Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 01:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe
-
Size
454KB
-
MD5
aaba414e6944667286578bf8f57ced30
-
SHA1
354293ea0b6bf7d95a283a038c5947fbede39659
-
SHA256
4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3b
-
SHA512
e3d210f78b350b5158b02b9f0eeb471e224f3a8a42a54acce2a6d2cab08d15ef1b41e10198d248ece93c1c689808714d3f855cf32ddbb310e7d38d16cb6577ff
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4596-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4904-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4664-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-926-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3760 4406682.exe 4664 tnnbhb.exe 5044 08060.exe 4084 lllfxrl.exe 1972 22608.exe 2612 4226442.exe 3068 nhnhhb.exe 4204 60044.exe 3024 9hhnbt.exe 4068 xrxrrrx.exe 2112 8482048.exe 4736 8060886.exe 3592 xrrlffx.exe 2252 04086.exe 408 640482.exe 2544 2288608.exe 2928 0864444.exe 2384 k24888.exe 2016 u064486.exe 748 lxxxrll.exe 4956 pvdpd.exe 2592 6066262.exe 2180 266204.exe 2760 208200.exe 3496 7dvjd.exe 3544 jpvjv.exe 2192 084860.exe 4040 frrrfxr.exe 3272 hbttbt.exe 2972 c460606.exe 1444 26204.exe 3964 ntbnnb.exe 1596 hhnhtt.exe 668 086286.exe 4904 2448260.exe 3396 6086224.exe 5092 dppdv.exe 1620 vdjdp.exe 4844 08426.exe 3108 jpvjv.exe 4588 dvjdp.exe 4404 40420.exe 3708 0420000.exe 4624 lxrlxxr.exe 1380 6226226.exe 2480 7dddv.exe 2056 tbbthb.exe 3460 tbthbb.exe 2104 5rrfxrf.exe 2572 22820.exe 2684 8848604.exe 4368 0408044.exe 4432 g6608.exe 4224 2008604.exe 2412 7pppj.exe 4664 2260482.exe 3372 jppjd.exe 2132 c004826.exe 2764 xfrlxrl.exe 3512 1hnhhh.exe 4824 88260.exe 4204 nbhthb.exe 3668 2664820.exe 3128 084226.exe -
resource yara_rule behavioral2/memory/4596-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-191-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1596-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-394-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4072-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-589-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q68288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0462048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4026004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4060066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k88868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0262448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8008608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4596 wrote to memory of 3760 4596 4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe 85 PID 4596 wrote to memory of 3760 4596 4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe 85 PID 4596 wrote to memory of 3760 4596 4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe 85 PID 3760 wrote to memory of 4664 3760 4406682.exe 140 PID 3760 wrote to memory of 4664 3760 4406682.exe 140 PID 3760 wrote to memory of 4664 3760 4406682.exe 140 PID 4664 wrote to memory of 5044 4664 tnnbhb.exe 87 PID 4664 wrote to memory of 5044 4664 tnnbhb.exe 87 PID 4664 wrote to memory of 5044 4664 tnnbhb.exe 87 PID 5044 wrote to memory of 4084 5044 08060.exe 88 PID 5044 wrote to memory of 4084 5044 08060.exe 88 PID 5044 wrote to memory of 4084 5044 08060.exe 88 PID 4084 wrote to memory of 1972 4084 lllfxrl.exe 89 PID 4084 wrote to memory of 1972 4084 lllfxrl.exe 89 PID 4084 wrote to memory of 1972 4084 lllfxrl.exe 89 PID 1972 wrote to memory of 2612 1972 22608.exe 90 PID 1972 wrote to memory of 2612 1972 22608.exe 90 PID 1972 wrote to memory of 2612 1972 22608.exe 90 PID 2612 wrote to memory of 3068 2612 4226442.exe 91 PID 2612 wrote to memory of 3068 2612 4226442.exe 91 PID 2612 wrote to memory of 3068 2612 4226442.exe 91 PID 3068 wrote to memory of 4204 3068 nhnhhb.exe 92 PID 3068 wrote to memory of 4204 3068 nhnhhb.exe 92 PID 3068 wrote to memory of 4204 3068 nhnhhb.exe 92 PID 4204 wrote to memory of 3024 4204 60044.exe 93 PID 4204 wrote to memory of 3024 4204 60044.exe 93 PID 4204 wrote to memory of 3024 4204 60044.exe 93 PID 3024 wrote to memory of 4068 3024 9hhnbt.exe 94 PID 3024 wrote to memory of 4068 3024 9hhnbt.exe 94 PID 3024 wrote to memory of 4068 3024 9hhnbt.exe 94 PID 4068 wrote to memory of 2112 4068 xrxrrrx.exe 95 PID 4068 wrote to memory of 2112 4068 xrxrrrx.exe 95 PID 4068 wrote to memory of 2112 4068 xrxrrrx.exe 95 PID 2112 wrote to memory of 4736 2112 8482048.exe 96 PID 2112 
wrote to memory of 4736 2112 8482048.exe 96 PID 2112 wrote to memory of 4736 2112 8482048.exe 96 PID 4736 wrote to memory of 3592 4736 8060886.exe 97 PID 4736 wrote to memory of 3592 4736 8060886.exe 97 PID 4736 wrote to memory of 3592 4736 8060886.exe 97 PID 3592 wrote to memory of 2252 3592 xrrlffx.exe 98 PID 3592 wrote to memory of 2252 3592 xrrlffx.exe 98 PID 3592 wrote to memory of 2252 3592 xrrlffx.exe 98 PID 2252 wrote to memory of 408 2252 04086.exe 99 PID 2252 wrote to memory of 408 2252 04086.exe 99 PID 2252 wrote to memory of 408 2252 04086.exe 99 PID 408 wrote to memory of 2544 408 640482.exe 100 PID 408 wrote to memory of 2544 408 640482.exe 100 PID 408 wrote to memory of 2544 408 640482.exe 100 PID 2544 wrote to memory of 2928 2544 2288608.exe 101 PID 2544 wrote to memory of 2928 2544 2288608.exe 101 PID 2544 wrote to memory of 2928 2544 2288608.exe 101 PID 2928 wrote to memory of 2384 2928 0864444.exe 102 PID 2928 wrote to memory of 2384 2928 0864444.exe 102 PID 2928 wrote to memory of 2384 2928 0864444.exe 102 PID 2384 wrote to memory of 2016 2384 k24888.exe 103 PID 2384 wrote to memory of 2016 2384 k24888.exe 103 PID 2384 wrote to memory of 2016 2384 k24888.exe 103 PID 2016 wrote to memory of 748 2016 u064486.exe 104 PID 2016 wrote to memory of 748 2016 u064486.exe 104 PID 2016 wrote to memory of 748 2016 u064486.exe 104 PID 748 wrote to memory of 4956 748 lxxxrll.exe 105 PID 748 wrote to memory of 4956 748 lxxxrll.exe 105 PID 748 wrote to memory of 4956 748 lxxxrll.exe 105 PID 4956 wrote to memory of 2592 4956 pvdpd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe"C:\Users\Admin\AppData\Local\Temp\4acbd3ae3ea0fd09df4197f6f0a5575fffb12fef3d952041569fea568fe18b3bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\4406682.exec:\4406682.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\tnnbhb.exec:\tnnbhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\08060.exec:\08060.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\lllfxrl.exec:\lllfxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\22608.exec:\22608.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\4226442.exec:\4226442.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\nhnhhb.exec:\nhnhhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\60044.exec:\60044.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\9hhnbt.exec:\9hhnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\xrxrrrx.exec:\xrxrrrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\8482048.exec:\8482048.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\8060886.exec:\8060886.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\xrrlffx.exec:\xrrlffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\04086.exec:\04086.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\640482.exec:\640482.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\2288608.exec:\2288608.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\0864444.exec:\0864444.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\k24888.exec:\k24888.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\u064486.exec:\u064486.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\lxxxrll.exec:\lxxxrll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\pvdpd.exec:\pvdpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\6066262.exec:\6066262.exe23⤵
- Executes dropped EXE
PID:2592 -
\??\c:\266204.exec:\266204.exe24⤵
- Executes dropped EXE
PID:2180 -
\??\c:\208200.exec:\208200.exe25⤵
- Executes dropped EXE
PID:2760 -
\??\c:\7dvjd.exec:\7dvjd.exe26⤵
- Executes dropped EXE
PID:3496 -
\??\c:\jpvjv.exec:\jpvjv.exe27⤵
- Executes dropped EXE
PID:3544 -
\??\c:\084860.exec:\084860.exe28⤵
- Executes dropped EXE
PID:2192 -
\??\c:\frrrfxr.exec:\frrrfxr.exe29⤵
- Executes dropped EXE
PID:4040 -
\??\c:\hbttbt.exec:\hbttbt.exe30⤵
- Executes dropped EXE
PID:3272 -
\??\c:\c460606.exec:\c460606.exe31⤵
- Executes dropped EXE
PID:2972 -
\??\c:\26204.exec:\26204.exe32⤵
- Executes dropped EXE
PID:1444 -
\??\c:\ntbnnb.exec:\ntbnnb.exe33⤵
- Executes dropped EXE
PID:3964 -
\??\c:\hhnhtt.exec:\hhnhtt.exe34⤵
- Executes dropped EXE
PID:1596 -
\??\c:\086286.exec:\086286.exe35⤵
- Executes dropped EXE
PID:668 -
\??\c:\2448260.exec:\2448260.exe36⤵
- Executes dropped EXE
PID:4904 -
\??\c:\6086224.exec:\6086224.exe37⤵
- Executes dropped EXE
PID:3396 -
\??\c:\dppdv.exec:\dppdv.exe38⤵
- Executes dropped EXE
PID:5092 -
\??\c:\vdjdp.exec:\vdjdp.exe39⤵
- Executes dropped EXE
PID:1620 -
\??\c:\08426.exec:\08426.exe40⤵
- Executes dropped EXE
PID:4844 -
\??\c:\jpvjv.exec:\jpvjv.exe41⤵
- Executes dropped EXE
PID:3108 -
\??\c:\dvjdp.exec:\dvjdp.exe42⤵
- Executes dropped EXE
PID:4588 -
\??\c:\40420.exec:\40420.exe43⤵
- Executes dropped EXE
PID:4404 -
\??\c:\0420000.exec:\0420000.exe44⤵
- Executes dropped EXE
PID:3708 -
\??\c:\lxrlxxr.exec:\lxrlxxr.exe45⤵
- Executes dropped EXE
PID:4624 -
\??\c:\6226226.exec:\6226226.exe46⤵
- Executes dropped EXE
PID:1380 -
\??\c:\7dddv.exec:\7dddv.exe47⤵
- Executes dropped EXE
PID:2480 -
\??\c:\tbbthb.exec:\tbbthb.exe48⤵
- Executes dropped EXE
PID:2056 -
\??\c:\tbthbb.exec:\tbthbb.exe49⤵
- Executes dropped EXE
PID:3460 -
\??\c:\5rrfxrf.exec:\5rrfxrf.exe50⤵
- Executes dropped EXE
PID:2104 -
\??\c:\22820.exec:\22820.exe51⤵
- Executes dropped EXE
PID:2572 -
\??\c:\8848604.exec:\8848604.exe52⤵
- Executes dropped EXE
PID:2684 -
\??\c:\0408044.exec:\0408044.exe53⤵
- Executes dropped EXE
PID:4368 -
\??\c:\g6608.exec:\g6608.exe54⤵
- Executes dropped EXE
PID:4432 -
\??\c:\2008604.exec:\2008604.exe55⤵
- Executes dropped EXE
PID:4224 -
\??\c:\7pppj.exec:\7pppj.exe56⤵
- Executes dropped EXE
PID:2412 -
\??\c:\2260482.exec:\2260482.exe57⤵
- Executes dropped EXE
PID:4664 -
\??\c:\jppjd.exec:\jppjd.exe58⤵
- Executes dropped EXE
PID:3372 -
\??\c:\c004826.exec:\c004826.exe59⤵
- Executes dropped EXE
PID:2132 -
\??\c:\xfrlxrl.exec:\xfrlxrl.exe60⤵
- Executes dropped EXE
PID:2764 -
\??\c:\1hnhhh.exec:\1hnhhh.exe61⤵
- Executes dropped EXE
PID:3512 -
\??\c:\88260.exec:\88260.exe62⤵
- Executes dropped EXE
PID:4824 -
\??\c:\nbhthb.exec:\nbhthb.exe63⤵
- Executes dropped EXE
PID:4204 -
\??\c:\2664820.exec:\2664820.exe64⤵
- Executes dropped EXE
PID:3668 -
\??\c:\084226.exec:\084226.exe65⤵
- Executes dropped EXE
PID:3128 -
\??\c:\1xlfrrf.exec:\1xlfrrf.exe66⤵PID:2440
-
\??\c:\thhthb.exec:\thhthb.exe67⤵PID:3504
-
\??\c:\6686820.exec:\6686820.exe68⤵PID:1124
-
\??\c:\6220820.exec:\6220820.exe69⤵PID:3680
-
\??\c:\9xxlxrl.exec:\9xxlxrl.exe70⤵PID:408
-
\??\c:\xflxlfx.exec:\xflxlfx.exe71⤵PID:744
-
\??\c:\4004208.exec:\4004208.exe72⤵PID:812
-
\??\c:\088648.exec:\088648.exe73⤵PID:1860
-
\??\c:\rxxlrrf.exec:\rxxlrrf.exe74⤵PID:464
-
\??\c:\6008440.exec:\6008440.exe75⤵PID:2408
-
\??\c:\0282606.exec:\0282606.exe76⤵PID:4108
-
\??\c:\pjjjd.exec:\pjjjd.exe77⤵PID:4864
-
\??\c:\xlfxlfr.exec:\xlfxlfr.exe78⤵PID:2760
-
\??\c:\08826.exec:\08826.exe79⤵PID:3692
-
\??\c:\vpdvj.exec:\vpdvj.exe80⤵PID:2404
-
\??\c:\hnnhbt.exec:\hnnhbt.exe81⤵PID:3852
-
\??\c:\bnbthb.exec:\bnbthb.exe82⤵PID:4024
-
\??\c:\pjjvp.exec:\pjjvp.exe83⤵PID:2748
-
\??\c:\42000.exec:\42000.exe84⤵PID:4812
-
\??\c:\nbhnnh.exec:\nbhnnh.exe85⤵PID:1856
-
\??\c:\3pdjv.exec:\3pdjv.exe86⤵PID:1596
-
\??\c:\64862.exec:\64862.exe87⤵PID:64
-
\??\c:\286460.exec:\286460.exe88⤵PID:1844
-
\??\c:\8028686.exec:\8028686.exe89⤵PID:5092
-
\??\c:\208886.exec:\208886.exe90⤵PID:2368
-
\??\c:\htbbbt.exec:\htbbbt.exe91⤵PID:3724
-
\??\c:\6486048.exec:\6486048.exe92⤵PID:1108
-
\??\c:\26426.exec:\26426.exe93⤵PID:1528
-
\??\c:\6042264.exec:\6042264.exe94⤵PID:2932
-
\??\c:\46048.exec:\46048.exe95⤵PID:1580
-
\??\c:\k42066.exec:\k42066.exe96⤵PID:4072
-
\??\c:\08864.exec:\08864.exe97⤵PID:4832
-
\??\c:\vpvjp.exec:\vpvjp.exe98⤵PID:3476
-
\??\c:\6664604.exec:\6664604.exe99⤵PID:5024
-
\??\c:\vdjdp.exec:\vdjdp.exe100⤵PID:3632
-
\??\c:\rrflxrl.exec:\rrflxrl.exe101⤵PID:548
-
\??\c:\824200.exec:\824200.exe102⤵PID:4416
-
\??\c:\8484826.exec:\8484826.exe103⤵PID:4808
-
\??\c:\dvpjd.exec:\dvpjd.exe104⤵PID:2348
-
\??\c:\42286.exec:\42286.exe105⤵PID:3760
-
\??\c:\nttnbt.exec:\nttnbt.exe106⤵PID:3392
-
\??\c:\24860.exec:\24860.exe107⤵PID:5044
-
\??\c:\jpvpd.exec:\jpvpd.exe108⤵PID:3652
-
\??\c:\xlxxxfr.exec:\xlxxxfr.exe109⤵PID:3048
-
\??\c:\08464.exec:\08464.exe110⤵PID:2756
-
\??\c:\06462.exec:\06462.exe111⤵PID:5076
-
\??\c:\e22088.exec:\e22088.exe112⤵PID:1428
-
\??\c:\vjjjd.exec:\vjjjd.exe113⤵PID:372
-
\??\c:\nbbttn.exec:\nbbttn.exe114⤵PID:4824
-
\??\c:\bhhbhb.exec:\bhhbhb.exe115⤵PID:3616
-
\??\c:\846026.exec:\846026.exe116⤵PID:1972
-
\??\c:\hbtnbt.exec:\hbtnbt.exe117⤵PID:3436
-
\??\c:\8224626.exec:\8224626.exe118⤵PID:1936
-
\??\c:\ntthtb.exec:\ntthtb.exe119⤵PID:4820
-
\??\c:\rfxflrf.exec:\rfxflrf.exe120⤵PID:1124
-
\??\c:\04420.exec:\04420.exe121⤵PID:2112
-
\??\c:\q44866.exec:\q44866.exe122⤵PID:4764