Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 23:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe
-
Size
452KB
-
MD5
62c1d9a088678e1601be87e3a7812ad2
-
SHA1
c9b441abd87a50d43067ce8ba674e5ec29f8dd82
-
SHA256
4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1
-
SHA512
f59ca0e23ae40d9736b31df83161245c6684540259ac8a704c4bec46b228e65ebad1fb5572962b94392af7a992c09f49b5ce52402e0ce023145e168985968f8c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4812-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4376-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4140-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-1145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/868-1251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4956 hntthh.exe 3640 lxlllrr.exe 2188 9xfxrrr.exe 4420 lflfxff.exe 3508 7htnnn.exe 2380 bnnhpp.exe 2472 86662.exe 2884 xrlfxxx.exe 5056 vjpjp.exe 2372 tntttb.exe 1424 00444.exe 3696 fxlrrxf.exe 5100 062664.exe 4876 dpvvv.exe 3648 1rfxxff.exe 1368 rllfxfl.exe 2316 vdvvd.exe 4220 0480668.exe 3356 frlffff.exe 1852 hnhtbb.exe 4008 806000.exe 1820 2648606.exe 4236 u264668.exe 2948 0062824.exe 3472 rlflllf.exe 4376 1bnnnn.exe 4796 lffffll.exe 540 w22284.exe 4944 tbhnhh.exe 2436 6202228.exe 532 tbtttt.exe 1264 pjvdp.exe 908 68628.exe 4544 xfxxflx.exe 4180 660028.exe 2028 06686.exe 3428 jjppj.exe 4988 xffxlxf.exe 2932 dvddd.exe 5016 bbnnbh.exe 2952 6666666.exe 4812 flfrxfl.exe 4956 i462222.exe 4148 884204.exe 3060 802228.exe 3468 3vvvv.exe 2188 1xlfflr.exe 2964 hntttb.exe 1964 e60626.exe 5008 lxxrfrl.exe 2708 tbhtnn.exe 1716 846600.exe 380 0800622.exe 4556 684066.exe 3376 7jpjd.exe 2372 464406.exe 1424 tttthh.exe 220 5hhhtt.exe 2440 nhnhbt.exe 3780 0400044.exe 4640 tntntt.exe 2220 jvjdd.exe 3408 4860662.exe 2424 3bbbtt.exe -
resource yara_rule behavioral2/memory/4812-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4796-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4508-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-991-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i206066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4800666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0682422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4812 wrote to memory of 4956 4812 4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe 83 PID 4812 wrote to memory of 4956 4812 4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe 83 PID 4812 wrote to memory of 4956 4812 4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe 83 PID 4956 wrote to memory of 3640 4956 hntthh.exe 84 PID 4956 wrote to memory of 3640 4956 hntthh.exe 84 PID 4956 wrote to memory of 3640 4956 hntthh.exe 84 PID 3640 wrote to memory of 2188 3640 lxlllrr.exe 85 PID 3640 wrote to memory of 2188 3640 lxlllrr.exe 85 PID 3640 wrote to memory of 2188 3640 lxlllrr.exe 85 PID 2188 wrote to memory of 4420 2188 9xfxrrr.exe 86 PID 2188 wrote to memory of 4420 2188 9xfxrrr.exe 86 PID 2188 wrote to memory of 4420 2188 9xfxrrr.exe 86 PID 4420 wrote to memory of 3508 4420 lflfxff.exe 87 PID 4420 wrote to memory of 3508 4420 lflfxff.exe 87 PID 4420 wrote to memory of 3508 4420 lflfxff.exe 87 PID 3508 wrote to memory of 2380 3508 7htnnn.exe 88 PID 3508 wrote to memory of 2380 3508 7htnnn.exe 88 PID 3508 wrote to memory of 2380 3508 7htnnn.exe 88 PID 2380 wrote to memory of 2472 2380 bnnhpp.exe 89 PID 2380 wrote to memory of 2472 2380 bnnhpp.exe 89 PID 2380 wrote to memory of 2472 2380 bnnhpp.exe 89 PID 2472 wrote to memory of 2884 2472 86662.exe 90 PID 2472 wrote to memory of 2884 2472 86662.exe 90 PID 2472 wrote to memory of 2884 2472 86662.exe 90 PID 2884 wrote to memory of 5056 2884 xrlfxxx.exe 91 PID 2884 wrote to memory of 5056 2884 xrlfxxx.exe 91 PID 2884 wrote to memory of 5056 2884 xrlfxxx.exe 91 PID 5056 wrote to memory of 2372 5056 vjpjp.exe 92 PID 5056 wrote to memory of 2372 5056 vjpjp.exe 92 PID 5056 wrote to memory of 2372 5056 vjpjp.exe 92 PID 2372 wrote to memory of 1424 2372 tntttb.exe 93 PID 2372 wrote to memory of 1424 2372 tntttb.exe 93 PID 2372 wrote to memory of 1424 2372 tntttb.exe 93 PID 1424 wrote to memory of 3696 1424 00444.exe 94 PID 1424 wrote 
to memory of 3696 1424 00444.exe 94 PID 1424 wrote to memory of 3696 1424 00444.exe 94 PID 3696 wrote to memory of 5100 3696 fxlrrxf.exe 95 PID 3696 wrote to memory of 5100 3696 fxlrrxf.exe 95 PID 3696 wrote to memory of 5100 3696 fxlrrxf.exe 95 PID 5100 wrote to memory of 4876 5100 062664.exe 96 PID 5100 wrote to memory of 4876 5100 062664.exe 96 PID 5100 wrote to memory of 4876 5100 062664.exe 96 PID 4876 wrote to memory of 3648 4876 dpvvv.exe 97 PID 4876 wrote to memory of 3648 4876 dpvvv.exe 97 PID 4876 wrote to memory of 3648 4876 dpvvv.exe 97 PID 3648 wrote to memory of 1368 3648 1rfxxff.exe 98 PID 3648 wrote to memory of 1368 3648 1rfxxff.exe 98 PID 3648 wrote to memory of 1368 3648 1rfxxff.exe 98 PID 1368 wrote to memory of 2316 1368 rllfxfl.exe 99 PID 1368 wrote to memory of 2316 1368 rllfxfl.exe 99 PID 1368 wrote to memory of 2316 1368 rllfxfl.exe 99 PID 2316 wrote to memory of 4220 2316 vdvvd.exe 100 PID 2316 wrote to memory of 4220 2316 vdvvd.exe 100 PID 2316 wrote to memory of 4220 2316 vdvvd.exe 100 PID 4220 wrote to memory of 3356 4220 0480668.exe 101 PID 4220 wrote to memory of 3356 4220 0480668.exe 101 PID 4220 wrote to memory of 3356 4220 0480668.exe 101 PID 3356 wrote to memory of 1852 3356 frlffff.exe 102 PID 3356 wrote to memory of 1852 3356 frlffff.exe 102 PID 3356 wrote to memory of 1852 3356 frlffff.exe 102 PID 1852 wrote to memory of 4008 1852 hnhtbb.exe 103 PID 1852 wrote to memory of 4008 1852 hnhtbb.exe 103 PID 1852 wrote to memory of 4008 1852 hnhtbb.exe 103 PID 4008 wrote to memory of 1820 4008 806000.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe"C:\Users\Admin\AppData\Local\Temp\4d593588e1af4e281b5cab102f5621d4c5dfe61aa60a1eed67089612a138ecb1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\hntthh.exec:\hntthh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\lxlllrr.exec:\lxlllrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\9xfxrrr.exec:\9xfxrrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\lflfxff.exec:\lflfxff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\7htnnn.exec:\7htnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\bnnhpp.exec:\bnnhpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\86662.exec:\86662.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\xrlfxxx.exec:\xrlfxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\vjpjp.exec:\vjpjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\tntttb.exec:\tntttb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\00444.exec:\00444.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\fxlrrxf.exec:\fxlrrxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\062664.exec:\062664.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\dpvvv.exec:\dpvvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\1rfxxff.exec:\1rfxxff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\rllfxfl.exec:\rllfxfl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\vdvvd.exec:\vdvvd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\0480668.exec:\0480668.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\frlffff.exec:\frlffff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\hnhtbb.exec:\hnhtbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\806000.exec:\806000.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\2648606.exec:\2648606.exe23⤵
- Executes dropped EXE
PID:1820 -
\??\c:\u264668.exec:\u264668.exe24⤵
- Executes dropped EXE
PID:4236 -
\??\c:\0062824.exec:\0062824.exe25⤵
- Executes dropped EXE
PID:2948 -
\??\c:\rlflllf.exec:\rlflllf.exe26⤵
- Executes dropped EXE
PID:3472 -
\??\c:\1bnnnn.exec:\1bnnnn.exe27⤵
- Executes dropped EXE
PID:4376 -
\??\c:\lffffll.exec:\lffffll.exe28⤵
- Executes dropped EXE
PID:4796 -
\??\c:\w22284.exec:\w22284.exe29⤵
- Executes dropped EXE
PID:540 -
\??\c:\tbhnhh.exec:\tbhnhh.exe30⤵
- Executes dropped EXE
PID:4944 -
\??\c:\6202228.exec:\6202228.exe31⤵
- Executes dropped EXE
PID:2436 -
\??\c:\tbtttt.exec:\tbtttt.exe32⤵
- Executes dropped EXE
PID:532 -
\??\c:\pjvdp.exec:\pjvdp.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1264 -
\??\c:\68628.exec:\68628.exe34⤵
- Executes dropped EXE
PID:908 -
\??\c:\xfxxflx.exec:\xfxxflx.exe35⤵
- Executes dropped EXE
PID:4544 -
\??\c:\660028.exec:\660028.exe36⤵
- Executes dropped EXE
PID:4180 -
\??\c:\06686.exec:\06686.exe37⤵
- Executes dropped EXE
PID:2028 -
\??\c:\jjppj.exec:\jjppj.exe38⤵
- Executes dropped EXE
PID:3428 -
\??\c:\xffxlxf.exec:\xffxlxf.exe39⤵
- Executes dropped EXE
PID:4988 -
\??\c:\dvddd.exec:\dvddd.exe40⤵
- Executes dropped EXE
PID:2932 -
\??\c:\bbnnbh.exec:\bbnnbh.exe41⤵
- Executes dropped EXE
PID:5016 -
\??\c:\1fllxfr.exec:\1fllxfr.exe42⤵PID:4388
-
\??\c:\6666666.exec:\6666666.exe43⤵
- Executes dropped EXE
PID:2952 -
\??\c:\flfrxfl.exec:\flfrxfl.exe44⤵
- Executes dropped EXE
PID:4812 -
\??\c:\i462222.exec:\i462222.exe45⤵
- Executes dropped EXE
PID:4956 -
\??\c:\884204.exec:\884204.exe46⤵
- Executes dropped EXE
PID:4148 -
\??\c:\802228.exec:\802228.exe47⤵
- Executes dropped EXE
PID:3060 -
\??\c:\3vvvv.exec:\3vvvv.exe48⤵
- Executes dropped EXE
PID:3468 -
\??\c:\1xlfflr.exec:\1xlfflr.exe49⤵
- Executes dropped EXE
PID:2188 -
\??\c:\hntttb.exec:\hntttb.exe50⤵
- Executes dropped EXE
PID:2964 -
\??\c:\e60626.exec:\e60626.exe51⤵
- Executes dropped EXE
PID:1964 -
\??\c:\lxxrfrl.exec:\lxxrfrl.exe52⤵
- Executes dropped EXE
PID:5008 -
\??\c:\tbhtnn.exec:\tbhtnn.exe53⤵
- Executes dropped EXE
PID:2708 -
\??\c:\846600.exec:\846600.exe54⤵
- Executes dropped EXE
PID:1716 -
\??\c:\0800622.exec:\0800622.exe55⤵
- Executes dropped EXE
PID:380 -
\??\c:\684066.exec:\684066.exe56⤵
- Executes dropped EXE
PID:4556 -
\??\c:\7jpjd.exec:\7jpjd.exe57⤵
- Executes dropped EXE
PID:3376 -
\??\c:\464406.exec:\464406.exe58⤵
- Executes dropped EXE
PID:2372 -
\??\c:\tttthh.exec:\tttthh.exe59⤵
- Executes dropped EXE
PID:1424 -
\??\c:\5hhhtt.exec:\5hhhtt.exe60⤵
- Executes dropped EXE
PID:220 -
\??\c:\nhnhbt.exec:\nhnhbt.exe61⤵
- Executes dropped EXE
PID:2440 -
\??\c:\0400044.exec:\0400044.exe62⤵
- Executes dropped EXE
PID:3780 -
\??\c:\tntntt.exec:\tntntt.exe63⤵
- Executes dropped EXE
PID:4640 -
\??\c:\jvjdd.exec:\jvjdd.exe64⤵
- Executes dropped EXE
PID:2220 -
\??\c:\4860662.exec:\4860662.exe65⤵
- Executes dropped EXE
PID:3408 -
\??\c:\3bbbtt.exec:\3bbbtt.exe66⤵
- Executes dropped EXE
PID:2424 -
\??\c:\thnhbb.exec:\thnhbb.exe67⤵PID:1476
-
\??\c:\thtntt.exec:\thtntt.exe68⤵PID:4176
-
\??\c:\2644888.exec:\2644888.exe69⤵PID:4504
-
\??\c:\3nnnhn.exec:\3nnnhn.exe70⤵PID:4140
-
\??\c:\5jjjj.exec:\5jjjj.exe71⤵PID:392
-
\??\c:\64444.exec:\64444.exe72⤵PID:1560
-
\??\c:\vdjdp.exec:\vdjdp.exe73⤵PID:1772
-
\??\c:\dpvpd.exec:\dpvpd.exe74⤵PID:3604
-
\??\c:\402200.exec:\402200.exe75⤵PID:3088
-
\??\c:\1tbtbb.exec:\1tbtbb.exe76⤵PID:2248
-
\??\c:\jvvpp.exec:\jvvpp.exe77⤵PID:4624
-
\??\c:\266404.exec:\266404.exe78⤵PID:4404
-
\??\c:\5rllfff.exec:\5rllfff.exe79⤵PID:4232
-
\??\c:\ttnntt.exec:\ttnntt.exe80⤵PID:2008
-
\??\c:\4806666.exec:\4806666.exe81⤵PID:1416
-
\??\c:\00826.exec:\00826.exe82⤵PID:1608
-
\??\c:\2600882.exec:\2600882.exe83⤵PID:4376
-
\??\c:\2068208.exec:\2068208.exe84⤵PID:4756
-
\??\c:\6822246.exec:\6822246.exe85⤵PID:2460
-
\??\c:\2282222.exec:\2282222.exe86⤵PID:4508
-
\??\c:\tttthh.exec:\tttthh.exe87⤵PID:1932
-
\??\c:\66222.exec:\66222.exe88⤵PID:5020
-
\??\c:\2824228.exec:\2824228.exe89⤵PID:4924
-
\??\c:\80666.exec:\80666.exe90⤵PID:4572
-
\??\c:\btbbbh.exec:\btbbbh.exe91⤵PID:4696
-
\??\c:\2608228.exec:\2608228.exe92⤵PID:1180
-
\??\c:\7ntttt.exec:\7ntttt.exe93⤵PID:4736
-
\??\c:\4482400.exec:\4482400.exe94⤵PID:1264
-
\??\c:\lfrrrrr.exec:\lfrrrrr.exe95⤵PID:3828
-
\??\c:\g6060.exec:\g6060.exe96⤵PID:4636
-
\??\c:\4462244.exec:\4462244.exe97⤵PID:3636
-
\??\c:\228888.exec:\228888.exe98⤵PID:116
-
\??\c:\22048.exec:\22048.exe99⤵PID:1032
-
\??\c:\400802.exec:\400802.exe100⤵PID:2868
-
\??\c:\jvvjv.exec:\jvvjv.exe101⤵PID:1212
-
\??\c:\80624.exec:\80624.exe102⤵PID:2792
-
\??\c:\3vjdp.exec:\3vjdp.exe103⤵PID:4288
-
\??\c:\468688.exec:\468688.exe104⤵PID:1736
-
\??\c:\82884.exec:\82884.exe105⤵PID:3840
-
\??\c:\vvppv.exec:\vvppv.exe106⤵PID:2328
-
\??\c:\pdvdj.exec:\pdvdj.exe107⤵PID:452
-
\??\c:\lxxxllx.exec:\lxxxllx.exe108⤵PID:832
-
\??\c:\222626.exec:\222626.exe109⤵PID:2136
-
\??\c:\604684.exec:\604684.exe110⤵PID:1184
-
\??\c:\2244440.exec:\2244440.exe111⤵PID:3084
-
\??\c:\3jppp.exec:\3jppp.exe112⤵PID:3412
-
\??\c:\c244442.exec:\c244442.exe113⤵PID:3452
-
\??\c:\4862666.exec:\4862666.exe114⤵PID:4500
-
\??\c:\pddvp.exec:\pddvp.exe115⤵
- System Location Discovery: System Language Discovery
PID:3804 -
\??\c:\9rxrfrl.exec:\9rxrfrl.exe116⤵PID:3548
-
\??\c:\jdvpd.exec:\jdvpd.exe117⤵PID:1716
-
\??\c:\tnnhbb.exec:\tnnhbb.exe118⤵PID:5012
-
\??\c:\2288000.exec:\2288000.exe119⤵PID:4764
-
\??\c:\bntnhh.exec:\bntnhh.exe120⤵PID:728
-
\??\c:\820446.exec:\820446.exe121⤵PID:3376
-
\??\c:\6806044.exec:\6806044.exe122⤵PID:4192