Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:51
Behavioral task
behavioral1
Sample
a357d1cf9a73373b436220c52a127800fca57127b6479653db3a90e08b894806N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
a357d1cf9a73373b436220c52a127800fca57127b6479653db3a90e08b894806N.exe
-
Size
79KB
-
MD5
8ea95fca637773558f2e3d4360a02ed0
-
SHA1
7ca368a7397acf854d954f326d381118530ac5b9
-
SHA256
a357d1cf9a73373b436220c52a127800fca57127b6479653db3a90e08b894806
-
SHA512
203b0c42d48ae823b5ee657d709b0fd0d9ac966208318d0f1fe2371ad5bdbd8c852b83a3791cc51f98a92740e36a7a0e0dfd7a731b33865e9994983888738095
-
SSDEEP
1536:xvQBeOGtrYS3srx93UBWfwC6Ggnouy82F13w1rCJtzx8/p7ke2f:xhOmTsF93UYfwC6GIout03LzGFK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4656-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/692-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2956-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4664-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2060-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1204-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4312-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3840-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3228-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/928-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3672-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1692-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4052-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1164-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1636-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4324-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1320-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2492-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2532-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/972-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2032-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2788-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2672-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2888-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2300-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3408-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3464-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3624-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2304-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1752-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-441-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3148-481-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2156-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-528-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1104-532-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-563-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1968-573-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2988-658-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1364-1302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3996-1330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 692 u826200.exe 2956 e86826.exe 2024 28860.exe 4664 e28282.exe 1204 440426.exe 2060 hbthtn.exe 1432 xxfrfxr.exe 2468 llfllrf.exe 4312 486046.exe 3900 xxxflll.exe 3840 c260426.exe 3548 6686482.exe 5080 7ttnhh.exe 3228 bbbnbt.exe 4636 xxxrfxl.exe 3464 08420.exe 4652 9llxlfr.exe 1700 g2820.exe 928 btthtb.exe 4436 60224.exe 3672 frrfxxr.exe 1096 860648.exe 1692 dvdpd.exe 1696 hbhhnb.exe 2316 lxlxxlx.exe 4052 nbnhtn.exe 1164 q20482.exe 5064 nntnbt.exe 1636 428286.exe 4324 dpvjv.exe 1320 lfxlxrf.exe 2492 9lxlxlf.exe 4980 82882.exe 872 c242648.exe 2532 08822.exe 960 3ntnbt.exe 2336 00820.exe 972 bnhbnh.exe 2288 4288482.exe 4480 hhnbnh.exe 2032 vpjvj.exe 2796 pvvjp.exe 4188 5xrlxlf.exe 2788 hhhtnh.exe 4792 g2208.exe 2188 xrfrfxl.exe 2672 48886.exe 4580 u620860.exe 3600 jppdv.exe 720 lxlfrrl.exe 224 7rxlrlr.exe 4464 88288.exe 2084 282260.exe 2956 2066226.exe 2024 lxxxlfr.exe 2888 4020448.exe 2472 nhbttn.exe 3940 4826262.exe 2724 884448.exe 4292 04660.exe 3812 k24826.exe 1960 g2488.exe 2300 068200.exe 4312 pvpjd.exe -
resource yara_rule behavioral2/memory/4656-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b27-3.dat upx behavioral2/memory/4656-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-9.dat upx behavioral2/memory/692-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2956-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-11.dat upx behavioral2/memory/2956-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2024-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-24.dat upx behavioral2/memory/2024-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-29.dat upx behavioral2/memory/4664-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-36.dat upx behavioral2/memory/2060-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-42.dat upx behavioral2/memory/1204-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-47.dat upx behavioral2/memory/1432-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-53.dat upx behavioral2/memory/2468-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-59.dat upx behavioral2/memory/4312-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3900-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-67.dat upx behavioral2/files/0x000a000000023b8e-71.dat upx behavioral2/memory/3548-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3840-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-78.dat upx behavioral2/files/0x000a000000023b90-83.dat upx 
behavioral2/memory/5080-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-89.dat upx behavioral2/memory/3228-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-95.dat upx behavioral2/memory/4636-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b93-101.dat upx behavioral2/files/0x000a000000023b94-106.dat upx behavioral2/memory/4652-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1700-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-113.dat upx behavioral2/memory/928-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-118.dat upx behavioral2/memory/4436-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-123.dat upx behavioral2/memory/3672-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-129.dat upx behavioral2/files/0x000b000000023b81-134.dat upx behavioral2/memory/1692-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-142.dat upx behavioral2/memory/1692-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-146.dat upx behavioral2/files/0x000a000000023b9b-151.dat upx behavioral2/memory/2316-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9c-157.dat upx behavioral2/memory/4052-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1164-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9d-165.dat upx behavioral2/files/0x000a000000023b9e-170.dat upx behavioral2/files/0x000a000000023b9f-174.dat upx behavioral2/memory/1636-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023ba0-180.dat upx 
behavioral2/memory/4324-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1320-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023ba1-186.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4042.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2804000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0288882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2800000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4656 wrote to memory of 692 4656 a357d1cf9a73373b436220c52a127800fca57127b6479653db3a90e08b894806N.exe 83 PID 4656 wrote to memory of 692 4656 a357d1cf9a73373b436220c52a127800fca57127b6479653db3a90e08b894806N.exe 83 PID 4656 wrote to memory of 692 4656 a357d1cf9a73373b436220c52a127800fca57127b6479653db3a90e08b894806N.exe 83 PID 692 wrote to memory of 2956 692 u826200.exe 84 PID 692 wrote to memory of 2956 692 u826200.exe 84 PID 692 wrote to memory of 2956 692 u826200.exe 84 PID 2956 wrote to memory of 2024 2956 e86826.exe 85 PID 2956 wrote to memory of 2024 2956 e86826.exe 85 PID 2956 wrote to memory of 2024 2956 e86826.exe 85 PID 2024 wrote to memory of 4664 2024 28860.exe 86 PID 2024 wrote to memory of 4664 2024 28860.exe 86 PID 2024 wrote to memory of 4664 2024 28860.exe 86 PID 4664 wrote to memory of 1204 4664 e28282.exe 87 PID 4664 wrote to memory of 1204 4664 e28282.exe 87 PID 4664 wrote to memory of 1204 4664 e28282.exe 87 PID 1204 wrote to memory of 2060 1204 440426.exe 88 PID 1204 wrote to memory of 2060 1204 440426.exe 88 PID 1204 wrote to memory of 2060 1204 440426.exe 88 PID 2060 wrote to memory of 1432 2060 hbthtn.exe 89 PID 2060 wrote to memory of 1432 2060 hbthtn.exe 89 PID 2060 wrote to memory of 1432 2060 hbthtn.exe 89 PID 1432 wrote to memory of 2468 1432 xxfrfxr.exe 90 PID 1432 wrote to memory of 2468 1432 xxfrfxr.exe 90 PID 1432 wrote to memory of 2468 1432 xxfrfxr.exe 90 PID 2468 wrote to memory of 4312 2468 llfllrf.exe 91 PID 2468 wrote to memory of 4312 2468 llfllrf.exe 91 PID 2468 wrote to memory of 4312 2468 llfllrf.exe 91 PID 4312 wrote to memory of 3900 4312 486046.exe 92 PID 4312 wrote to memory of 3900 4312 486046.exe 92 PID 4312 wrote to memory of 3900 4312 486046.exe 92 PID 3900 wrote to memory of 3840 3900 xxxflll.exe 93 PID 3900 wrote to memory of 3840 3900 xxxflll.exe 93 PID 3900 wrote to memory of 3840 3900 xxxflll.exe 93 PID 3840 wrote to memory of 3548 3840 c260426.exe 94 PID 3840 wrote 
to memory of 3548 3840 c260426.exe 94 PID 3840 wrote to memory of 3548 3840 c260426.exe 94 PID 3548 wrote to memory of 5080 3548 6686482.exe 95 PID 3548 wrote to memory of 5080 3548 6686482.exe 95 PID 3548 wrote to memory of 5080 3548 6686482.exe 95 PID 5080 wrote to memory of 3228 5080 7ttnhh.exe 96 PID 5080 wrote to memory of 3228 5080 7ttnhh.exe 96 PID 5080 wrote to memory of 3228 5080 7ttnhh.exe 96 PID 3228 wrote to memory of 4636 3228 bbbnbt.exe 97 PID 3228 wrote to memory of 4636 3228 bbbnbt.exe 97 PID 3228 wrote to memory of 4636 3228 bbbnbt.exe 97 PID 4636 wrote to memory of 3464 4636 xxxrfxl.exe 98 PID 4636 wrote to memory of 3464 4636 xxxrfxl.exe 98 PID 4636 wrote to memory of 3464 4636 xxxrfxl.exe 98 PID 3464 wrote to memory of 4652 3464 08420.exe 99 PID 3464 wrote to memory of 4652 3464 08420.exe 99 PID 3464 wrote to memory of 4652 3464 08420.exe 99 PID 4652 wrote to memory of 1700 4652 9llxlfr.exe 100 PID 4652 wrote to memory of 1700 4652 9llxlfr.exe 100 PID 4652 wrote to memory of 1700 4652 9llxlfr.exe 100 PID 1700 wrote to memory of 928 1700 g2820.exe 101 PID 1700 wrote to memory of 928 1700 g2820.exe 101 PID 1700 wrote to memory of 928 1700 g2820.exe 101 PID 928 wrote to memory of 4436 928 btthtb.exe 102 PID 928 wrote to memory of 4436 928 btthtb.exe 102 PID 928 wrote to memory of 4436 928 btthtb.exe 102 PID 4436 wrote to memory of 3672 4436 60224.exe 103 PID 4436 wrote to memory of 3672 4436 60224.exe 103 PID 4436 wrote to memory of 3672 4436 60224.exe 103 PID 3672 wrote to memory of 1096 3672 frrfxxr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a357d1cf9a73373b436220c52a127800fca57127b6479653db3a90e08b894806N.exe"C:\Users\Admin\AppData\Local\Temp\a357d1cf9a73373b436220c52a127800fca57127b6479653db3a90e08b894806N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\u826200.exec:\u826200.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\e86826.exec:\e86826.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\28860.exec:\28860.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\e28282.exec:\e28282.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\440426.exec:\440426.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\hbthtn.exec:\hbthtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\xxfrfxr.exec:\xxfrfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\llfllrf.exec:\llfllrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\486046.exec:\486046.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\xxxflll.exec:\xxxflll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\c260426.exec:\c260426.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\6686482.exec:\6686482.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\7ttnhh.exec:\7ttnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\bbbnbt.exec:\bbbnbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\xxxrfxl.exec:\xxxrfxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\08420.exec:\08420.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\9llxlfr.exec:\9llxlfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\g2820.exec:\g2820.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\btthtb.exec:\btthtb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
\??\c:\60224.exec:\60224.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\frrfxxr.exec:\frrfxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\860648.exec:\860648.exe23⤵
- Executes dropped EXE
PID:1096 -
\??\c:\dvdpd.exec:\dvdpd.exe24⤵
- Executes dropped EXE
PID:1692 -
\??\c:\hbhhnb.exec:\hbhhnb.exe25⤵
- Executes dropped EXE
PID:1696 -
\??\c:\lxlxxlx.exec:\lxlxxlx.exe26⤵
- Executes dropped EXE
PID:2316 -
\??\c:\nbnhtn.exec:\nbnhtn.exe27⤵
- Executes dropped EXE
PID:4052 -
\??\c:\q20482.exec:\q20482.exe28⤵
- Executes dropped EXE
PID:1164 -
\??\c:\nntnbt.exec:\nntnbt.exe29⤵
- Executes dropped EXE
PID:5064 -
\??\c:\428286.exec:\428286.exe30⤵
- Executes dropped EXE
PID:1636 -
\??\c:\dpvjv.exec:\dpvjv.exe31⤵
- Executes dropped EXE
PID:4324 -
\??\c:\lfxlxrf.exec:\lfxlxrf.exe32⤵
- Executes dropped EXE
PID:1320 -
\??\c:\9lxlxlf.exec:\9lxlxlf.exe33⤵
- Executes dropped EXE
PID:2492 -
\??\c:\82882.exec:\82882.exe34⤵
- Executes dropped EXE
PID:4980 -
\??\c:\c242648.exec:\c242648.exe35⤵
- Executes dropped EXE
PID:872 -
\??\c:\08822.exec:\08822.exe36⤵
- Executes dropped EXE
PID:2532 -
\??\c:\3ntnbt.exec:\3ntnbt.exe37⤵
- Executes dropped EXE
PID:960 -
\??\c:\00820.exec:\00820.exe38⤵
- Executes dropped EXE
PID:2336 -
\??\c:\bnhbnh.exec:\bnhbnh.exe39⤵
- Executes dropped EXE
PID:972 -
\??\c:\4288482.exec:\4288482.exe40⤵
- Executes dropped EXE
PID:2288 -
\??\c:\hhnbnh.exec:\hhnbnh.exe41⤵
- Executes dropped EXE
PID:4480 -
\??\c:\vpjvj.exec:\vpjvj.exe42⤵
- Executes dropped EXE
PID:2032 -
\??\c:\pvvjp.exec:\pvvjp.exe43⤵
- Executes dropped EXE
PID:2796 -
\??\c:\5xrlxlf.exec:\5xrlxlf.exe44⤵
- Executes dropped EXE
PID:4188 -
\??\c:\hhhtnh.exec:\hhhtnh.exe45⤵
- Executes dropped EXE
PID:2788 -
\??\c:\g2208.exec:\g2208.exe46⤵
- Executes dropped EXE
PID:4792 -
\??\c:\xrfrfxl.exec:\xrfrfxl.exe47⤵
- Executes dropped EXE
PID:2188 -
\??\c:\48886.exec:\48886.exe48⤵
- Executes dropped EXE
PID:2672 -
\??\c:\u620860.exec:\u620860.exe49⤵
- Executes dropped EXE
PID:4580 -
\??\c:\jppdv.exec:\jppdv.exe50⤵
- Executes dropped EXE
PID:3600 -
\??\c:\lxlfrrl.exec:\lxlfrrl.exe51⤵
- Executes dropped EXE
PID:720 -
\??\c:\7rxlrlr.exec:\7rxlrlr.exe52⤵
- Executes dropped EXE
PID:224 -
\??\c:\88288.exec:\88288.exe53⤵
- Executes dropped EXE
PID:4464 -
\??\c:\282260.exec:\282260.exe54⤵
- Executes dropped EXE
PID:2084 -
\??\c:\2066226.exec:\2066226.exe55⤵
- Executes dropped EXE
PID:2956 -
\??\c:\lxxxlfr.exec:\lxxxlfr.exe56⤵
- Executes dropped EXE
PID:2024 -
\??\c:\4020448.exec:\4020448.exe57⤵
- Executes dropped EXE
PID:2888 -
\??\c:\nhbttn.exec:\nhbttn.exe58⤵
- Executes dropped EXE
PID:2472 -
\??\c:\4826262.exec:\4826262.exe59⤵
- Executes dropped EXE
PID:3940 -
\??\c:\884448.exec:\884448.exe60⤵
- Executes dropped EXE
PID:2724 -
\??\c:\04660.exec:\04660.exe61⤵
- Executes dropped EXE
PID:4292 -
\??\c:\k24826.exec:\k24826.exe62⤵
- Executes dropped EXE
PID:3812 -
\??\c:\g2488.exec:\g2488.exe63⤵
- Executes dropped EXE
PID:1960 -
\??\c:\068200.exec:\068200.exe64⤵
- Executes dropped EXE
PID:2300 -
\??\c:\pvpjd.exec:\pvpjd.exe65⤵
- Executes dropped EXE
PID:4312 -
\??\c:\tbbbtt.exec:\tbbbtt.exe66⤵PID:1424
-
\??\c:\22488.exec:\22488.exe67⤵PID:4260
-
\??\c:\rfllfrr.exec:\rfllfrr.exe68⤵PID:3408
-
\??\c:\0222668.exec:\0222668.exe69⤵PID:4556
-
\??\c:\2804000.exec:\2804000.exe70⤵
- System Location Discovery: System Language Discovery
PID:3596 -
\??\c:\0244882.exec:\0244882.exe71⤵PID:5068
-
\??\c:\flxxrrl.exec:\flxxrrl.exe72⤵PID:4472
-
\??\c:\20606.exec:\20606.exe73⤵
- System Location Discovery: System Language Discovery
PID:800 -
\??\c:\044822.exec:\044822.exe74⤵PID:3464
-
\??\c:\httnbt.exec:\httnbt.exe75⤵PID:876
-
\??\c:\lxxlflr.exec:\lxxlflr.exe76⤵PID:1700
-
\??\c:\rxffxxr.exec:\rxffxxr.exe77⤵PID:3624
-
\??\c:\fffxrlf.exec:\fffxrlf.exe78⤵PID:3024
-
\??\c:\242288.exec:\242288.exe79⤵PID:2444
-
\??\c:\dppdp.exec:\dppdp.exe80⤵PID:2960
-
\??\c:\1nnhtt.exec:\1nnhtt.exe81⤵PID:4328
-
\??\c:\jvdvj.exec:\jvdvj.exe82⤵PID:1504
-
\??\c:\m0066.exec:\m0066.exe83⤵PID:1440
-
\??\c:\rxfffrx.exec:\rxfffrx.exe84⤵PID:4684
-
\??\c:\26660.exec:\26660.exe85⤵
- System Location Discovery: System Language Discovery
PID:1680 -
\??\c:\866648.exec:\866648.exe86⤵PID:2304
-
\??\c:\dpjdp.exec:\dpjdp.exe87⤵PID:2572
-
\??\c:\g8066.exec:\g8066.exe88⤵PID:4224
-
\??\c:\lffxllf.exec:\lffxllf.exe89⤵PID:1164
-
\??\c:\824400.exec:\824400.exe90⤵PID:5056
-
\??\c:\jdpjd.exec:\jdpjd.exe91⤵PID:3452
-
\??\c:\4082666.exec:\4082666.exe92⤵PID:1752
-
\??\c:\tnnnnn.exec:\tnnnnn.exe93⤵PID:2216
-
\??\c:\82660.exec:\82660.exe94⤵PID:1004
-
\??\c:\xffrlxl.exec:\xffrlxl.exe95⤵PID:1048
-
\??\c:\tnbthh.exec:\tnbthh.exe96⤵PID:404
-
\??\c:\222226.exec:\222226.exe97⤵PID:4568
-
\??\c:\82820.exec:\82820.exe98⤵PID:3944
-
\??\c:\vppjd.exec:\vppjd.exe99⤵PID:2012
-
\??\c:\hbnhbt.exec:\hbnhbt.exe100⤵PID:2332
-
\??\c:\64008.exec:\64008.exe101⤵PID:3316
-
\??\c:\42268.exec:\42268.exe102⤵PID:3108
-
\??\c:\8608608.exec:\8608608.exe103⤵PID:2176
-
\??\c:\1jppj.exec:\1jppj.exe104⤵PID:1748
-
\??\c:\bhhthb.exec:\bhhthb.exe105⤵PID:2032
-
\??\c:\vdpjd.exec:\vdpjd.exe106⤵PID:2796
-
\??\c:\6260426.exec:\6260426.exe107⤵PID:4188
-
\??\c:\6482048.exec:\6482048.exe108⤵PID:1448
-
\??\c:\vjdvj.exec:\vjdvj.exe109⤵PID:2036
-
\??\c:\1bhbhh.exec:\1bhbhh.exe110⤵PID:2988
-
\??\c:\bhttnt.exec:\bhttnt.exe111⤵PID:4840
-
\??\c:\5tbbbh.exec:\5tbbbh.exe112⤵PID:860
-
\??\c:\vdjvj.exec:\vdjvj.exe113⤵PID:4388
-
\??\c:\dpjdj.exec:\dpjdj.exe114⤵PID:1580
-
\??\c:\7rrlrlx.exec:\7rrlrlx.exe115⤵PID:4656
-
\??\c:\tnhbbb.exec:\tnhbbb.exe116⤵PID:3592
-
\??\c:\0442004.exec:\0442004.exe117⤵PID:3892
-
\??\c:\vjvdv.exec:\vjvdv.exe118⤵PID:4244
-
\??\c:\nhhbbb.exec:\nhhbbb.exe119⤵PID:4512
-
\??\c:\ddvjj.exec:\ddvjj.exe120⤵PID:3148
-
\??\c:\84880.exec:\84880.exe121⤵PID:2680
-
\??\c:\462200.exec:\462200.exe122⤵PID:4824