Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 20:15
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
1696f45b85f9c29e345bc537fc993158bb8f56aec0612bceea992a83c2e9dad9N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1696f45b85f9c29e345bc537fc993158bb8f56aec0612bceea992a83c2e9dad9N.exe
-
Size
453KB
-
MD5
c967468cfd5fff190a6403e77fd7fa20
-
SHA1
eff7cd140a0e66ccfe3cd264f869af2319130757
-
SHA256
1696f45b85f9c29e345bc537fc993158bb8f56aec0612bceea992a83c2e9dad9
-
SHA512
e21cdbddf22c57ea56374a277bea313f0b1d25ddc0f7356ae107359dc97bbf171288ac35e3227415214b1431e915c07deb45dd76d208c6ad90f4005f739bf141
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (every hit below is on a memory dump of the mapped image region 0x400000-0x42A000 of a running process, not on the file on disk; the same regions also match the upx rule further down, so the family match is presumably being made against the unpacked in-memory code)
resource yara_rule behavioral2/memory/2476-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2116-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4596-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-1140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-1315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-1427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-1823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing is capped at 64 entries; the process tree below shows the chain continuing well past that, so this table is not a complete inventory of the dropped files)
pid Process 468 lrxrlfx.exe 1556 s0048.exe 3696 htttnh.exe 1304 jjjdd.exe 4876 1nnhbh.exe 2152 02226.exe 2776 lfxxrxr.exe 1600 48040.exe 3476 086482.exe 2096 pjdvp.exe 2848 42488.exe 3120 xllfrrf.exe 60 8626268.exe 1512 k48660.exe 4912 428626.exe 1856 86048.exe 4836 6460444.exe 4568 468268.exe 4904 48486.exe 180 thbthb.exe 1132 06840.exe 2016 3tnbnh.exe 2740 688042.exe 708 8048484.exe 4932 8486064.exe 4188 jdpjd.exe 4048 482282.exe 4316 64486.exe 2116 6448440.exe 3892 jpjdp.exe 888 5ddvv.exe 3988 84204.exe 3324 08226.exe 1576 9jdpj.exe 852 nbnhbt.exe 3084 ttthth.exe 1976 bbhbtt.exe 3808 k40608.exe 4416 5rlrlfl.exe 4972 e22260.exe 4736 46266.exe 4788 480400.exe 4652 djdpj.exe 2324 7lllflf.exe 1932 u048664.exe 4212 8422666.exe 4992 228642.exe 1844 thhbhb.exe 1340 6460000.exe 3080 5bbhbb.exe 4592 bhbbtn.exe 2908 80284.exe 2140 jjjvp.exe 3944 2408888.exe 1556 868666.exe 1772 htnhtt.exe 5004 40648.exe 4028 084848.exe 3720 o488626.exe 4116 o284826.exe 4036 hbhbhh.exe 872 q04086.exe 1416 064400.exe 2024 lfxrrxx.exe -
resource yara_rule behavioral2/memory/2476-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3988-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3412-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-1140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-1315-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that the key involved (HKLM\SYSTEM\ControlSet001\Control\NLS\Language) is also read by ordinary locale lookups, so on its own this is a low-fidelity indicator; treat it as supporting context for the family detection above rather than as a standalone detection. Many entries below are attributed to "Process not Found", i.e. the sandbox could not tie the key access to a tracked process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q40048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0444482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4600860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6486484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6426482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e28864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each link of the chain writes into the memory of the child it has just spawned — three writes per child are logged — so the parent→child relationship in this table mirrors the process tree below; like the other tables it is capped at 64 entries)
description pid Process procid_target PID 2476 wrote to memory of 468 2476 1696f45b85f9c29e345bc537fc993158bb8f56aec0612bceea992a83c2e9dad9N.exe 83 PID 2476 wrote to memory of 468 2476 1696f45b85f9c29e345bc537fc993158bb8f56aec0612bceea992a83c2e9dad9N.exe 83 PID 2476 wrote to memory of 468 2476 1696f45b85f9c29e345bc537fc993158bb8f56aec0612bceea992a83c2e9dad9N.exe 83 PID 468 wrote to memory of 1556 468 lrxrlfx.exe 84 PID 468 wrote to memory of 1556 468 lrxrlfx.exe 84 PID 468 wrote to memory of 1556 468 lrxrlfx.exe 84 PID 1556 wrote to memory of 3696 1556 s0048.exe 85 PID 1556 wrote to memory of 3696 1556 s0048.exe 85 PID 1556 wrote to memory of 3696 1556 s0048.exe 85 PID 3696 wrote to memory of 1304 3696 htttnh.exe 86 PID 3696 wrote to memory of 1304 3696 htttnh.exe 86 PID 3696 wrote to memory of 1304 3696 htttnh.exe 86 PID 1304 wrote to memory of 4876 1304 jjjdd.exe 87 PID 1304 wrote to memory of 4876 1304 jjjdd.exe 87 PID 1304 wrote to memory of 4876 1304 jjjdd.exe 87 PID 4876 wrote to memory of 2152 4876 1nnhbh.exe 88 PID 4876 wrote to memory of 2152 4876 1nnhbh.exe 88 PID 4876 wrote to memory of 2152 4876 1nnhbh.exe 88 PID 2152 wrote to memory of 2776 2152 02226.exe 89 PID 2152 wrote to memory of 2776 2152 02226.exe 89 PID 2152 wrote to memory of 2776 2152 02226.exe 89 PID 2776 wrote to memory of 1600 2776 lfxxrxr.exe 90 PID 2776 wrote to memory of 1600 2776 lfxxrxr.exe 90 PID 2776 wrote to memory of 1600 2776 lfxxrxr.exe 90 PID 1600 wrote to memory of 3476 1600 48040.exe 91 PID 1600 wrote to memory of 3476 1600 48040.exe 91 PID 1600 wrote to memory of 3476 1600 48040.exe 91 PID 3476 wrote to memory of 2096 3476 086482.exe 92 PID 3476 wrote to memory of 2096 3476 086482.exe 92 PID 3476 wrote to memory of 2096 3476 086482.exe 92 PID 2096 wrote to memory of 2848 2096 pjdvp.exe 93 PID 2096 wrote to memory of 2848 2096 pjdvp.exe 93 PID 2096 wrote to memory of 2848 2096 pjdvp.exe 93 PID 2848 wrote to memory of 3120 2848 42488.exe 94 PID 2848 wrote to memory of 3120 
2848 42488.exe 94 PID 2848 wrote to memory of 3120 2848 42488.exe 94 PID 3120 wrote to memory of 60 3120 xllfrrf.exe 95 PID 3120 wrote to memory of 60 3120 xllfrrf.exe 95 PID 3120 wrote to memory of 60 3120 xllfrrf.exe 95 PID 60 wrote to memory of 1512 60 8626268.exe 96 PID 60 wrote to memory of 1512 60 8626268.exe 96 PID 60 wrote to memory of 1512 60 8626268.exe 96 PID 1512 wrote to memory of 4912 1512 k48660.exe 97 PID 1512 wrote to memory of 4912 1512 k48660.exe 97 PID 1512 wrote to memory of 4912 1512 k48660.exe 97 PID 4912 wrote to memory of 1856 4912 428626.exe 98 PID 4912 wrote to memory of 1856 4912 428626.exe 98 PID 4912 wrote to memory of 1856 4912 428626.exe 98 PID 1856 wrote to memory of 4836 1856 86048.exe 99 PID 1856 wrote to memory of 4836 1856 86048.exe 99 PID 1856 wrote to memory of 4836 1856 86048.exe 99 PID 4836 wrote to memory of 4568 4836 6460444.exe 100 PID 4836 wrote to memory of 4568 4836 6460444.exe 100 PID 4836 wrote to memory of 4568 4836 6460444.exe 100 PID 4568 wrote to memory of 4904 4568 468268.exe 101 PID 4568 wrote to memory of 4904 4568 468268.exe 101 PID 4568 wrote to memory of 4904 4568 468268.exe 101 PID 4904 wrote to memory of 180 4904 48486.exe 102 PID 4904 wrote to memory of 180 4904 48486.exe 102 PID 4904 wrote to memory of 180 4904 48486.exe 102 PID 180 wrote to memory of 1132 180 thbthb.exe 103 PID 180 wrote to memory of 1132 180 thbthb.exe 103 PID 180 wrote to memory of 1132 180 thbthb.exe 103 PID 1132 wrote to memory of 2016 1132 06840.exe 104
Processes (process tree: each dropped executable is written to the root of C:\ and in turn launches the next one, over a hundred levels deep; note that PIDs such as 3120, 180, 2476 and 468 are reused further down the tree, so when correlating with the memory-dump entries above use the PID together with the dump's sequence number, not the PID alone)
-
C:\Users\Admin\AppData\Local\Temp\1696f45b85f9c29e345bc537fc993158bb8f56aec0612bceea992a83c2e9dad9N.exe"C:\Users\Admin\AppData\Local\Temp\1696f45b85f9c29e345bc537fc993158bb8f56aec0612bceea992a83c2e9dad9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\lrxrlfx.exec:\lrxrlfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\s0048.exec:\s0048.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\htttnh.exec:\htttnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\jjjdd.exec:\jjjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\1nnhbh.exec:\1nnhbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\02226.exec:\02226.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\lfxxrxr.exec:\lfxxrxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\48040.exec:\48040.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\086482.exec:\086482.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\pjdvp.exec:\pjdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\42488.exec:\42488.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\xllfrrf.exec:\xllfrrf.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\8626268.exec:\8626268.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\k48660.exec:\k48660.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\428626.exec:\428626.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\86048.exec:\86048.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\6460444.exec:\6460444.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\468268.exec:\468268.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\48486.exec:\48486.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\thbthb.exec:\thbthb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
\??\c:\06840.exec:\06840.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\3tnbnh.exec:\3tnbnh.exe23⤵
- Executes dropped EXE
PID:2016 -
\??\c:\688042.exec:\688042.exe24⤵
- Executes dropped EXE
PID:2740 -
\??\c:\8048484.exec:\8048484.exe25⤵
- Executes dropped EXE
PID:708 -
\??\c:\8486064.exec:\8486064.exe26⤵
- Executes dropped EXE
PID:4932 -
\??\c:\jdpjd.exec:\jdpjd.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4188 -
\??\c:\482282.exec:\482282.exe28⤵
- Executes dropped EXE
PID:4048 -
\??\c:\64486.exec:\64486.exe29⤵
- Executes dropped EXE
PID:4316 -
\??\c:\6448440.exec:\6448440.exe30⤵
- Executes dropped EXE
PID:2116 -
\??\c:\jpjdp.exec:\jpjdp.exe31⤵
- Executes dropped EXE
PID:3892 -
\??\c:\5ddvv.exec:\5ddvv.exe32⤵
- Executes dropped EXE
PID:888 -
\??\c:\84204.exec:\84204.exe33⤵
- Executes dropped EXE
PID:3988 -
\??\c:\08226.exec:\08226.exe34⤵
- Executes dropped EXE
PID:3324 -
\??\c:\9jdpj.exec:\9jdpj.exe35⤵
- Executes dropped EXE
PID:1576 -
\??\c:\nbnhbt.exec:\nbnhbt.exe36⤵
- Executes dropped EXE
PID:852 -
\??\c:\ttthth.exec:\ttthth.exe37⤵
- Executes dropped EXE
PID:3084 -
\??\c:\bbhbtt.exec:\bbhbtt.exe38⤵
- Executes dropped EXE
PID:1976 -
\??\c:\k40608.exec:\k40608.exe39⤵
- Executes dropped EXE
PID:3808 -
\??\c:\5rlrlfl.exec:\5rlrlfl.exe40⤵
- Executes dropped EXE
PID:4416 -
\??\c:\e22260.exec:\e22260.exe41⤵
- Executes dropped EXE
PID:4972 -
\??\c:\46266.exec:\46266.exe42⤵
- Executes dropped EXE
PID:4736 -
\??\c:\480400.exec:\480400.exe43⤵
- Executes dropped EXE
PID:4788 -
\??\c:\djdpj.exec:\djdpj.exe44⤵
- Executes dropped EXE
PID:4652 -
\??\c:\7lllflf.exec:\7lllflf.exe45⤵
- Executes dropped EXE
PID:2324 -
\??\c:\u048664.exec:\u048664.exe46⤵
- Executes dropped EXE
PID:1932 -
\??\c:\8422666.exec:\8422666.exe47⤵
- Executes dropped EXE
PID:4212 -
\??\c:\228642.exec:\228642.exe48⤵
- Executes dropped EXE
PID:4992 -
\??\c:\thhbhb.exec:\thhbhb.exe49⤵
- Executes dropped EXE
PID:1844 -
\??\c:\6460000.exec:\6460000.exe50⤵
- Executes dropped EXE
PID:1340 -
\??\c:\5bbhbb.exec:\5bbhbb.exe51⤵
- Executes dropped EXE
PID:3080 -
\??\c:\bhbbtn.exec:\bhbbtn.exe52⤵
- Executes dropped EXE
PID:4592 -
\??\c:\80284.exec:\80284.exe53⤵
- Executes dropped EXE
PID:2908 -
\??\c:\jjjvp.exec:\jjjvp.exe54⤵
- Executes dropped EXE
PID:2140 -
\??\c:\2408888.exec:\2408888.exe55⤵
- Executes dropped EXE
PID:3944 -
\??\c:\868666.exec:\868666.exe56⤵
- Executes dropped EXE
PID:1556 -
\??\c:\htnhtt.exec:\htnhtt.exe57⤵
- Executes dropped EXE
PID:1772 -
\??\c:\40648.exec:\40648.exe58⤵
- Executes dropped EXE
PID:5004 -
\??\c:\084848.exec:\084848.exe59⤵
- Executes dropped EXE
PID:4028 -
\??\c:\o488626.exec:\o488626.exe60⤵
- Executes dropped EXE
PID:3720 -
\??\c:\o284826.exec:\o284826.exe61⤵
- Executes dropped EXE
PID:4116 -
\??\c:\hbhbhh.exec:\hbhbhh.exe62⤵
- Executes dropped EXE
PID:4036 -
\??\c:\q04086.exec:\q04086.exe63⤵
- Executes dropped EXE
PID:872 -
\??\c:\064400.exec:\064400.exe64⤵
- Executes dropped EXE
PID:1416 -
\??\c:\lfxrrxx.exec:\lfxrrxx.exe65⤵
- Executes dropped EXE
PID:2024 -
\??\c:\i260048.exec:\i260048.exe66⤵PID:4508
-
\??\c:\hnnbnb.exec:\hnnbnb.exe67⤵PID:4520
-
\??\c:\nbhbth.exec:\nbhbth.exe68⤵PID:3052
-
\??\c:\5hhtnh.exec:\5hhtnh.exe69⤵PID:3424
-
\??\c:\u066628.exec:\u066628.exe70⤵PID:3120
-
\??\c:\0822008.exec:\0822008.exe71⤵PID:2000
-
\??\c:\7bbthn.exec:\7bbthn.exe72⤵PID:4464
-
\??\c:\6426482.exec:\6426482.exe73⤵
- System Location Discovery: System Language Discovery
PID:1376 -
\??\c:\7flffxl.exec:\7flffxl.exe74⤵PID:1076
-
\??\c:\824004.exec:\824004.exe75⤵PID:1604
-
\??\c:\c004880.exec:\c004880.exe76⤵PID:1872
-
\??\c:\xxxrxrl.exec:\xxxrxrl.exe77⤵PID:3076
-
\??\c:\04668.exec:\04668.exe78⤵PID:4596
-
\??\c:\8260222.exec:\8260222.exe79⤵PID:2928
-
\??\c:\8080268.exec:\8080268.exe80⤵PID:180
-
\??\c:\6882226.exec:\6882226.exe81⤵PID:2660
-
\??\c:\vpjdd.exec:\vpjdd.exe82⤵PID:3400
-
\??\c:\1nhbhh.exec:\1nhbhh.exe83⤵PID:1560
-
\??\c:\m4408.exec:\m4408.exe84⤵
- System Location Discovery: System Language Discovery
PID:1140 -
\??\c:\4844222.exec:\4844222.exe85⤵PID:1220
-
\??\c:\86282.exec:\86282.exe86⤵PID:4692
-
\??\c:\ththhn.exec:\ththhn.exe87⤵PID:4648
-
\??\c:\o666048.exec:\o666048.exe88⤵PID:4516
-
\??\c:\rxxlflx.exec:\rxxlflx.exe89⤵PID:4316
-
\??\c:\jvvpj.exec:\jvvpj.exe90⤵PID:2628
-
\??\c:\860048.exec:\860048.exe91⤵PID:5080
-
\??\c:\k84444.exec:\k84444.exe92⤵PID:5048
-
\??\c:\k28666.exec:\k28666.exe93⤵PID:4380
-
\??\c:\fxxrlfr.exec:\fxxrlfr.exe94⤵PID:2012
-
\??\c:\u082622.exec:\u082622.exe95⤵PID:760
-
\??\c:\26402.exec:\26402.exe96⤵PID:852
-
\??\c:\pppjd.exec:\pppjd.exe97⤵PID:2364
-
\??\c:\vdjjd.exec:\vdjjd.exe98⤵PID:3412
-
\??\c:\m8404.exec:\m8404.exe99⤵PID:3996
-
\??\c:\bnbtbb.exec:\bnbtbb.exe100⤵PID:1164
-
\??\c:\5lrlfxl.exec:\5lrlfxl.exe101⤵PID:3340
-
\??\c:\2442244.exec:\2442244.exe102⤵PID:3088
-
\??\c:\q88226.exec:\q88226.exe103⤵PID:4804
-
\??\c:\1ntnhn.exec:\1ntnhn.exe104⤵PID:3112
-
\??\c:\666082.exec:\666082.exe105⤵PID:1808
-
\??\c:\bntnhh.exec:\bntnhh.exe106⤵PID:2320
-
\??\c:\68484.exec:\68484.exe107⤵PID:3488
-
\??\c:\8660004.exec:\8660004.exe108⤵PID:2792
-
\??\c:\822042.exec:\822042.exe109⤵PID:1932
-
\??\c:\ntthbt.exec:\ntthbt.exe110⤵PID:4716
-
\??\c:\4226008.exec:\4226008.exe111⤵PID:4992
-
\??\c:\dvvdv.exec:\dvvdv.exe112⤵PID:1908
-
\??\c:\thnntb.exec:\thnntb.exe113⤵PID:1732
-
\??\c:\4486600.exec:\4486600.exe114⤵PID:4456
-
\??\c:\024880.exec:\024880.exe115⤵PID:2332
-
\??\c:\fxxlxxr.exec:\fxxlxxr.exe116⤵PID:2476
-
\??\c:\5xfxxfx.exec:\5xfxxfx.exe117⤵PID:468
-
\??\c:\42420.exec:\42420.exe118⤵PID:548
-
\??\c:\4466004.exec:\4466004.exe119⤵PID:552
-
\??\c:\xlxlxrf.exec:\xlxlxrf.exe120⤵PID:3900
-
\??\c:\86822.exec:\86822.exe121⤵PID:3192
-
\??\c:\428826.exec:\428826.exe122⤵PID:620