Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:20
Behavioral task
behavioral1
Sample
51851b97d775370d03b01fe3ced2ccae4a39acd7ec03829d5441753451c44eabN.exe
Resource
win7-20241023-en (note: this task entry describes behavioral1 on a Windows 7 image, but every IoC listed below is tagged behavioral2 and the analysis platform above is windows10-2004_x64 — the signatures and process tree on this page reflect the Windows 10 run, not the Windows 7 one)
7 signatures
120 seconds
General
-
Target
51851b97d775370d03b01fe3ced2ccae4a39acd7ec03829d5441753451c44eabN.exe
-
Size
332KB
-
MD5
49b8cee86dfaeff949bf8517eed8fa10
-
SHA1
a54eca9847be613c4986d29ff4d7c64510f5afb1
-
SHA256
51851b97d775370d03b01fe3ced2ccae4a39acd7ec03829d5441753451c44eab
-
SHA512
42bed9e7d996cc689b08cfb4d2ad817a96296af727f8c69c50c8bcc797fc49c6305eef024fce4f2e6c1117b20d23aa7e5314b723829da82f7835e559a01acb96
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbe4:R4wFHoSHYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs (every hit is the same 0x00400000–0x00427000 image region in a different PID of the spawn chain, which is consistent with each dropped EXE being a copy of the same payload; the dropped files are not hashed on this page, so confirm by hashing them before treating them as one sample)
resource yara_rule behavioral2/memory/2268-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4084-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2580-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3432-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/524-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1172-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2180-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/968-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1696-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2344-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/112-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1412-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1848-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1648-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3376-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1628-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3772-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/884-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1100-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3448-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1856-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3356-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1192-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4412-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2396-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2440-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5092-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1324-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2504-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2780-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4304-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3408-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1228-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2580-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2368-417-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2860-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2080-672-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4032-677-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/964-744-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2580-1255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list below stops at 64 entries while the process tree in the Processes section continues to depth 122, so 64 is presumably a display cap rather than the total number of dropped executables)
pid Process 4084 0828062.exe 4644 tnhbtt.exe 2580 5xrrrrf.exe 3432 btnbhh.exe 3864 7bbtnh.exe 4372 40600.exe 968 022040.exe 2180 424884.exe 524 806600.exe 1172 88088.exe 1696 0066448.exe 2344 8088826.exe 4300 pjppj.exe 2552 88222.exe 112 dvdvp.exe 1412 lxlllrf.exe 3156 jdjvv.exe 4616 xrxlxfx.exe 2068 206426.exe 5016 040066.exe 1848 nthbbb.exe 5080 ddvpj.exe 2212 rrrxrrf.exe 3376 pdjjj.exe 1648 nnnhhb.exe 1628 tthnnn.exe 1528 2642068.exe 3260 82826.exe 5044 fxrxrff.exe 3792 thhtbb.exe 2860 bthbtn.exe 3796 xrlfxrl.exe 3772 826288.exe 3120 262242.exe 884 vdddj.exe 3828 lxxrllf.exe 3392 848260.exe 4472 480866.exe 3520 4800666.exe 3356 jpvjd.exe 3196 84288.exe 1676 0800468.exe 1100 646400.exe 2696 a6660.exe 4652 4864848.exe 8 w46600.exe 3448 7pvvp.exe 808 46226.exe 1856 2404444.exe 2120 frffxxx.exe 3460 488822.exe 4204 nhbbtb.exe 3332 00826.exe 2280 pddpj.exe 1192 42262.exe 4412 642888.exe 2396 6804446.exe 2440 rfrflrx.exe 4976 260028.exe 1736 vjjjj.exe 4644 pjpvj.exe 5092 q46488.exe 3432 60660.exe 1568 hbbhnn.exe -
resource yara_rule behavioral2/memory/2268-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c52-3.dat upx behavioral2/memory/2268-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cad-8.dat upx behavioral2/memory/4084-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-11.dat upx behavioral2/memory/2580-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4644-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-19.dat upx behavioral2/files/0x0007000000023cb4-24.dat upx behavioral2/files/0x0007000000023cb6-33.dat upx behavioral2/files/0x0007000000023cb5-29.dat upx behavioral2/memory/3432-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-39.dat upx behavioral2/files/0x0007000000023cb8-44.dat upx behavioral2/memory/524-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-49.dat upx behavioral2/memory/1172-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2180-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/968-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4372-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-54.dat upx behavioral2/files/0x0007000000023cbb-57.dat upx behavioral2/memory/1696-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-62.dat upx behavioral2/memory/2344-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cae-67.dat upx behavioral2/memory/4300-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-72.dat upx behavioral2/memory/2552-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-77.dat upx 
behavioral2/memory/112-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-82.dat upx behavioral2/memory/1412-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-87.dat upx behavioral2/files/0x0007000000023cc2-91.dat upx behavioral2/memory/4616-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2068-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-96.dat upx behavioral2/files/0x0007000000023cc4-101.dat upx behavioral2/memory/1848-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-106.dat upx behavioral2/memory/2212-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-115.dat upx behavioral2/files/0x0007000000023cc6-111.dat upx behavioral2/files/0x0007000000023cc8-119.dat upx behavioral2/memory/1648-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc9-125.dat upx behavioral2/memory/3376-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-129.dat upx behavioral2/memory/1628-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccb-134.dat upx behavioral2/memory/3260-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-139.dat upx behavioral2/files/0x0007000000023ccd-144.dat upx behavioral2/files/0x0007000000023cce-147.dat upx behavioral2/files/0x0007000000023ccf-152.dat upx behavioral2/memory/3796-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3772-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/884-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3520-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4472-171-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3196-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1100-183-0x0000000000400000-0x0000000000427000-memory.dmp upx - (the rows above tagged `upx` are matches of the yara rule upx on both the dropped files and the in-memory images of the spawned processes, i.e. the payloads appear to be UPX-packed; note that the memory hits cover the same 0x00400000–0x00427000 region flagged as Blackmoon above)
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. In the rows below, the process column reads "Process not Found" for most entries; this presumably means the sandbox could not attribute the registry read to a still-running process (the short-lived dropped EXEs exit quickly), so only a handful of the 64 reads are tied to a named image.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrllrr.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each process writes into the memory of the single child it spawns, three writes per child; the parent→child PID sequence 2268→4084→4644→2580→… matches the depth order of the process tree below, so this is one linear spawn chain rather than injection into unrelated processes)
description pid Process procid_target PID 2268 wrote to memory of 4084 2268 51851b97d775370d03b01fe3ced2ccae4a39acd7ec03829d5441753451c44eabN.exe 83 PID 2268 wrote to memory of 4084 2268 51851b97d775370d03b01fe3ced2ccae4a39acd7ec03829d5441753451c44eabN.exe 83 PID 2268 wrote to memory of 4084 2268 51851b97d775370d03b01fe3ced2ccae4a39acd7ec03829d5441753451c44eabN.exe 83 PID 4084 wrote to memory of 4644 4084 0828062.exe 84 PID 4084 wrote to memory of 4644 4084 0828062.exe 84 PID 4084 wrote to memory of 4644 4084 0828062.exe 84 PID 4644 wrote to memory of 2580 4644 tnhbtt.exe 85 PID 4644 wrote to memory of 2580 4644 tnhbtt.exe 85 PID 4644 wrote to memory of 2580 4644 tnhbtt.exe 85 PID 2580 wrote to memory of 3432 2580 5xrrrrf.exe 86 PID 2580 wrote to memory of 3432 2580 5xrrrrf.exe 86 PID 2580 wrote to memory of 3432 2580 5xrrrrf.exe 86 PID 3432 wrote to memory of 3864 3432 btnbhh.exe 87 PID 3432 wrote to memory of 3864 3432 btnbhh.exe 87 PID 3432 wrote to memory of 3864 3432 btnbhh.exe 87 PID 3864 wrote to memory of 4372 3864 7bbtnh.exe 88 PID 3864 wrote to memory of 4372 3864 7bbtnh.exe 88 PID 3864 wrote to memory of 4372 3864 7bbtnh.exe 88 PID 4372 wrote to memory of 968 4372 40600.exe 89 PID 4372 wrote to memory of 968 4372 40600.exe 89 PID 4372 wrote to memory of 968 4372 40600.exe 89 PID 968 wrote to memory of 2180 968 022040.exe 90 PID 968 wrote to memory of 2180 968 022040.exe 90 PID 968 wrote to memory of 2180 968 022040.exe 90 PID 2180 wrote to memory of 524 2180 424884.exe 91 PID 2180 wrote to memory of 524 2180 424884.exe 91 PID 2180 wrote to memory of 524 2180 424884.exe 91 PID 524 wrote to memory of 1172 524 806600.exe 92 PID 524 wrote to memory of 1172 524 806600.exe 92 PID 524 wrote to memory of 1172 524 806600.exe 92 PID 1172 wrote to memory of 1696 1172 88088.exe 93 PID 1172 wrote to memory of 1696 1172 88088.exe 93 PID 1172 wrote to memory of 1696 1172 88088.exe 93 PID 1696 wrote to memory of 2344 1696 0066448.exe 94 PID 1696 wrote to memory of 2344 
1696 0066448.exe 94 PID 1696 wrote to memory of 2344 1696 0066448.exe 94 PID 2344 wrote to memory of 4300 2344 8088826.exe 95 PID 2344 wrote to memory of 4300 2344 8088826.exe 95 PID 2344 wrote to memory of 4300 2344 8088826.exe 95 PID 4300 wrote to memory of 2552 4300 pjppj.exe 96 PID 4300 wrote to memory of 2552 4300 pjppj.exe 96 PID 4300 wrote to memory of 2552 4300 pjppj.exe 96 PID 2552 wrote to memory of 112 2552 88222.exe 97 PID 2552 wrote to memory of 112 2552 88222.exe 97 PID 2552 wrote to memory of 112 2552 88222.exe 97 PID 112 wrote to memory of 1412 112 dvdvp.exe 98 PID 112 wrote to memory of 1412 112 dvdvp.exe 98 PID 112 wrote to memory of 1412 112 dvdvp.exe 98 PID 1412 wrote to memory of 3156 1412 lxlllrf.exe 99 PID 1412 wrote to memory of 3156 1412 lxlllrf.exe 99 PID 1412 wrote to memory of 3156 1412 lxlllrf.exe 99 PID 3156 wrote to memory of 4616 3156 jdjvv.exe 100 PID 3156 wrote to memory of 4616 3156 jdjvv.exe 100 PID 3156 wrote to memory of 4616 3156 jdjvv.exe 100 PID 4616 wrote to memory of 2068 4616 xrxlxfx.exe 101 PID 4616 wrote to memory of 2068 4616 xrxlxfx.exe 101 PID 4616 wrote to memory of 2068 4616 xrxlxfx.exe 101 PID 2068 wrote to memory of 5016 2068 206426.exe 102 PID 2068 wrote to memory of 5016 2068 206426.exe 102 PID 2068 wrote to memory of 5016 2068 206426.exe 102 PID 5016 wrote to memory of 1848 5016 040066.exe 103 PID 5016 wrote to memory of 1848 5016 040066.exe 103 PID 5016 wrote to memory of 1848 5016 040066.exe 103 PID 1848 wrote to memory of 5080 1848 nthbbb.exe 104
Processes (process tree; in each entry the NT image path, the command line, the tree depth and the PID were rendered without separators, e.g. `\??\c:\0828062.exe` + `c:\0828062.exe` + depth `2` + `PID:4084`; every dropped EXE is written to the root of c:\ under a short pseudo-random name)
-
C:\Users\Admin\AppData\Local\Temp\51851b97d775370d03b01fe3ced2ccae4a39acd7ec03829d5441753451c44eabN.exe"C:\Users\Admin\AppData\Local\Temp\51851b97d775370d03b01fe3ced2ccae4a39acd7ec03829d5441753451c44eabN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\0828062.exec:\0828062.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\tnhbtt.exec:\tnhbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\5xrrrrf.exec:\5xrrrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\btnbhh.exec:\btnbhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\7bbtnh.exec:\7bbtnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\40600.exec:\40600.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\022040.exec:\022040.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\424884.exec:\424884.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\806600.exec:\806600.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
\??\c:\88088.exec:\88088.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\0066448.exec:\0066448.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\8088826.exec:\8088826.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\pjppj.exec:\pjppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\88222.exec:\88222.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\dvdvp.exec:\dvdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\lxlllrf.exec:\lxlllrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\jdjvv.exec:\jdjvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\xrxlxfx.exec:\xrxlxfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\206426.exec:\206426.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\040066.exec:\040066.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\nthbbb.exec:\nthbbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\ddvpj.exec:\ddvpj.exe23⤵
- Executes dropped EXE
PID:5080 -
\??\c:\rrrxrrf.exec:\rrrxrrf.exe24⤵
- Executes dropped EXE
PID:2212 -
\??\c:\pdjjj.exec:\pdjjj.exe25⤵
- Executes dropped EXE
PID:3376 -
\??\c:\nnnhhb.exec:\nnnhhb.exe26⤵
- Executes dropped EXE
PID:1648 -
\??\c:\tthnnn.exec:\tthnnn.exe27⤵
- Executes dropped EXE
PID:1628 -
\??\c:\2642068.exec:\2642068.exe28⤵
- Executes dropped EXE
PID:1528 -
\??\c:\82826.exec:\82826.exe29⤵
- Executes dropped EXE
PID:3260 -
\??\c:\fxrxrff.exec:\fxrxrff.exe30⤵
- Executes dropped EXE
PID:5044 -
\??\c:\thhtbb.exec:\thhtbb.exe31⤵
- Executes dropped EXE
PID:3792 -
\??\c:\bthbtn.exec:\bthbtn.exe32⤵
- Executes dropped EXE
PID:2860 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe33⤵
- Executes dropped EXE
PID:3796 -
\??\c:\826288.exec:\826288.exe34⤵
- Executes dropped EXE
PID:3772 -
\??\c:\262242.exec:\262242.exe35⤵
- Executes dropped EXE
PID:3120 -
\??\c:\vdddj.exec:\vdddj.exe36⤵
- Executes dropped EXE
PID:884 -
\??\c:\lxxrllf.exec:\lxxrllf.exe37⤵
- Executes dropped EXE
PID:3828 -
\??\c:\848260.exec:\848260.exe38⤵
- Executes dropped EXE
PID:3392 -
\??\c:\480866.exec:\480866.exe39⤵
- Executes dropped EXE
PID:4472 -
\??\c:\4800666.exec:\4800666.exe40⤵
- Executes dropped EXE
PID:3520 -
\??\c:\jpvjd.exec:\jpvjd.exe41⤵
- Executes dropped EXE
PID:3356 -
\??\c:\84288.exec:\84288.exe42⤵
- Executes dropped EXE
PID:3196 -
\??\c:\0800468.exec:\0800468.exe43⤵
- Executes dropped EXE
PID:1676 -
\??\c:\646400.exec:\646400.exe44⤵
- Executes dropped EXE
PID:1100 -
\??\c:\a6660.exec:\a6660.exe45⤵
- Executes dropped EXE
PID:2696 -
\??\c:\4864848.exec:\4864848.exe46⤵
- Executes dropped EXE
PID:4652 -
\??\c:\w46600.exec:\w46600.exe47⤵
- Executes dropped EXE
PID:8 -
\??\c:\7pvvp.exec:\7pvvp.exe48⤵
- Executes dropped EXE
PID:3448 -
\??\c:\46226.exec:\46226.exe49⤵
- Executes dropped EXE
PID:808 -
\??\c:\2404444.exec:\2404444.exe50⤵
- Executes dropped EXE
PID:1856 -
\??\c:\frffxxx.exec:\frffxxx.exe51⤵
- Executes dropped EXE
PID:2120 -
\??\c:\488822.exec:\488822.exe52⤵
- Executes dropped EXE
PID:3460 -
\??\c:\nhbbtb.exec:\nhbbtb.exe53⤵
- Executes dropped EXE
PID:4204 -
\??\c:\00826.exec:\00826.exe54⤵
- Executes dropped EXE
PID:3332 -
\??\c:\pddpj.exec:\pddpj.exe55⤵
- Executes dropped EXE
PID:2280 -
\??\c:\42262.exec:\42262.exe56⤵
- Executes dropped EXE
PID:1192 -
\??\c:\642888.exec:\642888.exe57⤵
- Executes dropped EXE
PID:4412 -
\??\c:\6804446.exec:\6804446.exe58⤵
- Executes dropped EXE
PID:2396 -
\??\c:\rfrflrx.exec:\rfrflrx.exe59⤵
- Executes dropped EXE
PID:2440 -
\??\c:\260028.exec:\260028.exe60⤵
- Executes dropped EXE
PID:4976 -
\??\c:\vjjjj.exec:\vjjjj.exe61⤵
- Executes dropped EXE
PID:1736 -
\??\c:\pjpvj.exec:\pjpvj.exe62⤵
- Executes dropped EXE
PID:4644 -
\??\c:\q46488.exec:\q46488.exe63⤵
- Executes dropped EXE
PID:5092 -
\??\c:\60660.exec:\60660.exe64⤵
- Executes dropped EXE
PID:3432 -
\??\c:\hbbhnn.exec:\hbbhnn.exe65⤵
- Executes dropped EXE
PID:1568 -
\??\c:\ntthtb.exec:\ntthtb.exe66⤵PID:3352
-
\??\c:\lrflrff.exec:\lrflrff.exe67⤵PID:1324
-
\??\c:\42066.exec:\42066.exe68⤵PID:2504
-
\??\c:\26420.exec:\26420.exe69⤵PID:1468
-
\??\c:\8288884.exec:\8288884.exe70⤵PID:4192
-
\??\c:\rffxlxf.exec:\rffxlxf.exe71⤵PID:4908
-
\??\c:\04466.exec:\04466.exe72⤵PID:392
-
\??\c:\nnntbh.exec:\nnntbh.exe73⤵PID:3688
-
\??\c:\82604.exec:\82604.exe74⤵PID:2368
-
\??\c:\06260.exec:\06260.exe75⤵PID:448
-
\??\c:\7vjdv.exec:\7vjdv.exe76⤵PID:4116
-
\??\c:\jjpjj.exec:\jjpjj.exe77⤵PID:4996
-
\??\c:\ttnbtb.exec:\ttnbtb.exe78⤵PID:4300
-
\??\c:\lllfrrf.exec:\lllfrrf.exe79⤵PID:4820
-
\??\c:\rrffflf.exec:\rrffflf.exe80⤵PID:2780
-
\??\c:\668604.exec:\668604.exe81⤵PID:112
-
\??\c:\bttnbt.exec:\bttnbt.exe82⤵PID:4304
-
\??\c:\jdddv.exec:\jdddv.exe83⤵PID:1832
-
\??\c:\26820.exec:\26820.exe84⤵PID:3964
-
\??\c:\8886628.exec:\8886628.exe85⤵PID:2672
-
\??\c:\u686000.exec:\u686000.exe86⤵PID:3284
-
\??\c:\60248.exec:\60248.exe87⤵PID:388
-
\??\c:\7tbnnn.exec:\7tbnnn.exe88⤵PID:5016
-
\??\c:\64820.exec:\64820.exe89⤵PID:3648
-
\??\c:\hbnhhh.exec:\hbnhhh.exe90⤵PID:2796
-
\??\c:\bhnhbt.exec:\bhnhbt.exe91⤵PID:5080
-
\??\c:\vddvj.exec:\vddvj.exe92⤵PID:4800
-
\??\c:\488860.exec:\488860.exe93⤵PID:4792
-
\??\c:\1jjjv.exec:\1jjjv.exe94⤵PID:3088
-
\??\c:\hhbttt.exec:\hhbttt.exe95⤵PID:2876
-
\??\c:\c462448.exec:\c462448.exe96⤵PID:2468
-
\??\c:\222204.exec:\222204.exe97⤵PID:3732
-
\??\c:\6604882.exec:\6604882.exe98⤵PID:4948
-
\??\c:\ffxrfff.exec:\ffxrfff.exe99⤵PID:4356
-
\??\c:\40048.exec:\40048.exe100⤵PID:1028
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe101⤵PID:3792
-
\??\c:\tnbtbb.exec:\tnbtbb.exe102⤵PID:4196
-
\??\c:\m2804.exec:\m2804.exe103⤵PID:4324
-
\??\c:\fffrrrf.exec:\fffrrrf.exe104⤵PID:4784
-
\??\c:\60020.exec:\60020.exe105⤵PID:3344
-
\??\c:\ddvpd.exec:\ddvpd.exe106⤵PID:1256
-
\??\c:\04660.exec:\04660.exe107⤵PID:944
-
\??\c:\644426.exec:\644426.exe108⤵PID:3532
-
\??\c:\hbnhbb.exec:\hbnhbb.exe109⤵PID:4088
-
\??\c:\jjjdv.exec:\jjjdv.exe110⤵PID:4484
-
\??\c:\22862.exec:\22862.exe111⤵PID:1960
-
\??\c:\bbhbhh.exec:\bbhbhh.exe112⤵PID:4232
-
\??\c:\8446402.exec:\8446402.exe113⤵PID:3356
-
\??\c:\020640.exec:\020640.exe114⤵PID:1084
-
\??\c:\vjpjp.exec:\vjpjp.exe115⤵PID:2104
-
\??\c:\02620.exec:\02620.exe116⤵PID:4020
-
\??\c:\vvddp.exec:\vvddp.exe117⤵PID:3408
-
\??\c:\jdvvv.exec:\jdvvv.exe118⤵PID:2816
-
\??\c:\6868446.exec:\6868446.exe119⤵PID:2488
-
\??\c:\2880002.exec:\2880002.exe120⤵PID:2940
-
\??\c:\082444.exec:\082444.exe121⤵PID:1724
-
\??\c:\8464888.exec:\8464888.exe122⤵PID:1164