Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 01:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe
-
Size
454KB
-
MD5
c15fcd440d061fc6fec6fc05d291b1bd
-
SHA1
63059d94c0aac27ca1b772e990feac14df86c717
-
SHA256
9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9
-
SHA512
258de746f0c3b94ca873aa7ae80c7ac9a816eb3210231286d0a277301e884f7f41aa1eb67e6d27f1a5c2c6c8ee78e949875ca14e578174fc5cf53bf0a89b8c74
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbem:q7Tc2NYHUrAwfMp3CDm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3996-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2516-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2388-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-771-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-972-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-1105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2232 u846864.exe 976 a8208.exe 4440 pdddd.exe 1832 i620048.exe 3524 hbthbt.exe 4572 688240.exe 1928 nbbtnn.exe 1780 k48860.exe 4476 jpdvj.exe 4568 0008486.exe 4512 k86404.exe 2012 ntnhth.exe 1884 5vpdj.exe 4816 3jdpd.exe 4488 8606060.exe 3804 6620886.exe 1764 3dpdj.exe 3808 u068686.exe 1172 2220826.exe 2116 g4080.exe 3980 04864.exe 3096 288260.exe 4888 6844620.exe 3376 22642.exe 1272 00640.exe 3984 84624.exe 748 0220264.exe 3904 i066666.exe 1412 rllxxff.exe 5016 hbhtht.exe 1676 9ppdp.exe 2924 htnbbn.exe 1760 pjpjj.exe 2516 xrxxffl.exe 4972 60004.exe 3012 484488.exe 1440 k22648.exe 3168 vpjdv.exe 4372 7rlfxrr.exe 3704 9hhbtn.exe 4904 rlllfff.exe 2416 c244882.exe 2868 080400.exe 4448 pjjdv.exe 4764 66260.exe 4412 m2266.exe 1748 3nnbtn.exe 2780 rrxxxxf.exe 1200 vvvvp.exe 2616 llrlrrx.exe 4348 840822.exe 3724 vjjdp.exe 1648 a0204.exe 456 882604.exe 976 6448222.exe 3568 bhbbtt.exe 2060 ntnhhh.exe 1148 7nbttt.exe 2712 8864882.exe 680 tnnnhh.exe 4128 i242660.exe 3700 xrrlfff.exe 2104 1btbtt.exe 4512 vddvv.exe -
resource yara_rule behavioral2/memory/3996-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3984-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-410-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4364-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-771-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-796-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4022660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i066600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4400004.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2264864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3996 wrote to memory of 2232 3996 9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe 83 PID 3996 wrote to memory of 2232 3996 9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe 83 PID 3996 wrote to memory of 2232 3996 9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe 83 PID 2232 wrote to memory of 976 2232 u846864.exe 138 PID 2232 wrote to memory of 976 2232 u846864.exe 138 PID 2232 wrote to memory of 976 2232 u846864.exe 138 PID 976 wrote to memory of 4440 976 a8208.exe 85 PID 976 wrote to memory of 4440 976 a8208.exe 85 PID 976 wrote to memory of 4440 976 a8208.exe 85 PID 4440 wrote to memory of 1832 4440 pdddd.exe 86 PID 4440 wrote to memory of 1832 4440 pdddd.exe 86 PID 4440 wrote to memory of 1832 4440 pdddd.exe 86 PID 1832 wrote to memory of 3524 1832 i620048.exe 87 PID 1832 wrote to memory of 3524 1832 i620048.exe 87 PID 1832 wrote to memory of 3524 1832 i620048.exe 87 PID 3524 wrote to memory of 4572 3524 hbthbt.exe 88 PID 3524 wrote to memory of 4572 3524 hbthbt.exe 88 PID 3524 wrote to memory of 4572 3524 hbthbt.exe 88 PID 4572 wrote to memory of 1928 4572 688240.exe 89 PID 4572 wrote to memory of 1928 4572 688240.exe 89 PID 4572 wrote to memory of 1928 4572 688240.exe 89 PID 1928 wrote to memory of 1780 1928 nbbtnn.exe 90 PID 1928 wrote to memory of 1780 1928 nbbtnn.exe 90 PID 1928 wrote to memory of 1780 1928 nbbtnn.exe 90 PID 1780 wrote to memory of 4476 1780 k48860.exe 91 PID 1780 wrote to memory of 4476 1780 k48860.exe 91 PID 1780 wrote to memory of 4476 1780 k48860.exe 91 PID 4476 wrote to memory of 4568 4476 jpdvj.exe 92 PID 4476 wrote to memory of 4568 4476 jpdvj.exe 92 PID 4476 wrote to memory of 4568 4476 jpdvj.exe 92 PID 4568 wrote to memory of 4512 4568 0008486.exe 93 PID 4568 wrote to memory of 4512 4568 0008486.exe 93 PID 4568 wrote to memory of 4512 4568 0008486.exe 93 PID 4512 wrote to memory of 2012 4512 k86404.exe 94 PID 4512 wrote to memory 
of 2012 4512 k86404.exe 94 PID 4512 wrote to memory of 2012 4512 k86404.exe 94 PID 2012 wrote to memory of 1884 2012 ntnhth.exe 95 PID 2012 wrote to memory of 1884 2012 ntnhth.exe 95 PID 2012 wrote to memory of 1884 2012 ntnhth.exe 95 PID 1884 wrote to memory of 4816 1884 5vpdj.exe 96 PID 1884 wrote to memory of 4816 1884 5vpdj.exe 96 PID 1884 wrote to memory of 4816 1884 5vpdj.exe 96 PID 4816 wrote to memory of 4488 4816 3jdpd.exe 97 PID 4816 wrote to memory of 4488 4816 3jdpd.exe 97 PID 4816 wrote to memory of 4488 4816 3jdpd.exe 97 PID 4488 wrote to memory of 3804 4488 8606060.exe 98 PID 4488 wrote to memory of 3804 4488 8606060.exe 98 PID 4488 wrote to memory of 3804 4488 8606060.exe 98 PID 3804 wrote to memory of 1764 3804 6620886.exe 99 PID 3804 wrote to memory of 1764 3804 6620886.exe 99 PID 3804 wrote to memory of 1764 3804 6620886.exe 99 PID 1764 wrote to memory of 3808 1764 3dpdj.exe 100 PID 1764 wrote to memory of 3808 1764 3dpdj.exe 100 PID 1764 wrote to memory of 3808 1764 3dpdj.exe 100 PID 3808 wrote to memory of 1172 3808 u068686.exe 101 PID 3808 wrote to memory of 1172 3808 u068686.exe 101 PID 3808 wrote to memory of 1172 3808 u068686.exe 101 PID 1172 wrote to memory of 2116 1172 2220826.exe 102 PID 1172 wrote to memory of 2116 1172 2220826.exe 102 PID 1172 wrote to memory of 2116 1172 2220826.exe 102 PID 2116 wrote to memory of 3980 2116 g4080.exe 103 PID 2116 wrote to memory of 3980 2116 g4080.exe 103 PID 2116 wrote to memory of 3980 2116 g4080.exe 103 PID 3980 wrote to memory of 3096 3980 04864.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe"C:\Users\Admin\AppData\Local\Temp\9b967274ca4cb7284decde8fad2c074ae65c5ec25331f6941194ff8b9b8a9ca9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\u846864.exec:\u846864.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\a8208.exec:\a8208.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\pdddd.exec:\pdddd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\i620048.exec:\i620048.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\hbthbt.exec:\hbthbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\688240.exec:\688240.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\nbbtnn.exec:\nbbtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\k48860.exec:\k48860.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\jpdvj.exec:\jpdvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\0008486.exec:\0008486.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\k86404.exec:\k86404.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\ntnhth.exec:\ntnhth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\5vpdj.exec:\5vpdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\3jdpd.exec:\3jdpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\8606060.exec:\8606060.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\6620886.exec:\6620886.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\3dpdj.exec:\3dpdj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\u068686.exec:\u068686.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\2220826.exec:\2220826.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\g4080.exec:\g4080.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\04864.exec:\04864.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\288260.exec:\288260.exe23⤵
- Executes dropped EXE
PID:3096 -
\??\c:\6844620.exec:\6844620.exe24⤵
- Executes dropped EXE
PID:4888 -
\??\c:\22642.exec:\22642.exe25⤵
- Executes dropped EXE
PID:3376 -
\??\c:\00640.exec:\00640.exe26⤵
- Executes dropped EXE
PID:1272 -
\??\c:\84624.exec:\84624.exe27⤵
- Executes dropped EXE
PID:3984 -
\??\c:\0220264.exec:\0220264.exe28⤵
- Executes dropped EXE
PID:748 -
\??\c:\i066666.exec:\i066666.exe29⤵
- Executes dropped EXE
PID:3904 -
\??\c:\rllxxff.exec:\rllxxff.exe30⤵
- Executes dropped EXE
PID:1412 -
\??\c:\hbhtht.exec:\hbhtht.exe31⤵
- Executes dropped EXE
PID:5016 -
\??\c:\9ppdp.exec:\9ppdp.exe32⤵
- Executes dropped EXE
PID:1676 -
\??\c:\htnbbn.exec:\htnbbn.exe33⤵
- Executes dropped EXE
PID:2924 -
\??\c:\pjpjj.exec:\pjpjj.exe34⤵
- Executes dropped EXE
PID:1760 -
\??\c:\xrxxffl.exec:\xrxxffl.exe35⤵
- Executes dropped EXE
PID:2516 -
\??\c:\60004.exec:\60004.exe36⤵
- Executes dropped EXE
PID:4972 -
\??\c:\484488.exec:\484488.exe37⤵
- Executes dropped EXE
PID:3012 -
\??\c:\k22648.exec:\k22648.exe38⤵
- Executes dropped EXE
PID:1440 -
\??\c:\vpjdv.exec:\vpjdv.exe39⤵
- Executes dropped EXE
PID:3168 -
\??\c:\7rlfxrr.exec:\7rlfxrr.exe40⤵
- Executes dropped EXE
PID:4372 -
\??\c:\9hhbtn.exec:\9hhbtn.exe41⤵
- Executes dropped EXE
PID:3704 -
\??\c:\rlllfff.exec:\rlllfff.exe42⤵
- Executes dropped EXE
PID:4904 -
\??\c:\c244882.exec:\c244882.exe43⤵
- Executes dropped EXE
PID:2416 -
\??\c:\080400.exec:\080400.exe44⤵
- Executes dropped EXE
PID:2868 -
\??\c:\pjjdv.exec:\pjjdv.exe45⤵
- Executes dropped EXE
PID:4448 -
\??\c:\66260.exec:\66260.exe46⤵
- Executes dropped EXE
PID:4764 -
\??\c:\m2266.exec:\m2266.exe47⤵
- Executes dropped EXE
PID:4412 -
\??\c:\3nnbtn.exec:\3nnbtn.exe48⤵
- Executes dropped EXE
PID:1748 -
\??\c:\rrxxxxf.exec:\rrxxxxf.exe49⤵
- Executes dropped EXE
PID:2780 -
\??\c:\vvvvp.exec:\vvvvp.exe50⤵
- Executes dropped EXE
PID:1200 -
\??\c:\llrlrrx.exec:\llrlrrx.exe51⤵
- Executes dropped EXE
PID:2616 -
\??\c:\vdjdv.exec:\vdjdv.exe52⤵PID:4364
-
\??\c:\840822.exec:\840822.exe53⤵
- Executes dropped EXE
PID:4348 -
\??\c:\vjjdp.exec:\vjjdp.exe54⤵
- Executes dropped EXE
PID:3724 -
\??\c:\a0204.exec:\a0204.exe55⤵
- Executes dropped EXE
PID:1648 -
\??\c:\882604.exec:\882604.exe56⤵
- Executes dropped EXE
PID:456 -
\??\c:\6448222.exec:\6448222.exe57⤵
- Executes dropped EXE
PID:976 -
\??\c:\bhbbtt.exec:\bhbbtt.exe58⤵
- Executes dropped EXE
PID:3568 -
\??\c:\ntnhhh.exec:\ntnhhh.exe59⤵
- Executes dropped EXE
PID:2060 -
\??\c:\7nbttt.exec:\7nbttt.exe60⤵
- Executes dropped EXE
PID:1148 -
\??\c:\8864882.exec:\8864882.exe61⤵
- Executes dropped EXE
PID:2712 -
\??\c:\tnnnhh.exec:\tnnnhh.exe62⤵
- Executes dropped EXE
PID:680 -
\??\c:\i242660.exec:\i242660.exe63⤵
- Executes dropped EXE
PID:4128 -
\??\c:\xrrlfff.exec:\xrrlfff.exe64⤵
- Executes dropped EXE
PID:3700 -
\??\c:\1btbtt.exec:\1btbtt.exe65⤵
- Executes dropped EXE
PID:2104 -
\??\c:\vddvv.exec:\vddvv.exe66⤵
- Executes dropped EXE
PID:4512 -
\??\c:\082084.exec:\082084.exe67⤵PID:2404
-
\??\c:\4844480.exec:\4844480.exe68⤵PID:4956
-
\??\c:\g4604.exec:\g4604.exe69⤵PID:3744
-
\??\c:\86602.exec:\86602.exe70⤵PID:968
-
\??\c:\66886.exec:\66886.exe71⤵PID:2904
-
\??\c:\200486.exec:\200486.exe72⤵PID:2844
-
\??\c:\xrfxlfx.exec:\xrfxlfx.exe73⤵PID:3808
-
\??\c:\84484.exec:\84484.exe74⤵PID:2240
-
\??\c:\864860.exec:\864860.exe75⤵PID:2856
-
\??\c:\c086860.exec:\c086860.exe76⤵PID:3608
-
\??\c:\2608208.exec:\2608208.exe77⤵PID:3896
-
\??\c:\xlrffxr.exec:\xlrffxr.exe78⤵PID:2472
-
\??\c:\00420.exec:\00420.exe79⤵PID:4152
-
\??\c:\2826482.exec:\2826482.exe80⤵PID:1028
-
\??\c:\xrxrrfl.exec:\xrxrrfl.exe81⤵PID:3984
-
\??\c:\dpjvj.exec:\dpjvj.exe82⤵PID:1412
-
\??\c:\6608042.exec:\6608042.exe83⤵PID:4652
-
\??\c:\20864.exec:\20864.exe84⤵PID:640
-
\??\c:\9jdvj.exec:\9jdvj.exe85⤵PID:2548
-
\??\c:\68622.exec:\68622.exe86⤵PID:4136
-
\??\c:\828640.exec:\828640.exe87⤵PID:2388
-
\??\c:\nbbnht.exec:\nbbnht.exe88⤵PID:3012
-
\??\c:\0482482.exec:\0482482.exe89⤵PID:912
-
\??\c:\5xxllll.exec:\5xxllll.exe90⤵PID:4372
-
\??\c:\40082.exec:\40082.exe91⤵PID:4596
-
\??\c:\btnhhb.exec:\btnhhb.exe92⤵PID:3240
-
\??\c:\m4046.exec:\m4046.exe93⤵PID:4532
-
\??\c:\860866.exec:\860866.exe94⤵PID:4592
-
\??\c:\bnbbtt.exec:\bnbbtt.exe95⤵PID:4140
-
\??\c:\g8642.exec:\g8642.exe96⤵PID:4124
-
\??\c:\vpddd.exec:\vpddd.exe97⤵PID:2224
-
\??\c:\pvjpp.exec:\pvjpp.exe98⤵PID:2836
-
\??\c:\lrrrfll.exec:\lrrrfll.exe99⤵PID:1200
-
\??\c:\rrffxxr.exec:\rrffxxr.exe100⤵PID:4668
-
\??\c:\vpjpj.exec:\vpjpj.exe101⤵PID:4364
-
\??\c:\60660.exec:\60660.exe102⤵PID:3724
-
\??\c:\2660444.exec:\2660444.exe103⤵PID:2220
-
\??\c:\xrrrrrf.exec:\xrrrrrf.exe104⤵PID:3016
-
\??\c:\dpppp.exec:\dpppp.exe105⤵PID:4040
-
\??\c:\hnbtth.exec:\hnbtth.exe106⤵PID:3636
-
\??\c:\dvvvp.exec:\dvvvp.exe107⤵PID:768
-
\??\c:\nnhhtt.exec:\nnhhtt.exe108⤵PID:1120
-
\??\c:\8682262.exec:\8682262.exe109⤵PID:2000
-
\??\c:\0882284.exec:\0882284.exe110⤵PID:800
-
\??\c:\ppddv.exec:\ppddv.exe111⤵PID:4408
-
\??\c:\242066.exec:\242066.exe112⤵PID:2644
-
\??\c:\046268.exec:\046268.exe113⤵PID:1548
-
\??\c:\5nbntt.exec:\5nbntt.exe114⤵PID:3760
-
\??\c:\5jdpd.exec:\5jdpd.exe115⤵PID:3044
-
\??\c:\lffxrrr.exec:\lffxrrr.exe116⤵PID:528
-
\??\c:\26266.exec:\26266.exe117⤵PID:1780
-
\??\c:\btthbb.exec:\btthbb.exe118⤵PID:3272
-
\??\c:\9bbtnn.exec:\9bbtnn.exe119⤵PID:1564
-
\??\c:\02822.exec:\02822.exe120⤵PID:1888
-
\??\c:\40400.exec:\40400.exe121⤵PID:2468
-
\??\c:\5hnhbb.exec:\5hnhbb.exe122⤵PID:548
-