Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe
-
Size
454KB
-
MD5
3469b33bcb32417fee8d75ba4b2e7500
-
SHA1
107c8370d6e4a7efa1951ca1a63389d453ce9d9b
-
SHA256
1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686
-
SHA512
69a220bbc47cd3af2483d2f6c82dcf64d95f6a2d0a46c1a9a229d3a856ff96fe55cd0d7485afb44af30846f3e71b4599a2f2f3a97e54490281c56d4c4fde4e43
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1928-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2776-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4256-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-778-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3004-935-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1096 2888222.exe 4880 86888.exe 1276 60044.exe 3516 nnnhbh.exe 5036 k24822.exe 4040 44048.exe 3160 860444.exe 2140 bnbtbb.exe 2424 pvvvv.exe 4124 806666.exe 984 6004848.exe 4380 0626680.exe 3292 8848220.exe 3652 tbtnhh.exe 2892 662622.exe 4756 02888.exe 2336 lrxrrrr.exe 2532 288640.exe 2808 pdpjj.exe 1532 8226660.exe 3780 vpvvv.exe 1448 tnnttn.exe 3984 ffllrxr.exe 2888 c242682.exe 4720 7jvvp.exe 3248 4682060.exe 4276 ntntbn.exe 2776 frrrlff.exe 4836 frxrfff.exe 448 q42482.exe 1584 jvppd.exe 1960 thhtht.exe 1688 k28244.exe 1856 828000.exe 1956 7ppjv.exe 2412 6842202.exe 212 1hthtn.exe 780 064266.exe 4416 k46046.exe 1596 82082.exe 844 ppdpj.exe 3240 64044.exe 3216 0048620.exe 4336 0826026.exe 2356 q80006.exe 1760 04488.exe 2900 lfxrlfr.exe 4948 08482.exe 2632 rxrlxrl.exe 4956 hthbnn.exe 2300 3dpjv.exe 4880 xrfxflr.exe 1488 pjdvd.exe 3772 httbnt.exe 4216 g0642.exe 4816 88826.exe 2756 bhbtbh.exe 3460 08420.exe 388 dvvpj.exe 1736 jjdpd.exe 4572 jjjvj.exe 4936 7ttnnh.exe 2072 4248040.exe 2008 hnnbnn.exe -
resource yara_rule behavioral2/memory/1928-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4720-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-323-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4256-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-549-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2224800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o448228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 680242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6004848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w84668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0826482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8846064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4882226.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 244448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q44428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64820.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1928 wrote to memory of 1096 1928 1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe 83 PID 1928 wrote to memory of 1096 1928 1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe 83 PID 1928 wrote to memory of 1096 1928 1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe 83 PID 1096 wrote to memory of 4880 1096 2888222.exe 84 PID 1096 wrote to memory of 4880 1096 2888222.exe 84 PID 1096 wrote to memory of 4880 1096 2888222.exe 84 PID 4880 wrote to memory of 1276 4880 86888.exe 85 PID 4880 wrote to memory of 1276 4880 86888.exe 85 PID 4880 wrote to memory of 1276 4880 86888.exe 85 PID 1276 wrote to memory of 3516 1276 60044.exe 86 PID 1276 wrote to memory of 3516 1276 60044.exe 86 PID 1276 wrote to memory of 3516 1276 60044.exe 86 PID 3516 wrote to memory of 5036 3516 nnnhbh.exe 87 PID 3516 wrote to memory of 5036 3516 nnnhbh.exe 87 PID 3516 wrote to memory of 5036 3516 nnnhbh.exe 87 PID 5036 wrote to memory of 4040 5036 k24822.exe 88 PID 5036 wrote to memory of 4040 5036 k24822.exe 88 PID 5036 wrote to memory of 4040 5036 k24822.exe 88 PID 4040 wrote to memory of 3160 4040 44048.exe 89 PID 4040 wrote to memory of 3160 4040 44048.exe 89 PID 4040 wrote to memory of 3160 4040 44048.exe 89 PID 3160 wrote to memory of 2140 3160 860444.exe 90 PID 3160 wrote to memory of 2140 3160 860444.exe 90 PID 3160 wrote to memory of 2140 3160 860444.exe 90 PID 2140 wrote to memory of 2424 2140 bnbtbb.exe 91 PID 2140 wrote to memory of 2424 2140 bnbtbb.exe 91 PID 2140 wrote to memory of 2424 2140 bnbtbb.exe 91 PID 2424 wrote to memory of 4124 2424 pvvvv.exe 92 PID 2424 wrote to memory of 4124 2424 pvvvv.exe 92 PID 2424 wrote to memory of 4124 2424 pvvvv.exe 92 PID 4124 wrote to memory of 984 4124 806666.exe 93 PID 4124 wrote to memory of 984 4124 806666.exe 93 PID 4124 wrote to memory of 984 4124 806666.exe 93 PID 984 wrote to memory of 4380 984 6004848.exe 94 PID 984 wrote to memory of 
4380 984 6004848.exe 94 PID 984 wrote to memory of 4380 984 6004848.exe 94 PID 4380 wrote to memory of 3292 4380 0626680.exe 95 PID 4380 wrote to memory of 3292 4380 0626680.exe 95 PID 4380 wrote to memory of 3292 4380 0626680.exe 95 PID 3292 wrote to memory of 3652 3292 8848220.exe 96 PID 3292 wrote to memory of 3652 3292 8848220.exe 96 PID 3292 wrote to memory of 3652 3292 8848220.exe 96 PID 3652 wrote to memory of 2892 3652 tbtnhh.exe 97 PID 3652 wrote to memory of 2892 3652 tbtnhh.exe 97 PID 3652 wrote to memory of 2892 3652 tbtnhh.exe 97 PID 2892 wrote to memory of 4756 2892 662622.exe 98 PID 2892 wrote to memory of 4756 2892 662622.exe 98 PID 2892 wrote to memory of 4756 2892 662622.exe 98 PID 4756 wrote to memory of 2336 4756 02888.exe 99 PID 4756 wrote to memory of 2336 4756 02888.exe 99 PID 4756 wrote to memory of 2336 4756 02888.exe 99 PID 2336 wrote to memory of 2532 2336 lrxrrrr.exe 100 PID 2336 wrote to memory of 2532 2336 lrxrrrr.exe 100 PID 2336 wrote to memory of 2532 2336 lrxrrrr.exe 100 PID 2532 wrote to memory of 2808 2532 288640.exe 101 PID 2532 wrote to memory of 2808 2532 288640.exe 101 PID 2532 wrote to memory of 2808 2532 288640.exe 101 PID 2808 wrote to memory of 1532 2808 pdpjj.exe 102 PID 2808 wrote to memory of 1532 2808 pdpjj.exe 102 PID 2808 wrote to memory of 1532 2808 pdpjj.exe 102 PID 1532 wrote to memory of 3780 1532 8226660.exe 103 PID 1532 wrote to memory of 3780 1532 8226660.exe 103 PID 1532 wrote to memory of 3780 1532 8226660.exe 103 PID 3780 wrote to memory of 1448 3780 vpvvv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe"C:\Users\Admin\AppData\Local\Temp\1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\2888222.exec:\2888222.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\86888.exec:\86888.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\60044.exec:\60044.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\nnnhbh.exec:\nnnhbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\k24822.exec:\k24822.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\44048.exec:\44048.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\860444.exec:\860444.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
\??\c:\bnbtbb.exec:\bnbtbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\pvvvv.exec:\pvvvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\806666.exec:\806666.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\6004848.exec:\6004848.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\0626680.exec:\0626680.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\8848220.exec:\8848220.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\tbtnhh.exec:\tbtnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\662622.exec:\662622.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\02888.exec:\02888.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\288640.exec:\288640.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\pdpjj.exec:\pdpjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\8226660.exec:\8226660.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\vpvvv.exec:\vpvvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\tnnttn.exec:\tnnttn.exe23⤵
- Executes dropped EXE
PID:1448 -
\??\c:\ffllrxr.exec:\ffllrxr.exe24⤵
- Executes dropped EXE
PID:3984 -
\??\c:\c242682.exec:\c242682.exe25⤵
- Executes dropped EXE
PID:2888 -
\??\c:\7jvvp.exec:\7jvvp.exe26⤵
- Executes dropped EXE
PID:4720 -
\??\c:\4682060.exec:\4682060.exe27⤵
- Executes dropped EXE
PID:3248 -
\??\c:\ntntbn.exec:\ntntbn.exe28⤵
- Executes dropped EXE
PID:4276 -
\??\c:\frrrlff.exec:\frrrlff.exe29⤵
- Executes dropped EXE
PID:2776 -
\??\c:\frxrfff.exec:\frxrfff.exe30⤵
- Executes dropped EXE
PID:4836 -
\??\c:\q42482.exec:\q42482.exe31⤵
- Executes dropped EXE
PID:448 -
\??\c:\jvppd.exec:\jvppd.exe32⤵
- Executes dropped EXE
PID:1584 -
\??\c:\thhtht.exec:\thhtht.exe33⤵
- Executes dropped EXE
PID:1960 -
\??\c:\k28244.exec:\k28244.exe34⤵
- Executes dropped EXE
PID:1688 -
\??\c:\828000.exec:\828000.exe35⤵
- Executes dropped EXE
PID:1856 -
\??\c:\7ppjv.exec:\7ppjv.exe36⤵
- Executes dropped EXE
PID:1956 -
\??\c:\6842202.exec:\6842202.exe37⤵
- Executes dropped EXE
PID:2412 -
\??\c:\1hthtn.exec:\1hthtn.exe38⤵
- Executes dropped EXE
PID:212 -
\??\c:\064266.exec:\064266.exe39⤵
- Executes dropped EXE
PID:780 -
\??\c:\k46046.exec:\k46046.exe40⤵
- Executes dropped EXE
PID:4416 -
\??\c:\82082.exec:\82082.exe41⤵
- Executes dropped EXE
PID:1596 -
\??\c:\ppdpj.exec:\ppdpj.exe42⤵
- Executes dropped EXE
PID:844 -
\??\c:\64044.exec:\64044.exe43⤵
- Executes dropped EXE
PID:3240 -
\??\c:\0048620.exec:\0048620.exe44⤵
- Executes dropped EXE
PID:3216 -
\??\c:\0826026.exec:\0826026.exe45⤵
- Executes dropped EXE
PID:4336 -
\??\c:\q80006.exec:\q80006.exe46⤵
- Executes dropped EXE
PID:2356 -
\??\c:\04488.exec:\04488.exe47⤵
- Executes dropped EXE
PID:1760 -
\??\c:\lfxrlfr.exec:\lfxrlfr.exe48⤵
- Executes dropped EXE
PID:2900 -
\??\c:\08482.exec:\08482.exe49⤵
- Executes dropped EXE
PID:4948 -
\??\c:\rxrlxrl.exec:\rxrlxrl.exe50⤵
- Executes dropped EXE
PID:2632 -
\??\c:\hthbnn.exec:\hthbnn.exe51⤵
- Executes dropped EXE
PID:4956 -
\??\c:\3dpjv.exec:\3dpjv.exe52⤵
- Executes dropped EXE
PID:2300 -
\??\c:\xrfxflr.exec:\xrfxflr.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4880 -
\??\c:\pjdvd.exec:\pjdvd.exe54⤵
- Executes dropped EXE
PID:1488 -
\??\c:\httbnt.exec:\httbnt.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3772 -
\??\c:\g0642.exec:\g0642.exe56⤵
- Executes dropped EXE
PID:4216 -
\??\c:\88826.exec:\88826.exe57⤵
- Executes dropped EXE
PID:4816 -
\??\c:\bhbtbh.exec:\bhbtbh.exe58⤵
- Executes dropped EXE
PID:2756 -
\??\c:\08420.exec:\08420.exe59⤵
- Executes dropped EXE
PID:3460 -
\??\c:\dvvpj.exec:\dvvpj.exe60⤵
- Executes dropped EXE
PID:388 -
\??\c:\jjdpd.exec:\jjdpd.exe61⤵
- Executes dropped EXE
PID:1736 -
\??\c:\jjjvj.exec:\jjjvj.exe62⤵
- Executes dropped EXE
PID:4572 -
\??\c:\7ttnnh.exec:\7ttnnh.exe63⤵
- Executes dropped EXE
PID:4936 -
\??\c:\4248040.exec:\4248040.exe64⤵
- Executes dropped EXE
PID:2072 -
\??\c:\hnnbnn.exec:\hnnbnn.exe65⤵
- Executes dropped EXE
PID:2008 -
\??\c:\thnhbh.exec:\thnhbh.exe66⤵PID:1436
-
\??\c:\a8226.exec:\a8226.exe67⤵PID:3260
-
\??\c:\hnbhth.exec:\hnbhth.exe68⤵PID:4664
-
\??\c:\8860442.exec:\8860442.exe69⤵PID:4380
-
\??\c:\a0042.exec:\a0042.exe70⤵PID:3292
-
\??\c:\u806660.exec:\u806660.exe71⤵PID:3016
-
\??\c:\884826.exec:\884826.exe72⤵PID:3004
-
\??\c:\s6064.exec:\s6064.exe73⤵PID:3224
-
\??\c:\a2040.exec:\a2040.exe74⤵PID:1648
-
\??\c:\844826.exec:\844826.exe75⤵PID:2160
-
\??\c:\08826.exec:\08826.exe76⤵PID:4256
-
\??\c:\thhhhb.exec:\thhhhb.exe77⤵PID:3264
-
\??\c:\a8826.exec:\a8826.exe78⤵PID:2952
-
\??\c:\nbbtnn.exec:\nbbtnn.exe79⤵PID:4828
-
\??\c:\0062206.exec:\0062206.exe80⤵PID:5020
-
\??\c:\xfrlffx.exec:\xfrlffx.exe81⤵PID:2464
-
\??\c:\rllllff.exec:\rllllff.exe82⤵PID:3756
-
\??\c:\8280420.exec:\8280420.exe83⤵PID:3844
-
\??\c:\bbnhhh.exec:\bbnhhh.exe84⤵PID:3604
-
\??\c:\ntbtnn.exec:\ntbtnn.exe85⤵PID:2888
-
\??\c:\5dddv.exec:\5dddv.exe86⤵PID:1136
-
\??\c:\0222666.exec:\0222666.exe87⤵PID:4236
-
\??\c:\o062222.exec:\o062222.exe88⤵PID:4676
-
\??\c:\0002440.exec:\0002440.exe89⤵PID:1028
-
\??\c:\3tnbnh.exec:\3tnbnh.exe90⤵PID:4736
-
\??\c:\tbbnbt.exec:\tbbnbt.exe91⤵PID:2776
-
\??\c:\nbnnhb.exec:\nbnnhb.exe92⤵PID:3348
-
\??\c:\pjvjd.exec:\pjvjd.exe93⤵PID:448
-
\??\c:\7ddpv.exec:\7ddpv.exe94⤵PID:3052
-
\??\c:\24086.exec:\24086.exe95⤵PID:1584
-
\??\c:\08028.exec:\08028.exe96⤵PID:4432
-
\??\c:\44426.exec:\44426.exe97⤵PID:1688
-
\??\c:\llrfrlf.exec:\llrfrlf.exe98⤵PID:1224
-
\??\c:\4260422.exec:\4260422.exe99⤵PID:4472
-
\??\c:\pdjdd.exec:\pdjdd.exe100⤵PID:3600
-
\??\c:\26828.exec:\26828.exe101⤵PID:2500
-
\??\c:\28004.exec:\28004.exe102⤵PID:4952
-
\??\c:\4000048.exec:\4000048.exe103⤵PID:732
-
\??\c:\40660.exec:\40660.exe104⤵PID:860
-
\??\c:\44468.exec:\44468.exe105⤵PID:536
-
\??\c:\200042.exec:\200042.exe106⤵PID:3968
-
\??\c:\004248.exec:\004248.exe107⤵PID:4892
-
\??\c:\u282042.exec:\u282042.exe108⤵PID:1132
-
\??\c:\0204266.exec:\0204266.exe109⤵PID:4488
-
\??\c:\200440.exec:\200440.exe110⤵PID:4540
-
\??\c:\62864.exec:\62864.exe111⤵PID:1760
-
\??\c:\2804664.exec:\2804664.exe112⤵PID:2900
-
\??\c:\nhbthh.exec:\nhbthh.exe113⤵PID:1928
-
\??\c:\66048.exec:\66048.exe114⤵PID:2632
-
\??\c:\64260.exec:\64260.exe115⤵PID:852
-
\??\c:\6408488.exec:\6408488.exe116⤵PID:2300
-
\??\c:\40626.exec:\40626.exe117⤵PID:4880
-
\??\c:\hbbtnn.exec:\hbbtnn.exe118⤵PID:4020
-
\??\c:\rlfrfxr.exec:\rlfrfxr.exe119⤵PID:2896
-
\??\c:\tntnhh.exec:\tntnhh.exe120⤵PID:4568
-
\??\c:\1lllxxx.exec:\1lllxxx.exe121⤵PID:4996
-
\??\c:\008686.exec:\008686.exe122⤵PID:2024
-