Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 04:21
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
9ae46914fe157432acfb03c34205e73a89ac3c2273027cd35985c521fcad4520N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
9ae46914fe157432acfb03c34205e73a89ac3c2273027cd35985c521fcad4520N.exe
-
Size
453KB
-
MD5
0e73d3ca2faabc9ba0edaaba7bfa7e80
-
SHA1
ddacec81e9e6a2912a435fe79d48577b698c04f2
-
SHA256
9ae46914fe157432acfb03c34205e73a89ac3c2273027cd35985c521fcad4520
-
SHA512
820890d580d47724654fcce581283535210e596197e273d714229873a12dc03fdd9558e64be6ffdf5b96a0524e3ab90dc761df64175baf462a5358bc948dd800
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4224-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1088-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3320-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-1019-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-1114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-1266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1676-1574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4592 xrxrrrr.exe 3700 46604.exe 5004 pjjdj.exe 1292 868884.exe 1488 84004.exe 1696 7xrrllr.exe 2680 680044.exe 428 s0664.exe 5000 44004.exe 3616 hbtbtb.exe 3156 9xrrxxf.exe 1648 jjvpv.exe 2272 nhnhbh.exe 1464 nhhhtt.exe 3412 5lrfxxr.exe 4668 nbhbtt.exe 3120 xxxxxxf.exe 2100 3vjdv.exe 932 5hbtnn.exe 4864 3jddp.exe 3852 fxfxllr.exe 4732 xllfffx.exe 3640 2466600.exe 1088 9jppj.exe 4816 hhbtbt.exe 4460 hbnhtt.exe 1540 0408882.exe 1460 bhnnhh.exe 2996 tbnhbb.exe 404 jpdvj.exe 5092 dpvjv.exe 4072 00048.exe 3892 u064426.exe 4616 64642.exe 2064 xlrfxrl.exe 2552 e82008.exe 1376 rxfxfrf.exe 1756 1ffrrlx.exe 3492 0008642.exe 4836 08864.exe 556 1ddpj.exe 4840 nhtntn.exe 928 btnbht.exe 1312 4404822.exe 4380 rrflllf.exe 3584 2086048.exe 4332 rxfrfxr.exe 2800 i260486.exe 1972 rflflfl.exe 960 ntnbnh.exe 1608 7ththh.exe 1776 ppvjv.exe 4184 66602.exe 4204 hbbthh.exe 4468 86860.exe 3440 jvvjj.exe 3168 s0604.exe 5040 lfrffxl.exe 3948 o848824.exe 2060 thnbnb.exe 4736 3hbnbt.exe 1096 3hthbt.exe 3616 btbttt.exe 3652 thnttt.exe -
resource yara_rule behavioral2/memory/4592-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1088-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-349-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1088-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-614-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8668260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u004826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c060220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q68200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8286226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8842086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 664826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4224 wrote to memory of 4592 4224 9ae46914fe157432acfb03c34205e73a89ac3c2273027cd35985c521fcad4520N.exe 85 PID 4224 wrote to memory of 4592 4224 9ae46914fe157432acfb03c34205e73a89ac3c2273027cd35985c521fcad4520N.exe 85 PID 4224 wrote to memory of 4592 4224 9ae46914fe157432acfb03c34205e73a89ac3c2273027cd35985c521fcad4520N.exe 85 PID 4592 wrote to memory of 3700 4592 xrxrrrr.exe 86 PID 4592 wrote to memory of 3700 4592 xrxrrrr.exe 86 PID 4592 wrote to memory of 3700 4592 xrxrrrr.exe 86 PID 3700 wrote to memory of 5004 3700 46604.exe 87 PID 3700 wrote to memory of 5004 3700 46604.exe 87 PID 3700 wrote to memory of 5004 3700 46604.exe 87 PID 5004 wrote to memory of 1292 5004 pjjdj.exe 88 PID 5004 wrote to memory of 1292 5004 pjjdj.exe 88 PID 5004 wrote to memory of 1292 5004 pjjdj.exe 88 PID 1292 wrote to memory of 1488 1292 868884.exe 89 PID 1292 wrote to memory of 1488 1292 868884.exe 89 PID 1292 wrote to memory of 1488 1292 868884.exe 89 PID 1488 wrote to memory of 1696 1488 84004.exe 90 PID 1488 wrote to memory of 1696 1488 84004.exe 90 PID 1488 wrote to memory of 1696 1488 84004.exe 90 PID 1696 wrote to memory of 2680 1696 7xrrllr.exe 91 PID 1696 wrote to memory of 2680 1696 7xrrllr.exe 91 PID 1696 wrote to memory of 2680 1696 7xrrllr.exe 91 PID 2680 wrote to memory of 428 2680 680044.exe 92 PID 2680 wrote to memory of 428 2680 680044.exe 92 PID 2680 wrote to memory of 428 2680 680044.exe 92 PID 428 wrote to memory of 5000 428 s0664.exe 93 PID 428 wrote to memory of 5000 428 s0664.exe 93 PID 428 wrote to memory of 5000 428 s0664.exe 93 PID 5000 wrote to memory of 3616 5000 44004.exe 94 PID 5000 wrote to memory of 3616 5000 44004.exe 94 PID 5000 wrote to memory of 3616 5000 44004.exe 94 PID 3616 wrote to memory of 3156 3616 hbtbtb.exe 95 PID 3616 wrote to memory of 3156 3616 hbtbtb.exe 95 PID 3616 wrote to memory of 3156 3616 hbtbtb.exe 95 PID 3156 wrote to memory of 1648 3156 9xrrxxf.exe 96 PID 3156 wrote to memory of 1648 
3156 9xrrxxf.exe 96 PID 3156 wrote to memory of 1648 3156 9xrrxxf.exe 96 PID 1648 wrote to memory of 2272 1648 jjvpv.exe 97 PID 1648 wrote to memory of 2272 1648 jjvpv.exe 97 PID 1648 wrote to memory of 2272 1648 jjvpv.exe 97 PID 2272 wrote to memory of 1464 2272 nhnhbh.exe 98 PID 2272 wrote to memory of 1464 2272 nhnhbh.exe 98 PID 2272 wrote to memory of 1464 2272 nhnhbh.exe 98 PID 1464 wrote to memory of 3412 1464 nhhhtt.exe 99 PID 1464 wrote to memory of 3412 1464 nhhhtt.exe 99 PID 1464 wrote to memory of 3412 1464 nhhhtt.exe 99 PID 3412 wrote to memory of 4668 3412 5lrfxxr.exe 100 PID 3412 wrote to memory of 4668 3412 5lrfxxr.exe 100 PID 3412 wrote to memory of 4668 3412 5lrfxxr.exe 100 PID 4668 wrote to memory of 3120 4668 nbhbtt.exe 101 PID 4668 wrote to memory of 3120 4668 nbhbtt.exe 101 PID 4668 wrote to memory of 3120 4668 nbhbtt.exe 101 PID 3120 wrote to memory of 2100 3120 xxxxxxf.exe 102 PID 3120 wrote to memory of 2100 3120 xxxxxxf.exe 102 PID 3120 wrote to memory of 2100 3120 xxxxxxf.exe 102 PID 2100 wrote to memory of 932 2100 3vjdv.exe 103 PID 2100 wrote to memory of 932 2100 3vjdv.exe 103 PID 2100 wrote to memory of 932 2100 3vjdv.exe 103 PID 932 wrote to memory of 4864 932 5hbtnn.exe 104 PID 932 wrote to memory of 4864 932 5hbtnn.exe 104 PID 932 wrote to memory of 4864 932 5hbtnn.exe 104 PID 4864 wrote to memory of 3852 4864 3jddp.exe 105 PID 4864 wrote to memory of 3852 4864 3jddp.exe 105 PID 4864 wrote to memory of 3852 4864 3jddp.exe 105 PID 3852 wrote to memory of 4732 3852 fxfxllr.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ae46914fe157432acfb03c34205e73a89ac3c2273027cd35985c521fcad4520N.exe"C:\Users\Admin\AppData\Local\Temp\9ae46914fe157432acfb03c34205e73a89ac3c2273027cd35985c521fcad4520N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\46604.exec:\46604.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\pjjdj.exec:\pjjdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\868884.exec:\868884.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\84004.exec:\84004.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\7xrrllr.exec:\7xrrllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\680044.exec:\680044.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\s0664.exec:\s0664.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\44004.exec:\44004.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\hbtbtb.exec:\hbtbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\9xrrxxf.exec:\9xrrxxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\jjvpv.exec:\jjvpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\nhnhbh.exec:\nhnhbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\nhhhtt.exec:\nhhhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\5lrfxxr.exec:\5lrfxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\nbhbtt.exec:\nbhbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\xxxxxxf.exec:\xxxxxxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\3vjdv.exec:\3vjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\5hbtnn.exec:\5hbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\3jddp.exec:\3jddp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\fxfxllr.exec:\fxfxllr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\xllfffx.exec:\xllfffx.exe23⤵
- Executes dropped EXE
PID:4732 -
\??\c:\2466600.exec:\2466600.exe24⤵
- Executes dropped EXE
PID:3640 -
\??\c:\9jppj.exec:\9jppj.exe25⤵
- Executes dropped EXE
PID:1088 -
\??\c:\hhbtbt.exec:\hhbtbt.exe26⤵
- Executes dropped EXE
PID:4816 -
\??\c:\hbnhtt.exec:\hbnhtt.exe27⤵
- Executes dropped EXE
PID:4460 -
\??\c:\0408882.exec:\0408882.exe28⤵
- Executes dropped EXE
PID:1540 -
\??\c:\bhnnhh.exec:\bhnnhh.exe29⤵
- Executes dropped EXE
PID:1460 -
\??\c:\tbnhbb.exec:\tbnhbb.exe30⤵
- Executes dropped EXE
PID:2996 -
\??\c:\jpdvj.exec:\jpdvj.exe31⤵
- Executes dropped EXE
PID:404 -
\??\c:\dpvjv.exec:\dpvjv.exe32⤵
- Executes dropped EXE
PID:5092 -
\??\c:\00048.exec:\00048.exe33⤵
- Executes dropped EXE
PID:4072 -
\??\c:\u064426.exec:\u064426.exe34⤵
- Executes dropped EXE
PID:3892 -
\??\c:\64642.exec:\64642.exe35⤵
- Executes dropped EXE
PID:4616 -
\??\c:\xlrfxrl.exec:\xlrfxrl.exe36⤵
- Executes dropped EXE
PID:2064 -
\??\c:\e82008.exec:\e82008.exe37⤵
- Executes dropped EXE
PID:2552 -
\??\c:\rxfxfrf.exec:\rxfxfrf.exe38⤵
- Executes dropped EXE
PID:1376 -
\??\c:\1ffrrlx.exec:\1ffrrlx.exe39⤵
- Executes dropped EXE
PID:1756 -
\??\c:\0008642.exec:\0008642.exe40⤵
- Executes dropped EXE
PID:3492 -
\??\c:\08864.exec:\08864.exe41⤵
- Executes dropped EXE
PID:4836 -
\??\c:\1ddpj.exec:\1ddpj.exe42⤵
- Executes dropped EXE
PID:556 -
\??\c:\nhtntn.exec:\nhtntn.exe43⤵
- Executes dropped EXE
PID:4840 -
\??\c:\btnbht.exec:\btnbht.exe44⤵
- Executes dropped EXE
PID:928 -
\??\c:\4404822.exec:\4404822.exe45⤵
- Executes dropped EXE
PID:1312 -
\??\c:\rrflllf.exec:\rrflllf.exe46⤵
- Executes dropped EXE
PID:4380 -
\??\c:\2086048.exec:\2086048.exe47⤵
- Executes dropped EXE
PID:3584 -
\??\c:\rxfrfxr.exec:\rxfrfxr.exe48⤵
- Executes dropped EXE
PID:4332 -
\??\c:\i260486.exec:\i260486.exe49⤵
- Executes dropped EXE
PID:2800 -
\??\c:\rflflfl.exec:\rflflfl.exe50⤵
- Executes dropped EXE
PID:1972 -
\??\c:\ntnbnh.exec:\ntnbnh.exe51⤵
- Executes dropped EXE
PID:960 -
\??\c:\7ththh.exec:\7ththh.exe52⤵
- Executes dropped EXE
PID:1608 -
\??\c:\ppvjv.exec:\ppvjv.exe53⤵
- Executes dropped EXE
PID:1776 -
\??\c:\66602.exec:\66602.exe54⤵
- Executes dropped EXE
PID:4184 -
\??\c:\hbbthh.exec:\hbbthh.exe55⤵
- Executes dropped EXE
PID:4204 -
\??\c:\86860.exec:\86860.exe56⤵
- Executes dropped EXE
PID:4468 -
\??\c:\jvvjj.exec:\jvvjj.exe57⤵
- Executes dropped EXE
PID:3440 -
\??\c:\s0604.exec:\s0604.exe58⤵
- Executes dropped EXE
PID:3168 -
\??\c:\lfrffxl.exec:\lfrffxl.exe59⤵
- Executes dropped EXE
PID:5040 -
\??\c:\o848824.exec:\o848824.exe60⤵
- Executes dropped EXE
PID:3948 -
\??\c:\thnbnb.exec:\thnbnb.exe61⤵
- Executes dropped EXE
PID:2060 -
\??\c:\3hbnbt.exec:\3hbnbt.exe62⤵
- Executes dropped EXE
PID:4736 -
\??\c:\3hthbt.exec:\3hthbt.exe63⤵
- Executes dropped EXE
PID:1096 -
\??\c:\btbttt.exec:\btbttt.exe64⤵
- Executes dropped EXE
PID:3616 -
\??\c:\thnttt.exec:\thnttt.exe65⤵
- Executes dropped EXE
PID:3652 -
\??\c:\1pjdj.exec:\1pjdj.exe66⤵PID:1648
-
\??\c:\3dpjd.exec:\3dpjd.exe67⤵PID:2272
-
\??\c:\rfrlllr.exec:\rfrlllr.exe68⤵PID:5032
-
\??\c:\ddvvp.exec:\ddvvp.exe69⤵PID:212
-
\??\c:\446088.exec:\446088.exe70⤵PID:2520
-
\??\c:\thnbtn.exec:\thnbtn.exe71⤵
- System Location Discovery: System Language Discovery
PID:208 -
\??\c:\lllffxr.exec:\lllffxr.exe72⤵PID:2016
-
\??\c:\40626.exec:\40626.exe73⤵PID:3120
-
\??\c:\2848660.exec:\2848660.exe74⤵PID:1328
-
\??\c:\26604.exec:\26604.exe75⤵PID:3676
-
\??\c:\84048.exec:\84048.exe76⤵PID:1040
-
\??\c:\24040.exec:\24040.exe77⤵PID:2444
-
\??\c:\s6266.exec:\s6266.exe78⤵PID:4612
-
\??\c:\bnnbnh.exec:\bnnbnh.exe79⤵PID:3320
-
\??\c:\k44024.exec:\k44024.exe80⤵PID:4516
-
\??\c:\q02868.exec:\q02868.exe81⤵PID:4152
-
\??\c:\pvjdp.exec:\pvjdp.exe82⤵PID:4092
-
\??\c:\426862.exec:\426862.exe83⤵PID:1088
-
\??\c:\26860.exec:\26860.exe84⤵PID:1444
-
\??\c:\w44822.exec:\w44822.exe85⤵PID:644
-
\??\c:\pdddv.exec:\pdddv.exe86⤵PID:3964
-
\??\c:\thbntn.exec:\thbntn.exe87⤵PID:668
-
\??\c:\2206048.exec:\2206048.exe88⤵PID:4980
-
\??\c:\pddpd.exec:\pddpd.exe89⤵PID:3396
-
\??\c:\64006.exec:\64006.exe90⤵PID:3588
-
\??\c:\q28660.exec:\q28660.exe91⤵PID:3932
-
\??\c:\vddpv.exec:\vddpv.exe92⤵PID:4748
-
\??\c:\ddvpj.exec:\ddvpj.exe93⤵PID:2284
-
\??\c:\hthnnn.exec:\hthnnn.exe94⤵PID:3108
-
\??\c:\bntnhn.exec:\bntnhn.exe95⤵PID:4856
-
\??\c:\lffffrl.exec:\lffffrl.exe96⤵PID:3632
-
\??\c:\djjvj.exec:\djjvj.exe97⤵PID:1060
-
\??\c:\9bhtnn.exec:\9bhtnn.exe98⤵PID:4624
-
\??\c:\606080.exec:\606080.exe99⤵PID:2456
-
\??\c:\888044.exec:\888044.exe100⤵PID:2072
-
\??\c:\82604.exec:\82604.exe101⤵PID:3880
-
\??\c:\02226.exec:\02226.exe102⤵PID:3996
-
\??\c:\lxrlffx.exec:\lxrlffx.exe103⤵PID:632
-
\??\c:\s4644.exec:\s4644.exe104⤵PID:4840
-
\??\c:\066226.exec:\066226.exe105⤵PID:928
-
\??\c:\1rrlxxr.exec:\1rrlxxr.exe106⤵PID:4372
-
\??\c:\26884.exec:\26884.exe107⤵PID:4380
-
\??\c:\a6220.exec:\a6220.exe108⤵PID:3740
-
\??\c:\vppjj.exec:\vppjj.exe109⤵PID:5044
-
\??\c:\lrrrlxx.exec:\lrrrlxx.exe110⤵PID:2248
-
\??\c:\0460662.exec:\0460662.exe111⤵PID:1360
-
\??\c:\a4422.exec:\a4422.exe112⤵PID:960
-
\??\c:\9rxrffr.exec:\9rxrffr.exe113⤵PID:1608
-
\??\c:\fxxrrrl.exec:\fxxrrrl.exe114⤵PID:1776
-
\??\c:\60604.exec:\60604.exe115⤵PID:4184
-
\??\c:\6844226.exec:\6844226.exe116⤵PID:4204
-
\??\c:\a0604.exec:\a0604.exe117⤵PID:2112
-
\??\c:\4288226.exec:\4288226.exe118⤵PID:3440
-
\??\c:\nhhhhh.exec:\nhhhhh.exe119⤵PID:3732
-
\??\c:\2004444.exec:\2004444.exe120⤵PID:1188
-
\??\c:\8624882.exec:\8624882.exe121⤵PID:3344
-
\??\c:\6262664.exec:\6262664.exe122⤵PID:2976