Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe
-
Size
453KB
-
MD5
4304bb1ac409f30a064f5c9bd4ee0455
-
SHA1
543744d7798a3b9d98f4f4c5257011b9d177c32b
-
SHA256
945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f
-
SHA512
de92ec0bcaf96184c6369058fbed7b287f9a865441007037969d793d1fe2263a407b7a0f66fd76fd6276edff7d634cc2eea5fa42fea86b40ba93b446786ad589
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/728-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2952-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3148-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-963-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3748-988-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4860 6022604.exe 2160 tnnnbb.exe 4692 602262.exe 3716 846046.exe 324 08080.exe 1592 ddvpd.exe 1744 xrllxrl.exe 4936 642460.exe 3148 rlrrxrx.exe 464 4848284.exe 4052 rrxlfrr.exe 4536 08426.exe 1700 nnthbt.exe 996 pdvpd.exe 1528 q62648.exe 3228 xllfxxr.exe 3068 4420242.exe 3332 4882482.exe 3412 208606.exe 4856 84482.exe 2768 4060886.exe 2532 pjjdp.exe 2604 pjdpd.exe 2884 062208.exe 3348 s0648.exe 3568 thhbtt.exe 1544 u288042.exe 460 xrrfxrl.exe 3100 hhbhth.exe 3136 6260482.exe 2300 bbtnnb.exe 3912 c006048.exe 3132 jdjdd.exe 872 066260.exe 3796 248440.exe 4432 7lfrxfx.exe 2952 jdddv.exe 5092 4060482.exe 4256 thtntn.exe 4560 684882.exe 4080 224006.exe 4032 42822.exe 2848 m6860.exe 4716 642848.exe 4476 vpppj.exe 2396 680004.exe 2160 nhbtnh.exe 3760 pddvp.exe 368 a0862.exe 4796 ntnbtt.exe 216 dpjdd.exe 4900 frrllxx.exe 1172 jjjdv.exe 1328 fxxrxxr.exe 624 6628226.exe 3456 tnthbb.exe 2152 s0260.exe 2724 htbbtt.exe 4264 02486.exe 5028 606604.exe 4800 vppjv.exe 764 htbtnh.exe 1712 28044.exe 3412 djvpp.exe -
resource yara_rule behavioral2/memory/728-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-196-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3132-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-17-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2160-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-559-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 240860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w88220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 060826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i266888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4406226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6422222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6448222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhtn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 728 wrote to memory of 4860 728 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 83 PID 728 wrote to memory of 4860 728 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 83 PID 728 wrote to memory of 4860 728 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 83 PID 4860 wrote to memory of 2160 4860 6022604.exe 129 PID 4860 wrote to memory of 2160 4860 6022604.exe 129 PID 4860 wrote to memory of 2160 4860 6022604.exe 129 PID 2160 wrote to memory of 4692 2160 tnnnbb.exe 85 PID 2160 wrote to memory of 4692 2160 tnnnbb.exe 85 PID 2160 wrote to memory of 4692 2160 tnnnbb.exe 85 PID 4692 wrote to memory of 3716 4692 602262.exe 86 PID 4692 wrote to memory of 3716 4692 602262.exe 86 PID 4692 wrote to memory of 3716 4692 602262.exe 86 PID 3716 wrote to memory of 324 3716 846046.exe 87 PID 3716 wrote to memory of 324 3716 846046.exe 87 PID 3716 wrote to memory of 324 3716 846046.exe 87 PID 324 wrote to memory of 1592 324 08080.exe 88 PID 324 wrote to memory of 1592 324 08080.exe 88 PID 324 wrote to memory of 1592 324 08080.exe 88 PID 1592 wrote to memory of 1744 1592 ddvpd.exe 89 PID 1592 wrote to memory of 1744 1592 ddvpd.exe 89 PID 1592 wrote to memory of 1744 1592 ddvpd.exe 89 PID 1744 wrote to memory of 4936 1744 xrllxrl.exe 90 PID 1744 wrote to memory of 4936 1744 xrllxrl.exe 90 PID 1744 wrote to memory of 4936 1744 xrllxrl.exe 90 PID 4936 wrote to memory of 3148 4936 642460.exe 91 PID 4936 wrote to memory of 3148 4936 642460.exe 91 PID 4936 wrote to memory of 3148 4936 642460.exe 91 PID 3148 wrote to memory of 464 3148 rlrrxrx.exe 92 PID 3148 wrote to memory of 464 3148 rlrrxrx.exe 92 PID 3148 wrote to memory of 464 3148 rlrrxrx.exe 92 PID 464 wrote to memory of 4052 464 4848284.exe 93 PID 464 wrote to memory of 4052 464 4848284.exe 93 PID 464 wrote to memory of 4052 464 4848284.exe 93 PID 4052 wrote to memory of 4536 4052 rrxlfrr.exe 94 PID 4052 wrote to memory of 4536 
4052 rrxlfrr.exe 94 PID 4052 wrote to memory of 4536 4052 rrxlfrr.exe 94 PID 4536 wrote to memory of 1700 4536 08426.exe 95 PID 4536 wrote to memory of 1700 4536 08426.exe 95 PID 4536 wrote to memory of 1700 4536 08426.exe 95 PID 1700 wrote to memory of 996 1700 nnthbt.exe 96 PID 1700 wrote to memory of 996 1700 nnthbt.exe 96 PID 1700 wrote to memory of 996 1700 nnthbt.exe 96 PID 996 wrote to memory of 1528 996 pdvpd.exe 97 PID 996 wrote to memory of 1528 996 pdvpd.exe 97 PID 996 wrote to memory of 1528 996 pdvpd.exe 97 PID 1528 wrote to memory of 3228 1528 q62648.exe 98 PID 1528 wrote to memory of 3228 1528 q62648.exe 98 PID 1528 wrote to memory of 3228 1528 q62648.exe 98 PID 3228 wrote to memory of 3068 3228 xllfxxr.exe 99 PID 3228 wrote to memory of 3068 3228 xllfxxr.exe 99 PID 3228 wrote to memory of 3068 3228 xllfxxr.exe 99 PID 3068 wrote to memory of 3332 3068 4420242.exe 100 PID 3068 wrote to memory of 3332 3068 4420242.exe 100 PID 3068 wrote to memory of 3332 3068 4420242.exe 100 PID 3332 wrote to memory of 3412 3332 4882482.exe 101 PID 3332 wrote to memory of 3412 3332 4882482.exe 101 PID 3332 wrote to memory of 3412 3332 4882482.exe 101 PID 3412 wrote to memory of 4856 3412 208606.exe 102 PID 3412 wrote to memory of 4856 3412 208606.exe 102 PID 3412 wrote to memory of 4856 3412 208606.exe 102 PID 4856 wrote to memory of 2768 4856 84482.exe 103 PID 4856 wrote to memory of 2768 4856 84482.exe 103 PID 4856 wrote to memory of 2768 4856 84482.exe 103 PID 2768 wrote to memory of 2532 2768 4060886.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe"C:\Users\Admin\AppData\Local\Temp\945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:728 -
\??\c:\6022604.exec:\6022604.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\tnnnbb.exec:\tnnnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\602262.exec:\602262.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\846046.exec:\846046.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\08080.exec:\08080.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\ddvpd.exec:\ddvpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\xrllxrl.exec:\xrllxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\642460.exec:\642460.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\rlrrxrx.exec:\rlrrxrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\4848284.exec:\4848284.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\rrxlfrr.exec:\rrxlfrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\08426.exec:\08426.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\nnthbt.exec:\nnthbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\pdvpd.exec:\pdvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\q62648.exec:\q62648.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\xllfxxr.exec:\xllfxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\4420242.exec:\4420242.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\4882482.exec:\4882482.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\208606.exec:\208606.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\84482.exec:\84482.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\4060886.exec:\4060886.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\pjjdp.exec:\pjjdp.exe23⤵
- Executes dropped EXE
PID:2532 -
\??\c:\pjdpd.exec:\pjdpd.exe24⤵
- Executes dropped EXE
PID:2604 -
\??\c:\062208.exec:\062208.exe25⤵
- Executes dropped EXE
PID:2884 -
\??\c:\s0648.exec:\s0648.exe26⤵
- Executes dropped EXE
PID:3348 -
\??\c:\thhbtt.exec:\thhbtt.exe27⤵
- Executes dropped EXE
PID:3568 -
\??\c:\u288042.exec:\u288042.exe28⤵
- Executes dropped EXE
PID:1544 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe29⤵
- Executes dropped EXE
PID:460 -
\??\c:\hhbhth.exec:\hhbhth.exe30⤵
- Executes dropped EXE
PID:3100 -
\??\c:\6260482.exec:\6260482.exe31⤵
- Executes dropped EXE
PID:3136 -
\??\c:\bbtnnb.exec:\bbtnnb.exe32⤵
- Executes dropped EXE
PID:2300 -
\??\c:\c006048.exec:\c006048.exe33⤵
- Executes dropped EXE
PID:3912 -
\??\c:\jdjdd.exec:\jdjdd.exe34⤵
- Executes dropped EXE
PID:3132 -
\??\c:\066260.exec:\066260.exe35⤵
- Executes dropped EXE
PID:872 -
\??\c:\248440.exec:\248440.exe36⤵
- Executes dropped EXE
PID:3796 -
\??\c:\7lfrxfx.exec:\7lfrxfx.exe37⤵
- Executes dropped EXE
PID:4432 -
\??\c:\jdddv.exec:\jdddv.exe38⤵
- Executes dropped EXE
PID:2952 -
\??\c:\4060482.exec:\4060482.exe39⤵
- Executes dropped EXE
PID:5092 -
\??\c:\thtntn.exec:\thtntn.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4256 -
\??\c:\684882.exec:\684882.exe41⤵
- Executes dropped EXE
PID:4560 -
\??\c:\224006.exec:\224006.exe42⤵
- Executes dropped EXE
PID:4080 -
\??\c:\42822.exec:\42822.exe43⤵
- Executes dropped EXE
PID:4032 -
\??\c:\m6860.exec:\m6860.exe44⤵
- Executes dropped EXE
PID:2848 -
\??\c:\642848.exec:\642848.exe45⤵
- Executes dropped EXE
PID:4716 -
\??\c:\vpppj.exec:\vpppj.exe46⤵
- Executes dropped EXE
PID:4476 -
\??\c:\680004.exec:\680004.exe47⤵
- Executes dropped EXE
PID:2396 -
\??\c:\nhbtnh.exec:\nhbtnh.exe48⤵
- Executes dropped EXE
PID:2160 -
\??\c:\pddvp.exec:\pddvp.exe49⤵
- Executes dropped EXE
PID:3760 -
\??\c:\a0862.exec:\a0862.exe50⤵
- Executes dropped EXE
PID:368 -
\??\c:\ntnbtt.exec:\ntnbtt.exe51⤵
- Executes dropped EXE
PID:4796 -
\??\c:\dpjdd.exec:\dpjdd.exe52⤵
- Executes dropped EXE
PID:216 -
\??\c:\frrllxx.exec:\frrllxx.exe53⤵
- Executes dropped EXE
PID:4900 -
\??\c:\jjjdv.exec:\jjjdv.exe54⤵
- Executes dropped EXE
PID:1172 -
\??\c:\fxxrxxr.exec:\fxxrxxr.exe55⤵
- Executes dropped EXE
PID:1328 -
\??\c:\6628226.exec:\6628226.exe56⤵
- Executes dropped EXE
PID:624 -
\??\c:\tnthbb.exec:\tnthbb.exe57⤵
- Executes dropped EXE
PID:3456 -
\??\c:\s0260.exec:\s0260.exe58⤵
- Executes dropped EXE
PID:2152 -
\??\c:\htbbtt.exec:\htbbtt.exe59⤵
- Executes dropped EXE
PID:2724 -
\??\c:\02486.exec:\02486.exe60⤵
- Executes dropped EXE
PID:4264 -
\??\c:\606604.exec:\606604.exe61⤵
- Executes dropped EXE
PID:5028 -
\??\c:\vppjv.exec:\vppjv.exe62⤵
- Executes dropped EXE
PID:4800 -
\??\c:\htbtnh.exec:\htbtnh.exe63⤵
- Executes dropped EXE
PID:764 -
\??\c:\28044.exec:\28044.exe64⤵
- Executes dropped EXE
PID:1712 -
\??\c:\djvpp.exec:\djvpp.exe65⤵
- Executes dropped EXE
PID:3412 -
\??\c:\xflfllf.exec:\xflfllf.exe66⤵PID:544
-
\??\c:\htbttt.exec:\htbttt.exe67⤵PID:5116
-
\??\c:\lfrlrrr.exec:\lfrlrrr.exe68⤵PID:2828
-
\??\c:\dvddj.exec:\dvddj.exe69⤵PID:4580
-
\??\c:\nbhbtn.exec:\nbhbtn.exe70⤵PID:2884
-
\??\c:\xflfrlf.exec:\xflfrlf.exe71⤵PID:3816
-
\??\c:\xlrxrrl.exec:\xlrxrrl.exe72⤵PID:5020
-
\??\c:\260426.exec:\260426.exe73⤵PID:4724
-
\??\c:\pvvjd.exec:\pvvjd.exe74⤵PID:4956
-
\??\c:\64660.exec:\64660.exe75⤵PID:3100
-
\??\c:\ffxlfrl.exec:\ffxlfrl.exe76⤵PID:3136
-
\??\c:\822820.exec:\822820.exe77⤵PID:2020
-
\??\c:\422080.exec:\422080.exe78⤵PID:2320
-
\??\c:\08480.exec:\08480.exe79⤵PID:3132
-
\??\c:\42020.exec:\42020.exe80⤵PID:1916
-
\??\c:\4620826.exec:\4620826.exe81⤵PID:4432
-
\??\c:\xrlfrlx.exec:\xrlfrlx.exe82⤵PID:3504
-
\??\c:\662082.exec:\662082.exe83⤵PID:1076
-
\??\c:\48064.exec:\48064.exe84⤵PID:636
-
\??\c:\bttnhh.exec:\bttnhh.exe85⤵PID:4412
-
\??\c:\nbtbnt.exec:\nbtbnt.exe86⤵PID:3124
-
\??\c:\vjpjd.exec:\vjpjd.exe87⤵PID:3780
-
\??\c:\jvpjd.exec:\jvpjd.exe88⤵PID:2624
-
\??\c:\486466.exec:\486466.exe89⤵PID:4716
-
\??\c:\k42640.exec:\k42640.exe90⤵PID:4692
-
\??\c:\hnttnn.exec:\hnttnn.exe91⤵PID:2396
-
\??\c:\8882048.exec:\8882048.exe92⤵PID:3620
-
\??\c:\vpvjp.exec:\vpvjp.exe93⤵PID:5112
-
\??\c:\bhbtnh.exec:\bhbtnh.exe94⤵PID:1496
-
\??\c:\004686.exec:\004686.exe95⤵PID:1068
-
\??\c:\hthhhb.exec:\hthhhb.exe96⤵PID:4760
-
\??\c:\rflfrxr.exec:\rflfrxr.exe97⤵PID:1416
-
\??\c:\0404448.exec:\0404448.exe98⤵PID:1420
-
\??\c:\lxfxrll.exec:\lxfxrll.exe99⤵PID:1476
-
\??\c:\llxrxxf.exec:\llxrxxf.exe100⤵PID:1500
-
\??\c:\ttthbh.exec:\ttthbh.exe101⤵PID:3872
-
\??\c:\htthtn.exec:\htthtn.exe102⤵PID:2224
-
\??\c:\vppjd.exec:\vppjd.exe103⤵PID:1436
-
\??\c:\62426.exec:\62426.exe104⤵PID:4264
-
\??\c:\1fxlffx.exec:\1fxlffx.exe105⤵PID:5028
-
\??\c:\0626604.exec:\0626604.exe106⤵PID:4928
-
\??\c:\262288.exec:\262288.exe107⤵PID:2364
-
\??\c:\7hhbbb.exec:\7hhbbb.exe108⤵PID:4536
-
\??\c:\9rrlflf.exec:\9rrlflf.exe109⤵PID:4920
-
\??\c:\jppvj.exec:\jppvj.exe110⤵PID:3412
-
\??\c:\dpddv.exec:\dpddv.exe111⤵PID:544
-
\??\c:\9jpjj.exec:\9jpjj.exe112⤵PID:3228
-
\??\c:\thhbtt.exec:\thhbtt.exe113⤵PID:3292
-
\??\c:\pvdvp.exec:\pvdvp.exe114⤵PID:2928
-
\??\c:\q00644.exec:\q00644.exe115⤵PID:3348
-
\??\c:\2848822.exec:\2848822.exe116⤵PID:1648
-
\??\c:\8406062.exec:\8406062.exe117⤵PID:2384
-
\??\c:\pvjdv.exec:\pvjdv.exe118⤵PID:3116
-
\??\c:\a8840.exec:\a8840.exe119⤵PID:2484
-
\??\c:\44004.exec:\44004.exe120⤵PID:224
-
\??\c:\m8200.exec:\m8200.exe121⤵PID:4512
-
\??\c:\9nhbbb.exec:\9nhbbb.exe122⤵PID:4792