Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe
-
Size
453KB
-
MD5
428f9de8c11c350e43f1b64eb48d875e
-
SHA1
661012d75fbda1296eda55a524559adfecec6047
-
SHA256
c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8
-
SHA512
4c742dc6a94c293ad6eec546f69d82a5716b101deeb0001c750554906d748ee2100f776272d534502555985a398b5b71f69879e44aae7e1de9c8ead83008c2b4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbebM:q7Tc2NYHUrAwfMp3CDbM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1408-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2872-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4056-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-912-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-1151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-1489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1920 ththbt.exe 804 20044.exe 3216 428026.exe 1396 20042.exe 4216 bnthtn.exe 4540 62282.exe 4388 s4082.exe 4684 rllflxf.exe 1516 lrllffl.exe 1872 864282.exe 3352 m4044.exe 4416 0088608.exe 3124 622604.exe 1780 pdjdd.exe 4092 3jppp.exe 4204 htbnhb.exe 1432 bbhttn.exe 2412 802284.exe 4308 008462.exe 2872 vjjdv.exe 3544 8466004.exe 116 80260.exe 2340 8682888.exe 1600 48226.exe 2032 flrrlrr.exe 4812 428266.exe 2456 7nnnhh.exe 360 vpdvp.exe 3096 0886608.exe 4832 080406.exe 4120 btttnn.exe 5024 pjppj.exe 1440 vdjdp.exe 1936 3ntnhh.exe 3712 o064882.exe 4696 xxffllf.exe 4452 djjdd.exe 1772 40266.exe 2488 64666.exe 3220 7ppdp.exe 4328 464686.exe 3876 9jdpd.exe 3244 xfrlfff.exe 1888 22864.exe 736 486626.exe 1996 64084.exe 2916 lflfffx.exe 2608 frrllfx.exe 636 608844.exe 444 868260.exe 1644 xlrlxff.exe 1360 m8420.exe 4280 866860.exe 4920 2626660.exe 2060 1ddjd.exe 1844 0268084.exe 4652 bttnhn.exe 3284 424844.exe 4636 rrrxrrl.exe 3000 608220.exe 2112 20048.exe 2868 4220860.exe 1780 htbthb.exe 1436 dvjpv.exe -
resource yara_rule behavioral2/memory/1408-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2872-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-319-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3852-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-755-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8482004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w02204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2020482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0644882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1408 wrote to memory of 1920 1408 c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe 83 PID 1408 wrote to memory of 1920 1408 c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe 83 PID 1408 wrote to memory of 1920 1408 c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe 83 PID 1920 wrote to memory of 804 1920 ththbt.exe 84 PID 1920 wrote to memory of 804 1920 ththbt.exe 84 PID 1920 wrote to memory of 804 1920 ththbt.exe 84 PID 804 wrote to memory of 3216 804 20044.exe 85 PID 804 wrote to memory of 3216 804 20044.exe 85 PID 804 wrote to memory of 3216 804 20044.exe 85 PID 3216 wrote to memory of 1396 3216 428026.exe 86 PID 3216 wrote to memory of 1396 3216 428026.exe 86 PID 3216 wrote to memory of 1396 3216 428026.exe 86 PID 1396 wrote to memory of 4216 1396 20042.exe 87 PID 1396 wrote to memory of 4216 1396 20042.exe 87 PID 1396 wrote to memory of 4216 1396 20042.exe 87 PID 4216 wrote to memory of 4540 4216 bnthtn.exe 88 PID 4216 wrote to memory of 4540 4216 bnthtn.exe 88 PID 4216 wrote to memory of 4540 4216 bnthtn.exe 88 PID 4540 wrote to memory of 4388 4540 62282.exe 89 PID 4540 wrote to memory of 4388 4540 62282.exe 89 PID 4540 wrote to memory of 4388 4540 62282.exe 89 PID 4388 wrote to memory of 4684 4388 s4082.exe 90 PID 4388 wrote to memory of 4684 4388 s4082.exe 90 PID 4388 wrote to memory of 4684 4388 s4082.exe 90 PID 4684 wrote to memory of 1516 4684 rllflxf.exe 91 PID 4684 wrote to memory of 1516 4684 rllflxf.exe 91 PID 4684 wrote to memory of 1516 4684 rllflxf.exe 91 PID 1516 wrote to memory of 1872 1516 lrllffl.exe 92 PID 1516 wrote to memory of 1872 1516 lrllffl.exe 92 PID 1516 wrote to memory of 1872 1516 lrllffl.exe 92 PID 1872 wrote to memory of 3352 1872 864282.exe 93 PID 1872 wrote to memory of 3352 1872 864282.exe 93 PID 1872 wrote to memory of 3352 1872 864282.exe 93 PID 3352 wrote to memory of 4416 3352 m4044.exe 94 PID 3352 wrote to memory of 4416 
3352 m4044.exe 94 PID 3352 wrote to memory of 4416 3352 m4044.exe 94 PID 4416 wrote to memory of 3124 4416 0088608.exe 95 PID 4416 wrote to memory of 3124 4416 0088608.exe 95 PID 4416 wrote to memory of 3124 4416 0088608.exe 95 PID 3124 wrote to memory of 1780 3124 622604.exe 96 PID 3124 wrote to memory of 1780 3124 622604.exe 96 PID 3124 wrote to memory of 1780 3124 622604.exe 96 PID 1780 wrote to memory of 4092 1780 pdjdd.exe 97 PID 1780 wrote to memory of 4092 1780 pdjdd.exe 97 PID 1780 wrote to memory of 4092 1780 pdjdd.exe 97 PID 4092 wrote to memory of 4204 4092 3jppp.exe 98 PID 4092 wrote to memory of 4204 4092 3jppp.exe 98 PID 4092 wrote to memory of 4204 4092 3jppp.exe 98 PID 4204 wrote to memory of 1432 4204 htbnhb.exe 99 PID 4204 wrote to memory of 1432 4204 htbnhb.exe 99 PID 4204 wrote to memory of 1432 4204 htbnhb.exe 99 PID 1432 wrote to memory of 2412 1432 bbhttn.exe 100 PID 1432 wrote to memory of 2412 1432 bbhttn.exe 100 PID 1432 wrote to memory of 2412 1432 bbhttn.exe 100 PID 2412 wrote to memory of 4308 2412 802284.exe 101 PID 2412 wrote to memory of 4308 2412 802284.exe 101 PID 2412 wrote to memory of 4308 2412 802284.exe 101 PID 4308 wrote to memory of 2872 4308 008462.exe 102 PID 4308 wrote to memory of 2872 4308 008462.exe 102 PID 4308 wrote to memory of 2872 4308 008462.exe 102 PID 2872 wrote to memory of 3544 2872 vjjdv.exe 103 PID 2872 wrote to memory of 3544 2872 vjjdv.exe 103 PID 2872 wrote to memory of 3544 2872 vjjdv.exe 103 PID 3544 wrote to memory of 116 3544 8466004.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe"C:\Users\Admin\AppData\Local\Temp\c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\ththbt.exec:\ththbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\20044.exec:\20044.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\428026.exec:\428026.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\20042.exec:\20042.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\bnthtn.exec:\bnthtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\62282.exec:\62282.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\s4082.exec:\s4082.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\rllflxf.exec:\rllflxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\lrllffl.exec:\lrllffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\864282.exec:\864282.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\m4044.exec:\m4044.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\0088608.exec:\0088608.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\622604.exec:\622604.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\pdjdd.exec:\pdjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\3jppp.exec:\3jppp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\htbnhb.exec:\htbnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\bbhttn.exec:\bbhttn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\802284.exec:\802284.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\008462.exec:\008462.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\vjjdv.exec:\vjjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\8466004.exec:\8466004.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\80260.exec:\80260.exe23⤵
- Executes dropped EXE
PID:116 -
\??\c:\8682888.exec:\8682888.exe24⤵
- Executes dropped EXE
PID:2340 -
\??\c:\48226.exec:\48226.exe25⤵
- Executes dropped EXE
PID:1600 -
\??\c:\flrrlrr.exec:\flrrlrr.exe26⤵
- Executes dropped EXE
PID:2032 -
\??\c:\428266.exec:\428266.exe27⤵
- Executes dropped EXE
PID:4812 -
\??\c:\7nnnhh.exec:\7nnnhh.exe28⤵
- Executes dropped EXE
PID:2456 -
\??\c:\vpdvp.exec:\vpdvp.exe29⤵
- Executes dropped EXE
PID:360 -
\??\c:\0886608.exec:\0886608.exe30⤵
- Executes dropped EXE
PID:3096 -
\??\c:\080406.exec:\080406.exe31⤵
- Executes dropped EXE
PID:4832 -
\??\c:\btttnn.exec:\btttnn.exe32⤵
- Executes dropped EXE
PID:4120 -
\??\c:\pjppj.exec:\pjppj.exe33⤵
- Executes dropped EXE
PID:5024 -
\??\c:\vdjdp.exec:\vdjdp.exe34⤵
- Executes dropped EXE
PID:1440 -
\??\c:\3ntnhh.exec:\3ntnhh.exe35⤵
- Executes dropped EXE
PID:1936 -
\??\c:\o064882.exec:\o064882.exe36⤵
- Executes dropped EXE
PID:3712 -
\??\c:\xxffllf.exec:\xxffllf.exe37⤵
- Executes dropped EXE
PID:4696 -
\??\c:\djjdd.exec:\djjdd.exe38⤵
- Executes dropped EXE
PID:4452 -
\??\c:\40266.exec:\40266.exe39⤵
- Executes dropped EXE
PID:1772 -
\??\c:\64666.exec:\64666.exe40⤵
- Executes dropped EXE
PID:2488 -
\??\c:\7ppdp.exec:\7ppdp.exe41⤵
- Executes dropped EXE
PID:3220 -
\??\c:\464686.exec:\464686.exe42⤵
- Executes dropped EXE
PID:4328 -
\??\c:\9jdpd.exec:\9jdpd.exe43⤵
- Executes dropped EXE
PID:3876 -
\??\c:\xfrlfff.exec:\xfrlfff.exe44⤵
- Executes dropped EXE
PID:3244 -
\??\c:\22864.exec:\22864.exe45⤵
- Executes dropped EXE
PID:1888 -
\??\c:\486626.exec:\486626.exe46⤵
- Executes dropped EXE
PID:736 -
\??\c:\64084.exec:\64084.exe47⤵
- Executes dropped EXE
PID:1996 -
\??\c:\lflfffx.exec:\lflfffx.exe48⤵
- Executes dropped EXE
PID:2916 -
\??\c:\frrllfx.exec:\frrllfx.exe49⤵
- Executes dropped EXE
PID:2608 -
\??\c:\608844.exec:\608844.exe50⤵
- Executes dropped EXE
PID:636 -
\??\c:\868260.exec:\868260.exe51⤵
- Executes dropped EXE
PID:444 -
\??\c:\xlrlxff.exec:\xlrlxff.exe52⤵
- Executes dropped EXE
PID:1644 -
\??\c:\m8420.exec:\m8420.exe53⤵
- Executes dropped EXE
PID:1360 -
\??\c:\866860.exec:\866860.exe54⤵
- Executes dropped EXE
PID:4280 -
\??\c:\2626660.exec:\2626660.exe55⤵
- Executes dropped EXE
PID:4920 -
\??\c:\1ddjd.exec:\1ddjd.exe56⤵
- Executes dropped EXE
PID:2060 -
\??\c:\0268084.exec:\0268084.exe57⤵
- Executes dropped EXE
PID:1844 -
\??\c:\bttnhn.exec:\bttnhn.exe58⤵
- Executes dropped EXE
PID:4652 -
\??\c:\424844.exec:\424844.exe59⤵
- Executes dropped EXE
PID:3284 -
\??\c:\rrrxrrl.exec:\rrrxrrl.exe60⤵
- Executes dropped EXE
PID:4636 -
\??\c:\608220.exec:\608220.exe61⤵
- Executes dropped EXE
PID:3000 -
\??\c:\20048.exec:\20048.exe62⤵
- Executes dropped EXE
PID:2112 -
\??\c:\4220860.exec:\4220860.exe63⤵
- Executes dropped EXE
PID:2868 -
\??\c:\htbthb.exec:\htbthb.exe64⤵
- Executes dropped EXE
PID:1780 -
\??\c:\dvjpv.exec:\dvjpv.exe65⤵
- Executes dropped EXE
PID:1436 -
\??\c:\rfxlfrl.exec:\rfxlfrl.exe66⤵PID:1588
-
\??\c:\ddjvj.exec:\ddjvj.exe67⤵PID:2444
-
\??\c:\vppjd.exec:\vppjd.exe68⤵PID:4056
-
\??\c:\q44848.exec:\q44848.exe69⤵PID:2412
-
\??\c:\rflfrrl.exec:\rflfrrl.exe70⤵PID:2380
-
\??\c:\222028.exec:\222028.exe71⤵PID:3236
-
\??\c:\hnbnhh.exec:\hnbnhh.exe72⤵PID:4864
-
\??\c:\vjppj.exec:\vjppj.exe73⤵PID:4556
-
\??\c:\0800000.exec:\0800000.exe74⤵PID:2388
-
\??\c:\86600.exec:\86600.exe75⤵PID:716
-
\??\c:\02482.exec:\02482.exe76⤵PID:3852
-
\??\c:\xlrlfff.exec:\xlrlfff.exe77⤵PID:4464
-
\??\c:\866482.exec:\866482.exe78⤵PID:1152
-
\??\c:\w46082.exec:\w46082.exe79⤵PID:2324
-
\??\c:\224404.exec:\224404.exe80⤵PID:4768
-
\??\c:\224426.exec:\224426.exe81⤵PID:836
-
\??\c:\pjvpv.exec:\pjvpv.exe82⤵PID:4756
-
\??\c:\hnhbtt.exec:\hnhbtt.exe83⤵PID:2600
-
\??\c:\024826.exec:\024826.exe84⤵PID:4796
-
\??\c:\tnthtn.exec:\tnthtn.exe85⤵PID:996
-
\??\c:\26204.exec:\26204.exe86⤵PID:3472
-
\??\c:\lffxrff.exec:\lffxrff.exe87⤵PID:4700
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe88⤵PID:5060
-
\??\c:\ntbtnn.exec:\ntbtnn.exe89⤵PID:1260
-
\??\c:\88480.exec:\88480.exe90⤵PID:5096
-
\??\c:\06820.exec:\06820.exe91⤵PID:2128
-
\??\c:\9xrfxxr.exec:\9xrfxxr.exe92⤵PID:1828
-
\??\c:\hnbttt.exec:\hnbttt.exe93⤵PID:3696
-
\??\c:\bnttnh.exec:\bnttnh.exe94⤵PID:1664
-
\??\c:\6060400.exec:\6060400.exe95⤵PID:2488
-
\??\c:\022604.exec:\022604.exe96⤵PID:3668
-
\??\c:\nhbhnn.exec:\nhbhnn.exe97⤵PID:1608
-
\??\c:\40622.exec:\40622.exe98⤵PID:4364
-
\??\c:\448222.exec:\448222.exe99⤵PID:3952
-
\??\c:\xffxlfx.exec:\xffxlfx.exe100⤵PID:1920
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe101⤵PID:1732
-
\??\c:\rffrlfx.exec:\rffrlfx.exe102⤵PID:8
-
\??\c:\httnhb.exec:\httnhb.exe103⤵PID:1996
-
\??\c:\xlrlffx.exec:\xlrlffx.exe104⤵PID:1252
-
\??\c:\hbtbnh.exec:\hbtbnh.exe105⤵PID:4680
-
\??\c:\5hhnhh.exec:\5hhnhh.exe106⤵PID:944
-
\??\c:\vppdv.exec:\vppdv.exe107⤵PID:1168
-
\??\c:\pdvdj.exec:\pdvdj.exe108⤵PID:4428
-
\??\c:\8466044.exec:\8466044.exe109⤵PID:3676
-
\??\c:\088428.exec:\088428.exe110⤵PID:1876
-
\??\c:\6064860.exec:\6064860.exe111⤵PID:2236
-
\??\c:\446262.exec:\446262.exe112⤵PID:4560
-
\??\c:\840448.exec:\840448.exe113⤵PID:5040
-
\??\c:\882086.exec:\882086.exe114⤵PID:2060
-
\??\c:\40648.exec:\40648.exe115⤵PID:3156
-
\??\c:\5bhbbt.exec:\5bhbbt.exe116⤵PID:4648
-
\??\c:\0242600.exec:\0242600.exe117⤵PID:4668
-
\??\c:\djdvv.exec:\djdvv.exe118⤵PID:3736
-
\??\c:\dpdpv.exec:\dpdpv.exe119⤵PID:3352
-
\??\c:\k68422.exec:\k68422.exe120⤵PID:1480
-
\??\c:\5vjdd.exec:\5vjdd.exe121⤵PID:2220
-
\??\c:\420226.exec:\420226.exe122⤵PID:4752