Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad399a5aa03ad40a4bc6fe48e2cfc8a512dd7f6cab8a354fe2f879faf599b0f1.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ad399a5aa03ad40a4bc6fe48e2cfc8a512dd7f6cab8a354fe2f879faf599b0f1.exe
-
Size
454KB
-
MD5
45858355b85bf9dc53a423f89ccc0add
-
SHA1
4aceff0e0fb5f9a0945a21e9d6123cb9f5b5e077
-
SHA256
ad399a5aa03ad40a4bc6fe48e2cfc8a512dd7f6cab8a354fe2f879faf599b0f1
-
SHA512
1ef45b6b3bb93df36a2569e3abaf505445828cba3edfbcaabd937d27226b6c33b7c6c7921e1c323836eb0f38a90cba6f0d7e37676dd11b166b39f2ff517ce34f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1944-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2268-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2864-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-932-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-1201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-1211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-1315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2852-1530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3576 w62660.exe 1484 thhbtn.exe 2360 u226048.exe 4656 rlfxlxr.exe 2628 w82048.exe 2144 hhthtn.exe 3936 86800.exe 3344 9lxflll.exe 4008 q24084.exe 3628 dpjpj.exe 1608 dvvpj.exe 2432 488880.exe 4176 htbttn.exe 636 btbbtb.exe 1508 k06044.exe 3120 8882606.exe 2776 20226.exe 3608 3hhnht.exe 2912 066688.exe 3548 48048.exe 4836 6882266.exe 3504 022600.exe 3572 9fxxrrr.exe 2128 06444.exe 4184 484860.exe 4880 xffrfxl.exe 4160 jpvdv.exe 2624 1lxrffr.exe 1404 622826.exe 2268 pvjjd.exe 4556 62820.exe 780 424006.exe 1512 5lfrlfr.exe 1200 24082.exe 3424 3btnbt.exe 1288 frlfxlx.exe 2152 k62604.exe 5052 880040.exe 5076 4608260.exe 764 xffxlfl.exe 4872 5hhbnh.exe 2036 q62648.exe 2272 684204.exe 3124 fxxrxrr.exe 3736 9hthhb.exe 5020 nhnbbb.exe 1684 lxxlfxl.exe 692 82264.exe 4636 jpvjv.exe 3948 djjjv.exe 4000 jpddd.exe 1312 6008208.exe 3368 6000448.exe 1484 1nnhhb.exe 1604 vdddj.exe 2088 lrrlflf.exe 4060 q28288.exe 4512 lxxlffx.exe 2628 nbbnnh.exe 1360 2888260.exe 4372 9vvpj.exe 1688 xlxlxrf.exe 3344 bthbnh.exe 1488 64206.exe -
resource yara_rule behavioral2/memory/1944-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-187-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1512-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-388-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1536-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-868-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-932-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-1201-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6060266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0240202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0682042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u060260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8082042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e24604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1944 wrote to memory of 3576 1944 ad399a5aa03ad40a4bc6fe48e2cfc8a512dd7f6cab8a354fe2f879faf599b0f1.exe 83 PID 1944 wrote to memory of 3576 1944 ad399a5aa03ad40a4bc6fe48e2cfc8a512dd7f6cab8a354fe2f879faf599b0f1.exe 83 PID 1944 wrote to memory of 3576 1944 ad399a5aa03ad40a4bc6fe48e2cfc8a512dd7f6cab8a354fe2f879faf599b0f1.exe 83 PID 3576 wrote to memory of 1484 3576 w62660.exe 84 PID 3576 wrote to memory of 1484 3576 w62660.exe 84 PID 3576 wrote to memory of 1484 3576 w62660.exe 84 PID 1484 wrote to memory of 2360 1484 thhbtn.exe 85 PID 1484 wrote to memory of 2360 1484 thhbtn.exe 85 PID 1484 wrote to memory of 2360 1484 thhbtn.exe 85 PID 2360 wrote to memory of 4656 2360 u226048.exe 86 PID 2360 wrote to memory of 4656 2360 u226048.exe 86 PID 2360 wrote to memory of 4656 2360 u226048.exe 86 PID 4656 wrote to memory of 2628 4656 rlfxlxr.exe 87 PID 4656 wrote to memory of 2628 4656 rlfxlxr.exe 87 PID 4656 wrote to memory of 2628 4656 rlfxlxr.exe 87 PID 2628 wrote to memory of 2144 2628 w82048.exe 88 PID 2628 wrote to memory of 2144 2628 w82048.exe 88 PID 2628 wrote to memory of 2144 2628 w82048.exe 88 PID 2144 wrote to memory of 3936 2144 hhthtn.exe 89 PID 2144 wrote to memory of 3936 2144 hhthtn.exe 89 PID 2144 wrote to memory of 3936 2144 hhthtn.exe 89 PID 3936 wrote to memory of 3344 3936 86800.exe 90 PID 3936 wrote to memory of 3344 3936 86800.exe 90 PID 3936 wrote to memory of 3344 3936 86800.exe 90 PID 3344 wrote to memory of 4008 3344 9lxflll.exe 91 PID 3344 wrote to memory of 4008 3344 9lxflll.exe 91 PID 3344 wrote to memory of 4008 3344 9lxflll.exe 91 PID 4008 wrote to memory of 3628 4008 q24084.exe 92 PID 4008 wrote to memory of 3628 4008 q24084.exe 92 PID 4008 wrote to memory of 3628 4008 q24084.exe 92 PID 3628 wrote to memory of 1608 3628 dpjpj.exe 93 PID 3628 wrote to memory of 1608 3628 dpjpj.exe 93 PID 3628 wrote to memory of 1608 3628 dpjpj.exe 93 PID 1608 wrote to memory of 2432 1608 dvvpj.exe 94 PID 1608 wrote to 
memory of 2432 1608 dvvpj.exe 94 PID 1608 wrote to memory of 2432 1608 dvvpj.exe 94 PID 2432 wrote to memory of 4176 2432 488880.exe 95 PID 2432 wrote to memory of 4176 2432 488880.exe 95 PID 2432 wrote to memory of 4176 2432 488880.exe 95 PID 4176 wrote to memory of 636 4176 htbttn.exe 96 PID 4176 wrote to memory of 636 4176 htbttn.exe 96 PID 4176 wrote to memory of 636 4176 htbttn.exe 96 PID 636 wrote to memory of 1508 636 btbbtb.exe 97 PID 636 wrote to memory of 1508 636 btbbtb.exe 97 PID 636 wrote to memory of 1508 636 btbbtb.exe 97 PID 1508 wrote to memory of 3120 1508 k06044.exe 98 PID 1508 wrote to memory of 3120 1508 k06044.exe 98 PID 1508 wrote to memory of 3120 1508 k06044.exe 98 PID 3120 wrote to memory of 2776 3120 8882606.exe 99 PID 3120 wrote to memory of 2776 3120 8882606.exe 99 PID 3120 wrote to memory of 2776 3120 8882606.exe 99 PID 2776 wrote to memory of 3608 2776 20226.exe 100 PID 2776 wrote to memory of 3608 2776 20226.exe 100 PID 2776 wrote to memory of 3608 2776 20226.exe 100 PID 3608 wrote to memory of 2912 3608 3hhnht.exe 101 PID 3608 wrote to memory of 2912 3608 3hhnht.exe 101 PID 3608 wrote to memory of 2912 3608 3hhnht.exe 101 PID 2912 wrote to memory of 3548 2912 066688.exe 102 PID 2912 wrote to memory of 3548 2912 066688.exe 102 PID 2912 wrote to memory of 3548 2912 066688.exe 102 PID 3548 wrote to memory of 4836 3548 48048.exe 103 PID 3548 wrote to memory of 4836 3548 48048.exe 103 PID 3548 wrote to memory of 4836 3548 48048.exe 103 PID 4836 wrote to memory of 3504 4836 6882266.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad399a5aa03ad40a4bc6fe48e2cfc8a512dd7f6cab8a354fe2f879faf599b0f1.exe"C:\Users\Admin\AppData\Local\Temp\ad399a5aa03ad40a4bc6fe48e2cfc8a512dd7f6cab8a354fe2f879faf599b0f1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\w62660.exec:\w62660.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\thhbtn.exec:\thhbtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\u226048.exec:\u226048.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\rlfxlxr.exec:\rlfxlxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\w82048.exec:\w82048.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\hhthtn.exec:\hhthtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\86800.exec:\86800.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\9lxflll.exec:\9lxflll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\q24084.exec:\q24084.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\dpjpj.exec:\dpjpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\dvvpj.exec:\dvvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\488880.exec:\488880.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\htbttn.exec:\htbttn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\btbbtb.exec:\btbbtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\k06044.exec:\k06044.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\8882606.exec:\8882606.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\20226.exec:\20226.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\3hhnht.exec:\3hhnht.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\066688.exec:\066688.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\48048.exec:\48048.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\6882266.exec:\6882266.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\022600.exec:\022600.exe23⤵
- Executes dropped EXE
PID:3504 -
\??\c:\9fxxrrr.exec:\9fxxrrr.exe24⤵
- Executes dropped EXE
PID:3572 -
\??\c:\06444.exec:\06444.exe25⤵
- Executes dropped EXE
PID:2128 -
\??\c:\484860.exec:\484860.exe26⤵
- Executes dropped EXE
PID:4184 -
\??\c:\xffrfxl.exec:\xffrfxl.exe27⤵
- Executes dropped EXE
PID:4880 -
\??\c:\jpvdv.exec:\jpvdv.exe28⤵
- Executes dropped EXE
PID:4160 -
\??\c:\1lxrffr.exec:\1lxrffr.exe29⤵
- Executes dropped EXE
PID:2624 -
\??\c:\622826.exec:\622826.exe30⤵
- Executes dropped EXE
PID:1404 -
\??\c:\pvjjd.exec:\pvjjd.exe31⤵
- Executes dropped EXE
PID:2268 -
\??\c:\62820.exec:\62820.exe32⤵
- Executes dropped EXE
PID:4556 -
\??\c:\424006.exec:\424006.exe33⤵
- Executes dropped EXE
PID:780 -
\??\c:\5lfrlfr.exec:\5lfrlfr.exe34⤵
- Executes dropped EXE
PID:1512 -
\??\c:\24082.exec:\24082.exe35⤵
- Executes dropped EXE
PID:1200 -
\??\c:\3btnbt.exec:\3btnbt.exe36⤵
- Executes dropped EXE
PID:3424 -
\??\c:\frlfxlx.exec:\frlfxlx.exe37⤵
- Executes dropped EXE
PID:1288 -
\??\c:\k62604.exec:\k62604.exe38⤵
- Executes dropped EXE
PID:2152 -
\??\c:\880040.exec:\880040.exe39⤵
- Executes dropped EXE
PID:5052 -
\??\c:\4608260.exec:\4608260.exe40⤵
- Executes dropped EXE
PID:5076 -
\??\c:\xffxlfl.exec:\xffxlfl.exe41⤵
- Executes dropped EXE
PID:764 -
\??\c:\5hhbnh.exec:\5hhbnh.exe42⤵
- Executes dropped EXE
PID:4872 -
\??\c:\q62648.exec:\q62648.exe43⤵
- Executes dropped EXE
PID:2036 -
\??\c:\684204.exec:\684204.exe44⤵
- Executes dropped EXE
PID:2272 -
\??\c:\fxxrxrr.exec:\fxxrxrr.exe45⤵
- Executes dropped EXE
PID:3124 -
\??\c:\9hthhb.exec:\9hthhb.exe46⤵
- Executes dropped EXE
PID:3736 -
\??\c:\nhnbbb.exec:\nhnbbb.exe47⤵
- Executes dropped EXE
PID:5020 -
\??\c:\lxxlfxl.exec:\lxxlfxl.exe48⤵
- Executes dropped EXE
PID:1684 -
\??\c:\82264.exec:\82264.exe49⤵
- Executes dropped EXE
PID:692 -
\??\c:\jpvjv.exec:\jpvjv.exe50⤵
- Executes dropped EXE
PID:4636 -
\??\c:\djjjv.exec:\djjjv.exe51⤵
- Executes dropped EXE
PID:3948 -
\??\c:\m8864.exec:\m8864.exe52⤵PID:4536
-
\??\c:\jpddd.exec:\jpddd.exe53⤵
- Executes dropped EXE
PID:4000 -
\??\c:\6008208.exec:\6008208.exe54⤵
- Executes dropped EXE
PID:1312 -
\??\c:\6000448.exec:\6000448.exe55⤵
- Executes dropped EXE
PID:3368 -
\??\c:\1nnhhb.exec:\1nnhhb.exe56⤵
- Executes dropped EXE
PID:1484 -
\??\c:\vdddj.exec:\vdddj.exe57⤵
- Executes dropped EXE
PID:1604 -
\??\c:\lrrlflf.exec:\lrrlflf.exe58⤵
- Executes dropped EXE
PID:2088 -
\??\c:\q28288.exec:\q28288.exe59⤵
- Executes dropped EXE
PID:4060 -
\??\c:\lxxlffx.exec:\lxxlffx.exe60⤵
- Executes dropped EXE
PID:4512 -
\??\c:\nbbnnh.exec:\nbbnnh.exe61⤵
- Executes dropped EXE
PID:2628 -
\??\c:\2888260.exec:\2888260.exe62⤵
- Executes dropped EXE
PID:1360 -
\??\c:\9vvpj.exec:\9vvpj.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4372 -
\??\c:\xlxlxrf.exec:\xlxlxrf.exe64⤵
- Executes dropped EXE
PID:1688 -
\??\c:\bthbnh.exec:\bthbnh.exe65⤵
- Executes dropped EXE
PID:3344 -
\??\c:\64206.exec:\64206.exe66⤵
- Executes dropped EXE
PID:1488 -
\??\c:\6200262.exec:\6200262.exe67⤵PID:944
-
\??\c:\o242048.exec:\o242048.exe68⤵PID:2500
-
\??\c:\5vvjj.exec:\5vvjj.exe69⤵PID:1608
-
\??\c:\82226.exec:\82226.exe70⤵PID:2640
-
\??\c:\800048.exec:\800048.exe71⤵PID:2228
-
\??\c:\rlrfrlf.exec:\rlrfrlf.exe72⤵PID:3520
-
\??\c:\9lrllff.exec:\9lrllff.exe73⤵PID:3960
-
\??\c:\vppjd.exec:\vppjd.exe74⤵PID:1508
-
\??\c:\bnbtnn.exec:\bnbtnn.exe75⤵PID:3380
-
\??\c:\682048.exec:\682048.exe76⤵PID:2864
-
\??\c:\s2846.exec:\s2846.exe77⤵PID:4944
-
\??\c:\pppdd.exec:\pppdd.exe78⤵PID:2912
-
\??\c:\9dddj.exec:\9dddj.exe79⤵PID:2560
-
\??\c:\2626604.exec:\2626604.exe80⤵PID:3548
-
\??\c:\flxxxfx.exec:\flxxxfx.exe81⤵PID:4592
-
\??\c:\462604.exec:\462604.exe82⤵PID:1556
-
\??\c:\tbthbt.exec:\tbthbt.exe83⤵PID:5012
-
\??\c:\lxflrff.exec:\lxflrff.exe84⤵PID:1792
-
\??\c:\w44860.exec:\w44860.exe85⤵PID:2812
-
\??\c:\htthht.exec:\htthht.exe86⤵PID:2128
-
\??\c:\jdjdv.exec:\jdjdv.exe87⤵PID:436
-
\??\c:\2464826.exec:\2464826.exe88⤵PID:3632
-
\??\c:\nnthth.exec:\nnthth.exe89⤵PID:1700
-
\??\c:\m4004.exec:\m4004.exe90⤵PID:3112
-
\??\c:\dddjv.exec:\dddjv.exe91⤵PID:1980
-
\??\c:\frxlfxr.exec:\frxlfxr.exe92⤵PID:1492
-
\??\c:\7ppdv.exec:\7ppdv.exe93⤵PID:2416
-
\??\c:\262040.exec:\262040.exe94⤵PID:5008
-
\??\c:\nhhbtt.exec:\nhhbtt.exe95⤵PID:548
-
\??\c:\tbbnhb.exec:\tbbnhb.exe96⤵PID:1536
-
\??\c:\ffxrfrl.exec:\ffxrfrl.exe97⤵PID:2976
-
\??\c:\flfrllf.exec:\flfrllf.exe98⤵PID:856
-
\??\c:\0082060.exec:\0082060.exe99⤵PID:3208
-
\??\c:\482646.exec:\482646.exe100⤵PID:2136
-
\??\c:\i886486.exec:\i886486.exe101⤵PID:1776
-
\??\c:\ttbnnh.exec:\ttbnnh.exe102⤵PID:1836
-
\??\c:\844888.exec:\844888.exe103⤵PID:2868
-
\??\c:\4646460.exec:\4646460.exe104⤵PID:3508
-
\??\c:\lfxlfrl.exec:\lfxlfrl.exe105⤵PID:764
-
\??\c:\6864248.exec:\6864248.exe106⤵PID:4872
-
\??\c:\vpjdd.exec:\vpjdd.exe107⤵PID:1748
-
\??\c:\6004084.exec:\6004084.exe108⤵PID:1736
-
\??\c:\282082.exec:\282082.exe109⤵PID:752
-
\??\c:\dvdpv.exec:\dvdpv.exe110⤵PID:2664
-
\??\c:\5rxxrrr.exec:\5rxxrrr.exe111⤵PID:988
-
\??\c:\thntbh.exec:\thntbh.exe112⤵
- System Location Discovery: System Language Discovery
PID:4804 -
\??\c:\vppdp.exec:\vppdp.exe113⤵PID:2264
-
\??\c:\thbnbt.exec:\thbnbt.exe114⤵PID:4472
-
\??\c:\xrrlrfx.exec:\xrrlrfx.exe115⤵PID:3568
-
\??\c:\7lrffxl.exec:\7lrffxl.exe116⤵PID:4536
-
\??\c:\bbbbbt.exec:\bbbbbt.exe117⤵PID:4616
-
\??\c:\206048.exec:\206048.exe118⤵PID:3576
-
\??\c:\7lffxxx.exec:\7lffxxx.exe119⤵PID:2808
-
\??\c:\48420.exec:\48420.exe120⤵PID:2892
-
\??\c:\5pppd.exec:\5pppd.exe121⤵PID:4840
-
\??\c:\00048.exec:\00048.exe122⤵PID:932