory of 2952 2176 062666.exe 99 PID 2952 wrote to memory of 1856 2952 84048.exe 100 PID 2952 wrote to memory of 1856 2952 84048.exe 100 PID 2952 wrote to memory of 1856 2952 84048.exe 100 PID 1856 wrote to memory of 4716 1856 dvpjj.exe 101 PID 1856 wrote to memory of 4716 1856 dvpjj.exe 101 PID 1856 wrote to memory of 4716 1856 dvpjj.exe 101 PID 4716 wrote to memory of 4376 4716 u664860.exe 102 PID 4716 wrote to memory of 4376 4716 u664860.exe 102 PID 4716 wrote to memory of 4376 4716 u664860.exe 102 PID 4376 wrote to memory of 2260 4376 668608.exe 103 PID 4376 wrote to memory of 2260 4376 668608.exe 103 PID 4376 wrote to memory of 2260 4376 668608.exe 103 PID 2260 wrote to memory of 4956 2260 vjppj.exe 104 PID 2260 wrote to memory of 4956 2260 vjppj.exe 104 PID 2260 wrote to memory of 4956 2260 vjppj.exe 104 PID 4956 wrote to memory of 916 4956 c660482.exe 105 PID 4956 wrote to memory of 916 4956 c660482.exe 105 PID 4956 wrote to memory of 916 4956 c660482.exe 105 PID 916 wrote to memory of 4848 916 64040.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b4166f45bf54b83f39d13bfebeaaf6742773823f2ced23327eec8c02556fd58N.exe"C:\Users\Admin\AppData\Local\Temp\1b4166f45bf54b83f39d13bfebeaaf6742773823f2ced23327eec8c02556fd58N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\thbbnh.exec:\thbbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\402082.exec:\402082.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\08822.exec:\08822.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\xfllffx.exec:\xfllffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\k62644.exec:\k62644.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\1ffxrxr.exec:\1ffxrxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\9ppjd.exec:\9ppjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\w60208.exec:\w60208.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\ttbnbt.exec:\ttbnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\3xxfflf.exec:\3xxfflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\640004.exec:\640004.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\26864.exec:\26864.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\hntnhn.exec:\hntnhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\062666.exec:\062666.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\84048.exec:\84048.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\dvpjj.exec:\dvpjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\u664860.exec:\u664860.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\668608.exec:\668608.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\vjppj.exec:\vjppj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\c660482.exec:\c660482.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\64040.exec:\64040.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\xlrlfff.exec:\xlrlfff.exe23⤵
- Executes dropped EXE
PID:4848 -
\??\c:\406004.exec:\406004.exe24⤵
- Executes dropped EXE
PID:2992 -
\??\c:\1jddv.exec:\1jddv.exe25⤵
- Executes dropped EXE
PID:1032 -
\??\c:\80604.exec:\80604.exe26⤵
- Executes dropped EXE
PID:4328 -
\??\c:\0646402.exec:\0646402.exe27⤵
- Executes dropped EXE
PID:4632 -
\??\c:\bhbnth.exec:\bhbnth.exe28⤵
- Executes dropped EXE
PID:4408 -
\??\c:\dvjdp.exec:\dvjdp.exe29⤵
- Executes dropped EXE
PID:3328 -
\??\c:\0026004.exec:\0026004.exe30⤵
- Executes dropped EXE
PID:2928 -
\??\c:\8660444.exec:\8660444.exe31⤵
- Executes dropped EXE
PID:4488 -
\??\c:\9tnhbb.exec:\9tnhbb.exe32⤵
- Executes dropped EXE
PID:3416 -
\??\c:\c064880.exec:\c064880.exe33⤵
- Executes dropped EXE
PID:4900 -
\??\c:\1jddv.exec:\1jddv.exe34⤵
- Executes dropped EXE
PID:1756 -
\??\c:\006048.exec:\006048.exe35⤵
- Executes dropped EXE
PID:2752 -
\??\c:\7vvpj.exec:\7vvpj.exe36⤵
- Executes dropped EXE
PID:1904 -
\??\c:\044866.exec:\044866.exe37⤵
- Executes dropped EXE
PID:708 -
\??\c:\rrllffx.exec:\rrllffx.exe38⤵
- Executes dropped EXE
PID:3372 -
\??\c:\ttbtnn.exec:\ttbtnn.exe39⤵
- Executes dropped EXE
PID:1548 -
\??\c:\422866.exec:\422866.exe40⤵
- Executes dropped EXE
PID:1048 -
\??\c:\hbbthb.exec:\hbbthb.exe41⤵
- Executes dropped EXE
PID:2240 -
\??\c:\88082.exec:\88082.exe42⤵
- Executes dropped EXE
PID:632 -
\??\c:\u226444.exec:\u226444.exe43⤵
- Executes dropped EXE
PID:3528 -
\??\c:\dpjdj.exec:\dpjdj.exe44⤵
- Executes dropped EXE
PID:1040 -
\??\c:\bhnntt.exec:\bhnntt.exe45⤵
- Executes dropped EXE
PID:1764 -
\??\c:\9bhntt.exec:\9bhntt.exe46⤵
- Executes dropped EXE
PID:3576 -
\??\c:\fflfffl.exec:\fflfffl.exe47⤵
- Executes dropped EXE
PID:4032 -
\??\c:\26484.exec:\26484.exe48⤵
- Executes dropped EXE
PID:336 -
\??\c:\u404826.exec:\u404826.exe49⤵
- Executes dropped EXE
PID:1876 -
\??\c:\bhhbtn.exec:\bhhbtn.exe50⤵
- Executes dropped EXE
PID:1144 -
\??\c:\5tnnhh.exec:\5tnnhh.exe51⤵
- Executes dropped EXE
PID:4448 -
\??\c:\k28260.exec:\k28260.exe52⤵
- Executes dropped EXE
PID:4700 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe53⤵
- Executes dropped EXE
PID:2156 -
\??\c:\w40482.exec:\w40482.exe54⤵
- Executes dropped EXE
PID:3424 -
\??\c:\htbtnn.exec:\htbtnn.exe55⤵
- Executes dropped EXE
PID:2124 -
\??\c:\bttnbb.exec:\bttnbb.exe56⤵
- Executes dropped EXE
PID:4888 -
\??\c:\06482.exec:\06482.exe57⤵
- Executes dropped EXE
PID:2700 -
\??\c:\fxffffl.exec:\fxffffl.exe58⤵
- Executes dropped EXE
PID:3940 -
\??\c:\tttnhb.exec:\tttnhb.exe59⤵
- Executes dropped EXE
PID:4464 -
\??\c:\42260.exec:\42260.exe60⤵
- Executes dropped EXE
PID:4172 -
\??\c:\tbhbnn.exec:\tbhbnn.exe61⤵
- Executes dropped EXE
PID:2280 -
\??\c:\dpvpj.exec:\dpvpj.exe62⤵
- Executes dropped EXE
PID:4620 -
\??\c:\888266.exec:\888266.exe63⤵
- Executes dropped EXE
PID:4048 -
\??\c:\86426.exec:\86426.exe64⤵
- Executes dropped EXE
PID:1188 -
\??\c:\nbbhbh.exec:\nbbhbh.exe65⤵
- Executes dropped EXE
PID:3972 -
\??\c:\5lfxxlf.exec:\5lfxxlf.exe66⤵PID:1172
-
\??\c:\244488.exec:\244488.exe67⤵PID:2932
-
\??\c:\20262.exec:\20262.exe68⤵PID:348
-
\??\c:\4240448.exec:\4240448.exe69⤵PID:4576
-
\??\c:\llrflff.exec:\llrflff.exe70⤵PID:2664
-
\??\c:\7pdvj.exec:\7pdvj.exe71⤵PID:400
-
\??\c:\1jdvd.exec:\1jdvd.exe72⤵PID:2384
-
\??\c:\06866.exec:\06866.exe73⤵PID:3440
-
\??\c:\rffrfrl.exec:\rffrfrl.exe74⤵PID:4716
-
\??\c:\w44860.exec:\w44860.exe75⤵PID:4216
-
\??\c:\rlxxlrf.exec:\rlxxlrf.exe76⤵PID:1328
-
\??\c:\624828.exec:\624828.exe77⤵PID:4792
-
\??\c:\64864.exec:\64864.exe78⤵PID:4376
-
\??\c:\5bbnnh.exec:\5bbnnh.exe79⤵PID:1056
-
\??\c:\m2664.exec:\m2664.exe80⤵PID:2556
-
\??\c:\fllxlff.exec:\fllxlff.exe81⤵PID:1784
-
\??\c:\1vpvp.exec:\1vpvp.exe82⤵PID:4840
-
\??\c:\8886486.exec:\8886486.exe83⤵
- System Location Discovery: System Language Discovery
PID:4632 -
\??\c:\vjddp.exec:\vjddp.exe84⤵PID:4420
-
\??\c:\o286206.exec:\o286206.exe85⤵PID:4144
-
\??\c:\c682606.exec:\c682606.exe86⤵PID:4380
-
\??\c:\8666422.exec:\8666422.exe87⤵PID:4336
-
\??\c:\s8002.exec:\s8002.exe88⤵
- System Location Discovery: System Language Discovery
PID:1212 -
\??\c:\e86428.exec:\e86428.exe89⤵PID:4720
-
\??\c:\i466000.exec:\i466000.exe90⤵PID:4788
-
\??\c:\vvpdp.exec:\vvpdp.exe91⤵PID:4156
-
\??\c:\fxrlrlf.exec:\fxrlrlf.exe92⤵PID:3548
-
\??\c:\lrrfxlf.exec:\lrrfxlf.exe93⤵PID:2228
-
\??\c:\bhbnnh.exec:\bhbnnh.exe94⤵PID:3256
-
\??\c:\084866.exec:\084866.exe95⤵PID:632
-
\??\c:\flrxlxl.exec:\flrxlxl.exe96⤵PID:4584
-
\??\c:\xffrffx.exec:\xffrffx.exe97⤵PID:2660
-
\??\c:\o668208.exec:\o668208.exe98⤵PID:3112
-
\??\c:\fxrfxlf.exec:\fxrfxlf.exe99⤵PID:1844
-
\??\c:\022420.exec:\022420.exe100⤵PID:2608
-
\??\c:\42208.exec:\42208.exe101⤵PID:3912
-
\??\c:\028404.exec:\028404.exe102⤵PID:1876
-
\??\c:\7bhnht.exec:\7bhnht.exe103⤵PID:4984
-
\??\c:\nnbnbt.exec:\nnbnbt.exe104⤵PID:4784
-
\??\c:\8268860.exec:\8268860.exe105⤵PID:8
-
\??\c:\pjdpd.exec:\pjdpd.exe106⤵PID:428
-
\??\c:\6826000.exec:\6826000.exe107⤵PID:4832
-
\??\c:\062604.exec:\062604.exe108⤵PID:3068
-
\??\c:\xrrrlff.exec:\xrrrlff.exe109⤵PID:4836
-
\??\c:\204064.exec:\204064.exe110⤵PID:2032
-
\??\c:\422602.exec:\422602.exe111⤵PID:2700
-
\??\c:\vpjpd.exec:\vpjpd.exe112⤵PID:3604
-
\??\c:\flrxlfr.exec:\flrxlfr.exe113⤵PID:3376
-
\??\c:\vvpdp.exec:\vvpdp.exe114⤵PID:1884
-
\??\c:\hbbtbt.exec:\hbbtbt.exe115⤵PID:2204
-
\??\c:\pppjv.exec:\pppjv.exe116⤵PID:4464
-
\??\c:\dpvjp.exec:\dpvjp.exe117⤵PID:3600
-
\??\c:\68462.exec:\68462.exe118⤵PID:4444
-
\??\c:\88864.exec:\88864.exe119⤵PID:2872
-
\??\c:\bnhtbt.exec:\bnhtbt.exe120⤵PID:3752
-
\??\c:\848024.exec:\848024.exe121⤵PID:3196
-
\??\c:\pjdpd.exec:\pjdpd.exe122⤵PID:432