Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/10/2024, 16:12
Behavioral task
behavioral1
Sample
9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe
-
Size
72KB
-
MD5
b6d86dcfe7d47193a7f1517565780fe0
-
SHA1
b822495ffbe9a3f3a50f3c115a49420cd4e090c6
-
SHA256
9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544
-
SHA512
86cd5fea8f4c330aa218ed67315059791a59ee1fc4a5078c56218728dc1a6d11a09c26c0650400bd6f0463e73e0e7572222c75d726a084b12da6111604246691
-
SSDEEP
1536:zvQBeOGtrYS3srx93UBWfwC6Ggnouy8iT4+IJPkffW2Vl4zQ3y3:zhOmTsF93UYfwC6GIoutiTm5kfuGC3
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3720-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/904-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3856-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2312-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/184-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/668-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4056-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3124-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1956-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4668-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2868-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1328-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3268-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4672-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/584-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4784-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2348-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4256-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1632-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3164-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1600-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1684-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1232-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1856-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1740-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3704-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/664-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2592-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1376-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2144-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3016-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/668-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1928-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1392-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3272-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1768-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1516-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1752-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3356-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/792-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1672-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3384-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4916-449-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-603-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-756-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3384-855-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-1222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3928-1405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 904 xlfxxxx.exe 3856 804444.exe 2312 682082.exe 184 2800444.exe 4240 4480068.exe 668 86222.exe 4056 80802.exe 3124 pdjjj.exe 1956 xrffxlr.exe 4668 m2862.exe 2868 00288.exe 232 24848.exe 1328 7dpjp.exe 3268 04608.exe 2464 44248.exe 4672 btbhtb.exe 3456 ffxxllx.exe 1072 jjdpp.exe 2376 842666.exe 584 8060066.exe 4252 2026884.exe 4784 808648.exe 2348 5dddv.exe 848 rrrxxxx.exe 3184 vdvvd.exe 4256 vdjjd.exe 3020 bththt.exe 1632 xffrxxl.exe 3164 flfxlfr.exe 1600 bnnntt.exe 4644 1jppp.exe 1684 06802.exe 2788 4226044.exe 4964 688208.exe 1232 0202862.exe 1856 086240.exe 872 088244.exe 1164 btbttb.exe 2184 666044.exe 4016 884866.exe 1740 hbtnhh.exe 3432 xrrfrfx.exe 3704 88662.exe 664 vvdvp.exe 2592 hnnhbt.exe 1344 xfxrlrx.exe 5096 rflxrlf.exe 1376 nttnnh.exe 2120 0848266.exe 2144 420864.exe 3016 jvvpj.exe 2856 484860.exe 4024 i444826.exe 4776 nhhhtn.exe 3596 c666422.exe 3420 q40826.exe 668 062644.exe 4056 4088226.exe 1220 82666.exe 2132 hbtnbt.exe 2332 hbtnhb.exe 4876 048884.exe 3488 xrllllf.exe 2240 8022626.exe -
resource yara_rule behavioral2/memory/3720-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c6b-4.dat upx behavioral2/memory/3720-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cbb-8.dat upx behavioral2/memory/904-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-11.dat upx behavioral2/memory/3856-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-18.dat upx behavioral2/memory/2312-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-25.dat upx behavioral2/memory/184-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-29.dat upx behavioral2/memory/668-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-33.dat upx behavioral2/memory/4056-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-38.dat upx behavioral2/memory/3124-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-43.dat upx behavioral2/memory/1956-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-49.dat upx behavioral2/memory/1956-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc8-53.dat upx behavioral2/memory/4668-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc9-58.dat upx behavioral2/memory/2868-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-63.dat upx behavioral2/memory/1328-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/232-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccb-69.dat upx behavioral2/memory/1328-70-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023ccc-74.dat upx behavioral2/memory/3268-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-79.dat upx behavioral2/memory/2464-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cce-84.dat upx behavioral2/memory/4672-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccf-89.dat upx behavioral2/files/0x0007000000023cd0-93.dat upx behavioral2/files/0x0007000000023cd1-97.dat upx behavioral2/memory/2376-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/584-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd2-103.dat upx behavioral2/files/0x0008000000023cbc-107.dat upx behavioral2/memory/4252-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd3-112.dat upx behavioral2/memory/4784-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd4-118.dat upx behavioral2/memory/848-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2348-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd5-123.dat upx behavioral2/memory/3184-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd6-128.dat upx behavioral2/files/0x0007000000023cd7-132.dat upx behavioral2/memory/4256-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd8-138.dat upx behavioral2/files/0x0007000000023cd9-141.dat upx behavioral2/memory/1632-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3164-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cda-146.dat upx behavioral2/files/0x0007000000023cdc-151.dat upx behavioral2/memory/1600-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdd-156.dat 
upx behavioral2/memory/1684-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4964-165-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0488260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 088080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 464860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4000400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k46000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3720 wrote to memory of 904 3720 9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe 84 PID 3720 wrote to memory of 904 3720 9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe 84 PID 3720 wrote to memory of 904 3720 9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe 84 PID 904 wrote to memory of 3856 904 xlfxxxx.exe 85 PID 904 wrote to memory of 3856 904 xlfxxxx.exe 85 PID 904 wrote to memory of 3856 904 xlfxxxx.exe 85 PID 3856 wrote to memory of 2312 3856 804444.exe 86 PID 3856 wrote to memory of 2312 3856 804444.exe 86 PID 3856 wrote to memory of 2312 3856 804444.exe 86 PID 2312 wrote to memory of 184 2312 682082.exe 87 PID 2312 wrote to memory of 184 2312 682082.exe 87 PID 2312 wrote to memory of 184 2312 682082.exe 87 PID 184 wrote to memory of 4240 184 2800444.exe 88 PID 184 wrote to memory of 4240 184 2800444.exe 88 PID 184 wrote to memory of 4240 184 2800444.exe 88 PID 4240 wrote to memory of 668 4240 4480068.exe 89 PID 4240 wrote to memory of 668 4240 4480068.exe 89 PID 4240 wrote to memory of 668 4240 4480068.exe 89 PID 668 wrote to memory of 4056 668 86222.exe 90 PID 668 wrote to memory of 4056 668 86222.exe 90 PID 668 wrote to memory of 4056 668 86222.exe 90 PID 4056 wrote to memory of 3124 4056 80802.exe 91 PID 4056 wrote to memory of 3124 4056 80802.exe 91 PID 4056 wrote to memory of 3124 4056 80802.exe 91 PID 3124 wrote to memory of 1956 3124 pdjjj.exe 92 PID 3124 wrote to memory of 1956 3124 pdjjj.exe 92 PID 3124 wrote to memory of 1956 3124 pdjjj.exe 92 PID 1956 wrote to memory of 4668 1956 xrffxlr.exe 93 PID 1956 wrote to memory of 4668 1956 xrffxlr.exe 93 PID 1956 wrote to memory of 4668 1956 xrffxlr.exe 93 PID 4668 wrote to memory of 2868 4668 m2862.exe 94 PID 4668 wrote to memory of 2868 4668 m2862.exe 94 PID 4668 wrote to memory of 2868 4668 m2862.exe 94 PID 2868 wrote to memory of 232 2868 00288.exe 95 PID 2868 wrote to memory of 232 2868 
00288.exe 95 PID 2868 wrote to memory of 232 2868 00288.exe 95 PID 232 wrote to memory of 1328 232 24848.exe 96 PID 232 wrote to memory of 1328 232 24848.exe 96 PID 232 wrote to memory of 1328 232 24848.exe 96 PID 1328 wrote to memory of 3268 1328 7dpjp.exe 97 PID 1328 wrote to memory of 3268 1328 7dpjp.exe 97 PID 1328 wrote to memory of 3268 1328 7dpjp.exe 97 PID 3268 wrote to memory of 2464 3268 04608.exe 98 PID 3268 wrote to memory of 2464 3268 04608.exe 98 PID 3268 wrote to memory of 2464 3268 04608.exe 98 PID 2464 wrote to memory of 4672 2464 44248.exe 99 PID 2464 wrote to memory of 4672 2464 44248.exe 99 PID 2464 wrote to memory of 4672 2464 44248.exe 99 PID 4672 wrote to memory of 3456 4672 btbhtb.exe 100 PID 4672 wrote to memory of 3456 4672 btbhtb.exe 100 PID 4672 wrote to memory of 3456 4672 btbhtb.exe 100 PID 3456 wrote to memory of 1072 3456 ffxxllx.exe 101 PID 3456 wrote to memory of 1072 3456 ffxxllx.exe 101 PID 3456 wrote to memory of 1072 3456 ffxxllx.exe 101 PID 1072 wrote to memory of 2376 1072 jjdpp.exe 102 PID 1072 wrote to memory of 2376 1072 jjdpp.exe 102 PID 1072 wrote to memory of 2376 1072 jjdpp.exe 102 PID 2376 wrote to memory of 584 2376 842666.exe 103 PID 2376 wrote to memory of 584 2376 842666.exe 103 PID 2376 wrote to memory of 584 2376 842666.exe 103 PID 584 wrote to memory of 4252 584 8060066.exe 105 PID 584 wrote to memory of 4252 584 8060066.exe 105 PID 584 wrote to memory of 4252 584 8060066.exe 105 PID 4252 wrote to memory of 4784 4252 2026884.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe"C:\Users\Admin\AppData\Local\Temp\9b3539e2ac6c27eb9cef2729b56860b174f72d6817ebf9eee14f8b5d0f754544N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\xlfxxxx.exec:\xlfxxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
\??\c:\804444.exec:\804444.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\682082.exec:\682082.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\2800444.exec:\2800444.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\4480068.exec:\4480068.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\86222.exec:\86222.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\80802.exec:\80802.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\pdjjj.exec:\pdjjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\xrffxlr.exec:\xrffxlr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\m2862.exec:\m2862.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\00288.exec:\00288.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\24848.exec:\24848.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\7dpjp.exec:\7dpjp.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\04608.exec:\04608.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\44248.exec:\44248.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\btbhtb.exec:\btbhtb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\ffxxllx.exec:\ffxxllx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\jjdpp.exec:\jjdpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\842666.exec:\842666.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\8060066.exec:\8060066.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\2026884.exec:\2026884.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\808648.exec:\808648.exe23⤵
- Executes dropped EXE
PID:4784 -
\??\c:\5dddv.exec:\5dddv.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348 -
\??\c:\rrrxxxx.exec:\rrrxxxx.exe25⤵
- Executes dropped EXE
PID:848 -
\??\c:\vdvvd.exec:\vdvvd.exe26⤵
- Executes dropped EXE
PID:3184 -
\??\c:\vdjjd.exec:\vdjjd.exe27⤵
- Executes dropped EXE
PID:4256 -
\??\c:\bththt.exec:\bththt.exe28⤵
- Executes dropped EXE
PID:3020 -
\??\c:\xffrxxl.exec:\xffrxxl.exe29⤵
- Executes dropped EXE
PID:1632 -
\??\c:\flfxlfr.exec:\flfxlfr.exe30⤵
- Executes dropped EXE
PID:3164 -
\??\c:\bnnntt.exec:\bnnntt.exe31⤵
- Executes dropped EXE
PID:1600 -
\??\c:\1jppp.exec:\1jppp.exe32⤵
- Executes dropped EXE
PID:4644 -
\??\c:\06802.exec:\06802.exe33⤵
- Executes dropped EXE
PID:1684 -
\??\c:\4226044.exec:\4226044.exe34⤵
- Executes dropped EXE
PID:2788 -
\??\c:\688208.exec:\688208.exe35⤵
- Executes dropped EXE
PID:4964 -
\??\c:\0202862.exec:\0202862.exe36⤵
- Executes dropped EXE
PID:1232 -
\??\c:\086240.exec:\086240.exe37⤵
- Executes dropped EXE
PID:1856 -
\??\c:\088244.exec:\088244.exe38⤵
- Executes dropped EXE
PID:872 -
\??\c:\btbttb.exec:\btbttb.exe39⤵
- Executes dropped EXE
PID:1164 -
\??\c:\666044.exec:\666044.exe40⤵
- Executes dropped EXE
PID:2184 -
\??\c:\884866.exec:\884866.exe41⤵
- Executes dropped EXE
PID:4016 -
\??\c:\hbtnhh.exec:\hbtnhh.exe42⤵
- Executes dropped EXE
PID:1740 -
\??\c:\xrrfrfx.exec:\xrrfrfx.exe43⤵
- Executes dropped EXE
PID:3432 -
\??\c:\88662.exec:\88662.exe44⤵
- Executes dropped EXE
PID:3704 -
\??\c:\vvdvp.exec:\vvdvp.exe45⤵
- Executes dropped EXE
PID:664 -
\??\c:\hnnhbt.exec:\hnnhbt.exe46⤵
- Executes dropped EXE
PID:2592 -
\??\c:\xfxrlrx.exec:\xfxrlrx.exe47⤵
- Executes dropped EXE
PID:1344 -
\??\c:\rflxrlf.exec:\rflxrlf.exe48⤵
- Executes dropped EXE
PID:5096 -
\??\c:\nttnnh.exec:\nttnnh.exe49⤵
- Executes dropped EXE
PID:1376 -
\??\c:\000048.exec:\000048.exe50⤵PID:4376
-
\??\c:\0848266.exec:\0848266.exe51⤵
- Executes dropped EXE
PID:2120 -
\??\c:\420864.exec:\420864.exe52⤵
- Executes dropped EXE
PID:2144 -
\??\c:\jvvpj.exec:\jvvpj.exe53⤵
- Executes dropped EXE
PID:3016 -
\??\c:\484860.exec:\484860.exe54⤵
- Executes dropped EXE
PID:2856 -
\??\c:\i444826.exec:\i444826.exe55⤵
- Executes dropped EXE
PID:4024 -
\??\c:\nhhhtn.exec:\nhhhtn.exe56⤵
- Executes dropped EXE
PID:4776 -
\??\c:\c666422.exec:\c666422.exe57⤵
- Executes dropped EXE
PID:3596 -
\??\c:\q40826.exec:\q40826.exe58⤵
- Executes dropped EXE
PID:3420 -
\??\c:\062644.exec:\062644.exe59⤵
- Executes dropped EXE
PID:668 -
\??\c:\4088226.exec:\4088226.exe60⤵
- Executes dropped EXE
PID:4056 -
\??\c:\82666.exec:\82666.exe61⤵
- Executes dropped EXE
PID:1220 -
\??\c:\hbtnbt.exec:\hbtnbt.exe62⤵
- Executes dropped EXE
PID:2132 -
\??\c:\hbtnhb.exec:\hbtnhb.exe63⤵
- Executes dropped EXE
PID:2332 -
\??\c:\048884.exec:\048884.exe64⤵
- Executes dropped EXE
PID:4876 -
\??\c:\xrllllf.exec:\xrllllf.exe65⤵
- Executes dropped EXE
PID:3488 -
\??\c:\8022626.exec:\8022626.exe66⤵
- Executes dropped EXE
PID:2240 -
\??\c:\5frxlrf.exec:\5frxlrf.exe67⤵PID:232
-
\??\c:\04004.exec:\04004.exe68⤵PID:1928
-
\??\c:\60402.exec:\60402.exe69⤵PID:1392
-
\??\c:\802886.exec:\802886.exe70⤵PID:3272
-
\??\c:\826088.exec:\826088.exe71⤵PID:2464
-
\??\c:\nbbnhn.exec:\nbbnhn.exe72⤵PID:2264
-
\??\c:\hhbbnt.exec:\hhbbnt.exe73⤵PID:1356
-
\??\c:\68288.exec:\68288.exe74⤵PID:1072
-
\??\c:\vjvpj.exec:\vjvpj.exe75⤵PID:4448
-
\??\c:\lllfrrr.exec:\lllfrrr.exe76⤵PID:4812
-
\??\c:\0624828.exec:\0624828.exe77⤵PID:1768
-
\??\c:\28004.exec:\28004.exe78⤵PID:2808
-
\??\c:\lrlfllf.exec:\lrlfllf.exe79⤵PID:728
-
\??\c:\jjdvj.exec:\jjdvj.exe80⤵PID:1516
-
\??\c:\xrfxllx.exec:\xrfxllx.exe81⤵
- System Location Discovery: System Language Discovery
PID:4380 -
\??\c:\lxrffff.exec:\lxrffff.exe82⤵PID:4468
-
\??\c:\2688888.exec:\2688888.exe83⤵PID:4852
-
\??\c:\40622.exec:\40622.exe84⤵PID:4288
-
\??\c:\1pjpp.exec:\1pjpp.exe85⤵PID:464
-
\??\c:\5lxlxlf.exec:\5lxlxlf.exe86⤵PID:1696
-
\??\c:\lfllflf.exec:\lfllflf.exe87⤵PID:740
-
\??\c:\662822.exec:\662822.exe88⤵PID:932
-
\??\c:\ppvdd.exec:\ppvdd.exe89⤵PID:748
-
\??\c:\vjppj.exec:\vjppj.exe90⤵PID:4644
-
\??\c:\0040000.exec:\0040000.exe91⤵PID:1752
-
\??\c:\48000.exec:\48000.exe92⤵PID:4368
-
\??\c:\jvddd.exec:\jvddd.exe93⤵PID:3764
-
\??\c:\42042.exec:\42042.exe94⤵PID:4168
-
\??\c:\04000.exec:\04000.exe95⤵PID:3120
-
\??\c:\ppjdv.exec:\ppjdv.exe96⤵PID:3732
-
\??\c:\82888.exec:\82888.exe97⤵PID:3308
-
\??\c:\tnbtbh.exec:\tnbtbh.exe98⤵PID:3408
-
\??\c:\lfxrrrr.exec:\lfxrrrr.exe99⤵PID:944
-
\??\c:\tbhbtt.exec:\tbhbtt.exe100⤵PID:3104
-
\??\c:\hhnnth.exec:\hhnnth.exe101⤵PID:3356
-
\??\c:\826200.exec:\826200.exe102⤵PID:3004
-
\??\c:\682284.exec:\682284.exe103⤵PID:2384
-
\??\c:\040488.exec:\040488.exe104⤵PID:3520
-
\??\c:\0482648.exec:\0482648.exe105⤵PID:2728
-
\??\c:\6466444.exec:\6466444.exe106⤵PID:924
-
\??\c:\hhbtbn.exec:\hhbtbn.exe107⤵PID:3864
-
\??\c:\042840.exec:\042840.exe108⤵PID:1936
-
\??\c:\q84844.exec:\q84844.exe109⤵PID:792
-
\??\c:\086620.exec:\086620.exe110⤵PID:3064
-
\??\c:\vpjvj.exec:\vpjvj.exe111⤵PID:4796
-
\??\c:\fxrlfxl.exec:\fxrlfxl.exe112⤵PID:2144
-
\??\c:\dpvpv.exec:\dpvpv.exe113⤵PID:3016
-
\??\c:\622644.exec:\622644.exe114⤵PID:3148
-
\??\c:\9xfxrxl.exec:\9xfxrxl.exe115⤵PID:4780
-
\??\c:\2660006.exec:\2660006.exe116⤵PID:3156
-
\??\c:\hhthtn.exec:\hhthtn.exe117⤵PID:3512
-
\??\c:\rrrlfrl.exec:\rrrlfrl.exe118⤵PID:668
-
\??\c:\k46000.exec:\k46000.exe119⤵
- System Location Discovery: System Language Discovery
PID:1836 -
\??\c:\262480.exec:\262480.exe120⤵PID:4668
-
\??\c:\4800044.exec:\4800044.exe121⤵PID:4136
-
\??\c:\60260.exec:\60260.exe122⤵PID:2868