Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 06:06
Behavioral task
behavioral1
Sample
a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe
Resource
win7-20241023-en
7 signatures
150 seconds
Note: the behavioral1 task listed here ran on win7-20241023-en, whereas the platform/resource fields at the top of this report and every `behavioral2/` IoC path in the signature sections below describe the windows10-2004_x64 run; the signature evidence below should be read as belonging to behavioral2, not to this win7 task.
General
-
Target
a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe
-
Size
376KB
-
MD5
a06c7869f429375d6375bf32e50c8f9d
-
SHA1
cd7b62adeb9128eb0f6b237099ea70837f36c9a1
-
SHA256
a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1
-
SHA512
f14d7f35ba3f5230e5ba1e8e14c3fef54181015ea09d169ed9701e41fadf3b5693bbc9f3e7f85e0259cb5790ff08e41d3aff1356f5ca96bb085228a8430292a0
-
SSDEEP
6144:0cm4FmowdHoSHWVs+QEoD/dL/4oSlCIqbKRs4EkfRDaPRrnVkWHQmQ:C4wFHoS2Vs+IdMoSzqkR5RWVVWmQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
All hits below fall on the same 0x0000000000400000-0x0000000000427000 image range in each dropped process, consistent with the same payload being re-dropped under new file names (compare the UPX rule hits on the dropped .dat files and the same memory ranges further down).
resource yara_rule behavioral2/memory/8-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4216-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1156-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4236-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3352-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3540-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4020-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/744-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2528-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1288-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2836-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3124-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3796-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4240-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2984-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1976-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4044-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4628-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2776-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4108-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4664-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4236-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/932-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4136-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4352-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2580-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4812-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1808-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4176-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2560-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1948-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3680-440-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/616-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2668-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-522-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4524-580-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3896-626-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3912-660-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/372-682-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2796-695-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4052-759-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/900-814-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4724-1611-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 8 frxrlfx.exe 1156 xrrlflf.exe 5056 vvvvp.exe 4236 thnhbt.exe 932 8248440.exe 3252 2202824.exe 3352 xrrfxrx.exe 640 c082000.exe 3540 624044.exe 4020 nhttbb.exe 4420 440444.exe 744 jjdvp.exe 2528 jjdvj.exe 4388 646048.exe 3000 xfrrrrx.exe 1288 fxllfff.exe 208 82840.exe 4368 284486.exe 1472 htbhbb.exe 2836 6284620.exe 4812 68466.exe 1436 04488.exe 1504 s2826.exe 4652 8840048.exe 4592 m0488.exe 4048 64640.exe 3124 462200.exe 4984 fxfxlrl.exe 3796 frlfxrl.exe 4240 62826.exe 2984 3xxrffx.exe 2572 240822.exe 3676 66282.exe 1976 dvpjd.exe 4448 4288266.exe 4044 xxflxrx.exe 4488 48884.exe 4628 pdpjj.exe 2776 60608.exe 2024 7tnhbt.exe 4108 q66224.exe 4980 ddjjd.exe 2056 xlfxrrf.exe 4748 jjdvv.exe 4424 82408.exe 4412 88482.exe 4664 7nnhnh.exe 3536 c228226.exe 4008 g4048.exe 4940 w02260.exe 1832 hbhbbb.exe 1156 68228.exe 4340 htbttt.exe 4236 026082.exe 2164 lxlfrlr.exe 932 vpddj.exe 2308 lrxlxrl.exe 220 8060482.exe 2368 5bthbn.exe 4136 rfrlrrx.exe 2372 q80202.exe 1680 846260.exe 64 lxxlxrf.exe 4684 822622.exe -
resource yara_rule behavioral2/memory/4216-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023a3b-3.dat upx behavioral2/memory/8-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4216-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023a68-11.dat upx behavioral2/files/0x000c000000023a72-13.dat upx behavioral2/memory/1156-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5056-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023a73-22.dat upx behavioral2/memory/4236-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023a9f-29.dat upx behavioral2/files/0x0008000000023ace-33.dat upx behavioral2/files/0x0008000000023ad0-38.dat upx behavioral2/files/0x0009000000023ad4-43.dat upx behavioral2/memory/3352-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023adf-49.dat upx behavioral2/memory/3540-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023ae0-57.dat upx behavioral2/memory/4020-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/640-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4420-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4020-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023ae1-63.dat upx behavioral2/files/0x000d000000023a69-69.dat upx behavioral2/files/0x000c000000023ae2-74.dat upx behavioral2/memory/744-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-81.dat upx behavioral2/memory/2528-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-87.dat upx behavioral2/files/0x000a000000023b86-92.dat upx behavioral2/memory/1288-93-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b87-98.dat upx behavioral2/files/0x000a000000023b88-105.dat upx behavioral2/files/0x000a000000023b89-109.dat upx behavioral2/memory/208-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-113.dat upx behavioral2/files/0x000a000000023b8b-118.dat upx behavioral2/memory/2836-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-125.dat upx behavioral2/files/0x000a000000023b8d-131.dat upx behavioral2/memory/1436-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-135.dat upx behavioral2/memory/1504-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-140.dat upx behavioral2/files/0x000a000000023b91-146.dat upx behavioral2/files/0x000a000000023b92-151.dat upx behavioral2/memory/3124-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b93-158.dat upx behavioral2/memory/4048-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-162.dat upx behavioral2/memory/3796-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4984-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-169.dat upx behavioral2/memory/4240-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-176.dat upx behavioral2/memory/2984-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2984-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-183.dat upx behavioral2/memory/1976-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4044-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4628-208-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2776-212-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2024-216-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4108-220-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6288248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4222264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4848226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 880082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 240822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 686048.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2648260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2004260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
In the entries shown, every write is from a parent into the child it has just spawned (each target PID matches the next link in the process tree below), so this signature corroborates the self-replicating dropper chain rather than, by itself, demonstrating injection into an unrelated process.
description pid Process procid_target PID 4216 wrote to memory of 8 4216 a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe 84 PID 4216 wrote to memory of 8 4216 a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe 84 PID 4216 wrote to memory of 8 4216 a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe 84 PID 8 wrote to memory of 1156 8 frxrlfx.exe 85 PID 8 wrote to memory of 1156 8 frxrlfx.exe 85 PID 8 wrote to memory of 1156 8 frxrlfx.exe 85 PID 1156 wrote to memory of 5056 1156 xrrlflf.exe 86 PID 1156 wrote to memory of 5056 1156 xrrlflf.exe 86 PID 1156 wrote to memory of 5056 1156 xrrlflf.exe 86 PID 5056 wrote to memory of 4236 5056 vvvvp.exe 87 PID 5056 wrote to memory of 4236 5056 vvvvp.exe 87 PID 5056 wrote to memory of 4236 5056 vvvvp.exe 87 PID 4236 wrote to memory of 932 4236 thnhbt.exe 88 PID 4236 wrote to memory of 932 4236 thnhbt.exe 88 PID 4236 wrote to memory of 932 4236 thnhbt.exe 88 PID 932 wrote to memory of 3252 932 8248440.exe 89 PID 932 wrote to memory of 3252 932 8248440.exe 89 PID 932 wrote to memory of 3252 932 8248440.exe 89 PID 3252 wrote to memory of 3352 3252 2202824.exe 90 PID 3252 wrote to memory of 3352 3252 2202824.exe 90 PID 3252 wrote to memory of 3352 3252 2202824.exe 90 PID 3352 wrote to memory of 640 3352 xrrfxrx.exe 91 PID 3352 wrote to memory of 640 3352 xrrfxrx.exe 91 PID 3352 wrote to memory of 640 3352 xrrfxrx.exe 91 PID 640 wrote to memory of 3540 640 c082000.exe 92 PID 640 wrote to memory of 3540 640 c082000.exe 92 PID 640 wrote to memory of 3540 640 c082000.exe 92 PID 3540 wrote to memory of 4020 3540 624044.exe 93 PID 3540 wrote to memory of 4020 3540 624044.exe 93 PID 3540 wrote to memory of 4020 3540 624044.exe 93 PID 4020 wrote to memory of 4420 4020 nhttbb.exe 94 PID 4020 wrote to memory of 4420 4020 nhttbb.exe 94 PID 4020 wrote to memory of 4420 4020 nhttbb.exe 94 PID 4420 wrote to memory of 744 4420 440444.exe 95 PID 4420 wrote to memory of 744 4420 440444.exe 95 
PID 4420 wrote to memory of 744 4420 440444.exe 95 PID 744 wrote to memory of 2528 744 jjdvp.exe 96 PID 744 wrote to memory of 2528 744 jjdvp.exe 96 PID 744 wrote to memory of 2528 744 jjdvp.exe 96 PID 2528 wrote to memory of 4388 2528 jjdvj.exe 97 PID 2528 wrote to memory of 4388 2528 jjdvj.exe 97 PID 2528 wrote to memory of 4388 2528 jjdvj.exe 97 PID 4388 wrote to memory of 3000 4388 646048.exe 98 PID 4388 wrote to memory of 3000 4388 646048.exe 98 PID 4388 wrote to memory of 3000 4388 646048.exe 98 PID 3000 wrote to memory of 1288 3000 xfrrrrx.exe 99 PID 3000 wrote to memory of 1288 3000 xfrrrrx.exe 99 PID 3000 wrote to memory of 1288 3000 xfrrrrx.exe 99 PID 1288 wrote to memory of 208 1288 fxllfff.exe 100 PID 1288 wrote to memory of 208 1288 fxllfff.exe 100 PID 1288 wrote to memory of 208 1288 fxllfff.exe 100 PID 208 wrote to memory of 4368 208 82840.exe 101 PID 208 wrote to memory of 4368 208 82840.exe 101 PID 208 wrote to memory of 4368 208 82840.exe 101 PID 4368 wrote to memory of 1472 4368 284486.exe 102 PID 4368 wrote to memory of 1472 4368 284486.exe 102 PID 4368 wrote to memory of 1472 4368 284486.exe 102 PID 1472 wrote to memory of 2836 1472 htbhbb.exe 103 PID 1472 wrote to memory of 2836 1472 htbhbb.exe 103 PID 1472 wrote to memory of 2836 1472 htbhbb.exe 103 PID 2836 wrote to memory of 4812 2836 6284620.exe 104 PID 2836 wrote to memory of 4812 2836 6284620.exe 104 PID 2836 wrote to memory of 4812 2836 6284620.exe 104 PID 4812 wrote to memory of 1436 4812 68466.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe"C:\Users\Admin\AppData\Local\Temp\a4cf50085eb460de7843e8bc237b5a9508b11ed0ed995f61d839cf74032de8a1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\frxrlfx.exec:\frxrlfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\xrrlflf.exec:\xrrlflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\vvvvp.exec:\vvvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\thnhbt.exec:\thnhbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\8248440.exec:\8248440.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\2202824.exec:\2202824.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\xrrfxrx.exec:\xrrfxrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\c082000.exec:\c082000.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\624044.exec:\624044.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\nhttbb.exec:\nhttbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\440444.exec:\440444.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\jjdvp.exec:\jjdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\jjdvj.exec:\jjdvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\646048.exec:\646048.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\xfrrrrx.exec:\xfrrrrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\fxllfff.exec:\fxllfff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\82840.exec:\82840.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\284486.exec:\284486.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\htbhbb.exec:\htbhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\6284620.exec:\6284620.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\68466.exec:\68466.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\04488.exec:\04488.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1436 -
\??\c:\s2826.exec:\s2826.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504 -
\??\c:\8840048.exec:\8840048.exe25⤵
- Executes dropped EXE
PID:4652 -
\??\c:\m0488.exec:\m0488.exe26⤵
- Executes dropped EXE
PID:4592 -
\??\c:\64640.exec:\64640.exe27⤵
- Executes dropped EXE
PID:4048 -
\??\c:\462200.exec:\462200.exe28⤵
- Executes dropped EXE
PID:3124 -
\??\c:\fxfxlrl.exec:\fxfxlrl.exe29⤵
- Executes dropped EXE
PID:4984 -
\??\c:\frlfxrl.exec:\frlfxrl.exe30⤵
- Executes dropped EXE
PID:3796 -
\??\c:\62826.exec:\62826.exe31⤵
- Executes dropped EXE
PID:4240 -
\??\c:\3xxrffx.exec:\3xxrffx.exe32⤵
- Executes dropped EXE
PID:2984 -
\??\c:\240822.exec:\240822.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2572 -
\??\c:\66282.exec:\66282.exe34⤵
- Executes dropped EXE
PID:3676 -
\??\c:\dvpjd.exec:\dvpjd.exe35⤵
- Executes dropped EXE
PID:1976 -
\??\c:\4288266.exec:\4288266.exe36⤵
- Executes dropped EXE
PID:4448 -
\??\c:\xxflxrx.exec:\xxflxrx.exe37⤵
- Executes dropped EXE
PID:4044 -
\??\c:\48884.exec:\48884.exe38⤵
- Executes dropped EXE
PID:4488 -
\??\c:\pdpjj.exec:\pdpjj.exe39⤵
- Executes dropped EXE
PID:4628 -
\??\c:\60608.exec:\60608.exe40⤵
- Executes dropped EXE
PID:2776 -
\??\c:\7tnhbt.exec:\7tnhbt.exe41⤵
- Executes dropped EXE
PID:2024 -
\??\c:\q66224.exec:\q66224.exe42⤵
- Executes dropped EXE
PID:4108 -
\??\c:\ddjjd.exec:\ddjjd.exe43⤵
- Executes dropped EXE
PID:4980 -
\??\c:\xlfxrrf.exec:\xlfxrrf.exe44⤵
- Executes dropped EXE
PID:2056 -
\??\c:\jjdvv.exec:\jjdvv.exe45⤵
- Executes dropped EXE
PID:4748 -
\??\c:\82408.exec:\82408.exe46⤵
- Executes dropped EXE
PID:4424 -
\??\c:\88482.exec:\88482.exe47⤵
- Executes dropped EXE
PID:4412 -
\??\c:\7nnhnh.exec:\7nnhnh.exe48⤵
- Executes dropped EXE
PID:4664 -
\??\c:\c228226.exec:\c228226.exe49⤵
- Executes dropped EXE
PID:3536 -
\??\c:\g4048.exec:\g4048.exe50⤵
- Executes dropped EXE
PID:4008 -
\??\c:\w02260.exec:\w02260.exe51⤵
- Executes dropped EXE
PID:4940 -
\??\c:\hbhbbb.exec:\hbhbbb.exe52⤵
- Executes dropped EXE
PID:1832 -
\??\c:\68228.exec:\68228.exe53⤵
- Executes dropped EXE
PID:1156 -
\??\c:\htbttt.exec:\htbttt.exe54⤵
- Executes dropped EXE
PID:4340 -
\??\c:\026082.exec:\026082.exe55⤵
- Executes dropped EXE
PID:4236 -
\??\c:\lxlfrlr.exec:\lxlfrlr.exe56⤵
- Executes dropped EXE
PID:2164 -
\??\c:\vpddj.exec:\vpddj.exe57⤵
- Executes dropped EXE
PID:932 -
\??\c:\lrxlxrl.exec:\lrxlxrl.exe58⤵
- Executes dropped EXE
PID:2308 -
\??\c:\8060482.exec:\8060482.exe59⤵
- Executes dropped EXE
PID:220 -
\??\c:\5bthbn.exec:\5bthbn.exe60⤵
- Executes dropped EXE
PID:2368 -
\??\c:\rfrlrrx.exec:\rfrlrrx.exe61⤵
- Executes dropped EXE
PID:4136 -
\??\c:\q80202.exec:\q80202.exe62⤵
- Executes dropped EXE
PID:2372 -
\??\c:\846260.exec:\846260.exe63⤵
- Executes dropped EXE
PID:1680 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe64⤵
- Executes dropped EXE
PID:64 -
\??\c:\822622.exec:\822622.exe65⤵
- Executes dropped EXE
PID:4684 -
\??\c:\bbthhh.exec:\bbthhh.exe66⤵PID:4804
-
\??\c:\lxrllfx.exec:\lxrllfx.exe67⤵PID:4844
-
\??\c:\hhnbbt.exec:\hhnbbt.exe68⤵PID:4076
-
\??\c:\028226.exec:\028226.exe69⤵PID:4496
-
\??\c:\tbbtbt.exec:\tbbtbt.exe70⤵PID:4072
-
\??\c:\bntnbt.exec:\bntnbt.exe71⤵PID:1796
-
\??\c:\pjjdj.exec:\pjjdj.exe72⤵PID:4520
-
\??\c:\5tthbt.exec:\5tthbt.exe73⤵PID:4668
-
\??\c:\q68682.exec:\q68682.exe74⤵PID:4352
-
\??\c:\486000.exec:\486000.exe75⤵PID:3968
-
\??\c:\jvdvp.exec:\jvdvp.exe76⤵PID:2580
-
\??\c:\2626666.exec:\2626666.exe77⤵PID:2284
-
\??\c:\2844822.exec:\2844822.exe78⤵PID:2576
-
\??\c:\nbhnnn.exec:\nbhnnn.exe79⤵PID:4812
-
\??\c:\2084040.exec:\2084040.exe80⤵PID:1436
-
\??\c:\jjjpj.exec:\jjjpj.exe81⤵PID:3156
-
\??\c:\tnthbt.exec:\tnthbt.exe82⤵PID:4620
-
\??\c:\q84886.exec:\q84886.exe83⤵PID:4056
-
\??\c:\ffllffx.exec:\ffllffx.exe84⤵PID:1808
-
\??\c:\xflrxxf.exec:\xflrxxf.exe85⤵PID:4048
-
\??\c:\lxrlxxf.exec:\lxrlxxf.exe86⤵PID:916
-
\??\c:\46282.exec:\46282.exe87⤵PID:1676
-
\??\c:\60228.exec:\60228.exe88⤵PID:2488
-
\??\c:\62420.exec:\62420.exe89⤵PID:4536
-
\??\c:\rfrrrxx.exec:\rfrrrxx.exe90⤵PID:4176
-
\??\c:\064822.exec:\064822.exe91⤵PID:3412
-
\??\c:\xrxrlrl.exec:\xrxrlrl.exe92⤵PID:3948
-
\??\c:\2866226.exec:\2866226.exe93⤵PID:2984
-
\??\c:\jvjdd.exec:\jvjdd.exe94⤵PID:2572
-
\??\c:\dvjjd.exec:\dvjjd.exe95⤵
- System Location Discovery: System Language Discovery
PID:2172 -
\??\c:\i282682.exec:\i282682.exe96⤵PID:3488
-
\??\c:\c204002.exec:\c204002.exe97⤵PID:4104
-
\??\c:\9tnbth.exec:\9tnbth.exe98⤵PID:1208
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe99⤵PID:4952
-
\??\c:\bnnhbb.exec:\bnnhbb.exe100⤵PID:2560
-
\??\c:\tnnnhh.exec:\tnnnhh.exe101⤵PID:2744
-
\??\c:\rxrxrlx.exec:\rxrxrlx.exe102⤵PID:1556
-
\??\c:\066044.exec:\066044.exe103⤵PID:3624
-
\??\c:\dvddv.exec:\dvddv.exe104⤵PID:4380
-
\??\c:\6400824.exec:\6400824.exe105⤵PID:1948
-
\??\c:\tntthh.exec:\tntthh.exe106⤵PID:2056
-
\??\c:\0602064.exec:\0602064.exe107⤵PID:4532
-
\??\c:\622604.exec:\622604.exe108⤵PID:3680
-
\??\c:\42486.exec:\42486.exe109⤵PID:4880
-
\??\c:\llrrlfx.exec:\llrrlfx.exe110⤵PID:616
-
\??\c:\nhnhhb.exec:\nhnhhb.exe111⤵PID:716
-
\??\c:\htbttt.exec:\htbttt.exe112⤵PID:3912
-
\??\c:\dvpjj.exec:\dvpjj.exe113⤵PID:3504
-
\??\c:\7vvvj.exec:\7vvvj.exe114⤵PID:1832
-
\??\c:\vjvdp.exec:\vjvdp.exe115⤵PID:3576
-
\??\c:\640488.exec:\640488.exe116⤵PID:2292
-
\??\c:\ntbbtb.exec:\ntbbtb.exe117⤵PID:548
-
\??\c:\2004264.exec:\2004264.exe118⤵PID:4820
-
\??\c:\0226048.exec:\0226048.exe119⤵PID:4724
-
\??\c:\q22082.exec:\q22082.exe120⤵PID:3352
-
\??\c:\pvjdj.exec:\pvjdj.exe121⤵PID:3612
-
\??\c:\86042.exec:\86042.exe122⤵PID:3252