Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
16-12-2024 02:39
Behavioral task
behavioral1
Sample
42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
General
-
Target
42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe
-
Size
3.7MB
-
MD5
ea4ba7e109b21421ef014dfdc5704070
-
SHA1
3d84fc1d28303a2ac15ab8ea6ed332314ffba027
-
SHA256
42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08e
-
SHA512
dc83c2a355e82f400a40a9816285902c466df103bea5793fccc20eec1145100fc9132db232c38ba47b695286af89fd8f8659d20cbff6a7328c7374dfa1d28844
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98V:U6XLq/qPPslzKx/dJg1ErmNE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/3692-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3112-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4132-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4284-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1368-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1704-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2360-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2696-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3220-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/748-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/540-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/436-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1964-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4252-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4960-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/380-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3640-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4052-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1060-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1208-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2320-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4284-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1020-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1620-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1704-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2596-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1140-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1168-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1604-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4748-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4924-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1260-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1456-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3944-446-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-493-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3928-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-519-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4108-547-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1620-582-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/540-610-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2176-695-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2328-702-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-760-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2500-782-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1212-1333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 3112 004044.exe 4528 046488.exe 4588 44060.exe 552 bttbtb.exe 4132 xlxrxrr.exe 4284 466460.exe 4204 7xxxrxx.exe 1368 82260.exe 3368 lllffxl.exe 2360 nhthnn.exe 1704 rffxlrx.exe 2696 6862262.exe 3220 068808.exe 748 w22664.exe 2316 248480.exe 3980 pddpj.exe 540 a0886.exe 212 frxllfx.exe 2556 jdddd.exe 2500 vpvjd.exe 2248 2486486.exe 5076 84008.exe 436 bhnbtn.exe 1964 2282640.exe 5052 jvvjv.exe 3032 8024864.exe 4252 rlrllff.exe 4960 lxfxrfx.exe 2288 vpjdp.exe 5108 1nhbnh.exe 3344 44408.exe 380 vdvjd.exe 3640 42486.exe 4052 0240486.exe 1060 xlxlrff.exe 1208 btnbtn.exe 1608 pppjd.exe 3612 xrrffxl.exe 508 c842042.exe 1492 086042.exe 2388 2068886.exe 3312 3lrlfff.exe 4108 868282.exe 1644 28666.exe 1104 2088288.exe 5060 3hbtnh.exe 3276 nntnhb.exe 2320 2280066.exe 4304 7djpp.exe 4284 bhbtnt.exe 1524 6204826.exe 1820 xrrrllf.exe 3656 pvjpd.exe 1020 8660600.exe 1620 9vvvp.exe 1704 868888.exe 3116 9ddvd.exe 2596 428220.exe 2624 2862604.exe 3108 jvjvp.exe 1140 2622228.exe 2284 20482.exe 5084 806644.exe 3080 tnhhbt.exe -
resource yara_rule behavioral2/memory/3692-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b99-2.dat upx behavioral2/memory/3692-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c90-9.dat upx behavioral2/memory/3112-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c8d-13.dat upx behavioral2/memory/4528-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-21.dat upx behavioral2/memory/4588-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-27.dat upx behavioral2/memory/4132-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4132-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-36.dat upx behavioral2/files/0x0007000000023c94-40.dat upx behavioral2/memory/4204-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4284-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4204-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-46.dat upx behavioral2/memory/1368-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-52.dat upx behavioral2/files/0x0007000000023c97-58.dat upx behavioral2/memory/3368-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-64.dat upx behavioral2/memory/1704-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2360-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-73.dat upx behavioral2/memory/2696-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-79.dat upx behavioral2/files/0x0007000000023c9c-82.dat upx behavioral2/memory/3220-84-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c9d-88.dat upx behavioral2/memory/748-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-94.dat upx behavioral2/memory/2316-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-100.dat upx behavioral2/memory/540-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3980-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-107.dat upx behavioral2/files/0x0007000000023ca1-112.dat upx behavioral2/files/0x0007000000023ca2-117.dat upx behavioral2/files/0x0007000000023ca3-123.dat upx behavioral2/files/0x0007000000023ca4-127.dat upx behavioral2/memory/2248-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5076-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-135.dat upx behavioral2/files/0x0007000000023ca6-139.dat upx behavioral2/memory/436-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-145.dat upx behavioral2/memory/1964-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-151.dat upx behavioral2/files/0x0007000000023ca9-156.dat upx behavioral2/files/0x000200000001e748-161.dat upx behavioral2/memory/4252-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4960-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-167.dat upx behavioral2/files/0x0007000000023cad-173.dat upx behavioral2/files/0x0007000000023cae-178.dat upx behavioral2/files/0x0007000000023caf-183.dat upx behavioral2/memory/380-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3640-193-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4052-197-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1060-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1208-205-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1608-209-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 248480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6448060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 602226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2808608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o444444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8664860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrxrr.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e22866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6442642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlllxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8608220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfflrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w82828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2844882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0244822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6444882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c282004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlfxr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3692 wrote to memory of 3112 3692 42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe 83 PID 3692 wrote to memory of 3112 3692 42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe 83 PID 3692 wrote to memory of 3112 3692 42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe 83 PID 3112 wrote to memory of 4528 3112 004044.exe 84 PID 3112 wrote to memory of 4528 3112 004044.exe 84 PID 3112 wrote to memory of 4528 3112 004044.exe 84 PID 4528 wrote to memory of 4588 4528 046488.exe 85 PID 4528 wrote to memory of 4588 4528 046488.exe 85 PID 4528 wrote to memory of 4588 4528 046488.exe 85 PID 4588 wrote to memory of 552 4588 44060.exe 86 PID 4588 wrote to memory of 552 4588 44060.exe 86 PID 4588 wrote to memory of 552 4588 44060.exe 86 PID 552 wrote to memory of 4132 552 bttbtb.exe 87 PID 552 wrote to memory of 4132 552 bttbtb.exe 87 PID 552 wrote to memory of 4132 552 bttbtb.exe 87 PID 4132 wrote to memory of 4284 4132 xlxrxrr.exe 88 PID 4132 wrote to memory of 4284 4132 xlxrxrr.exe 88 PID 4132 wrote to memory of 4284 4132 xlxrxrr.exe 88 PID 4284 wrote to memory of 4204 4284 466460.exe 89 PID 4284 wrote to memory of 4204 4284 466460.exe 89 PID 4284 wrote to memory of 4204 4284 466460.exe 89 PID 4204 wrote to memory of 1368 4204 7xxxrxx.exe 90 PID 4204 wrote to memory of 1368 4204 7xxxrxx.exe 90 PID 4204 wrote to memory of 1368 4204 7xxxrxx.exe 90 PID 1368 wrote to memory of 3368 1368 82260.exe 91 PID 1368 wrote to memory of 3368 1368 82260.exe 91 PID 1368 wrote to memory of 3368 1368 82260.exe 91 PID 3368 wrote to memory of 2360 3368 lllffxl.exe 92 PID 3368 wrote to memory of 2360 3368 lllffxl.exe 92 PID 3368 wrote to memory of 2360 3368 lllffxl.exe 92 PID 2360 wrote to memory of 1704 2360 nhthnn.exe 93 PID 2360 wrote to memory of 1704 2360 nhthnn.exe 93 PID 2360 wrote to memory of 1704 2360 nhthnn.exe 93 PID 1704 wrote to memory of 2696 1704 rffxlrx.exe 94 PID 1704 wrote to 
memory of 2696 1704 rffxlrx.exe 94 PID 1704 wrote to memory of 2696 1704 rffxlrx.exe 94 PID 2696 wrote to memory of 3220 2696 6862262.exe 95 PID 2696 wrote to memory of 3220 2696 6862262.exe 95 PID 2696 wrote to memory of 3220 2696 6862262.exe 95 PID 3220 wrote to memory of 748 3220 068808.exe 96 PID 3220 wrote to memory of 748 3220 068808.exe 96 PID 3220 wrote to memory of 748 3220 068808.exe 96 PID 748 wrote to memory of 2316 748 w22664.exe 97 PID 748 wrote to memory of 2316 748 w22664.exe 97 PID 748 wrote to memory of 2316 748 w22664.exe 97 PID 2316 wrote to memory of 3980 2316 248480.exe 98 PID 2316 wrote to memory of 3980 2316 248480.exe 98 PID 2316 wrote to memory of 3980 2316 248480.exe 98 PID 3980 wrote to memory of 540 3980 pddpj.exe 99 PID 3980 wrote to memory of 540 3980 pddpj.exe 99 PID 3980 wrote to memory of 540 3980 pddpj.exe 99 PID 540 wrote to memory of 212 540 a0886.exe 100 PID 540 wrote to memory of 212 540 a0886.exe 100 PID 540 wrote to memory of 212 540 a0886.exe 100 PID 212 wrote to memory of 2556 212 frxllfx.exe 101 PID 212 wrote to memory of 2556 212 frxllfx.exe 101 PID 212 wrote to memory of 2556 212 frxllfx.exe 101 PID 2556 wrote to memory of 2500 2556 jdddd.exe 102 PID 2556 wrote to memory of 2500 2556 jdddd.exe 102 PID 2556 wrote to memory of 2500 2556 jdddd.exe 102 PID 2500 wrote to memory of 2248 2500 vpvjd.exe 103 PID 2500 wrote to memory of 2248 2500 vpvjd.exe 103 PID 2500 wrote to memory of 2248 2500 vpvjd.exe 103 PID 2248 wrote to memory of 5076 2248 2486486.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe"C:\Users\Admin\AppData\Local\Temp\42ce4e207acb9418f80ae68b37b2c974cdaa43c01529033404cc0092b374c08eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\004044.exec:\004044.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\046488.exec:\046488.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\44060.exec:\44060.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\bttbtb.exec:\bttbtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\xlxrxrr.exec:\xlxrxrr.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\466460.exec:\466460.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\7xxxrxx.exec:\7xxxrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\82260.exec:\82260.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\lllffxl.exec:\lllffxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\nhthnn.exec:\nhthnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\rffxlrx.exec:\rffxlrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\6862262.exec:\6862262.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\068808.exec:\068808.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\w22664.exec:\w22664.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\248480.exec:\248480.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\pddpj.exec:\pddpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\a0886.exec:\a0886.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\frxllfx.exec:\frxllfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\jdddd.exec:\jdddd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\vpvjd.exec:\vpvjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\2486486.exec:\2486486.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\84008.exec:\84008.exe23⤵
- Executes dropped EXE
PID:5076 -
\??\c:\bhnbtn.exec:\bhnbtn.exe24⤵
- Executes dropped EXE
PID:436 -
\??\c:\2282640.exec:\2282640.exe25⤵
- Executes dropped EXE
PID:1964 -
\??\c:\jvvjv.exec:\jvvjv.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5052 -
\??\c:\8024864.exec:\8024864.exe27⤵
- Executes dropped EXE
PID:3032 -
\??\c:\rlrllff.exec:\rlrllff.exe28⤵
- Executes dropped EXE
PID:4252 -
\??\c:\lxfxrfx.exec:\lxfxrfx.exe29⤵
- Executes dropped EXE
PID:4960 -
\??\c:\vpjdp.exec:\vpjdp.exe30⤵
- Executes dropped EXE
PID:2288 -
\??\c:\1nhbnh.exec:\1nhbnh.exe31⤵
- Executes dropped EXE
PID:5108 -
\??\c:\44408.exec:\44408.exe32⤵
- Executes dropped EXE
PID:3344 -
\??\c:\vdvjd.exec:\vdvjd.exe33⤵
- Executes dropped EXE
PID:380 -
\??\c:\42486.exec:\42486.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3640 -
\??\c:\0240486.exec:\0240486.exe35⤵
- Executes dropped EXE
PID:4052 -
\??\c:\xlxlrff.exec:\xlxlrff.exe36⤵
- Executes dropped EXE
PID:1060 -
\??\c:\btnbtn.exec:\btnbtn.exe37⤵
- Executes dropped EXE
PID:1208 -
\??\c:\pppjd.exec:\pppjd.exe38⤵
- Executes dropped EXE
PID:1608 -
\??\c:\xrrffxl.exec:\xrrffxl.exe39⤵
- Executes dropped EXE
PID:3612 -
\??\c:\c842042.exec:\c842042.exe40⤵
- Executes dropped EXE
PID:508 -
\??\c:\086042.exec:\086042.exe41⤵
- Executes dropped EXE
PID:1492 -
\??\c:\2068886.exec:\2068886.exe42⤵
- Executes dropped EXE
PID:2388 -
\??\c:\3lrlfff.exec:\3lrlfff.exe43⤵
- Executes dropped EXE
PID:3312 -
\??\c:\868282.exec:\868282.exe44⤵
- Executes dropped EXE
PID:4108 -
\??\c:\28666.exec:\28666.exe45⤵
- Executes dropped EXE
PID:1644 -
\??\c:\2088288.exec:\2088288.exe46⤵
- Executes dropped EXE
PID:1104 -
\??\c:\3hbtnh.exec:\3hbtnh.exe47⤵
- Executes dropped EXE
PID:5060 -
\??\c:\nntnhb.exec:\nntnhb.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3276 -
\??\c:\2280066.exec:\2280066.exe49⤵
- Executes dropped EXE
PID:2320 -
\??\c:\7djpp.exec:\7djpp.exe50⤵
- Executes dropped EXE
PID:4304 -
\??\c:\bhbtnt.exec:\bhbtnt.exe51⤵
- Executes dropped EXE
PID:4284 -
\??\c:\6204826.exec:\6204826.exe52⤵
- Executes dropped EXE
PID:1524 -
\??\c:\xrrrllf.exec:\xrrrllf.exe53⤵
- Executes dropped EXE
PID:1820 -
\??\c:\pvjpd.exec:\pvjpd.exe54⤵
- Executes dropped EXE
PID:3656 -
\??\c:\8660600.exec:\8660600.exe55⤵
- Executes dropped EXE
PID:1020 -
\??\c:\9vvvp.exec:\9vvvp.exe56⤵
- Executes dropped EXE
PID:1620 -
\??\c:\868888.exec:\868888.exe57⤵
- Executes dropped EXE
PID:1704 -
\??\c:\9ddvd.exec:\9ddvd.exe58⤵
- Executes dropped EXE
PID:3116 -
\??\c:\428220.exec:\428220.exe59⤵
- Executes dropped EXE
PID:2596 -
\??\c:\2862604.exec:\2862604.exe60⤵
- Executes dropped EXE
PID:2624 -
\??\c:\jvjvp.exec:\jvjvp.exe61⤵
- Executes dropped EXE
PID:3108 -
\??\c:\2622228.exec:\2622228.exe62⤵
- Executes dropped EXE
PID:1140 -
\??\c:\20482.exec:\20482.exe63⤵
- Executes dropped EXE
PID:2284 -
\??\c:\806644.exec:\806644.exe64⤵
- Executes dropped EXE
PID:5084 -
\??\c:\tnhhbt.exec:\tnhhbt.exe65⤵
- Executes dropped EXE
PID:3080 -
\??\c:\pdppj.exec:\pdppj.exe66⤵PID:4520
-
\??\c:\8406448.exec:\8406448.exe67⤵PID:540
-
\??\c:\06886.exec:\06886.exe68⤵PID:532
-
\??\c:\jvdjd.exec:\jvdjd.exe69⤵PID:4240
-
\??\c:\lfrrlff.exec:\lfrrlff.exe70⤵PID:1168
-
\??\c:\vjppp.exec:\vjppp.exe71⤵
- System Location Discovery: System Language Discovery
PID:1972 -
\??\c:\nhhhhh.exec:\nhhhhh.exe72⤵PID:1604
-
\??\c:\5nhtnh.exec:\5nhtnh.exe73⤵PID:4748
-
\??\c:\ppvpj.exec:\ppvpj.exe74⤵PID:4020
-
\??\c:\vvpjd.exec:\vvpjd.exe75⤵PID:4272
-
\??\c:\rrrrxxf.exec:\rrrrxxf.exe76⤵PID:664
-
\??\c:\lfxrxxx.exec:\lfxrxxx.exe77⤵PID:4924
-
\??\c:\pjvpp.exec:\pjvpp.exe78⤵PID:5016
-
\??\c:\tttnhb.exec:\tttnhb.exe79⤵PID:3532
-
\??\c:\thhbtn.exec:\thhbtn.exe80⤵PID:220
-
\??\c:\488822.exec:\488822.exe81⤵PID:5108
-
\??\c:\hbbbhb.exec:\hbbbhb.exe82⤵PID:1260
-
\??\c:\btntnt.exec:\btntnt.exe83⤵
- System Location Discovery: System Language Discovery
PID:2008 -
\??\c:\846004.exec:\846004.exe84⤵PID:1388
-
\??\c:\vjjdd.exec:\vjjdd.exe85⤵PID:1576
-
\??\c:\w46604.exec:\w46604.exe86⤵PID:720
-
\??\c:\84004.exec:\84004.exe87⤵PID:1900
-
\??\c:\dpjjj.exec:\dpjjj.exe88⤵PID:2140
-
\??\c:\044888.exec:\044888.exe89⤵PID:3700
-
\??\c:\660286.exec:\660286.exe90⤵PID:1264
-
\??\c:\1ppjd.exec:\1ppjd.exe91⤵PID:4828
-
\??\c:\m4486.exec:\m4486.exe92⤵PID:1276
-
\??\c:\q22648.exec:\q22648.exe93⤵PID:388
-
\??\c:\vvdvp.exec:\vvdvp.exe94⤵PID:4256
-
\??\c:\86826.exec:\86826.exe95⤵PID:5072
-
\??\c:\66660.exec:\66660.exe96⤵PID:1456
-
\??\c:\xrfxxxl.exec:\xrfxxxl.exe97⤵PID:3724
-
\??\c:\dpppj.exec:\dpppj.exe98⤵PID:4080
-
\??\c:\rrrlrlr.exec:\rrrlrlr.exe99⤵
- System Location Discovery: System Language Discovery
PID:4304 -
\??\c:\7ttntn.exec:\7ttntn.exe100⤵PID:4284
-
\??\c:\2660448.exec:\2660448.exe101⤵PID:2096
-
\??\c:\44004.exec:\44004.exe102⤵PID:2380
-
\??\c:\6628288.exec:\6628288.exe103⤵PID:684
-
\??\c:\68426.exec:\68426.exe104⤵PID:716
-
\??\c:\262604.exec:\262604.exe105⤵PID:4780
-
\??\c:\vvddv.exec:\vvddv.exe106⤵PID:312
-
\??\c:\3ddpj.exec:\3ddpj.exe107⤵PID:1484
-
\??\c:\60600.exec:\60600.exe108⤵PID:4168
-
\??\c:\jpvpp.exec:\jpvpp.exe109⤵PID:4260
-
\??\c:\jddjd.exec:\jddjd.exe110⤵PID:2516
-
\??\c:\2060482.exec:\2060482.exe111⤵PID:3944
-
\??\c:\w48888.exec:\w48888.exe112⤵PID:2080
-
\??\c:\848204.exec:\848204.exe113⤵PID:3980
-
\??\c:\06808.exec:\06808.exe114⤵PID:5084
-
\??\c:\xrlxrfx.exec:\xrlxrfx.exe115⤵PID:3080
-
\??\c:\bnhthb.exec:\bnhthb.exe116⤵PID:2988
-
\??\c:\httnhh.exec:\httnhh.exe117⤵PID:2604
-
\??\c:\046482.exec:\046482.exe118⤵PID:4112
-
\??\c:\86828.exec:\86828.exe119⤵PID:1824
-
\??\c:\0448604.exec:\0448604.exe120⤵PID:3620
-
\??\c:\7flxlfx.exec:\7flxlfx.exe121⤵
- System Location Discovery: System Language Discovery
PID:2524 -
\??\c:\5vjvp.exec:\5vjvp.exe122⤵PID:436
-