Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 20:16
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
1978cd7f48af420d15f520cdfa9d443b363afd3dc4f05d8ab4abb38c098e8f76.exe
Resource
win7-20240903-en (note: the results reproduced below are labelled behavioral2 and reference the win10v2004-20241007-en image listed in the Analysis header, not this win7 resource; the win7 task's own results are not shown on this page)
7 signatures
150 seconds
General
-
Target
1978cd7f48af420d15f520cdfa9d443b363afd3dc4f05d8ab4abb38c098e8f76.exe
-
Size
454KB
-
MD5
cd85dba726b3975f6586cfb7a5001734
-
SHA1
01e7194421d130bf64c54fd0b2aabf62a5591e97
-
SHA256
1978cd7f48af420d15f520cdfa9d443b363afd3dc4f05d8ab4abb38c098e8f76
-
SHA512
2b9821672d98550b3a2fa15869c983afc71c50d580c8c6e4eafd8d105f3b16b8d52b6a505389d005fbda53e2cb81e856ce1fda9723e2abfe83cfa212fcc0f553
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH:q7Tc2NYHUrAwfMp3CDH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3620-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2248-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3288-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-876-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-1346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-1681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1292-1758-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the IoC list appears to be capped at 64 entries; the process tree below continues well past the last listed process, 822600.exe / PID 2676, and those later entries carry no signature tag, so treat the count as a display limit rather than the total)
pid Process 1848 o284066.exe 2956 dvjvp.exe 760 nhhbtt.exe 4896 xffrrll.exe 1592 22260.exe 1080 40460.exe 1028 48604.exe 2156 thhbtn.exe 3956 8442604.exe 3752 dvvpv.exe 4292 22644.exe 1104 28820.exe 3288 244004.exe 696 64208.exe 3060 66086.exe 4520 262208.exe 732 dvjdv.exe 4532 44482.exe 2780 u008048.exe 964 64608.exe 1752 40408.exe 1552 3ththb.exe 3616 u844204.exe 3716 8024286.exe 1148 bntnbt.exe 4620 tbhntb.exe 1808 20086.exe 4448 4666600.exe 2316 646448.exe 4824 9xlxllx.exe 1124 20486.exe 4884 666026.exe 4600 ttnbhb.exe 2320 q66026.exe 3224 6226004.exe 928 c060266.exe 4304 1ddvp.exe 1040 62684.exe 1652 9xflllx.exe 2736 6606860.exe 3124 684822.exe 2940 84060.exe 3936 7rlfxfx.exe 4248 6004884.exe 4912 jvvpj.exe 2960 vjvjv.exe 4800 pjjdp.exe 652 rlllffx.exe 1548 68884.exe 772 s4042.exe 2328 2666000.exe 2660 06266.exe 1208 6288222.exe 4596 g4448.exe 2248 6428228.exe 2820 9hnnnn.exe 3668 pdpvp.exe 4468 bnnnnh.exe 4528 462882.exe 1304 lflfxxx.exe 1848 rxflrfl.exe 4784 8222660.exe 1432 6482660.exe 2676 822600.exe -
resource yara_rule behavioral2/memory/3620-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-263-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1208-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-332-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4852-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-876-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-1346-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Most entries below are attributed to "Process not Found", meaning the sandbox could not match the registry open to a process still running at attribution time; the few named processes are dropped executables from the chain below.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0440848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o220264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2062004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c060444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6604826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0882600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 464006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 800422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each event is a parent writing into the child it has just spawned, logged three times per spawn, following the drop-and-execute chain one process deep per hop; this pattern accompanies ordinary process creation and, on its own, is not evidence of injection into an unrelated process — correlate with the memory dumps matched above before treating it as such)
description pid Process procid_target PID 3620 wrote to memory of 1848 3620 1978cd7f48af420d15f520cdfa9d443b363afd3dc4f05d8ab4abb38c098e8f76.exe 83 PID 3620 wrote to memory of 1848 3620 1978cd7f48af420d15f520cdfa9d443b363afd3dc4f05d8ab4abb38c098e8f76.exe 83 PID 3620 wrote to memory of 1848 3620 1978cd7f48af420d15f520cdfa9d443b363afd3dc4f05d8ab4abb38c098e8f76.exe 83 PID 1848 wrote to memory of 2956 1848 o284066.exe 84 PID 1848 wrote to memory of 2956 1848 o284066.exe 84 PID 1848 wrote to memory of 2956 1848 o284066.exe 84 PID 2956 wrote to memory of 760 2956 dvjvp.exe 85 PID 2956 wrote to memory of 760 2956 dvjvp.exe 85 PID 2956 wrote to memory of 760 2956 dvjvp.exe 85 PID 760 wrote to memory of 4896 760 nhhbtt.exe 86 PID 760 wrote to memory of 4896 760 nhhbtt.exe 86 PID 760 wrote to memory of 4896 760 nhhbtt.exe 86 PID 4896 wrote to memory of 1592 4896 xffrrll.exe 87 PID 4896 wrote to memory of 1592 4896 xffrrll.exe 87 PID 4896 wrote to memory of 1592 4896 xffrrll.exe 87 PID 1592 wrote to memory of 1080 1592 22260.exe 88 PID 1592 wrote to memory of 1080 1592 22260.exe 88 PID 1592 wrote to memory of 1080 1592 22260.exe 88 PID 1080 wrote to memory of 1028 1080 40460.exe 89 PID 1080 wrote to memory of 1028 1080 40460.exe 89 PID 1080 wrote to memory of 1028 1080 40460.exe 89 PID 1028 wrote to memory of 2156 1028 48604.exe 90 PID 1028 wrote to memory of 2156 1028 48604.exe 90 PID 1028 wrote to memory of 2156 1028 48604.exe 90 PID 2156 wrote to memory of 3956 2156 thhbtn.exe 91 PID 2156 wrote to memory of 3956 2156 thhbtn.exe 91 PID 2156 wrote to memory of 3956 2156 thhbtn.exe 91 PID 3956 wrote to memory of 3752 3956 8442604.exe 92 PID 3956 wrote to memory of 3752 3956 8442604.exe 92 PID 3956 wrote to memory of 3752 3956 8442604.exe 92 PID 3752 wrote to memory of 4292 3752 dvvpv.exe 93 PID 3752 wrote to memory of 4292 3752 dvvpv.exe 93 PID 3752 wrote to memory of 4292 3752 dvvpv.exe 93 PID 4292 wrote to memory of 1104 4292 22644.exe 94 PID 4292 wrote to memory of 1104 
4292 22644.exe 94 PID 4292 wrote to memory of 1104 4292 22644.exe 94 PID 1104 wrote to memory of 3288 1104 28820.exe 95 PID 1104 wrote to memory of 3288 1104 28820.exe 95 PID 1104 wrote to memory of 3288 1104 28820.exe 95 PID 3288 wrote to memory of 696 3288 244004.exe 96 PID 3288 wrote to memory of 696 3288 244004.exe 96 PID 3288 wrote to memory of 696 3288 244004.exe 96 PID 696 wrote to memory of 3060 696 64208.exe 97 PID 696 wrote to memory of 3060 696 64208.exe 97 PID 696 wrote to memory of 3060 696 64208.exe 97 PID 3060 wrote to memory of 4520 3060 66086.exe 98 PID 3060 wrote to memory of 4520 3060 66086.exe 98 PID 3060 wrote to memory of 4520 3060 66086.exe 98 PID 4520 wrote to memory of 732 4520 262208.exe 99 PID 4520 wrote to memory of 732 4520 262208.exe 99 PID 4520 wrote to memory of 732 4520 262208.exe 99 PID 732 wrote to memory of 4532 732 dvjdv.exe 100 PID 732 wrote to memory of 4532 732 dvjdv.exe 100 PID 732 wrote to memory of 4532 732 dvjdv.exe 100 PID 4532 wrote to memory of 2780 4532 44482.exe 101 PID 4532 wrote to memory of 2780 4532 44482.exe 101 PID 4532 wrote to memory of 2780 4532 44482.exe 101 PID 2780 wrote to memory of 964 2780 u008048.exe 102 PID 2780 wrote to memory of 964 2780 u008048.exe 102 PID 2780 wrote to memory of 964 2780 u008048.exe 102 PID 964 wrote to memory of 1752 964 64608.exe 103 PID 964 wrote to memory of 1752 964 64608.exe 103 PID 964 wrote to memory of 1752 964 64608.exe 103 PID 1752 wrote to memory of 1552 1752 40408.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1978cd7f48af420d15f520cdfa9d443b363afd3dc4f05d8ab4abb38c098e8f76.exe"C:\Users\Admin\AppData\Local\Temp\1978cd7f48af420d15f520cdfa9d443b363afd3dc4f05d8ab4abb38c098e8f76.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\o284066.exec:\o284066.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\dvjvp.exec:\dvjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\nhhbtt.exec:\nhhbtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\xffrrll.exec:\xffrrll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\22260.exec:\22260.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\40460.exec:\40460.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\48604.exec:\48604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\thhbtn.exec:\thhbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\8442604.exec:\8442604.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\dvvpv.exec:\dvvpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\22644.exec:\22644.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\28820.exec:\28820.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\244004.exec:\244004.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\64208.exec:\64208.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\66086.exec:\66086.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\262208.exec:\262208.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\dvjdv.exec:\dvjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\44482.exec:\44482.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\u008048.exec:\u008048.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\64608.exec:\64608.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\40408.exec:\40408.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\3ththb.exec:\3ththb.exe23⤵
- Executes dropped EXE
PID:1552 -
\??\c:\u844204.exec:\u844204.exe24⤵
- Executes dropped EXE
PID:3616 -
\??\c:\8024286.exec:\8024286.exe25⤵
- Executes dropped EXE
PID:3716 -
\??\c:\bntnbt.exec:\bntnbt.exe26⤵
- Executes dropped EXE
PID:1148 -
\??\c:\tbhntb.exec:\tbhntb.exe27⤵
- Executes dropped EXE
PID:4620 -
\??\c:\20086.exec:\20086.exe28⤵
- Executes dropped EXE
PID:1808 -
\??\c:\4666600.exec:\4666600.exe29⤵
- Executes dropped EXE
PID:4448 -
\??\c:\646448.exec:\646448.exe30⤵
- Executes dropped EXE
PID:2316 -
\??\c:\9xlxllx.exec:\9xlxllx.exe31⤵
- Executes dropped EXE
PID:4824 -
\??\c:\20486.exec:\20486.exe32⤵
- Executes dropped EXE
PID:1124 -
\??\c:\666026.exec:\666026.exe33⤵
- Executes dropped EXE
PID:4884 -
\??\c:\ttnbhb.exec:\ttnbhb.exe34⤵
- Executes dropped EXE
PID:4600 -
\??\c:\q66026.exec:\q66026.exe35⤵
- Executes dropped EXE
PID:2320 -
\??\c:\6226004.exec:\6226004.exe36⤵
- Executes dropped EXE
PID:3224 -
\??\c:\c060266.exec:\c060266.exe37⤵
- Executes dropped EXE
PID:928 -
\??\c:\1ddvp.exec:\1ddvp.exe38⤵
- Executes dropped EXE
PID:4304 -
\??\c:\62684.exec:\62684.exe39⤵
- Executes dropped EXE
PID:1040 -
\??\c:\9xflllx.exec:\9xflllx.exe40⤵
- Executes dropped EXE
PID:1652 -
\??\c:\6606860.exec:\6606860.exe41⤵
- Executes dropped EXE
PID:2736 -
\??\c:\684822.exec:\684822.exe42⤵
- Executes dropped EXE
PID:3124 -
\??\c:\84060.exec:\84060.exe43⤵
- Executes dropped EXE
PID:2940 -
\??\c:\7rlfxfx.exec:\7rlfxfx.exe44⤵
- Executes dropped EXE
PID:3936 -
\??\c:\6004884.exec:\6004884.exe45⤵
- Executes dropped EXE
PID:4248 -
\??\c:\jvvpj.exec:\jvvpj.exe46⤵
- Executes dropped EXE
PID:4912 -
\??\c:\vjvjv.exec:\vjvjv.exe47⤵
- Executes dropped EXE
PID:2960 -
\??\c:\pjjdp.exec:\pjjdp.exe48⤵
- Executes dropped EXE
PID:4800 -
\??\c:\rlllffx.exec:\rlllffx.exe49⤵
- Executes dropped EXE
PID:652 -
\??\c:\68884.exec:\68884.exe50⤵
- Executes dropped EXE
PID:1548 -
\??\c:\s4042.exec:\s4042.exe51⤵
- Executes dropped EXE
PID:772 -
\??\c:\2666000.exec:\2666000.exe52⤵
- Executes dropped EXE
PID:2328 -
\??\c:\06266.exec:\06266.exe53⤵
- Executes dropped EXE
PID:2660 -
\??\c:\6288222.exec:\6288222.exe54⤵
- Executes dropped EXE
PID:1208 -
\??\c:\g4448.exec:\g4448.exe55⤵
- Executes dropped EXE
PID:4596 -
\??\c:\6428228.exec:\6428228.exe56⤵
- Executes dropped EXE
PID:2248 -
\??\c:\9hnnnn.exec:\9hnnnn.exe57⤵
- Executes dropped EXE
PID:2820 -
\??\c:\pdpvp.exec:\pdpvp.exe58⤵
- Executes dropped EXE
PID:3668 -
\??\c:\bnnnnh.exec:\bnnnnh.exe59⤵
- Executes dropped EXE
PID:4468 -
\??\c:\462882.exec:\462882.exe60⤵
- Executes dropped EXE
PID:4528 -
\??\c:\lflfxxx.exec:\lflfxxx.exe61⤵
- Executes dropped EXE
PID:1304 -
\??\c:\rxflrfl.exec:\rxflrfl.exe62⤵
- Executes dropped EXE
PID:1848 -
\??\c:\8222660.exec:\8222660.exe63⤵
- Executes dropped EXE
PID:4784 -
\??\c:\6482660.exec:\6482660.exe64⤵
- Executes dropped EXE
PID:1432 -
\??\c:\822600.exec:\822600.exe65⤵
- Executes dropped EXE
PID:2676 -
\??\c:\hbhbtn.exec:\hbhbtn.exe66⤵PID:2424
-
\??\c:\9vjjd.exec:\9vjjd.exe67⤵PID:3744
-
\??\c:\44044.exec:\44044.exe68⤵PID:3628
-
\??\c:\xrxrffr.exec:\xrxrffr.exe69⤵PID:3228
-
\??\c:\frxrlll.exec:\frxrlll.exe70⤵PID:3580
-
\??\c:\jdvpj.exec:\jdvpj.exe71⤵PID:4980
-
\??\c:\400088.exec:\400088.exe72⤵PID:1756
-
\??\c:\o204848.exec:\o204848.exe73⤵PID:1844
-
\??\c:\280088.exec:\280088.exe74⤵PID:3544
-
\??\c:\pjjjd.exec:\pjjjd.exe75⤵PID:2392
-
\??\c:\06226.exec:\06226.exe76⤵PID:2016
-
\??\c:\fxxrffx.exec:\fxxrffx.exe77⤵PID:4244
-
\??\c:\q80088.exec:\q80088.exe78⤵PID:4460
-
\??\c:\206828.exec:\206828.exe79⤵PID:4540
-
\??\c:\u084448.exec:\u084448.exe80⤵PID:2972
-
\??\c:\xflfxrr.exec:\xflfxrr.exe81⤵PID:4692
-
\??\c:\vpdpj.exec:\vpdpj.exe82⤵PID:4852
-
\??\c:\5vjdd.exec:\5vjdd.exe83⤵PID:3736
-
\??\c:\pjjdv.exec:\pjjdv.exe84⤵PID:4616
-
\??\c:\ppdpd.exec:\ppdpd.exe85⤵PID:3220
-
\??\c:\rxxrllf.exec:\rxxrllf.exe86⤵PID:996
-
\??\c:\djjdd.exec:\djjdd.exe87⤵PID:3716
-
\??\c:\200448.exec:\200448.exe88⤵PID:468
-
\??\c:\rllrxfr.exec:\rllrxfr.exe89⤵PID:4332
-
\??\c:\pjjjd.exec:\pjjjd.exe90⤵PID:1604
-
\??\c:\o022228.exec:\o022228.exe91⤵PID:4776
-
\??\c:\6666660.exec:\6666660.exe92⤵PID:3468
-
\??\c:\vpjdd.exec:\vpjdd.exe93⤵PID:3272
-
\??\c:\dvpjd.exec:\dvpjd.exe94⤵PID:4960
-
\??\c:\w64480.exec:\w64480.exe95⤵PID:8
-
\??\c:\8800022.exec:\8800022.exe96⤵PID:4672
-
\??\c:\pjpjj.exec:\pjpjj.exe97⤵PID:2540
-
\??\c:\1flfrrl.exec:\1flfrrl.exe98⤵PID:1504
-
\??\c:\ntthtn.exec:\ntthtn.exe99⤵PID:5080
-
\??\c:\djpjv.exec:\djpjv.exe100⤵PID:2736
-
\??\c:\824626.exec:\824626.exe101⤵PID:3124
-
\??\c:\jpdvd.exec:\jpdvd.exe102⤵PID:3844
-
\??\c:\nbbnhh.exec:\nbbnhh.exe103⤵PID:4564
-
\??\c:\i022884.exec:\i022884.exe104⤵PID:5064
-
\??\c:\3hnhbb.exec:\3hnhbb.exe105⤵PID:4248
-
\??\c:\88448.exec:\88448.exe106⤵PID:3568
-
\??\c:\bttnhh.exec:\bttnhh.exe107⤵PID:3868
-
\??\c:\rffxrlr.exec:\rffxrlr.exe108⤵PID:3112
-
\??\c:\062042.exec:\062042.exe109⤵PID:1548
-
\??\c:\84482.exec:\84482.exe110⤵PID:3036
-
\??\c:\0020860.exec:\0020860.exe111⤵PID:4240
-
\??\c:\6442042.exec:\6442042.exe112⤵PID:3832
-
\??\c:\frlfrlx.exec:\frlfrlx.exe113⤵PID:1352
-
\??\c:\u020826.exec:\u020826.exe114⤵PID:408
-
\??\c:\s6206.exec:\s6206.exe115⤵PID:5052
-
\??\c:\6248604.exec:\6248604.exe116⤵PID:1092
-
\??\c:\jjvvp.exec:\jjvvp.exe117⤵PID:4340
-
\??\c:\dpdvj.exec:\dpdvj.exe118⤵PID:1216
-
\??\c:\404860.exec:\404860.exe119⤵PID:2264
-
\??\c:\68648.exec:\68648.exe120⤵PID:4604
-
\??\c:\rfxrfxr.exec:\rfxrfxr.exe121⤵PID:4368
-
\??\c:\888642.exec:\888642.exe122⤵PID:1316