Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/01/2025, 09:04
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
1821c84c1caa70d90b5ea715dcf3d3e40f3e69e8424dbd9b091debbb62e9cda9N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
1821c84c1caa70d90b5ea715dcf3d3e40f3e69e8424dbd9b091debbb62e9cda9N.exe
-
Size
455KB
-
MD5
63735d0109649ba5a13d48129ba5c330
-
SHA1
d594f5e63043be232c1989e88b866e6f8ac79d31
-
SHA256
1821c84c1caa70d90b5ea715dcf3d3e40f3e69e8424dbd9b091debbb62e9cda9
-
SHA512
ce5602b3bd7857190572092a1f611449ea96300176920a53008386b4865c870be247cd5e5d1c9b501b9c57be35fe66d014b130ee88d3ab672d02c70701d9121b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2872-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1560-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2332-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-813-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-1137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-1744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3880 6806644.exe 1156 ppddv.exe 964 thtnbt.exe 4264 028888.exe 4268 rxrxllr.exe 3652 fxrlflf.exe 2416 9tbttb.exe 1416 thttnn.exe 764 2626220.exe 1668 o404888.exe 2400 4888042.exe 1860 xrxrrrl.exe 976 nnhttt.exe 2660 80648.exe 2908 60600.exe 664 4800000.exe 5108 2002244.exe 2584 64026.exe 1988 jdpdv.exe 3184 028262.exe 1628 bhhbbn.exe 3996 68600.exe 1800 046628.exe 528 00260.exe 3896 840004.exe 1560 a2220.exe 3924 m6626.exe 3656 ttbbbb.exe 2960 m4622.exe 636 htbbnt.exe 1552 244888.exe 1952 20648.exe 4352 284844.exe 4804 xfllrxx.exe 4856 hhbbtb.exe 4692 84404.exe 4940 ffxrxxr.exe 3908 8662808.exe 736 4442066.exe 3736 xlxrllr.exe 4888 66484.exe 2396 0404822.exe 3424 8000444.exe 3448 2004848.exe 1440 7ppjd.exe 4220 3jpjd.exe 4384 nnnnht.exe 4188 pdjjj.exe 2816 6082884.exe 3880 hhbtnn.exe 880 08844.exe 964 frlrfrf.exe 3376 00262.exe 2540 40266.exe 4268 thhnnn.exe 3652 42444.exe 3036 82668.exe 2436 2020888.exe 3820 8226866.exe 4860 04004.exe 4884 5ppjd.exe 4740 866044.exe 4744 o888666.exe 4252 208608.exe -
resource yara_rule behavioral2/memory/3880-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-165-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1560-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-376-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3956-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-813-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8886464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4644488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 688826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0426082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2222288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o620882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
2002244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266088.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2872 wrote to memory of 3880 2872 1821c84c1caa70d90b5ea715dcf3d3e40f3e69e8424dbd9b091debbb62e9cda9N.exe 85 PID 2872 wrote to memory of 3880 2872 1821c84c1caa70d90b5ea715dcf3d3e40f3e69e8424dbd9b091debbb62e9cda9N.exe 85 PID 2872 wrote to memory of 3880 2872 1821c84c1caa70d90b5ea715dcf3d3e40f3e69e8424dbd9b091debbb62e9cda9N.exe 85 PID 3880 wrote to memory of 1156 3880 6806644.exe 86 PID 3880 wrote to memory of 1156 3880 6806644.exe 86 PID 3880 wrote to memory of 1156 3880 6806644.exe 86 PID 1156 wrote to memory of 964 1156 ppddv.exe 87 PID 1156 wrote to memory of 964 1156 ppddv.exe 87 PID 1156 wrote to memory of 964 1156 ppddv.exe 87 PID 964 wrote to memory of 4264 964 thtnbt.exe 88 PID 964 wrote to memory of 4264 964 thtnbt.exe 88 PID 964 wrote to memory of 4264 964 thtnbt.exe 88 PID 4264 wrote to memory of 4268 4264 028888.exe 89 PID 4264 wrote to memory of 4268 4264 028888.exe 89 PID 4264 wrote to memory of 4268 4264 028888.exe 89 PID 4268 wrote to memory of 3652 4268 rxrxllr.exe 90 PID 4268 wrote to memory of 3652 4268 rxrxllr.exe 90 PID 4268 wrote to memory of 3652 4268 rxrxllr.exe 90 PID 3652 wrote to memory of 2416 3652 fxrlflf.exe 91 PID 3652 wrote to memory of 2416 3652 fxrlflf.exe 91 PID 3652 wrote to memory of 2416 3652 fxrlflf.exe 91 PID 2416 wrote to memory of 1416 2416 9tbttb.exe 92 PID 2416 wrote to memory of 1416 2416 9tbttb.exe 92 PID 2416 wrote to memory of 1416 2416 9tbttb.exe 92 PID 1416 wrote to memory of 764 1416 thttnn.exe 93 PID 1416 wrote to memory of 764 1416 thttnn.exe 93 PID 1416 wrote to memory of 764 1416 thttnn.exe 93 PID 764 wrote to memory of 1668 764 2626220.exe 94 PID 764 wrote to memory of 1668 764 2626220.exe 94 PID 764 wrote to memory of 1668 764 2626220.exe 94 PID 1668 wrote to memory of 2400 1668 o404888.exe 95 PID 1668 wrote to memory of 2400 1668 o404888.exe 95 PID 1668 wrote to memory of 2400 1668 o404888.exe 95 PID 2400 wrote to memory of 1860 2400 4888042.exe 96 PID 2400 wrote to 
memory of 1860 2400 4888042.exe 96 PID 2400 wrote to memory of 1860 2400 4888042.exe 96 PID 1860 wrote to memory of 976 1860 xrxrrrl.exe 97 PID 1860 wrote to memory of 976 1860 xrxrrrl.exe 97 PID 1860 wrote to memory of 976 1860 xrxrrrl.exe 97 PID 976 wrote to memory of 2660 976 nnhttt.exe 98 PID 976 wrote to memory of 2660 976 nnhttt.exe 98 PID 976 wrote to memory of 2660 976 nnhttt.exe 98 PID 2660 wrote to memory of 2908 2660 80648.exe 99 PID 2660 wrote to memory of 2908 2660 80648.exe 99 PID 2660 wrote to memory of 2908 2660 80648.exe 99 PID 2908 wrote to memory of 664 2908 60600.exe 100 PID 2908 wrote to memory of 664 2908 60600.exe 100 PID 2908 wrote to memory of 664 2908 60600.exe 100 PID 664 wrote to memory of 5108 664 4800000.exe 101 PID 664 wrote to memory of 5108 664 4800000.exe 101 PID 664 wrote to memory of 5108 664 4800000.exe 101 PID 5108 wrote to memory of 2584 5108 2002244.exe 102 PID 5108 wrote to memory of 2584 5108 2002244.exe 102 PID 5108 wrote to memory of 2584 5108 2002244.exe 102 PID 2584 wrote to memory of 1988 2584 64026.exe 103 PID 2584 wrote to memory of 1988 2584 64026.exe 103 PID 2584 wrote to memory of 1988 2584 64026.exe 103 PID 1988 wrote to memory of 3184 1988 jdpdv.exe 104 PID 1988 wrote to memory of 3184 1988 jdpdv.exe 104 PID 1988 wrote to memory of 3184 1988 jdpdv.exe 104 PID 3184 wrote to memory of 1628 3184 028262.exe 105 PID 3184 wrote to memory of 1628 3184 028262.exe 105 PID 3184 wrote to memory of 1628 3184 028262.exe 105 PID 1628 wrote to memory of 3996 1628 bhhbbn.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\1821c84c1caa70d90b5ea715dcf3d3e40f3e69e8424dbd9b091debbb62e9cda9N.exe"C:\Users\Admin\AppData\Local\Temp\1821c84c1caa70d90b5ea715dcf3d3e40f3e69e8424dbd9b091debbb62e9cda9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\6806644.exec:\6806644.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\ppddv.exec:\ppddv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\thtnbt.exec:\thtnbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\028888.exec:\028888.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\rxrxllr.exec:\rxrxllr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\fxrlflf.exec:\fxrlflf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\9tbttb.exec:\9tbttb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\thttnn.exec:\thttnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\2626220.exec:\2626220.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\o404888.exec:\o404888.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\4888042.exec:\4888042.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\xrxrrrl.exec:\xrxrrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\nnhttt.exec:\nnhttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\80648.exec:\80648.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\60600.exec:\60600.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\4800000.exec:\4800000.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\2002244.exec:\2002244.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\64026.exec:\64026.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\jdpdv.exec:\jdpdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\028262.exec:\028262.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\bhhbbn.exec:\bhhbbn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\68600.exec:\68600.exe23⤵
- Executes dropped EXE
PID:3996 -
\??\c:\046628.exec:\046628.exe24⤵
- Executes dropped EXE
PID:1800 -
\??\c:\00260.exec:\00260.exe25⤵
- Executes dropped EXE
PID:528 -
\??\c:\840004.exec:\840004.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3896 -
\??\c:\a2220.exec:\a2220.exe27⤵
- Executes dropped EXE
PID:1560 -
\??\c:\m6626.exec:\m6626.exe28⤵
- Executes dropped EXE
PID:3924 -
\??\c:\ttbbbb.exec:\ttbbbb.exe29⤵
- Executes dropped EXE
PID:3656 -
\??\c:\m4622.exec:\m4622.exe30⤵
- Executes dropped EXE
PID:2960 -
\??\c:\htbbnt.exec:\htbbnt.exe31⤵
- Executes dropped EXE
PID:636 -
\??\c:\244888.exec:\244888.exe32⤵
- Executes dropped EXE
PID:1552 -
\??\c:\20648.exec:\20648.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1952 -
\??\c:\284844.exec:\284844.exe34⤵
- Executes dropped EXE
PID:4352 -
\??\c:\xfllrxx.exec:\xfllrxx.exe35⤵
- Executes dropped EXE
PID:4804 -
\??\c:\hhbbtb.exec:\hhbbtb.exe36⤵
- Executes dropped EXE
PID:4856 -
\??\c:\84404.exec:\84404.exe37⤵
- Executes dropped EXE
PID:4692 -
\??\c:\ffxrxxr.exec:\ffxrxxr.exe38⤵
- Executes dropped EXE
PID:4940 -
\??\c:\8662808.exec:\8662808.exe39⤵
- Executes dropped EXE
PID:3908 -
\??\c:\4442066.exec:\4442066.exe40⤵
- Executes dropped EXE
PID:736 -
\??\c:\xlxrllr.exec:\xlxrllr.exe41⤵
- Executes dropped EXE
PID:3736 -
\??\c:\66484.exec:\66484.exe42⤵
- Executes dropped EXE
PID:4888 -
\??\c:\0404822.exec:\0404822.exe43⤵
- Executes dropped EXE
PID:2396 -
\??\c:\8000444.exec:\8000444.exe44⤵
- Executes dropped EXE
PID:3424 -
\??\c:\2004848.exec:\2004848.exe45⤵
- Executes dropped EXE
PID:3448 -
\??\c:\7ppjd.exec:\7ppjd.exe46⤵
- Executes dropped EXE
PID:1440 -
\??\c:\3jpjd.exec:\3jpjd.exe47⤵
- Executes dropped EXE
PID:4220 -
\??\c:\nnnnht.exec:\nnnnht.exe48⤵
- Executes dropped EXE
PID:4384 -
\??\c:\pdjjj.exec:\pdjjj.exe49⤵
- Executes dropped EXE
PID:4188 -
\??\c:\6082884.exec:\6082884.exe50⤵
- Executes dropped EXE
PID:2816 -
\??\c:\hhbtnn.exec:\hhbtnn.exe51⤵
- Executes dropped EXE
PID:3880 -
\??\c:\08844.exec:\08844.exe52⤵
- Executes dropped EXE
PID:880 -
\??\c:\frlrfrf.exec:\frlrfrf.exe53⤵
- Executes dropped EXE
PID:964 -
\??\c:\00262.exec:\00262.exe54⤵
- Executes dropped EXE
PID:3376 -
\??\c:\40266.exec:\40266.exe55⤵
- Executes dropped EXE
PID:2540 -
\??\c:\thhnnn.exec:\thhnnn.exe56⤵
- Executes dropped EXE
PID:4268 -
\??\c:\42444.exec:\42444.exe57⤵
- Executes dropped EXE
PID:3652 -
\??\c:\82668.exec:\82668.exe58⤵
- Executes dropped EXE
PID:3036 -
\??\c:\2020888.exec:\2020888.exe59⤵
- Executes dropped EXE
PID:2436 -
\??\c:\8226866.exec:\8226866.exe60⤵
- Executes dropped EXE
PID:3820 -
\??\c:\04004.exec:\04004.exe61⤵
- Executes dropped EXE
PID:4860 -
\??\c:\5ppjd.exec:\5ppjd.exe62⤵
- Executes dropped EXE
PID:4884 -
\??\c:\866044.exec:\866044.exe63⤵
- Executes dropped EXE
PID:4740 -
\??\c:\o888666.exec:\o888666.exe64⤵
- Executes dropped EXE
PID:4744 -
\??\c:\208608.exec:\208608.exe65⤵
- Executes dropped EXE
PID:4252 -
\??\c:\bnnhhh.exec:\bnnhhh.exe66⤵PID:548
-
\??\c:\2460448.exec:\2460448.exe67⤵PID:4128
-
\??\c:\02822.exec:\02822.exe68⤵PID:1500
-
\??\c:\62222.exec:\62222.exe69⤵PID:2412
-
\??\c:\6046000.exec:\6046000.exe70⤵PID:5076
-
\??\c:\9bbnbt.exec:\9bbnbt.exe71⤵PID:3064
-
\??\c:\686284.exec:\686284.exe72⤵PID:4576
-
\??\c:\4260228.exec:\4260228.exe73⤵PID:2364
-
\??\c:\46260.exec:\46260.exe74⤵PID:1580
-
\??\c:\hhbbtt.exec:\hhbbtt.exe75⤵PID:3380
-
\??\c:\vpddj.exec:\vpddj.exe76⤵PID:1988
-
\??\c:\246048.exec:\246048.exe77⤵PID:1216
-
\??\c:\vvppj.exec:\vvppj.exe78⤵PID:4964
-
\??\c:\pjpjd.exec:\pjpjd.exe79⤵PID:3800
-
\??\c:\2866662.exec:\2866662.exe80⤵PID:1188
-
\??\c:\82282.exec:\82282.exe81⤵PID:1248
-
\??\c:\444866.exec:\444866.exe82⤵PID:2332
-
\??\c:\024266.exec:\024266.exe83⤵PID:1424
-
\??\c:\nnhhbb.exec:\nnhhbb.exe84⤵PID:4392
-
\??\c:\6022606.exec:\6022606.exe85⤵PID:1428
-
\??\c:\266482.exec:\266482.exe86⤵PID:1960
-
\??\c:\q26004.exec:\q26004.exe87⤵PID:3952
-
\??\c:\04442.exec:\04442.exe88⤵PID:4912
-
\??\c:\6604848.exec:\6604848.exe89⤵PID:2372
-
\??\c:\2444882.exec:\2444882.exe90⤵PID:2960
-
\??\c:\tnnhbh.exec:\tnnhbh.exe91⤵PID:4800
-
\??\c:\9vdjd.exec:\9vdjd.exe92⤵PID:1836
-
\??\c:\jvdvv.exec:\jvdvv.exe93⤵PID:3956
-
\??\c:\260048.exec:\260048.exe94⤵PID:2212
-
\??\c:\hbhbtt.exec:\hbhbtt.exe95⤵PID:4772
-
\??\c:\ttbtnn.exec:\ttbtnn.exe96⤵PID:4724
-
\??\c:\04042.exec:\04042.exe97⤵PID:1252
-
\??\c:\1hhbtt.exec:\1hhbtt.exe98⤵PID:440
-
\??\c:\a8226.exec:\a8226.exe99⤵PID:4940
-
\??\c:\802044.exec:\802044.exe100⤵PID:2916
-
\??\c:\880080.exec:\880080.exe101⤵PID:736
-
\??\c:\ppvpd.exec:\ppvpd.exe102⤵PID:3192
-
\??\c:\266600.exec:\266600.exe103⤵PID:4536
-
\??\c:\86826.exec:\86826.exe104⤵PID:2008
-
\??\c:\3thnhb.exec:\3thnhb.exe105⤵PID:2612
-
\??\c:\280644.exec:\280644.exe106⤵PID:3448
-
\??\c:\9lrlxxr.exec:\9lrlxxr.exe107⤵
- System Location Discovery: System Language Discovery
PID:4332 -
\??\c:\8288660.exec:\8288660.exe108⤵PID:3944
-
\??\c:\5tttnh.exec:\5tttnh.exe109⤵PID:1224
-
\??\c:\tnhnbb.exec:\tnhnbb.exe110⤵PID:2704
-
\??\c:\ppjvp.exec:\ppjvp.exe111⤵PID:1608
-
\??\c:\jddvv.exec:\jddvv.exe112⤵PID:3584
-
\??\c:\xxxlfff.exec:\xxxlfff.exe113⤵PID:1156
-
\??\c:\pjpjd.exec:\pjpjd.exe114⤵PID:3636
-
\??\c:\c826048.exec:\c826048.exe115⤵PID:3432
-
\??\c:\204828.exec:\204828.exe116⤵PID:3912
-
\??\c:\8404226.exec:\8404226.exe117⤵PID:3376
-
\??\c:\4882488.exec:\4882488.exe118⤵PID:756
-
\??\c:\tnnhbb.exec:\tnnhbb.exe119⤵PID:1312
-
\??\c:\lxrllfx.exec:\lxrllfx.exe120⤵PID:4268
-
\??\c:\ppvpv.exec:\ppvpv.exe121⤵PID:1772
-
\??\c:\8624000.exec:\8624000.exe122⤵PID:452