Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/12/2024, 22:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
63127448c68f9ab92928fd560e4670cb893bc1b05a922b016abeb14ad6fc9f43.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
63127448c68f9ab92928fd560e4670cb893bc1b05a922b016abeb14ad6fc9f43.exe
-
Size
453KB
-
MD5
5790ef9b1f4c0efd0647dea58b516a69
-
SHA1
10e81b9544b2506fc018a958447b3c67e7ec1d34
-
SHA256
63127448c68f9ab92928fd560e4670cb893bc1b05a922b016abeb14ad6fc9f43
-
SHA512
af68257b5a99dbf6528390bf8d1caeb98ee1eb3a1b015136288f2e37d70a17f063c5f502931b591848a8c8d13c2a0c23450847a84fe1e25ce1d4d8eb4d80131e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN3:q7Tc2NYHUrAwfMp3CDN3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4944-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1392-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2000-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-1032-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4520-1127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2232 22860.exe 516 604826.exe 3964 6244664.exe 1832 28208.exe 4664 426428.exe 1924 tbthtn.exe 768 ntnbnh.exe 3800 6420820.exe 2000 60488.exe 1524 jppvj.exe 3560 460860.exe 4544 vddvj.exe 5000 ntthnh.exe 3336 0280488.exe 4068 xrlffxr.exe 1548 26282.exe 1312 7ththb.exe 3032 804208.exe 4276 42606.exe 1872 3hhbbt.exe 2328 lllxrll.exe 2400 4208604.exe 2852 tbhtnh.exe 2580 26086.exe 1720 266462.exe 2176 xllfxrr.exe 4516 9bnthb.exe 3292 4820608.exe 4136 nhbnbt.exe 928 fllxlfr.exe 3484 nnnhbt.exe 1792 m0086.exe 640 84486.exe 940 lrrfrlx.exe 4836 o442048.exe 4480 44660.exe 4976 ntnhtn.exe 1888 22264.exe 4648 646482.exe 4460 2448266.exe 4024 8408264.exe 4596 0468204.exe 1664 240860.exe 4668 rllxrff.exe 4592 6448608.exe 1392 vpjjv.exe 2316 88420.exe 1516 066420.exe 1748 u666408.exe 2616 ppjdv.exe 1384 g4464.exe 4944 s8464.exe 5060 88608.exe 1544 21fxx.exe 2712 xxfrxxx.exe 2060 s2826.exe 968 thbnhb.exe 1596 2042042.exe 3016 vjpjd.exe 2360 lrrfxrf.exe 316 rffrlxr.exe 4264 xlfrfxl.exe 912 2842608.exe 3156 s0488.exe -
resource yara_rule behavioral2/memory/4944-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-220-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4648-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-24-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3964-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-759-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q40426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k84626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0864220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k40886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llflff.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4944 wrote to memory of 2232 4944 63127448c68f9ab92928fd560e4670cb893bc1b05a922b016abeb14ad6fc9f43.exe 83 PID 4944 wrote to memory of 2232 4944 63127448c68f9ab92928fd560e4670cb893bc1b05a922b016abeb14ad6fc9f43.exe 83 PID 4944 wrote to memory of 2232 4944 63127448c68f9ab92928fd560e4670cb893bc1b05a922b016abeb14ad6fc9f43.exe 83 PID 2232 wrote to memory of 516 2232 22860.exe 84 PID 2232 wrote to memory of 516 2232 22860.exe 84 PID 2232 wrote to memory of 516 2232 22860.exe 84 PID 516 wrote to memory of 3964 516 604826.exe 85 PID 516 wrote to memory of 3964 516 604826.exe 85 PID 516 wrote to memory of 3964 516 604826.exe 85 PID 3964 wrote to memory of 1832 3964 6244664.exe 86 PID 3964 wrote to memory of 1832 3964 6244664.exe 86 PID 3964 wrote to memory of 1832 3964 6244664.exe 86 PID 1832 wrote to memory of 4664 1832 28208.exe 87 PID 1832 wrote to memory of 4664 1832 28208.exe 87 PID 1832 wrote to memory of 4664 1832 28208.exe 87 PID 4664 wrote to memory of 1924 4664 426428.exe 88 PID 4664 wrote to memory of 1924 4664 426428.exe 88 PID 4664 wrote to memory of 1924 4664 426428.exe 88 PID 1924 wrote to memory of 768 1924 tbthtn.exe 89 PID 1924 wrote to memory of 768 1924 tbthtn.exe 89 PID 1924 wrote to memory of 768 1924 tbthtn.exe 89 PID 768 wrote to memory of 3800 768 ntnbnh.exe 90 PID 768 wrote to memory of 3800 768 ntnbnh.exe 90 PID 768 wrote to memory of 3800 768 ntnbnh.exe 90 PID 3800 wrote to memory of 2000 3800 6420820.exe 91 PID 3800 wrote to memory of 2000 3800 6420820.exe 91 PID 3800 wrote to memory of 2000 3800 6420820.exe 91 PID 2000 wrote to memory of 1524 2000 60488.exe 92 PID 2000 wrote to memory of 1524 2000 60488.exe 92 PID 2000 wrote to memory of 1524 2000 60488.exe 92 PID 1524 wrote to memory of 3560 1524 jppvj.exe 93 PID 1524 wrote to memory of 3560 1524 jppvj.exe 93 PID 1524 wrote to memory of 3560 1524 jppvj.exe 93 PID 3560 wrote to memory of 4544 3560 460860.exe 94 PID 3560 wrote to memory of 4544 3560 
460860.exe 94 PID 3560 wrote to memory of 4544 3560 460860.exe 94 PID 4544 wrote to memory of 5000 4544 vddvj.exe 95 PID 4544 wrote to memory of 5000 4544 vddvj.exe 95 PID 4544 wrote to memory of 5000 4544 vddvj.exe 95 PID 5000 wrote to memory of 3336 5000 ntthnh.exe 96 PID 5000 wrote to memory of 3336 5000 ntthnh.exe 96 PID 5000 wrote to memory of 3336 5000 ntthnh.exe 96 PID 3336 wrote to memory of 4068 3336 0280488.exe 97 PID 3336 wrote to memory of 4068 3336 0280488.exe 97 PID 3336 wrote to memory of 4068 3336 0280488.exe 97 PID 4068 wrote to memory of 1548 4068 xrlffxr.exe 98 PID 4068 wrote to memory of 1548 4068 xrlffxr.exe 98 PID 4068 wrote to memory of 1548 4068 xrlffxr.exe 98 PID 1548 wrote to memory of 1312 1548 26282.exe 99 PID 1548 wrote to memory of 1312 1548 26282.exe 99 PID 1548 wrote to memory of 1312 1548 26282.exe 99 PID 1312 wrote to memory of 3032 1312 7ththb.exe 100 PID 1312 wrote to memory of 3032 1312 7ththb.exe 100 PID 1312 wrote to memory of 3032 1312 7ththb.exe 100 PID 3032 wrote to memory of 4276 3032 804208.exe 101 PID 3032 wrote to memory of 4276 3032 804208.exe 101 PID 3032 wrote to memory of 4276 3032 804208.exe 101 PID 4276 wrote to memory of 1872 4276 42606.exe 102 PID 4276 wrote to memory of 1872 4276 42606.exe 102 PID 4276 wrote to memory of 1872 4276 42606.exe 102 PID 1872 wrote to memory of 2328 1872 3hhbbt.exe 103 PID 1872 wrote to memory of 2328 1872 3hhbbt.exe 103 PID 1872 wrote to memory of 2328 1872 3hhbbt.exe 103 PID 2328 wrote to memory of 2400 2328 lllxrll.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\63127448c68f9ab92928fd560e4670cb893bc1b05a922b016abeb14ad6fc9f43.exe"C:\Users\Admin\AppData\Local\Temp\63127448c68f9ab92928fd560e4670cb893bc1b05a922b016abeb14ad6fc9f43.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\22860.exec:\22860.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\604826.exec:\604826.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\6244664.exec:\6244664.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\28208.exec:\28208.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\426428.exec:\426428.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\tbthtn.exec:\tbthtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\ntnbnh.exec:\ntnbnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\6420820.exec:\6420820.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
\??\c:\60488.exec:\60488.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\jppvj.exec:\jppvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\460860.exec:\460860.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\vddvj.exec:\vddvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\ntthnh.exec:\ntthnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\0280488.exec:\0280488.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\xrlffxr.exec:\xrlffxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\26282.exec:\26282.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\7ththb.exec:\7ththb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\804208.exec:\804208.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\42606.exec:\42606.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\3hhbbt.exec:\3hhbbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\lllxrll.exec:\lllxrll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\4208604.exec:\4208604.exe23⤵
- Executes dropped EXE
PID:2400 -
\??\c:\tbhtnh.exec:\tbhtnh.exe24⤵
- Executes dropped EXE
PID:2852 -
\??\c:\26086.exec:\26086.exe25⤵
- Executes dropped EXE
PID:2580 -
\??\c:\266462.exec:\266462.exe26⤵
- Executes dropped EXE
PID:1720 -
\??\c:\xllfxrr.exec:\xllfxrr.exe27⤵
- Executes dropped EXE
PID:2176 -
\??\c:\9bnthb.exec:\9bnthb.exe28⤵
- Executes dropped EXE
PID:4516 -
\??\c:\4820608.exec:\4820608.exe29⤵
- Executes dropped EXE
PID:3292 -
\??\c:\nhbnbt.exec:\nhbnbt.exe30⤵
- Executes dropped EXE
PID:4136 -
\??\c:\fllxlfr.exec:\fllxlfr.exe31⤵
- Executes dropped EXE
PID:928 -
\??\c:\nnnhbt.exec:\nnnhbt.exe32⤵
- Executes dropped EXE
PID:3484 -
\??\c:\m0086.exec:\m0086.exe33⤵
- Executes dropped EXE
PID:1792 -
\??\c:\84486.exec:\84486.exe34⤵
- Executes dropped EXE
PID:640 -
\??\c:\lrrfrlx.exec:\lrrfrlx.exe35⤵
- Executes dropped EXE
PID:940 -
\??\c:\o442048.exec:\o442048.exe36⤵
- Executes dropped EXE
PID:4836 -
\??\c:\44660.exec:\44660.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4480 -
\??\c:\ntnhtn.exec:\ntnhtn.exe38⤵
- Executes dropped EXE
PID:4976 -
\??\c:\22264.exec:\22264.exe39⤵
- Executes dropped EXE
PID:1888 -
\??\c:\646482.exec:\646482.exe40⤵
- Executes dropped EXE
PID:4648 -
\??\c:\2448266.exec:\2448266.exe41⤵
- Executes dropped EXE
PID:4460 -
\??\c:\8408264.exec:\8408264.exe42⤵
- Executes dropped EXE
PID:4024 -
\??\c:\0468204.exec:\0468204.exe43⤵
- Executes dropped EXE
PID:4596 -
\??\c:\240860.exec:\240860.exe44⤵
- Executes dropped EXE
PID:1664 -
\??\c:\rllxrff.exec:\rllxrff.exe45⤵
- Executes dropped EXE
PID:4668 -
\??\c:\6448608.exec:\6448608.exe46⤵
- Executes dropped EXE
PID:4592 -
\??\c:\vpjjv.exec:\vpjjv.exe47⤵
- Executes dropped EXE
PID:1392 -
\??\c:\88420.exec:\88420.exe48⤵
- Executes dropped EXE
PID:2316 -
\??\c:\066420.exec:\066420.exe49⤵
- Executes dropped EXE
PID:1516 -
\??\c:\u666408.exec:\u666408.exe50⤵
- Executes dropped EXE
PID:1748 -
\??\c:\ppjdv.exec:\ppjdv.exe51⤵
- Executes dropped EXE
PID:2616 -
\??\c:\g2466.exec:\g2466.exe52⤵PID:4364
-
\??\c:\g4464.exec:\g4464.exe53⤵
- Executes dropped EXE
PID:1384 -
\??\c:\s8464.exec:\s8464.exe54⤵
- Executes dropped EXE
PID:4944 -
\??\c:\88608.exec:\88608.exe55⤵
- Executes dropped EXE
PID:5060 -
\??\c:\21fxx.exec:\21fxx.exe56⤵
- Executes dropped EXE
PID:1544 -
\??\c:\xxfrxxx.exec:\xxfrxxx.exe57⤵
- Executes dropped EXE
PID:2712 -
\??\c:\s2826.exec:\s2826.exe58⤵
- Executes dropped EXE
PID:2060 -
\??\c:\thbnhb.exec:\thbnhb.exe59⤵
- Executes dropped EXE
PID:968 -
\??\c:\2042042.exec:\2042042.exe60⤵
- Executes dropped EXE
PID:1596 -
\??\c:\vjpjd.exec:\vjpjd.exe61⤵
- Executes dropped EXE
PID:3016 -
\??\c:\lrrfxrf.exec:\lrrfxrf.exe62⤵
- Executes dropped EXE
PID:2360 -
\??\c:\rffrlxr.exec:\rffrlxr.exe63⤵
- Executes dropped EXE
PID:316 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe64⤵
- Executes dropped EXE
PID:4264 -
\??\c:\2842608.exec:\2842608.exe65⤵
- Executes dropped EXE
PID:912 -
\??\c:\s0488.exec:\s0488.exe66⤵
- Executes dropped EXE
PID:3156 -
\??\c:\2882486.exec:\2882486.exe67⤵PID:3744
-
\??\c:\dvdpd.exec:\dvdpd.exe68⤵PID:4284
-
\??\c:\82204.exec:\82204.exe69⤵PID:3232
-
\??\c:\1jdpd.exec:\1jdpd.exe70⤵PID:2508
-
\??\c:\u442608.exec:\u442608.exe71⤵PID:4276
-
\??\c:\hbtnbt.exec:\hbtnbt.exe72⤵PID:1000
-
\??\c:\7fxlxrf.exec:\7fxlxrf.exe73⤵PID:4684
-
\??\c:\jvvvp.exec:\jvvvp.exe74⤵PID:2400
-
\??\c:\5nnbnh.exec:\5nnbnh.exe75⤵PID:2852
-
\??\c:\rffrlfr.exec:\rffrlfr.exe76⤵PID:448
-
\??\c:\e40482.exec:\e40482.exe77⤵PID:1512
-
\??\c:\g0086.exec:\g0086.exe78⤵PID:2176
-
\??\c:\xlffrrf.exec:\xlffrrf.exe79⤵PID:5020
-
\??\c:\04248.exec:\04248.exe80⤵PID:1208
-
\??\c:\bhbtbt.exec:\bhbtbt.exe81⤵PID:5048
-
\??\c:\k40886.exec:\k40886.exe82⤵
- System Location Discovery: System Language Discovery
PID:4136 -
\??\c:\hhbbbn.exec:\hhbbbn.exe83⤵PID:3940
-
\??\c:\xrlxlxr.exec:\xrlxlxr.exe84⤵PID:2824
-
\??\c:\1frffxf.exec:\1frffxf.exe85⤵PID:3564
-
\??\c:\266420.exec:\266420.exe86⤵PID:940
-
\??\c:\3tnbhb.exec:\3tnbhb.exe87⤵PID:2792
-
\??\c:\8480820.exec:\8480820.exe88⤵PID:3184
-
\??\c:\1btnht.exec:\1btnht.exe89⤵PID:3552
-
\??\c:\xlfrffr.exec:\xlfrffr.exe90⤵PID:4656
-
\??\c:\rlxrxrf.exec:\rlxrxrf.exe91⤵PID:3044
-
\??\c:\4660000.exec:\4660000.exe92⤵PID:3736
-
\??\c:\xrrfrlf.exec:\xrrfrlf.exe93⤵PID:4668
-
\??\c:\rlfrlfx.exec:\rlfrlfx.exe94⤵PID:4592
-
\??\c:\884420.exec:\884420.exe95⤵PID:2316
-
\??\c:\1nhnbt.exec:\1nhnbt.exe96⤵PID:5044
-
\??\c:\42826.exec:\42826.exe97⤵PID:4360
-
\??\c:\lxfrfxl.exec:\lxfrfxl.exe98⤵PID:2800
-
\??\c:\rlffrlf.exec:\rlffrlf.exe99⤵PID:2840
-
\??\c:\rlxlxlx.exec:\rlxlxlx.exe100⤵PID:1072
-
\??\c:\042806.exec:\042806.exe101⤵PID:4944
-
\??\c:\c848060.exec:\c848060.exe102⤵PID:892
-
\??\c:\c442042.exec:\c442042.exe103⤵PID:4140
-
\??\c:\flrlffx.exec:\flrlffx.exe104⤵PID:4468
-
\??\c:\442282.exec:\442282.exe105⤵PID:3700
-
\??\c:\dvjdp.exec:\dvjdp.exe106⤵PID:804
-
\??\c:\7vpdp.exec:\7vpdp.exe107⤵PID:3348
-
\??\c:\o064608.exec:\o064608.exe108⤵PID:4320
-
\??\c:\xfxxxxf.exec:\xfxxxxf.exe109⤵PID:4036
-
\??\c:\9dvpd.exec:\9dvpd.exe110⤵PID:1884
-
\??\c:\hnhhbb.exec:\hnhhbb.exe111⤵PID:1020
-
\??\c:\6000266.exec:\6000266.exe112⤵PID:912
-
\??\c:\4244220.exec:\4244220.exe113⤵PID:4068
-
\??\c:\pjvdp.exec:\pjvdp.exe114⤵PID:5036
-
\??\c:\ntthtn.exec:\ntthtn.exe115⤵PID:3380
-
\??\c:\hbnbht.exec:\hbnbht.exe116⤵PID:2152
-
\??\c:\2004220.exec:\2004220.exe117⤵PID:468
-
\??\c:\248208.exec:\248208.exe118⤵PID:1668
-
\??\c:\s4084.exec:\s4084.exe119⤵PID:5000
-
\??\c:\c482048.exec:\c482048.exe120⤵PID:1976
-
\??\c:\8066088.exec:\8066088.exe121⤵PID:5032
-
\??\c:\024260.exec:\024260.exe122⤵PID:3772