Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 21:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3d6499912f468a47db7e51e1faaed536549bf16fe9447677acf6a195b58959c9.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
3d6499912f468a47db7e51e1faaed536549bf16fe9447677acf6a195b58959c9.exe
-
Size
453KB
-
MD5
92d1750356c64735661ee71df04d66f9
-
SHA1
480e5251c8173d28ffc15d2ceac092e7b3322636
-
SHA256
3d6499912f468a47db7e51e1faaed536549bf16fe9447677acf6a195b58959c9
-
SHA512
e8c15f73415434ec07d15c9999e09136102305f0a69cb32f09d3dc7f261d6cad7105f4276cf0e589c57bebadcd83b4da77ca54b6380061ffd6c351761074a1cf
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2976-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2332-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1224-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-1142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-1149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-1491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-1760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4052 hhhnth.exe 3840 lxfrfxl.exe 2476 w66082.exe 4552 4204882.exe 2640 q40260.exe 1908 400048.exe 64 m8882.exe 4700 tnbtnn.exe 3104 08844.exe 3876 484844.exe 220 w68848.exe 4980 4000448.exe 5084 dpvpp.exe 4112 24048.exe 1132 tnbtbb.exe 2768 08448.exe 4488 tnntnn.exe 4424 46226.exe 4108 bhnbtt.exe 440 4004004.exe 4940 2888224.exe 2500 6226680.exe 1604 rlrlrrx.exe 4860 fffxxxx.exe 3576 jvvvp.exe 2332 04040.exe 1344 4082000.exe 4456 8402020.exe 4284 6626420.exe 3524 3thhtt.exe 412 44664.exe 4704 8244002.exe 2620 htbtnh.exe 3116 hbnhhb.exe 3080 2886420.exe 4312 tnnbnn.exe 3684 djvdj.exe 1748 666426.exe 1808 fxllflf.exe 1924 3lxlxrx.exe 4268 20206.exe 5032 rrffrll.exe 2100 7llxrlf.exe 2300 e02464.exe 2980 tbnhth.exe 1320 htbnht.exe 2284 864826.exe 1720 4860488.exe 540 9ppjj.exe 1656 8042048.exe 4808 vjdpd.exe 804 vppvj.exe 3516 62246.exe 3660 440648.exe 4256 02208.exe 4328 2682600.exe 5016 ntnbnb.exe 3788 8660442.exe 2904 xlxxxfr.exe 3952 htnnhh.exe 2388 xrrrfxr.exe 1392 lffxxxx.exe 2644 7hnhbb.exe 2096 0064860.exe -
resource yara_rule behavioral2/memory/2976-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4284-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-387-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1436-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-973-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-986-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-1062-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-1142-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2464826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2004866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6464882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e80822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w04822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2976 wrote to memory of 4052 2976 3d6499912f468a47db7e51e1faaed536549bf16fe9447677acf6a195b58959c9.exe 83 PID 2976 wrote to memory of 4052 2976 3d6499912f468a47db7e51e1faaed536549bf16fe9447677acf6a195b58959c9.exe 83 PID 2976 wrote to memory of 4052 2976 3d6499912f468a47db7e51e1faaed536549bf16fe9447677acf6a195b58959c9.exe 83 PID 4052 wrote to memory of 3840 4052 hhhnth.exe 84 PID 4052 wrote to memory of 3840 4052 hhhnth.exe 84 PID 4052 wrote to memory of 3840 4052 hhhnth.exe 84 PID 3840 wrote to memory of 2476 3840 lxfrfxl.exe 85 PID 3840 wrote to memory of 2476 3840 lxfrfxl.exe 85 PID 3840 wrote to memory of 2476 3840 lxfrfxl.exe 85 PID 2476 wrote to memory of 4552 2476 w66082.exe 86 PID 2476 wrote to memory of 4552 2476 w66082.exe 86 PID 2476 wrote to memory of 4552 2476 w66082.exe 86 PID 4552 wrote to memory of 2640 4552 4204882.exe 87 PID 4552 wrote to memory of 2640 4552 4204882.exe 87 PID 4552 wrote to memory of 2640 4552 4204882.exe 87 PID 2640 wrote to memory of 1908 2640 q40260.exe 88 PID 2640 wrote to memory of 1908 2640 q40260.exe 88 PID 2640 wrote to memory of 1908 2640 q40260.exe 88 PID 1908 wrote to memory of 64 1908 400048.exe 89 PID 1908 wrote to memory of 64 1908 400048.exe 89 PID 1908 wrote to memory of 64 1908 400048.exe 89 PID 64 wrote to memory of 4700 64 m8882.exe 90 PID 64 wrote to memory of 4700 64 m8882.exe 90 PID 64 wrote to memory of 4700 64 m8882.exe 90 PID 4700 wrote to memory of 3104 4700 tnbtnn.exe 91 PID 4700 wrote to memory of 3104 4700 tnbtnn.exe 91 PID 4700 wrote to memory of 3104 4700 tnbtnn.exe 91 PID 3104 wrote to memory of 3876 3104 08844.exe 92 PID 3104 wrote to memory of 3876 3104 08844.exe 92 PID 3104 wrote to memory of 3876 3104 08844.exe 92 PID 3876 wrote to memory of 220 3876 484844.exe 93 PID 3876 wrote to memory of 220 3876 484844.exe 93 PID 3876 wrote to memory of 220 3876 484844.exe 93 PID 220 wrote to memory of 4980 220 w68848.exe 94 PID 220 wrote to memory of 4980 220 
w68848.exe 94 PID 220 wrote to memory of 4980 220 w68848.exe 94 PID 4980 wrote to memory of 5084 4980 4000448.exe 95 PID 4980 wrote to memory of 5084 4980 4000448.exe 95 PID 4980 wrote to memory of 5084 4980 4000448.exe 95 PID 5084 wrote to memory of 4112 5084 dpvpp.exe 96 PID 5084 wrote to memory of 4112 5084 dpvpp.exe 96 PID 5084 wrote to memory of 4112 5084 dpvpp.exe 96 PID 4112 wrote to memory of 1132 4112 24048.exe 97 PID 4112 wrote to memory of 1132 4112 24048.exe 97 PID 4112 wrote to memory of 1132 4112 24048.exe 97 PID 1132 wrote to memory of 2768 1132 tnbtbb.exe 98 PID 1132 wrote to memory of 2768 1132 tnbtbb.exe 98 PID 1132 wrote to memory of 2768 1132 tnbtbb.exe 98 PID 2768 wrote to memory of 4488 2768 08448.exe 99 PID 2768 wrote to memory of 4488 2768 08448.exe 99 PID 2768 wrote to memory of 4488 2768 08448.exe 99 PID 4488 wrote to memory of 4424 4488 tnntnn.exe 100 PID 4488 wrote to memory of 4424 4488 tnntnn.exe 100 PID 4488 wrote to memory of 4424 4488 tnntnn.exe 100 PID 4424 wrote to memory of 4108 4424 46226.exe 101 PID 4424 wrote to memory of 4108 4424 46226.exe 101 PID 4424 wrote to memory of 4108 4424 46226.exe 101 PID 4108 wrote to memory of 440 4108 bhnbtt.exe 102 PID 4108 wrote to memory of 440 4108 bhnbtt.exe 102 PID 4108 wrote to memory of 440 4108 bhnbtt.exe 102 PID 440 wrote to memory of 4940 440 4004004.exe 103 PID 440 wrote to memory of 4940 440 4004004.exe 103 PID 440 wrote to memory of 4940 440 4004004.exe 103 PID 4940 wrote to memory of 2500 4940 2888224.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d6499912f468a47db7e51e1faaed536549bf16fe9447677acf6a195b58959c9.exe"C:\Users\Admin\AppData\Local\Temp\3d6499912f468a47db7e51e1faaed536549bf16fe9447677acf6a195b58959c9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\hhhnth.exec:\hhhnth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\lxfrfxl.exec:\lxfrfxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\w66082.exec:\w66082.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\4204882.exec:\4204882.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\q40260.exec:\q40260.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\400048.exec:\400048.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\m8882.exec:\m8882.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\tnbtnn.exec:\tnbtnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\08844.exec:\08844.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\484844.exec:\484844.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\w68848.exec:\w68848.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\4000448.exec:\4000448.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\dpvpp.exec:\dpvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\24048.exec:\24048.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\tnbtbb.exec:\tnbtbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\08448.exec:\08448.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\tnntnn.exec:\tnntnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\46226.exec:\46226.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\bhnbtt.exec:\bhnbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\4004004.exec:\4004004.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\2888224.exec:\2888224.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\6226680.exec:\6226680.exe23⤵
- Executes dropped EXE
PID:2500 -
\??\c:\rlrlrrx.exec:\rlrlrrx.exe24⤵
- Executes dropped EXE
PID:1604 -
\??\c:\fffxxxx.exec:\fffxxxx.exe25⤵
- Executes dropped EXE
PID:4860 -
\??\c:\jvvvp.exec:\jvvvp.exe26⤵
- Executes dropped EXE
PID:3576 -
\??\c:\04040.exec:\04040.exe27⤵
- Executes dropped EXE
PID:2332 -
\??\c:\4082000.exec:\4082000.exe28⤵
- Executes dropped EXE
PID:1344 -
\??\c:\8402020.exec:\8402020.exe29⤵
- Executes dropped EXE
PID:4456 -
\??\c:\6626420.exec:\6626420.exe30⤵
- Executes dropped EXE
PID:4284 -
\??\c:\3thhtt.exec:\3thhtt.exe31⤵
- Executes dropped EXE
PID:3524 -
\??\c:\44664.exec:\44664.exe32⤵
- Executes dropped EXE
PID:412 -
\??\c:\8244002.exec:\8244002.exe33⤵
- Executes dropped EXE
PID:4704 -
\??\c:\htbtnh.exec:\htbtnh.exe34⤵
- Executes dropped EXE
PID:2620 -
\??\c:\hbnhhb.exec:\hbnhhb.exe35⤵
- Executes dropped EXE
PID:3116 -
\??\c:\2886420.exec:\2886420.exe36⤵
- Executes dropped EXE
PID:3080 -
\??\c:\tnnbnn.exec:\tnnbnn.exe37⤵
- Executes dropped EXE
PID:4312 -
\??\c:\djvdj.exec:\djvdj.exe38⤵
- Executes dropped EXE
PID:3684 -
\??\c:\666426.exec:\666426.exe39⤵
- Executes dropped EXE
PID:1748 -
\??\c:\fxllflf.exec:\fxllflf.exe40⤵
- Executes dropped EXE
PID:1808 -
\??\c:\3lxlxrx.exec:\3lxlxrx.exe41⤵
- Executes dropped EXE
PID:1924 -
\??\c:\20206.exec:\20206.exe42⤵
- Executes dropped EXE
PID:4268 -
\??\c:\rrffrll.exec:\rrffrll.exe43⤵
- Executes dropped EXE
PID:5032 -
\??\c:\7llxrlf.exec:\7llxrlf.exe44⤵
- Executes dropped EXE
PID:2100 -
\??\c:\e02464.exec:\e02464.exe45⤵
- Executes dropped EXE
PID:2300 -
\??\c:\tbnhth.exec:\tbnhth.exe46⤵
- Executes dropped EXE
PID:2980 -
\??\c:\htbnht.exec:\htbnht.exe47⤵
- Executes dropped EXE
PID:1320 -
\??\c:\864826.exec:\864826.exe48⤵
- Executes dropped EXE
PID:2284 -
\??\c:\4860488.exec:\4860488.exe49⤵
- Executes dropped EXE
PID:1720 -
\??\c:\9ppjj.exec:\9ppjj.exe50⤵
- Executes dropped EXE
PID:540 -
\??\c:\8042048.exec:\8042048.exe51⤵
- Executes dropped EXE
PID:1656 -
\??\c:\vjdpd.exec:\vjdpd.exe52⤵
- Executes dropped EXE
PID:4808 -
\??\c:\vppvj.exec:\vppvj.exe53⤵
- Executes dropped EXE
PID:804 -
\??\c:\62246.exec:\62246.exe54⤵
- Executes dropped EXE
PID:3516 -
\??\c:\440648.exec:\440648.exe55⤵
- Executes dropped EXE
PID:3660 -
\??\c:\02208.exec:\02208.exe56⤵
- Executes dropped EXE
PID:4256 -
\??\c:\2682600.exec:\2682600.exe57⤵
- Executes dropped EXE
PID:4328 -
\??\c:\ntnbnb.exec:\ntnbnb.exe58⤵
- Executes dropped EXE
PID:5016 -
\??\c:\8660442.exec:\8660442.exe59⤵
- Executes dropped EXE
PID:3788 -
\??\c:\xlxxxfr.exec:\xlxxxfr.exe60⤵
- Executes dropped EXE
PID:2904 -
\??\c:\htnnhh.exec:\htnnhh.exe61⤵
- Executes dropped EXE
PID:3952 -
\??\c:\xrrrfxr.exec:\xrrrfxr.exe62⤵
- Executes dropped EXE
PID:2388 -
\??\c:\lffxxxx.exec:\lffxxxx.exe63⤵
- Executes dropped EXE
PID:1392 -
\??\c:\7hnhbb.exec:\7hnhbb.exe64⤵
- Executes dropped EXE
PID:2644 -
\??\c:\0064860.exec:\0064860.exe65⤵
- Executes dropped EXE
PID:2096 -
\??\c:\fxlxrfx.exec:\fxlxrfx.exe66⤵PID:3184
-
\??\c:\w00420.exec:\w00420.exe67⤵PID:3940
-
\??\c:\0844406.exec:\0844406.exe68⤵PID:1172
-
\??\c:\266048.exec:\266048.exe69⤵PID:5084
-
\??\c:\82040.exec:\82040.exe70⤵PID:1188
-
\??\c:\84040.exec:\84040.exe71⤵PID:2760
-
\??\c:\40406.exec:\40406.exe72⤵PID:4656
-
\??\c:\082626.exec:\082626.exe73⤵PID:2412
-
\??\c:\tnnhbb.exec:\tnnhbb.exe74⤵PID:2824
-
\??\c:\bnbtnt.exec:\bnbtnt.exe75⤵PID:1480
-
\??\c:\60048.exec:\60048.exe76⤵PID:1224
-
\??\c:\rflfxrl.exec:\rflfxrl.exe77⤵PID:4272
-
\??\c:\22008.exec:\22008.exe78⤵PID:1476
-
\??\c:\4020048.exec:\4020048.exe79⤵PID:624
-
\??\c:\4244868.exec:\4244868.exe80⤵PID:2028
-
\??\c:\tttthh.exec:\tttthh.exe81⤵PID:1060
-
\??\c:\2408624.exec:\2408624.exe82⤵PID:3056
-
\??\c:\lxfxlfr.exec:\lxfxlfr.exe83⤵PID:4836
-
\??\c:\ddjpj.exec:\ddjpj.exe84⤵PID:4860
-
\??\c:\4242822.exec:\4242822.exe85⤵PID:3552
-
\??\c:\5vdvp.exec:\5vdvp.exe86⤵
- System Location Discovery: System Language Discovery
PID:2400 -
\??\c:\8248222.exec:\8248222.exe87⤵PID:848
-
\??\c:\6888288.exec:\6888288.exe88⤵PID:2288
-
\??\c:\64864.exec:\64864.exe89⤵PID:4276
-
\??\c:\xxffrrl.exec:\xxffrrl.exe90⤵PID:2036
-
\??\c:\flxxrrl.exec:\flxxrrl.exe91⤵PID:1536
-
\??\c:\6088282.exec:\6088282.exe92⤵PID:2696
-
\??\c:\rrrrxxl.exec:\rrrrxxl.exe93⤵PID:1112
-
\??\c:\884866.exec:\884866.exe94⤵PID:2584
-
\??\c:\2222004.exec:\2222004.exe95⤵PID:3452
-
\??\c:\a2448.exec:\a2448.exe96⤵PID:2620
-
\??\c:\dvvvp.exec:\dvvvp.exe97⤵PID:1436
-
\??\c:\5thtbt.exec:\5thtbt.exe98⤵PID:1564
-
\??\c:\pddjd.exec:\pddjd.exe99⤵PID:4312
-
\??\c:\9xxlffl.exec:\9xxlffl.exe100⤵PID:3684
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe101⤵PID:4612
-
\??\c:\66226.exec:\66226.exe102⤵PID:3352
-
\??\c:\c220864.exec:\c220864.exe103⤵PID:3012
-
\??\c:\040482.exec:\040482.exe104⤵PID:4632
-
\??\c:\8064842.exec:\8064842.exe105⤵PID:1608
-
\??\c:\xfxfxfl.exec:\xfxfxfl.exe106⤵PID:2716
-
\??\c:\tnhnhb.exec:\tnhnhb.exe107⤵PID:212
-
\??\c:\42086.exec:\42086.exe108⤵PID:216
-
\??\c:\860088.exec:\860088.exe109⤵PID:3784
-
\??\c:\884826.exec:\884826.exe110⤵
- System Location Discovery: System Language Discovery
PID:3888 -
\??\c:\7xxlfxf.exec:\7xxlfxf.exe111⤵PID:4120
-
\??\c:\8064848.exec:\8064848.exe112⤵PID:4496
-
\??\c:\rxfxrll.exec:\rxfxrll.exe113⤵PID:1328
-
\??\c:\o064488.exec:\o064488.exe114⤵PID:4904
-
\??\c:\pjpjj.exec:\pjpjj.exe115⤵PID:1656
-
\??\c:\xrrlxrl.exec:\xrrlxrl.exe116⤵PID:4808
-
\??\c:\624804.exec:\624804.exe117⤵PID:804
-
\??\c:\u424660.exec:\u424660.exe118⤵PID:4052
-
\??\c:\848606.exec:\848606.exe119⤵PID:2892
-
\??\c:\jpjdj.exec:\jpjdj.exe120⤵PID:3660
-
\??\c:\7jdjv.exec:\7jdjv.exe121⤵PID:704
-
\??\c:\44086.exec:\44086.exe122⤵PID:3440