Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 03:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
deac635ed4412a40b5b0c067af6f96f71838c4a4db3dfbfc4528b073d6c1de8c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
deac635ed4412a40b5b0c067af6f96f71838c4a4db3dfbfc4528b073d6c1de8c.exe
-
Size
453KB
-
MD5
ba274fe6f2037b531a64f06221f45da9
-
SHA1
833846027601302270d04bf48e97626710bc3e62
-
SHA256
deac635ed4412a40b5b0c067af6f96f71838c4a4db3dfbfc4528b073d6c1de8c
-
SHA512
12776e74c382149b3705c2933906c3feace8796e30fbd69f09bcd2eaae617c801a131d925d7a7a2218ef92c63e80531343c0423634b159ebc46aa896a7999061
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeC:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4624-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4456-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4684-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-851-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-939-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-1067-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-1134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-1305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4388-1382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4624 thnbnh.exe 5088 0686082.exe 4360 tnhthb.exe 4512 406482.exe 1072 2888284.exe 3236 6442604.exe 4952 vppdd.exe 4408 406604.exe 2012 hnnbnh.exe 2028 c086426.exe 4584 86648.exe 1656 2644226.exe 3320 bnbnbt.exe 4564 020422.exe 3560 lrlxfrl.exe 4404 482648.exe 1840 xrlfxxr.exe 5008 824800.exe 3688 nbbnbt.exe 1856 0886282.exe 3580 5bbnht.exe 5096 8642042.exe 3668 6060064.exe 8 3bhbnh.exe 2360 frrffxr.exe 1800 06642.exe 3640 9fxrlfx.exe 4456 c224020.exe 3040 8442042.exe 3312 jvvjd.exe 4324 fxrfxrl.exe 3080 208664.exe 3700 o844266.exe 1736 e62600.exe 1156 2404822.exe 1344 rffrfxr.exe 3056 2282008.exe 1080 vddpd.exe 2024 a4820.exe 4444 2022042.exe 1660 42268.exe 376 4262088.exe 2364 pdvvj.exe 4636 0660820.exe 1404 w04862.exe 2332 i880264.exe 4476 s0826.exe 4416 048420.exe 3944 vjjdj.exe 3980 20426.exe 2844 bbhbth.exe 3152 fxfxffl.exe 4144 dpdpp.exe 216 440488.exe 4708 nhhthb.exe 5052 666844.exe 4388 pvdpp.exe 4408 084282.exe 736 xlflfxx.exe 1376 3rlfxxr.exe 1740 44488.exe 3432 tbhthb.exe 2704 2284264.exe 3520 i808622.exe -
resource yara_rule behavioral2/memory/4624-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3040-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-465-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3460-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-851-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-868-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 400624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c086426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o226044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q02486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0624226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbt.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0420660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4048 wrote to memory of 4624 4048 deac635ed4412a40b5b0c067af6f96f71838c4a4db3dfbfc4528b073d6c1de8c.exe 83 PID 4048 wrote to memory of 4624 4048 deac635ed4412a40b5b0c067af6f96f71838c4a4db3dfbfc4528b073d6c1de8c.exe 83 PID 4048 wrote to memory of 4624 4048 deac635ed4412a40b5b0c067af6f96f71838c4a4db3dfbfc4528b073d6c1de8c.exe 83 PID 4624 wrote to memory of 5088 4624 thnbnh.exe 84 PID 4624 wrote to memory of 5088 4624 thnbnh.exe 84 PID 4624 wrote to memory of 5088 4624 thnbnh.exe 84 PID 5088 wrote to memory of 4360 5088 0686082.exe 85 PID 5088 wrote to memory of 4360 5088 0686082.exe 85 PID 5088 wrote to memory of 4360 5088 0686082.exe 85 PID 4360 wrote to memory of 4512 4360 tnhthb.exe 86 PID 4360 wrote to memory of 4512 4360 tnhthb.exe 86 PID 4360 wrote to memory of 4512 4360 tnhthb.exe 86 PID 4512 wrote to memory of 1072 4512 406482.exe 87 PID 4512 wrote to memory of 1072 4512 406482.exe 87 PID 4512 wrote to memory of 1072 4512 406482.exe 87 PID 1072 wrote to memory of 3236 1072 2888284.exe 88 PID 1072 wrote to memory of 3236 1072 2888284.exe 88 PID 1072 wrote to memory of 3236 1072 2888284.exe 88 PID 3236 wrote to memory of 4952 3236 6442604.exe 89 PID 3236 wrote to memory of 4952 3236 6442604.exe 89 PID 3236 wrote to memory of 4952 3236 6442604.exe 89 PID 4952 wrote to memory of 4408 4952 vppdd.exe 90 PID 4952 wrote to memory of 4408 4952 vppdd.exe 90 PID 4952 wrote to memory of 4408 4952 vppdd.exe 90 PID 4408 wrote to memory of 2012 4408 406604.exe 91 PID 4408 wrote to memory of 2012 4408 406604.exe 91 PID 4408 wrote to memory of 2012 4408 406604.exe 91 PID 2012 wrote to memory of 2028 2012 hnnbnh.exe 92 PID 2012 wrote to memory of 2028 2012 hnnbnh.exe 92 PID 2012 wrote to memory of 2028 2012 hnnbnh.exe 92 PID 2028 wrote to memory of 4584 2028 c086426.exe 93 PID 2028 wrote to memory of 4584 2028 c086426.exe 93 PID 2028 wrote to memory of 4584 2028 c086426.exe 93 PID 4584 wrote to memory of 1656 4584 86648.exe 94 PID 4584 
wrote to memory of 1656 4584 86648.exe 94 PID 4584 wrote to memory of 1656 4584 86648.exe 94 PID 1656 wrote to memory of 3320 1656 2644226.exe 95 PID 1656 wrote to memory of 3320 1656 2644226.exe 95 PID 1656 wrote to memory of 3320 1656 2644226.exe 95 PID 3320 wrote to memory of 4564 3320 bnbnbt.exe 96 PID 3320 wrote to memory of 4564 3320 bnbnbt.exe 96 PID 3320 wrote to memory of 4564 3320 bnbnbt.exe 96 PID 4564 wrote to memory of 3560 4564 020422.exe 97 PID 4564 wrote to memory of 3560 4564 020422.exe 97 PID 4564 wrote to memory of 3560 4564 020422.exe 97 PID 3560 wrote to memory of 4404 3560 lrlxfrl.exe 98 PID 3560 wrote to memory of 4404 3560 lrlxfrl.exe 98 PID 3560 wrote to memory of 4404 3560 lrlxfrl.exe 98 PID 4404 wrote to memory of 1840 4404 482648.exe 99 PID 4404 wrote to memory of 1840 4404 482648.exe 99 PID 4404 wrote to memory of 1840 4404 482648.exe 99 PID 1840 wrote to memory of 5008 1840 xrlfxxr.exe 100 PID 1840 wrote to memory of 5008 1840 xrlfxxr.exe 100 PID 1840 wrote to memory of 5008 1840 xrlfxxr.exe 100 PID 5008 wrote to memory of 3688 5008 824800.exe 101 PID 5008 wrote to memory of 3688 5008 824800.exe 101 PID 5008 wrote to memory of 3688 5008 824800.exe 101 PID 3688 wrote to memory of 1856 3688 nbbnbt.exe 102 PID 3688 wrote to memory of 1856 3688 nbbnbt.exe 102 PID 3688 wrote to memory of 1856 3688 nbbnbt.exe 102 PID 1856 wrote to memory of 3580 1856 0886282.exe 103 PID 1856 wrote to memory of 3580 1856 0886282.exe 103 PID 1856 wrote to memory of 3580 1856 0886282.exe 103 PID 3580 wrote to memory of 5096 3580 5bbnht.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\deac635ed4412a40b5b0c067af6f96f71838c4a4db3dfbfc4528b073d6c1de8c.exe"C:\Users\Admin\AppData\Local\Temp\deac635ed4412a40b5b0c067af6f96f71838c4a4db3dfbfc4528b073d6c1de8c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\thnbnh.exec:\thnbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\0686082.exec:\0686082.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\tnhthb.exec:\tnhthb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\406482.exec:\406482.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\2888284.exec:\2888284.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\6442604.exec:\6442604.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\vppdd.exec:\vppdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\406604.exec:\406604.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\hnnbnh.exec:\hnnbnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\c086426.exec:\c086426.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\86648.exec:\86648.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\2644226.exec:\2644226.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\bnbnbt.exec:\bnbnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\020422.exec:\020422.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\lrlxfrl.exec:\lrlxfrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\482648.exec:\482648.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\824800.exec:\824800.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\nbbnbt.exec:\nbbnbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\0886282.exec:\0886282.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\5bbnht.exec:\5bbnht.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\8642042.exec:\8642042.exe23⤵
- Executes dropped EXE
PID:5096 -
\??\c:\6060064.exec:\6060064.exe24⤵
- Executes dropped EXE
PID:3668 -
\??\c:\3bhbnh.exec:\3bhbnh.exe25⤵
- Executes dropped EXE
PID:8 -
\??\c:\frrffxr.exec:\frrffxr.exe26⤵
- Executes dropped EXE
PID:2360 -
\??\c:\06642.exec:\06642.exe27⤵
- Executes dropped EXE
PID:1800 -
\??\c:\9fxrlfx.exec:\9fxrlfx.exe28⤵
- Executes dropped EXE
PID:3640 -
\??\c:\c224020.exec:\c224020.exe29⤵
- Executes dropped EXE
PID:4456 -
\??\c:\8442042.exec:\8442042.exe30⤵
- Executes dropped EXE
PID:3040 -
\??\c:\jvvjd.exec:\jvvjd.exe31⤵
- Executes dropped EXE
PID:3312 -
\??\c:\fxrfxrl.exec:\fxrfxrl.exe32⤵
- Executes dropped EXE
PID:4324 -
\??\c:\208664.exec:\208664.exe33⤵
- Executes dropped EXE
PID:3080 -
\??\c:\o844266.exec:\o844266.exe34⤵
- Executes dropped EXE
PID:3700 -
\??\c:\e62600.exec:\e62600.exe35⤵
- Executes dropped EXE
PID:1736 -
\??\c:\2404822.exec:\2404822.exe36⤵
- Executes dropped EXE
PID:1156 -
\??\c:\rffrfxr.exec:\rffrfxr.exe37⤵
- Executes dropped EXE
PID:1344 -
\??\c:\2282008.exec:\2282008.exe38⤵
- Executes dropped EXE
PID:3056 -
\??\c:\vddpd.exec:\vddpd.exe39⤵
- Executes dropped EXE
PID:1080 -
\??\c:\a4820.exec:\a4820.exe40⤵
- Executes dropped EXE
PID:2024 -
\??\c:\2022042.exec:\2022042.exe41⤵
- Executes dropped EXE
PID:4444 -
\??\c:\42268.exec:\42268.exe42⤵
- Executes dropped EXE
PID:1660 -
\??\c:\4262088.exec:\4262088.exe43⤵
- Executes dropped EXE
PID:376 -
\??\c:\pdvvj.exec:\pdvvj.exe44⤵
- Executes dropped EXE
PID:2364 -
\??\c:\0660820.exec:\0660820.exe45⤵
- Executes dropped EXE
PID:4636 -
\??\c:\w04862.exec:\w04862.exe46⤵
- Executes dropped EXE
PID:1404 -
\??\c:\i880264.exec:\i880264.exe47⤵
- Executes dropped EXE
PID:2332 -
\??\c:\s0826.exec:\s0826.exe48⤵
- Executes dropped EXE
PID:4476 -
\??\c:\048420.exec:\048420.exe49⤵
- Executes dropped EXE
PID:4416 -
\??\c:\vjjdj.exec:\vjjdj.exe50⤵
- Executes dropped EXE
PID:3944 -
\??\c:\20426.exec:\20426.exe51⤵
- Executes dropped EXE
PID:3980 -
\??\c:\bbhbth.exec:\bbhbth.exe52⤵
- Executes dropped EXE
PID:2844 -
\??\c:\fxfxffl.exec:\fxfxffl.exe53⤵
- Executes dropped EXE
PID:3152 -
\??\c:\dpdpp.exec:\dpdpp.exe54⤵
- Executes dropped EXE
PID:4144 -
\??\c:\440488.exec:\440488.exe55⤵
- Executes dropped EXE
PID:216 -
\??\c:\nhhthb.exec:\nhhthb.exe56⤵
- Executes dropped EXE
PID:4708 -
\??\c:\666844.exec:\666844.exe57⤵
- Executes dropped EXE
PID:5052 -
\??\c:\pvdpp.exec:\pvdpp.exe58⤵
- Executes dropped EXE
PID:4388 -
\??\c:\084282.exec:\084282.exe59⤵
- Executes dropped EXE
PID:4408 -
\??\c:\xlflfxx.exec:\xlflfxx.exe60⤵
- Executes dropped EXE
PID:736 -
\??\c:\3rlfxxr.exec:\3rlfxxr.exe61⤵
- Executes dropped EXE
PID:1376 -
\??\c:\44488.exec:\44488.exe62⤵
- Executes dropped EXE
PID:1740 -
\??\c:\tbhthb.exec:\tbhthb.exe63⤵
- Executes dropped EXE
PID:3432 -
\??\c:\2284264.exec:\2284264.exe64⤵
- Executes dropped EXE
PID:2704 -
\??\c:\i808622.exec:\i808622.exe65⤵
- Executes dropped EXE
PID:3520 -
\??\c:\hhnnbn.exec:\hhnnbn.exe66⤵PID:2852
-
\??\c:\w00864.exec:\w00864.exe67⤵PID:1924
-
\??\c:\lxfrfll.exec:\lxfrfll.exe68⤵PID:4652
-
\??\c:\8440282.exec:\8440282.exe69⤵PID:1512
-
\??\c:\vjvdd.exec:\vjvdd.exe70⤵
- System Location Discovery: System Language Discovery
PID:3360 -
\??\c:\1bhttn.exec:\1bhttn.exe71⤵PID:2248
-
\??\c:\66426.exec:\66426.exe72⤵PID:4404
-
\??\c:\dvdvj.exec:\dvdvj.exe73⤵PID:3204
-
\??\c:\a0280.exec:\a0280.exe74⤵PID:2296
-
\??\c:\66608.exec:\66608.exe75⤵PID:988
-
\??\c:\rrrflfx.exec:\rrrflfx.exe76⤵PID:1440
-
\??\c:\jppdv.exec:\jppdv.exe77⤵PID:2836
-
\??\c:\2064488.exec:\2064488.exe78⤵PID:1212
-
\??\c:\7pjvj.exec:\7pjvj.exe79⤵PID:1360
-
\??\c:\0006644.exec:\0006644.exe80⤵PID:3676
-
\??\c:\fffxlfr.exec:\fffxlfr.exe81⤵PID:1636
-
\??\c:\20042.exec:\20042.exe82⤵PID:1556
-
\??\c:\g8020.exec:\g8020.exe83⤵PID:4880
-
\??\c:\rflxlxr.exec:\rflxlxr.exe84⤵PID:2444
-
\??\c:\jvvdv.exec:\jvvdv.exe85⤵PID:3632
-
\??\c:\jppdv.exec:\jppdv.exe86⤵
- System Location Discovery: System Language Discovery
PID:4412 -
\??\c:\vppjv.exec:\vppjv.exe87⤵PID:2044
-
\??\c:\q60848.exec:\q60848.exe88⤵PID:1800
-
\??\c:\w40844.exec:\w40844.exe89⤵PID:1364
-
\??\c:\5bhttn.exec:\5bhttn.exe90⤵PID:4008
-
\??\c:\u842260.exec:\u842260.exe91⤵PID:3864
-
\??\c:\86660.exec:\86660.exe92⤵PID:3928
-
\??\c:\xxffxrr.exec:\xxffxrr.exe93⤵PID:4004
-
\??\c:\206426.exec:\206426.exe94⤵PID:2592
-
\??\c:\7tnbnh.exec:\7tnbnh.exe95⤵PID:4684
-
\??\c:\7jdjd.exec:\7jdjd.exe96⤵PID:2796
-
\??\c:\pjpdp.exec:\pjpdp.exe97⤵PID:2556
-
\??\c:\02448.exec:\02448.exe98⤵PID:1092
-
\??\c:\xlffrlx.exec:\xlffrlx.exe99⤵PID:3556
-
\??\c:\1ntnnn.exec:\1ntnnn.exe100⤵PID:3592
-
\??\c:\1fxlfxr.exec:\1fxlfxr.exe101⤵PID:1276
-
\??\c:\084204.exec:\084204.exe102⤵PID:4396
-
\??\c:\nhthnh.exec:\nhthnh.exe103⤵PID:3016
-
\??\c:\nbbbtn.exec:\nbbbtn.exe104⤵PID:4816
-
\??\c:\228602.exec:\228602.exe105⤵PID:4444
-
\??\c:\8886044.exec:\8886044.exe106⤵PID:1484
-
\??\c:\61xlx.exec:\61xlx.exe107⤵PID:1168
-
\??\c:\o226044.exec:\o226044.exe108⤵
- System Location Discovery: System Language Discovery
PID:2404 -
\??\c:\jjpjj.exec:\jjpjj.exe109⤵PID:3636
-
\??\c:\vvpjj.exec:\vvpjj.exe110⤵PID:2568
-
\??\c:\64004.exec:\64004.exe111⤵PID:4360
-
\??\c:\2842042.exec:\2842042.exe112⤵PID:1228
-
\??\c:\1hthbt.exec:\1hthbt.exe113⤵PID:3168
-
\??\c:\hbttnn.exec:\hbttnn.exe114⤵PID:392
-
\??\c:\0282000.exec:\0282000.exe115⤵PID:4024
-
\??\c:\426426.exec:\426426.exe116⤵PID:3980
-
\??\c:\q40648.exec:\q40648.exe117⤵PID:1952
-
\??\c:\86080.exec:\86080.exe118⤵PID:3376
-
\??\c:\nbnbnn.exec:\nbnbnn.exe119⤵PID:4328
-
\??\c:\bbhtnn.exec:\bbhtnn.exe120⤵PID:1796
-
\??\c:\m4226.exec:\m4226.exe121⤵PID:224
-
\??\c:\tnthhb.exec:\tnthhb.exe122⤵PID:3512