Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 20:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
280c70f2fd22e21349e4a5ae01548fbb18c4a0c1a4ee7ad5021f55b21282699c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
280c70f2fd22e21349e4a5ae01548fbb18c4a0c1a4ee7ad5021f55b21282699c.exe
-
Size
456KB
-
MD5
403bc20881046249e8ae7dd489de5ee0
-
SHA1
e144f116da9ac6d84affb50203ed6c36c7f6be86
-
SHA256
280c70f2fd22e21349e4a5ae01548fbb18c4a0c1a4ee7ad5021f55b21282699c
-
SHA512
77f608c4c8ffa713b6011f4372fe3e5cd237054a73a5b8b4902af131fc3f635deb7d089196280bc8c5212cb2bb5942859068b81fbc3e1ad43f62f3caffa8a743
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRm:q7Tc2NYHUrAwfMp3CDRm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/3028-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3600-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2036-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-1090-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-1121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1796 tttnht.exe 2356 1jjjd.exe 3124 46204.exe 4796 thhhbb.exe 3936 vpjdp.exe 412 httnbb.exe 2052 xlfxrrr.exe 2864 82440.exe 3168 822488.exe 1936 9rrlflf.exe 60 42004.exe 4772 lxfxrxr.exe 2396 446004.exe 3088 22260.exe 4532 8286048.exe 1636 xlrlfxr.exe 1588 llxfflx.exe 3628 jvpdp.exe 1552 w68600.exe 4528 464206.exe 3780 jddvv.exe 4680 i682660.exe 3880 806048.exe 2740 228660.exe 5044 1rlfrrf.exe 4072 jpvpp.exe 100 6060482.exe 4808 468660.exe 4848 824288.exe 768 xrfxfxf.exe 1180 9pjvp.exe 3388 0648660.exe 2564 44448.exe 1384 46886.exe 1776 264484.exe 468 9ntnbb.exe 3768 ntbttn.exe 3068 66042.exe 5112 pjvpj.exe 4616 w84260.exe 5016 llllfxr.exe 1520 48826.exe 752 httntt.exe 3676 7hnhbh.exe 3964 9xxrxxr.exe 2792 02820.exe 4384 nhhttn.exe 4380 bnhbnt.exe 2284 5xxrrrl.exe 748 m6488.exe 2140 c840048.exe 1844 8226448.exe 3600 62088.exe 1980 vddvp.exe 4256 q00488.exe 2780 xlrlllr.exe 3936 nthbtt.exe 4424 6864866.exe 4204 lfxrlfr.exe 4476 bnthnh.exe 5056 64084.exe 1548 jvvpj.exe 556 5jjvp.exe 2884 3jvpd.exe -
resource yara_rule behavioral2/memory/3028-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-291-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/556-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-316-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4108-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-732-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 240048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c820420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4266026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c084226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q24822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3028 wrote to memory of 1796 3028 280c70f2fd22e21349e4a5ae01548fbb18c4a0c1a4ee7ad5021f55b21282699c.exe 83 PID 3028 wrote to memory of 1796 3028 280c70f2fd22e21349e4a5ae01548fbb18c4a0c1a4ee7ad5021f55b21282699c.exe 83 PID 3028 wrote to memory of 1796 3028 280c70f2fd22e21349e4a5ae01548fbb18c4a0c1a4ee7ad5021f55b21282699c.exe 83 PID 1796 wrote to memory of 2356 1796 tttnht.exe 84 PID 1796 wrote to memory of 2356 1796 tttnht.exe 84 PID 1796 wrote to memory of 2356 1796 tttnht.exe 84 PID 2356 wrote to memory of 3124 2356 1jjjd.exe 85 PID 2356 wrote to memory of 3124 2356 1jjjd.exe 85 PID 2356 wrote to memory of 3124 2356 1jjjd.exe 85 PID 3124 wrote to memory of 4796 3124 46204.exe 86 PID 3124 wrote to memory of 4796 3124 46204.exe 86 PID 3124 wrote to memory of 4796 3124 46204.exe 86 PID 4796 wrote to memory of 3936 4796 thhhbb.exe 140 PID 4796 wrote to memory of 3936 4796 thhhbb.exe 140 PID 4796 wrote to memory of 3936 4796 thhhbb.exe 140 PID 3936 wrote to memory of 412 3936 vpjdp.exe 88 PID 3936 wrote to memory of 412 3936 vpjdp.exe 88 PID 3936 wrote to memory of 412 3936 vpjdp.exe 88 PID 412 wrote to memory of 2052 412 httnbb.exe 89 PID 412 wrote to memory of 2052 412 httnbb.exe 89 PID 412 wrote to memory of 2052 412 httnbb.exe 89 PID 2052 wrote to memory of 2864 2052 xlfxrrr.exe 90 PID 2052 wrote to memory of 2864 2052 xlfxrrr.exe 90 PID 2052 wrote to memory of 2864 2052 xlfxrrr.exe 90 PID 2864 wrote to memory of 3168 2864 82440.exe 91 PID 2864 wrote to memory of 3168 2864 82440.exe 91 PID 2864 wrote to memory of 3168 2864 82440.exe 91 PID 3168 wrote to memory of 1936 3168 822488.exe 92 PID 3168 wrote to memory of 1936 3168 822488.exe 92 PID 3168 wrote to memory of 1936 3168 822488.exe 92 PID 1936 wrote to memory of 60 1936 9rrlflf.exe 93 PID 1936 wrote to memory of 60 1936 9rrlflf.exe 93 PID 1936 wrote to memory of 60 1936 9rrlflf.exe 93 PID 60 wrote to memory of 4772 60 42004.exe 94 PID 60 wrote to memory of 4772 60 
42004.exe 94 PID 60 wrote to memory of 4772 60 42004.exe 94 PID 4772 wrote to memory of 2396 4772 lxfxrxr.exe 95 PID 4772 wrote to memory of 2396 4772 lxfxrxr.exe 95 PID 4772 wrote to memory of 2396 4772 lxfxrxr.exe 95 PID 2396 wrote to memory of 3088 2396 446004.exe 96 PID 2396 wrote to memory of 3088 2396 446004.exe 96 PID 2396 wrote to memory of 3088 2396 446004.exe 96 PID 3088 wrote to memory of 4532 3088 22260.exe 97 PID 3088 wrote to memory of 4532 3088 22260.exe 97 PID 3088 wrote to memory of 4532 3088 22260.exe 97 PID 4532 wrote to memory of 1636 4532 8286048.exe 98 PID 4532 wrote to memory of 1636 4532 8286048.exe 98 PID 4532 wrote to memory of 1636 4532 8286048.exe 98 PID 1636 wrote to memory of 1588 1636 xlrlfxr.exe 156 PID 1636 wrote to memory of 1588 1636 xlrlfxr.exe 156 PID 1636 wrote to memory of 1588 1636 xlrlfxr.exe 156 PID 1588 wrote to memory of 3628 1588 llxfflx.exe 157 PID 1588 wrote to memory of 3628 1588 llxfflx.exe 157 PID 1588 wrote to memory of 3628 1588 llxfflx.exe 157 PID 3628 wrote to memory of 1552 3628 jvpdp.exe 101 PID 3628 wrote to memory of 1552 3628 jvpdp.exe 101 PID 3628 wrote to memory of 1552 3628 jvpdp.exe 101 PID 1552 wrote to memory of 4528 1552 w68600.exe 102 PID 1552 wrote to memory of 4528 1552 w68600.exe 102 PID 1552 wrote to memory of 4528 1552 w68600.exe 102 PID 4528 wrote to memory of 3780 4528 464206.exe 103 PID 4528 wrote to memory of 3780 4528 464206.exe 103 PID 4528 wrote to memory of 3780 4528 464206.exe 103 PID 3780 wrote to memory of 4680 3780 jddvv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\280c70f2fd22e21349e4a5ae01548fbb18c4a0c1a4ee7ad5021f55b21282699c.exe"C:\Users\Admin\AppData\Local\Temp\280c70f2fd22e21349e4a5ae01548fbb18c4a0c1a4ee7ad5021f55b21282699c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\tttnht.exec:\tttnht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\1jjjd.exec:\1jjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\46204.exec:\46204.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\thhhbb.exec:\thhhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\vpjdp.exec:\vpjdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\httnbb.exec:\httnbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\xlfxrrr.exec:\xlfxrrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\82440.exec:\82440.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\822488.exec:\822488.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\9rrlflf.exec:\9rrlflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\42004.exec:\42004.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\lxfxrxr.exec:\lxfxrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\446004.exec:\446004.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\22260.exec:\22260.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\8286048.exec:\8286048.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\llxfflx.exec:\llxfflx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\jvpdp.exec:\jvpdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\w68600.exec:\w68600.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\464206.exec:\464206.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\jddvv.exec:\jddvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\i682660.exec:\i682660.exe23⤵
- Executes dropped EXE
PID:4680 -
\??\c:\806048.exec:\806048.exe24⤵
- Executes dropped EXE
PID:3880 -
\??\c:\228660.exec:\228660.exe25⤵
- Executes dropped EXE
PID:2740 -
\??\c:\1rlfrrf.exec:\1rlfrrf.exe26⤵
- Executes dropped EXE
PID:5044 -
\??\c:\jpvpp.exec:\jpvpp.exe27⤵
- Executes dropped EXE
PID:4072 -
\??\c:\6060482.exec:\6060482.exe28⤵
- Executes dropped EXE
PID:100 -
\??\c:\468660.exec:\468660.exe29⤵
- Executes dropped EXE
PID:4808 -
\??\c:\824288.exec:\824288.exe30⤵
- Executes dropped EXE
PID:4848 -
\??\c:\xrfxfxf.exec:\xrfxfxf.exe31⤵
- Executes dropped EXE
PID:768 -
\??\c:\9pjvp.exec:\9pjvp.exe32⤵
- Executes dropped EXE
PID:1180 -
\??\c:\0648660.exec:\0648660.exe33⤵
- Executes dropped EXE
PID:3388 -
\??\c:\44448.exec:\44448.exe34⤵
- Executes dropped EXE
PID:2564 -
\??\c:\46886.exec:\46886.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1384 -
\??\c:\264484.exec:\264484.exe36⤵
- Executes dropped EXE
PID:1776 -
\??\c:\9ntnbb.exec:\9ntnbb.exe37⤵
- Executes dropped EXE
PID:468 -
\??\c:\ntbttn.exec:\ntbttn.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3768 -
\??\c:\66042.exec:\66042.exe39⤵
- Executes dropped EXE
PID:3068 -
\??\c:\pjvpj.exec:\pjvpj.exe40⤵
- Executes dropped EXE
PID:5112 -
\??\c:\w84260.exec:\w84260.exe41⤵
- Executes dropped EXE
PID:4616 -
\??\c:\llllfxr.exec:\llllfxr.exe42⤵
- Executes dropped EXE
PID:5016 -
\??\c:\48826.exec:\48826.exe43⤵
- Executes dropped EXE
PID:1520 -
\??\c:\httntt.exec:\httntt.exe44⤵
- Executes dropped EXE
PID:752 -
\??\c:\7hnhbh.exec:\7hnhbh.exe45⤵
- Executes dropped EXE
PID:3676 -
\??\c:\9xxrxxr.exec:\9xxrxxr.exe46⤵
- Executes dropped EXE
PID:3964 -
\??\c:\02820.exec:\02820.exe47⤵
- Executes dropped EXE
PID:2792 -
\??\c:\nhhttn.exec:\nhhttn.exe48⤵
- Executes dropped EXE
PID:4384 -
\??\c:\xrrrlff.exec:\xrrrlff.exe49⤵PID:4276
-
\??\c:\bnhbnt.exec:\bnhbnt.exe50⤵
- Executes dropped EXE
PID:4380 -
\??\c:\5xxrrrl.exec:\5xxrrrl.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284 -
\??\c:\m6488.exec:\m6488.exe52⤵
- Executes dropped EXE
PID:748 -
\??\c:\c840048.exec:\c840048.exe53⤵
- Executes dropped EXE
PID:2140 -
\??\c:\8226448.exec:\8226448.exe54⤵
- Executes dropped EXE
PID:1844 -
\??\c:\62088.exec:\62088.exe55⤵
- Executes dropped EXE
PID:3600 -
\??\c:\vddvp.exec:\vddvp.exe56⤵
- Executes dropped EXE
PID:1980 -
\??\c:\q00488.exec:\q00488.exe57⤵
- Executes dropped EXE
PID:4256 -
\??\c:\xlrlllr.exec:\xlrlllr.exe58⤵
- Executes dropped EXE
PID:2780 -
\??\c:\nthbtt.exec:\nthbtt.exe59⤵
- Executes dropped EXE
PID:3936 -
\??\c:\6864866.exec:\6864866.exe60⤵
- Executes dropped EXE
PID:4424 -
\??\c:\lfxrlfr.exec:\lfxrlfr.exe61⤵
- Executes dropped EXE
PID:4204 -
\??\c:\bnthnh.exec:\bnthnh.exe62⤵
- Executes dropped EXE
PID:4476 -
\??\c:\64084.exec:\64084.exe63⤵
- Executes dropped EXE
PID:5056 -
\??\c:\jvvpj.exec:\jvvpj.exe64⤵
- Executes dropped EXE
PID:1548 -
\??\c:\5jjvp.exec:\5jjvp.exe65⤵
- Executes dropped EXE
PID:556 -
\??\c:\3jvpd.exec:\3jvpd.exe66⤵
- Executes dropped EXE
PID:2884 -
\??\c:\3nhhbb.exec:\3nhhbb.exe67⤵PID:4220
-
\??\c:\i228240.exec:\i228240.exe68⤵PID:2036
-
\??\c:\040484.exec:\040484.exe69⤵PID:1836
-
\??\c:\268260.exec:\268260.exe70⤵PID:4428
-
\??\c:\0266224.exec:\0266224.exe71⤵PID:4108
-
\??\c:\a6200.exec:\a6200.exe72⤵PID:2796
-
\??\c:\02208.exec:\02208.exe73⤵PID:2616
-
\??\c:\3nthtn.exec:\3nthtn.exe74⤵PID:2536
-
\??\c:\vjpjd.exec:\vjpjd.exe75⤵PID:1588
-
\??\c:\rffxrrr.exec:\rffxrrr.exe76⤵PID:3628
-
\??\c:\httnhh.exec:\httnhh.exe77⤵PID:1468
-
\??\c:\402662.exec:\402662.exe78⤵PID:2932
-
\??\c:\884426.exec:\884426.exe79⤵PID:4556
-
\??\c:\s2820.exec:\s2820.exe80⤵PID:5040
-
\??\c:\bthbtn.exec:\bthbtn.exe81⤵PID:2860
-
\??\c:\0626600.exec:\0626600.exe82⤵PID:1692
-
\??\c:\xlfxxrl.exec:\xlfxxrl.exe83⤵PID:4784
-
\??\c:\7rrlfff.exec:\7rrlfff.exe84⤵PID:3604
-
\??\c:\xrllfxx.exec:\xrllfxx.exe85⤵PID:1820
-
\??\c:\xlrlffx.exec:\xlrlffx.exe86⤵PID:4340
-
\??\c:\jvdjd.exec:\jvdjd.exe87⤵PID:4848
-
\??\c:\rxrlxxr.exec:\rxrlxxr.exe88⤵PID:768
-
\??\c:\044882.exec:\044882.exe89⤵PID:2428
-
\??\c:\1vvpd.exec:\1vvpd.exe90⤵PID:1068
-
\??\c:\4464482.exec:\4464482.exe91⤵PID:1384
-
\??\c:\9ffxrxr.exec:\9ffxrxr.exe92⤵PID:3484
-
\??\c:\1djdv.exec:\1djdv.exe93⤵PID:3904
-
\??\c:\280866.exec:\280866.exe94⤵PID:868
-
\??\c:\bttnhb.exec:\bttnhb.exe95⤵PID:3068
-
\??\c:\0428002.exec:\0428002.exe96⤵PID:2276
-
\??\c:\26600.exec:\26600.exe97⤵PID:4996
-
\??\c:\0882266.exec:\0882266.exe98⤵PID:4208
-
\??\c:\nnttnn.exec:\nnttnn.exe99⤵PID:1292
-
\??\c:\4466048.exec:\4466048.exe100⤵PID:4980
-
\??\c:\hnbhnt.exec:\hnbhnt.exe101⤵PID:1604
-
\??\c:\1xlxxrl.exec:\1xlxxrl.exe102⤵PID:3964
-
\??\c:\dpjdd.exec:\dpjdd.exe103⤵PID:680
-
\??\c:\4226484.exec:\4226484.exe104⤵PID:4368
-
\??\c:\e64828.exec:\e64828.exe105⤵PID:3144
-
\??\c:\80048.exec:\80048.exe106⤵PID:2820
-
\??\c:\6882200.exec:\6882200.exe107⤵PID:3968
-
\??\c:\1ddvj.exec:\1ddvj.exe108⤵PID:3868
-
\??\c:\hhthtt.exec:\hhthtt.exe109⤵PID:552
-
\??\c:\0848822.exec:\0848822.exe110⤵PID:872
-
\??\c:\fxrrlll.exec:\fxrrlll.exe111⤵PID:3908
-
\??\c:\9tbtnb.exec:\9tbtnb.exe112⤵PID:4256
-
\??\c:\004848.exec:\004848.exe113⤵PID:1816
-
\??\c:\5rlxfxr.exec:\5rlxfxr.exe114⤵PID:3936
-
\??\c:\llffxxr.exec:\llffxxr.exe115⤵PID:3488
-
\??\c:\dvpjd.exec:\dvpjd.exe116⤵PID:4204
-
\??\c:\nttnnn.exec:\nttnnn.exe117⤵PID:900
-
\??\c:\xflfxxx.exec:\xflfxxx.exe118⤵PID:3276
-
\??\c:\5ntntt.exec:\5ntntt.exe119⤵
- System Location Discovery: System Language Discovery
PID:4908 -
\??\c:\22802.exec:\22802.exe120⤵PID:2644
-
\??\c:\htthbt.exec:\htthbt.exe121⤵PID:4552
-
\??\c:\o660868.exec:\o660868.exe122⤵PID:3848