Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 09:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe
-
Size
454KB
-
MD5
15f59069150485c9e0de9e5242198c80
-
SHA1
964696431b915fc7706bf4bc3120ce1377961645
-
SHA256
9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702
-
SHA512
e9d5407882780a410279f2ee82c8626e37423f6bbeeae6e23abaf7298e1108597ae4fdd310030d90ebf85c20805c5e62f180a2fb5f76cdf9c663f9029a8904d3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1928-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/752-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4108-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-861-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3944 8622604.exe 1048 22204.exe 2356 nbtnbt.exe 1036 028648.exe 544 xrrfxrl.exe 3488 26604.exe 900 4008266.exe 4788 vjvpj.exe 1396 pjdpd.exe 1548 8220820.exe 4316 bnnhnn.exe 60 nthnbt.exe 4772 7nbnbt.exe 2396 jvddp.exe 2796 400488.exe 4512 6826826.exe 4280 208040.exe 2304 nhthnh.exe 3948 8668260.exe 728 1lrlxrl.exe 4272 jvvjd.exe 772 42204.exe 4236 60048.exe 4836 u226482.exe 4920 lfxlfrl.exe 1544 80246.exe 4348 nhhtnn.exe 216 422604.exe 4828 284860.exe 2080 0888608.exe 1336 28260.exe 4296 a8486.exe 2428 3flrxrf.exe 3684 28648.exe 1456 9ntnhh.exe 2276 djjdd.exe 2900 086060.exe 4396 4260404.exe 4912 tbbtnn.exe 640 ffffxff.exe 4452 htnhtt.exe 4888 40048.exe 3664 62260.exe 752 48046.exe 3676 lxxrffl.exe 4368 4408260.exe 1612 bhthbt.exe 4356 i842600.exe 4324 4660482.exe 2096 vdjdv.exe 1996 ppvdd.exe 4568 064280.exe 3968 5nhbtt.exe 1656 xrrlxxl.exe 5096 8602824.exe 3884 602666.exe 740 40040.exe 5028 7vdvv.exe 3568 e28604.exe 5056 xlllfxr.exe 4788 bbbtnn.exe 2648 e00206.exe 1548 bthnhb.exe 3584 6020486.exe -
resource yara_rule behavioral2/memory/1928-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-243-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4356-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-315-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4920-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-538-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6026000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8400000.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1928 wrote to memory of 3944 1928 9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe 83 PID 1928 wrote to memory of 3944 1928 9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe 83 PID 1928 wrote to memory of 3944 1928 9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe 83 PID 3944 wrote to memory of 1048 3944 8622604.exe 84 PID 3944 wrote to memory of 1048 3944 8622604.exe 84 PID 3944 wrote to memory of 1048 3944 8622604.exe 84 PID 1048 wrote to memory of 2356 1048 22204.exe 85 PID 1048 wrote to memory of 2356 1048 22204.exe 85 PID 1048 wrote to memory of 2356 1048 22204.exe 85 PID 2356 wrote to memory of 1036 2356 nbtnbt.exe 86 PID 2356 wrote to memory of 1036 2356 nbtnbt.exe 86 PID 2356 wrote to memory of 1036 2356 nbtnbt.exe 86 PID 1036 wrote to memory of 544 1036 028648.exe 87 PID 1036 wrote to memory of 544 1036 028648.exe 87 PID 1036 wrote to memory of 544 1036 028648.exe 87 PID 544 wrote to memory of 3488 544 xrrfxrl.exe 88 PID 544 wrote to memory of 3488 544 xrrfxrl.exe 88 PID 544 wrote to memory of 3488 544 xrrfxrl.exe 88 PID 3488 wrote to memory of 900 3488 26604.exe 89 PID 3488 wrote to memory of 900 3488 26604.exe 89 PID 3488 wrote to memory of 900 3488 26604.exe 89 PID 900 wrote to memory of 4788 900 4008266.exe 90 PID 900 wrote to memory of 4788 900 4008266.exe 90 PID 900 wrote to memory of 4788 900 4008266.exe 90 PID 4788 wrote to memory of 1396 4788 vjvpj.exe 91 PID 4788 wrote to memory of 1396 4788 vjvpj.exe 91 PID 4788 wrote to memory of 1396 4788 vjvpj.exe 91 PID 1396 wrote to memory of 1548 1396 pjdpd.exe 92 PID 1396 wrote to memory of 1548 1396 pjdpd.exe 92 PID 1396 wrote to memory of 1548 1396 pjdpd.exe 92 PID 1548 wrote to memory of 4316 1548 8220820.exe 93 PID 1548 wrote to memory of 4316 1548 8220820.exe 93 PID 1548 wrote to memory of 4316 1548 8220820.exe 93 PID 4316 wrote to memory of 60 4316 bnnhnn.exe 94 PID 4316 wrote to memory of 60 4316 
bnnhnn.exe 94 PID 4316 wrote to memory of 60 4316 bnnhnn.exe 94 PID 60 wrote to memory of 4772 60 nthnbt.exe 95 PID 60 wrote to memory of 4772 60 nthnbt.exe 95 PID 60 wrote to memory of 4772 60 nthnbt.exe 95 PID 4772 wrote to memory of 2396 4772 7nbnbt.exe 96 PID 4772 wrote to memory of 2396 4772 7nbnbt.exe 96 PID 4772 wrote to memory of 2396 4772 7nbnbt.exe 96 PID 2396 wrote to memory of 2796 2396 jvddp.exe 97 PID 2396 wrote to memory of 2796 2396 jvddp.exe 97 PID 2396 wrote to memory of 2796 2396 jvddp.exe 97 PID 2796 wrote to memory of 4512 2796 400488.exe 98 PID 2796 wrote to memory of 4512 2796 400488.exe 98 PID 2796 wrote to memory of 4512 2796 400488.exe 98 PID 4512 wrote to memory of 4280 4512 6826826.exe 99 PID 4512 wrote to memory of 4280 4512 6826826.exe 99 PID 4512 wrote to memory of 4280 4512 6826826.exe 99 PID 4280 wrote to memory of 2304 4280 208040.exe 100 PID 4280 wrote to memory of 2304 4280 208040.exe 100 PID 4280 wrote to memory of 2304 4280 208040.exe 100 PID 2304 wrote to memory of 3948 2304 nhthnh.exe 101 PID 2304 wrote to memory of 3948 2304 nhthnh.exe 101 PID 2304 wrote to memory of 3948 2304 nhthnh.exe 101 PID 3948 wrote to memory of 728 3948 8668260.exe 102 PID 3948 wrote to memory of 728 3948 8668260.exe 102 PID 3948 wrote to memory of 728 3948 8668260.exe 102 PID 728 wrote to memory of 4272 728 1lrlxrl.exe 103 PID 728 wrote to memory of 4272 728 1lrlxrl.exe 103 PID 728 wrote to memory of 4272 728 1lrlxrl.exe 103 PID 4272 wrote to memory of 772 4272 jvvjd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe"C:\Users\Admin\AppData\Local\Temp\9e9e861ff44f33289c66abaee0825aa1c7480d9a562e45e240886d2f758da702N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\8622604.exec:\8622604.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\22204.exec:\22204.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\nbtnbt.exec:\nbtnbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\028648.exec:\028648.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\26604.exec:\26604.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\4008266.exec:\4008266.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\vjvpj.exec:\vjvpj.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\pjdpd.exec:\pjdpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\8220820.exec:\8220820.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\bnnhnn.exec:\bnnhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\nthnbt.exec:\nthnbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\7nbnbt.exec:\7nbnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\jvddp.exec:\jvddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\400488.exec:\400488.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\6826826.exec:\6826826.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\208040.exec:\208040.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\nhthnh.exec:\nhthnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\8668260.exec:\8668260.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\1lrlxrl.exec:\1lrlxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728 -
\??\c:\jvvjd.exec:\jvvjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\42204.exec:\42204.exe23⤵
- Executes dropped EXE
PID:772 -
\??\c:\60048.exec:\60048.exe24⤵
- Executes dropped EXE
PID:4236 -
\??\c:\u226482.exec:\u226482.exe25⤵
- Executes dropped EXE
PID:4836 -
\??\c:\lfxlfrl.exec:\lfxlfrl.exe26⤵
- Executes dropped EXE
PID:4920 -
\??\c:\80246.exec:\80246.exe27⤵
- Executes dropped EXE
PID:1544 -
\??\c:\nhhtnn.exec:\nhhtnn.exe28⤵
- Executes dropped EXE
PID:4348 -
\??\c:\422604.exec:\422604.exe29⤵
- Executes dropped EXE
PID:216 -
\??\c:\284860.exec:\284860.exe30⤵
- Executes dropped EXE
PID:4828 -
\??\c:\0888608.exec:\0888608.exe31⤵
- Executes dropped EXE
PID:2080 -
\??\c:\28260.exec:\28260.exe32⤵
- Executes dropped EXE
PID:1336 -
\??\c:\a8486.exec:\a8486.exe33⤵
- Executes dropped EXE
PID:4296 -
\??\c:\3flrxrf.exec:\3flrxrf.exe34⤵
- Executes dropped EXE
PID:2428 -
\??\c:\28648.exec:\28648.exe35⤵
- Executes dropped EXE
PID:3684 -
\??\c:\9ntnhh.exec:\9ntnhh.exe36⤵
- Executes dropped EXE
PID:1456 -
\??\c:\djjdd.exec:\djjdd.exe37⤵
- Executes dropped EXE
PID:2276 -
\??\c:\086060.exec:\086060.exe38⤵
- Executes dropped EXE
PID:2900 -
\??\c:\4260404.exec:\4260404.exe39⤵
- Executes dropped EXE
PID:4396 -
\??\c:\tbbtnn.exec:\tbbtnn.exe40⤵
- Executes dropped EXE
PID:4912 -
\??\c:\ffffxff.exec:\ffffxff.exe41⤵
- Executes dropped EXE
PID:640 -
\??\c:\htnhtt.exec:\htnhtt.exe42⤵
- Executes dropped EXE
PID:4452 -
\??\c:\40048.exec:\40048.exe43⤵
- Executes dropped EXE
PID:4888 -
\??\c:\62260.exec:\62260.exe44⤵
- Executes dropped EXE
PID:3664 -
\??\c:\48046.exec:\48046.exe45⤵
- Executes dropped EXE
PID:752 -
\??\c:\lxxrffl.exec:\lxxrffl.exe46⤵
- Executes dropped EXE
PID:3676 -
\??\c:\4408260.exec:\4408260.exe47⤵
- Executes dropped EXE
PID:4368 -
\??\c:\bhthbt.exec:\bhthbt.exe48⤵
- Executes dropped EXE
PID:1612 -
\??\c:\i842600.exec:\i842600.exe49⤵
- Executes dropped EXE
PID:4356 -
\??\c:\4660482.exec:\4660482.exe50⤵
- Executes dropped EXE
PID:4324 -
\??\c:\vdjdv.exec:\vdjdv.exe51⤵
- Executes dropped EXE
PID:2096 -
\??\c:\ppvdd.exec:\ppvdd.exe52⤵
- Executes dropped EXE
PID:1996 -
\??\c:\064280.exec:\064280.exe53⤵
- Executes dropped EXE
PID:4568 -
\??\c:\5nhbtt.exec:\5nhbtt.exe54⤵
- Executes dropped EXE
PID:3968 -
\??\c:\xrrlxxl.exec:\xrrlxxl.exe55⤵
- Executes dropped EXE
PID:1656 -
\??\c:\8602824.exec:\8602824.exe56⤵
- Executes dropped EXE
PID:5096 -
\??\c:\602666.exec:\602666.exe57⤵
- Executes dropped EXE
PID:3884 -
\??\c:\40040.exec:\40040.exe58⤵
- Executes dropped EXE
PID:740 -
\??\c:\7vdvv.exec:\7vdvv.exe59⤵
- Executes dropped EXE
PID:5028 -
\??\c:\e28604.exec:\e28604.exe60⤵
- Executes dropped EXE
PID:3568 -
\??\c:\xlllfxr.exec:\xlllfxr.exe61⤵
- Executes dropped EXE
PID:5056 -
\??\c:\bbbtnn.exec:\bbbtnn.exe62⤵
- Executes dropped EXE
PID:4788 -
\??\c:\e00206.exec:\e00206.exe63⤵
- Executes dropped EXE
PID:2648 -
\??\c:\bthnhb.exec:\bthnhb.exe64⤵
- Executes dropped EXE
PID:1548 -
\??\c:\6020486.exec:\6020486.exe65⤵
- Executes dropped EXE
PID:3584 -
\??\c:\424860.exec:\424860.exe66⤵PID:4940
-
\??\c:\6022804.exec:\6022804.exe67⤵PID:1204
-
\??\c:\tnhbtn.exec:\tnhbtn.exe68⤵PID:4108
-
\??\c:\46048.exec:\46048.exe69⤵PID:3088
-
\??\c:\6622604.exec:\6622604.exe70⤵PID:1572
-
\??\c:\xxrrlff.exec:\xxrrlff.exe71⤵PID:3332
-
\??\c:\6282600.exec:\6282600.exe72⤵PID:1300
-
\??\c:\jdvpd.exec:\jdvpd.exe73⤵
- System Location Discovery: System Language Discovery
PID:2444 -
\??\c:\s6864.exec:\s6864.exe74⤵PID:1160
-
\??\c:\0840666.exec:\0840666.exe75⤵PID:1552
-
\??\c:\tnnhbb.exec:\tnnhbb.exe76⤵PID:2896
-
\??\c:\002648.exec:\002648.exe77⤵PID:4528
-
\??\c:\vpdvp.exec:\vpdvp.exe78⤵PID:3732
-
\??\c:\88264.exec:\88264.exe79⤵PID:2508
-
\??\c:\c000006.exec:\c000006.exe80⤵PID:2628
-
\??\c:\pppjd.exec:\pppjd.exe81⤵PID:2424
-
\??\c:\vjjpd.exec:\vjjpd.exe82⤵PID:4988
-
\??\c:\9bbnnb.exec:\9bbnnb.exe83⤵PID:4920
-
\??\c:\880004.exec:\880004.exe84⤵PID:4308
-
\??\c:\flfxlll.exec:\flfxlll.exe85⤵PID:4348
-
\??\c:\426266.exec:\426266.exe86⤵PID:1064
-
\??\c:\020484.exec:\020484.exe87⤵PID:4828
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe88⤵PID:2080
-
\??\c:\frxrrrl.exec:\frxrrrl.exe89⤵PID:2084
-
\??\c:\vvvpp.exec:\vvvpp.exe90⤵PID:4016
-
\??\c:\vdddv.exec:\vdddv.exe91⤵PID:5076
-
\??\c:\822266.exec:\822266.exe92⤵PID:3684
-
\??\c:\406044.exec:\406044.exe93⤵PID:1456
-
\??\c:\2402280.exec:\2402280.exe94⤵PID:468
-
\??\c:\48480.exec:\48480.exe95⤵PID:4688
-
\??\c:\844400.exec:\844400.exe96⤵PID:4912
-
\??\c:\48004.exec:\48004.exe97⤵PID:1284
-
\??\c:\6066008.exec:\6066008.exe98⤵PID:3068
-
\??\c:\vdjjj.exec:\vdjjj.exe99⤵PID:5112
-
\??\c:\pjvjv.exec:\pjvjv.exe100⤵PID:2044
-
\??\c:\2642468.exec:\2642468.exe101⤵PID:3160
-
\??\c:\06400.exec:\06400.exe102⤵PID:3676
-
\??\c:\jdddv.exec:\jdddv.exe103⤵PID:1136
-
\??\c:\s0626.exec:\s0626.exe104⤵PID:4864
-
\??\c:\rlrrlll.exec:\rlrrlll.exe105⤵PID:4340
-
\??\c:\0404444.exec:\0404444.exe106⤵PID:1388
-
\??\c:\m6082.exec:\m6082.exe107⤵PID:1412
-
\??\c:\thhhbb.exec:\thhhbb.exe108⤵PID:3908
-
\??\c:\9vvpd.exec:\9vvpd.exe109⤵PID:4084
-
\??\c:\u240864.exec:\u240864.exe110⤵PID:3944
-
\??\c:\frlffxr.exec:\frlffxr.exe111⤵PID:4996
-
\??\c:\rlfxllf.exec:\rlfxllf.exe112⤵PID:3952
-
\??\c:\60840.exec:\60840.exe113⤵PID:5008
-
\??\c:\4244460.exec:\4244460.exe114⤵PID:1948
-
\??\c:\llxxffl.exec:\llxxffl.exe115⤵PID:3936
-
\??\c:\5lrlflf.exec:\5lrlflf.exe116⤵PID:3096
-
\??\c:\tttnnh.exec:\tttnnh.exe117⤵PID:3136
-
\??\c:\thhnhh.exec:\thhnhh.exe118⤵PID:4552
-
\??\c:\thhhhh.exec:\thhhhh.exe119⤵PID:5056
-
\??\c:\00886.exec:\00886.exe120⤵PID:4788
-
\??\c:\266602.exec:\266602.exe121⤵PID:2332
-
\??\c:\48822.exec:\48822.exe122⤵PID:3080