Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-12-2024 00:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
48b52a531bb1cf147bb9a60e7fb7bcc5b24b2b81bf45c8ff3bbc5986c2d93b09N.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
48b52a531bb1cf147bb9a60e7fb7bcc5b24b2b81bf45c8ff3bbc5986c2d93b09N.exe
-
Size
453KB
-
MD5
649c4192a242d7162a70baf2eeff2bf0
-
SHA1
2883eb2173b05c490367dcd9c0c20af9ddbdabac
-
SHA256
48b52a531bb1cf147bb9a60e7fb7bcc5b24b2b81bf45c8ff3bbc5986c2d93b09
-
SHA512
54600462fedcf7b92dd33e7febc82bc642a33d46d81e7bb3d5463fc95da30f7f8e46d21acfd12633531d2aa5d4569c8f3ae8ca6f7d824c102fb4dd3e360065cc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/628-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1044-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4132-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-845-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-1117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-1136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-1759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3604-1867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1128 lffxxxr.exe 1676 1jvpj.exe 4932 pvjjj.exe 548 vdpjd.exe 1692 jpdpj.exe 1708 pjjjd.exe 4572 642222.exe 2116 k28844.exe 4064 66280.exe 2104 w80048.exe 5084 8460482.exe 3604 s0264.exe 3004 3djdv.exe 1932 btbttn.exe 1592 bttbtn.exe 4516 w06480.exe 2368 ffxrxxf.exe 4444 60402.exe 3960 7xffffl.exe 3860 3tttnn.exe 3612 444444.exe 212 i666044.exe 4956 lflxllx.exe 1444 3tnhht.exe 1044 jddvp.exe 5004 xrxrrlr.exe 4976 dpdvj.exe 1920 422264.exe 1972 xxlfxrl.exe 1648 0220820.exe 916 5jdpj.exe 3208 6280820.exe 4556 6448200.exe 1908 m6884.exe 3300 868682.exe 4732 88422.exe 868 606048.exe 3228 4028284.exe 2536 42488.exe 4412 a6226.exe 4428 c226000.exe 4448 htnhbh.exe 3288 822266.exe 4588 04448.exe 2240 tbhbtn.exe 4672 882064.exe 888 xrfxxrx.exe 2392 dpvjd.exe 4920 20260.exe 1708 4200000.exe 4220 06800.exe 1996 5xffffl.exe 1452 4004242.exe 3088 424444.exe 2564 bhtnbt.exe 5084 lrxrllf.exe 3604 02440.exe 2560 dvpdv.exe 380 ffllfxl.exe 4632 nnnbtb.exe 1004 0448226.exe 4868 3lfxxxx.exe 2324 u400400.exe 3012 rflxrrl.exe -
resource yara_rule behavioral2/memory/628-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4976-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-339-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4476-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-823-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 400026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0060040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2608604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4286044.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o044000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48b52a531bb1cf147bb9a60e7fb7bcc5b24b2b81bf45c8ff3bbc5986c2d93b09N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48482.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 628 wrote to memory of 1128 628 48b52a531bb1cf147bb9a60e7fb7bcc5b24b2b81bf45c8ff3bbc5986c2d93b09N.exe 84 PID 628 wrote to memory of 1128 628 48b52a531bb1cf147bb9a60e7fb7bcc5b24b2b81bf45c8ff3bbc5986c2d93b09N.exe 84 PID 628 wrote to memory of 1128 628 48b52a531bb1cf147bb9a60e7fb7bcc5b24b2b81bf45c8ff3bbc5986c2d93b09N.exe 84 PID 1128 wrote to memory of 1676 1128 lffxxxr.exe 85 PID 1128 wrote to memory of 1676 1128 lffxxxr.exe 85 PID 1128 wrote to memory of 1676 1128 lffxxxr.exe 85 PID 1676 wrote to memory of 4932 1676 1jvpj.exe 86 PID 1676 wrote to memory of 4932 1676 1jvpj.exe 86 PID 1676 wrote to memory of 4932 1676 1jvpj.exe 86 PID 4932 wrote to memory of 548 4932 pvjjj.exe 87 PID 4932 wrote to memory of 548 4932 pvjjj.exe 87 PID 4932 wrote to memory of 548 4932 pvjjj.exe 87 PID 548 wrote to memory of 1692 548 vdpjd.exe 88 PID 548 wrote to memory of 1692 548 vdpjd.exe 88 PID 548 wrote to memory of 1692 548 vdpjd.exe 88 PID 1692 wrote to memory of 1708 1692 jpdpj.exe 89 PID 1692 wrote to memory of 1708 1692 jpdpj.exe 89 PID 1692 wrote to memory of 1708 1692 jpdpj.exe 89 PID 1708 wrote to memory of 4572 1708 pjjjd.exe 90 PID 1708 wrote to memory of 4572 1708 pjjjd.exe 90 PID 1708 wrote to memory of 4572 1708 pjjjd.exe 90 PID 4572 wrote to memory of 2116 4572 642222.exe 91 PID 4572 wrote to memory of 2116 4572 642222.exe 91 PID 4572 wrote to memory of 2116 4572 642222.exe 91 PID 2116 wrote to memory of 4064 2116 k28844.exe 92 PID 2116 wrote to memory of 4064 2116 k28844.exe 92 PID 2116 wrote to memory of 4064 2116 k28844.exe 92 PID 4064 wrote to memory of 2104 4064 66280.exe 93 PID 4064 wrote to memory of 2104 4064 66280.exe 93 PID 4064 wrote to memory of 2104 4064 66280.exe 93 PID 2104 wrote to memory of 5084 2104 w80048.exe 94 PID 2104 wrote to memory of 5084 2104 w80048.exe 94 PID 2104 wrote to memory of 5084 2104 w80048.exe 94 PID 5084 wrote to memory of 3604 5084 8460482.exe 95 PID 5084 wrote to memory of 3604 5084 
8460482.exe 95 PID 5084 wrote to memory of 3604 5084 8460482.exe 95 PID 3604 wrote to memory of 3004 3604 s0264.exe 96 PID 3604 wrote to memory of 3004 3604 s0264.exe 96 PID 3604 wrote to memory of 3004 3604 s0264.exe 96 PID 3004 wrote to memory of 1932 3004 3djdv.exe 97 PID 3004 wrote to memory of 1932 3004 3djdv.exe 97 PID 3004 wrote to memory of 1932 3004 3djdv.exe 97 PID 1932 wrote to memory of 1592 1932 btbttn.exe 98 PID 1932 wrote to memory of 1592 1932 btbttn.exe 98 PID 1932 wrote to memory of 1592 1932 btbttn.exe 98 PID 1592 wrote to memory of 4516 1592 bttbtn.exe 99 PID 1592 wrote to memory of 4516 1592 bttbtn.exe 99 PID 1592 wrote to memory of 4516 1592 bttbtn.exe 99 PID 4516 wrote to memory of 2368 4516 w06480.exe 100 PID 4516 wrote to memory of 2368 4516 w06480.exe 100 PID 4516 wrote to memory of 2368 4516 w06480.exe 100 PID 2368 wrote to memory of 4444 2368 ffxrxxf.exe 101 PID 2368 wrote to memory of 4444 2368 ffxrxxf.exe 101 PID 2368 wrote to memory of 4444 2368 ffxrxxf.exe 101 PID 4444 wrote to memory of 3960 4444 60402.exe 102 PID 4444 wrote to memory of 3960 4444 60402.exe 102 PID 4444 wrote to memory of 3960 4444 60402.exe 102 PID 3960 wrote to memory of 3860 3960 7xffffl.exe 103 PID 3960 wrote to memory of 3860 3960 7xffffl.exe 103 PID 3960 wrote to memory of 3860 3960 7xffffl.exe 103 PID 3860 wrote to memory of 3612 3860 3tttnn.exe 104 PID 3860 wrote to memory of 3612 3860 3tttnn.exe 104 PID 3860 wrote to memory of 3612 3860 3tttnn.exe 104 PID 3612 wrote to memory of 212 3612 444444.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\48b52a531bb1cf147bb9a60e7fb7bcc5b24b2b81bf45c8ff3bbc5986c2d93b09N.exe"C:\Users\Admin\AppData\Local\Temp\48b52a531bb1cf147bb9a60e7fb7bcc5b24b2b81bf45c8ff3bbc5986c2d93b09N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\lffxxxr.exec:\lffxxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\1jvpj.exec:\1jvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\pvjjj.exec:\pvjjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\vdpjd.exec:\vdpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\jpdpj.exec:\jpdpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\pjjjd.exec:\pjjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\642222.exec:\642222.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\k28844.exec:\k28844.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\66280.exec:\66280.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\w80048.exec:\w80048.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\8460482.exec:\8460482.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\s0264.exec:\s0264.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\3djdv.exec:\3djdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\btbttn.exec:\btbttn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\bttbtn.exec:\bttbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\w06480.exec:\w06480.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\ffxrxxf.exec:\ffxrxxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\60402.exec:\60402.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\7xffffl.exec:\7xffffl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\3tttnn.exec:\3tttnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\444444.exec:\444444.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\i666044.exec:\i666044.exe23⤵
- Executes dropped EXE
PID:212 -
\??\c:\lflxllx.exec:\lflxllx.exe24⤵
- Executes dropped EXE
PID:4956 -
\??\c:\3tnhht.exec:\3tnhht.exe25⤵
- Executes dropped EXE
PID:1444 -
\??\c:\jddvp.exec:\jddvp.exe26⤵
- Executes dropped EXE
PID:1044 -
\??\c:\xrxrrlr.exec:\xrxrrlr.exe27⤵
- Executes dropped EXE
PID:5004 -
\??\c:\dpdvj.exec:\dpdvj.exe28⤵
- Executes dropped EXE
PID:4976 -
\??\c:\422264.exec:\422264.exe29⤵
- Executes dropped EXE
PID:1920 -
\??\c:\xxlfxrl.exec:\xxlfxrl.exe30⤵
- Executes dropped EXE
PID:1972 -
\??\c:\0220820.exec:\0220820.exe31⤵
- Executes dropped EXE
PID:1648 -
\??\c:\5jdpj.exec:\5jdpj.exe32⤵
- Executes dropped EXE
PID:916 -
\??\c:\6280820.exec:\6280820.exe33⤵
- Executes dropped EXE
PID:3208 -
\??\c:\6448200.exec:\6448200.exe34⤵
- Executes dropped EXE
PID:4556 -
\??\c:\m6884.exec:\m6884.exe35⤵
- Executes dropped EXE
PID:1908 -
\??\c:\868682.exec:\868682.exe36⤵
- Executes dropped EXE
PID:3300 -
\??\c:\88422.exec:\88422.exe37⤵
- Executes dropped EXE
PID:4732 -
\??\c:\606048.exec:\606048.exe38⤵
- Executes dropped EXE
PID:868 -
\??\c:\4028284.exec:\4028284.exe39⤵
- Executes dropped EXE
PID:3228 -
\??\c:\42488.exec:\42488.exe40⤵
- Executes dropped EXE
PID:2536 -
\??\c:\a6226.exec:\a6226.exe41⤵
- Executes dropped EXE
PID:4412 -
\??\c:\c226000.exec:\c226000.exe42⤵
- Executes dropped EXE
PID:4428 -
\??\c:\htnhbh.exec:\htnhbh.exe43⤵
- Executes dropped EXE
PID:4448 -
\??\c:\822266.exec:\822266.exe44⤵
- Executes dropped EXE
PID:3288 -
\??\c:\04448.exec:\04448.exe45⤵
- Executes dropped EXE
PID:4588 -
\??\c:\tbhbtn.exec:\tbhbtn.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2240 -
\??\c:\882064.exec:\882064.exe47⤵
- Executes dropped EXE
PID:4672 -
\??\c:\xrfxxrx.exec:\xrfxxrx.exe48⤵
- Executes dropped EXE
PID:888 -
\??\c:\dpvjd.exec:\dpvjd.exe49⤵
- Executes dropped EXE
PID:2392 -
\??\c:\20260.exec:\20260.exe50⤵
- Executes dropped EXE
PID:4920 -
\??\c:\4200000.exec:\4200000.exe51⤵
- Executes dropped EXE
PID:1708 -
\??\c:\06800.exec:\06800.exe52⤵
- Executes dropped EXE
PID:4220 -
\??\c:\5xffffl.exec:\5xffffl.exe53⤵
- Executes dropped EXE
PID:1996 -
\??\c:\4004242.exec:\4004242.exe54⤵
- Executes dropped EXE
PID:1452 -
\??\c:\424444.exec:\424444.exe55⤵
- Executes dropped EXE
PID:3088 -
\??\c:\bhtnbt.exec:\bhtnbt.exe56⤵
- Executes dropped EXE
PID:2564 -
\??\c:\lrxrllf.exec:\lrxrllf.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5084 -
\??\c:\02440.exec:\02440.exe58⤵
- Executes dropped EXE
PID:3604 -
\??\c:\dvpdv.exec:\dvpdv.exe59⤵
- Executes dropped EXE
PID:2560 -
\??\c:\ffllfxl.exec:\ffllfxl.exe60⤵
- Executes dropped EXE
PID:380 -
\??\c:\nnnbtb.exec:\nnnbtb.exe61⤵
- Executes dropped EXE
PID:4632 -
\??\c:\0448226.exec:\0448226.exe62⤵
- Executes dropped EXE
PID:1004 -
\??\c:\3lfxxxx.exec:\3lfxxxx.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4868 -
\??\c:\u400400.exec:\u400400.exe64⤵
- Executes dropped EXE
PID:2324 -
\??\c:\rflxrrl.exec:\rflxrrl.exe65⤵
- Executes dropped EXE
PID:3012 -
\??\c:\646600.exec:\646600.exe66⤵PID:3792
-
\??\c:\842882.exec:\842882.exe67⤵PID:2284
-
\??\c:\nbhtnh.exec:\nbhtnh.exe68⤵PID:4792
-
\??\c:\0066442.exec:\0066442.exe69⤵PID:3864
-
\??\c:\w22260.exec:\w22260.exe70⤵PID:4132
-
\??\c:\62840.exec:\62840.exe71⤵PID:3612
-
\??\c:\240466.exec:\240466.exe72⤵PID:3656
-
\??\c:\8822048.exec:\8822048.exe73⤵PID:1608
-
\??\c:\vjdvp.exec:\vjdvp.exe74⤵PID:536
-
\??\c:\e40604.exec:\e40604.exe75⤵PID:1732
-
\??\c:\606000.exec:\606000.exe76⤵PID:1072
-
\??\c:\9vpjd.exec:\9vpjd.exe77⤵PID:4860
-
\??\c:\e86206.exec:\e86206.exe78⤵PID:4476
-
\??\c:\htthtn.exec:\htthtn.exe79⤵PID:4660
-
\??\c:\428262.exec:\428262.exe80⤵PID:4676
-
\??\c:\4244040.exec:\4244040.exe81⤵PID:1944
-
\??\c:\jvpjj.exec:\jvpjj.exe82⤵PID:2200
-
\??\c:\rlrfxll.exec:\rlrfxll.exe83⤵PID:4580
-
\??\c:\684848.exec:\684848.exe84⤵PID:4400
-
\??\c:\jvvpp.exec:\jvvpp.exe85⤵PID:916
-
\??\c:\btthhn.exec:\btthhn.exe86⤵PID:1596
-
\??\c:\pvdvp.exec:\pvdvp.exe87⤵PID:4784
-
\??\c:\fxrrxff.exec:\fxrrxff.exe88⤵PID:3696
-
\??\c:\e62600.exec:\e62600.exe89⤵PID:3564
-
\??\c:\frxfffx.exec:\frxfffx.exe90⤵PID:3300
-
\??\c:\4888226.exec:\4888226.exe91⤵PID:4732
-
\??\c:\s4420.exec:\s4420.exe92⤵PID:868
-
\??\c:\c008608.exec:\c008608.exe93⤵PID:3052
-
\??\c:\c060882.exec:\c060882.exe94⤵PID:2536
-
\??\c:\vdjvp.exec:\vdjvp.exe95⤵PID:844
-
\??\c:\ppjvj.exec:\ppjvj.exe96⤵PID:4428
-
\??\c:\0444822.exec:\0444822.exe97⤵PID:3804
-
\??\c:\djvjd.exec:\djvjd.exe98⤵PID:1168
-
\??\c:\hnhtth.exec:\hnhtth.exe99⤵PID:4552
-
\??\c:\xrfrfxr.exec:\xrfrfxr.exe100⤵PID:1912
-
\??\c:\bthntn.exec:\bthntn.exe101⤵PID:1848
-
\??\c:\624860.exec:\624860.exe102⤵PID:4672
-
\??\c:\vvdvj.exec:\vvdvj.exe103⤵PID:888
-
\??\c:\62082.exec:\62082.exe104⤵PID:2868
-
\??\c:\k82048.exec:\k82048.exe105⤵PID:4812
-
\??\c:\ppjpp.exec:\ppjpp.exe106⤵PID:4308
-
\??\c:\xxlxlfx.exec:\xxlxlfx.exe107⤵PID:4572
-
\??\c:\7tbnbt.exec:\7tbnbt.exe108⤵PID:952
-
\??\c:\5hhtnn.exec:\5hhtnn.exe109⤵PID:4220
-
\??\c:\426480.exec:\426480.exe110⤵
- System Location Discovery: System Language Discovery
PID:3312 -
\??\c:\k66486.exec:\k66486.exe111⤵PID:1836
-
\??\c:\xrlfrxr.exec:\xrlfrxr.exe112⤵PID:1632
-
\??\c:\thtbtn.exec:\thtbtn.exe113⤵PID:4592
-
\??\c:\vdvpj.exec:\vdvpj.exe114⤵PID:5012
-
\??\c:\ddpdd.exec:\ddpdd.exe115⤵PID:2532
-
\??\c:\o486482.exec:\o486482.exe116⤵PID:3124
-
\??\c:\jddpp.exec:\jddpp.exe117⤵PID:1468
-
\??\c:\hhtbtb.exec:\hhtbtb.exe118⤵PID:4512
-
\??\c:\60886.exec:\60886.exe119⤵PID:4972
-
\??\c:\fxlffff.exec:\fxlffff.exe120⤵PID:208
-
\??\c:\lxfflll.exec:\lxfflll.exe121⤵PID:1680
-
\??\c:\bhnbbt.exec:\bhnbbt.exe122⤵PID:5108
-