Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20/12/2024, 02:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe
-
Size
454KB
-
MD5
dcc0713afae461656b0300b7f0c71ce0
-
SHA1
511a84f3d09b24835861c6915225c65ad1c0b444
-
SHA256
f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65
-
SHA512
fb543600d2a271ab833bb1e02dad1f81b7c3f1d02bd9034c3e61d2783090fb2fc30811506e5fd51b3dca2d935c38b859a343daa18b40b51710505c768d90825b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3120-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3388-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1048-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2692-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4320 ntnhbt.exe 1656 xffffrx.exe 4508 dppjv.exe 684 vddvj.exe 4688 260426.exe 3440 42682.exe 3788 806044.exe 3952 xrfrfrf.exe 396 jjjvd.exe 404 htbntn.exe 536 btthbn.exe 4528 jdjvj.exe 2256 6648642.exe 4884 jdvpd.exe 3040 20022.exe 1048 llfrxxr.exe 5040 020622.exe 1928 lxxllfx.exe 1480 084488.exe 5052 3tnnhn.exe 2180 26840.exe 4208 486608.exe 3716 hbbttt.exe 2444 xlrlfrl.exe 3388 hnnhbb.exe 400 040444.exe 4784 xxxlfrx.exe 864 a0000.exe 2380 lxrlfxr.exe 916 jdjvv.exe 1880 vjddd.exe 2252 4280660.exe 4020 8444844.exe 2620 1tbhnt.exe 3116 604864.exe 632 28822.exe 3980 0682888.exe 3684 nhhhbh.exe 3164 pvvdp.exe 316 dvvpj.exe 3328 dvdvv.exe 3988 24266.exe 1860 rxxxrrl.exe 3092 42622.exe 4696 llrlfxr.exe 1692 dvdpj.exe 704 nthbtt.exe 3384 nhhhbn.exe 1888 tttnnn.exe 1756 66666.exe 5080 7lrllrl.exe 4484 e06044.exe 1656 pvjjp.exe 4104 4060442.exe 4552 9hhhbb.exe 3672 80860.exe 1312 xlrlfxr.exe 3592 0826880.exe 2904 u244002.exe 1676 62802.exe 3788 lrrxlxl.exe 1392 1ppdv.exe 4356 488260.exe 3496 4222004.exe -
resource yara_rule behavioral2/memory/3120-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/916-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-363-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2400-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-541-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2666004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0208866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2442042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w40060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2040240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4622600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3120 wrote to memory of 4320 3120 f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe 83 PID 3120 wrote to memory of 4320 3120 f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe 83 PID 3120 wrote to memory of 4320 3120 f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe 83 PID 4320 wrote to memory of 1656 4320 ntnhbt.exe 84 PID 4320 wrote to memory of 1656 4320 ntnhbt.exe 84 PID 4320 wrote to memory of 1656 4320 ntnhbt.exe 84 PID 1656 wrote to memory of 4508 1656 xffffrx.exe 85 PID 1656 wrote to memory of 4508 1656 xffffrx.exe 85 PID 1656 wrote to memory of 4508 1656 xffffrx.exe 85 PID 4508 wrote to memory of 684 4508 dppjv.exe 86 PID 4508 wrote to memory of 684 4508 dppjv.exe 86 PID 4508 wrote to memory of 684 4508 dppjv.exe 86 PID 684 wrote to memory of 4688 684 vddvj.exe 87 PID 684 wrote to memory of 4688 684 vddvj.exe 87 PID 684 wrote to memory of 4688 684 vddvj.exe 87 PID 4688 wrote to memory of 3440 4688 260426.exe 88 PID 4688 wrote to memory of 3440 4688 260426.exe 88 PID 4688 wrote to memory of 3440 4688 260426.exe 88 PID 3440 wrote to memory of 3788 3440 42682.exe 89 PID 3440 wrote to memory of 3788 3440 42682.exe 89 PID 3440 wrote to memory of 3788 3440 42682.exe 89 PID 3788 wrote to memory of 3952 3788 806044.exe 90 PID 3788 wrote to memory of 3952 3788 806044.exe 90 PID 3788 wrote to memory of 3952 3788 806044.exe 90 PID 3952 wrote to memory of 396 3952 xrfrfrf.exe 91 PID 3952 wrote to memory of 396 3952 xrfrfrf.exe 91 PID 3952 wrote to memory of 396 3952 xrfrfrf.exe 91 PID 396 wrote to memory of 404 396 jjjvd.exe 92 PID 396 wrote to memory of 404 396 jjjvd.exe 92 PID 396 wrote to memory of 404 396 jjjvd.exe 92 PID 404 wrote to memory of 536 404 htbntn.exe 93 PID 404 wrote to memory of 536 404 htbntn.exe 93 PID 404 wrote to memory of 536 404 htbntn.exe 93 PID 536 wrote to memory of 4528 536 btthbn.exe 94 PID 536 wrote to memory of 4528 536 btthbn.exe 94 PID 
536 wrote to memory of 4528 536 btthbn.exe 94 PID 4528 wrote to memory of 2256 4528 jdjvj.exe 95 PID 4528 wrote to memory of 2256 4528 jdjvj.exe 95 PID 4528 wrote to memory of 2256 4528 jdjvj.exe 95 PID 2256 wrote to memory of 4884 2256 6648642.exe 96 PID 2256 wrote to memory of 4884 2256 6648642.exe 96 PID 2256 wrote to memory of 4884 2256 6648642.exe 96 PID 4884 wrote to memory of 3040 4884 jdvpd.exe 97 PID 4884 wrote to memory of 3040 4884 jdvpd.exe 97 PID 4884 wrote to memory of 3040 4884 jdvpd.exe 97 PID 3040 wrote to memory of 1048 3040 20022.exe 98 PID 3040 wrote to memory of 1048 3040 20022.exe 98 PID 3040 wrote to memory of 1048 3040 20022.exe 98 PID 1048 wrote to memory of 5040 1048 llfrxxr.exe 99 PID 1048 wrote to memory of 5040 1048 llfrxxr.exe 99 PID 1048 wrote to memory of 5040 1048 llfrxxr.exe 99 PID 5040 wrote to memory of 1928 5040 020622.exe 100 PID 5040 wrote to memory of 1928 5040 020622.exe 100 PID 5040 wrote to memory of 1928 5040 020622.exe 100 PID 1928 wrote to memory of 1480 1928 lxxllfx.exe 101 PID 1928 wrote to memory of 1480 1928 lxxllfx.exe 101 PID 1928 wrote to memory of 1480 1928 lxxllfx.exe 101 PID 1480 wrote to memory of 5052 1480 084488.exe 102 PID 1480 wrote to memory of 5052 1480 084488.exe 102 PID 1480 wrote to memory of 5052 1480 084488.exe 102 PID 5052 wrote to memory of 2180 5052 3tnnhn.exe 103 PID 5052 wrote to memory of 2180 5052 3tnnhn.exe 103 PID 5052 wrote to memory of 2180 5052 3tnnhn.exe 103 PID 2180 wrote to memory of 4208 2180 26840.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe"C:\Users\Admin\AppData\Local\Temp\f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\ntnhbt.exec:\ntnhbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\xffffrx.exec:\xffffrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\dppjv.exec:\dppjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\vddvj.exec:\vddvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\260426.exec:\260426.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\42682.exec:\42682.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\806044.exec:\806044.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\xrfrfrf.exec:\xrfrfrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\jjjvd.exec:\jjjvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\htbntn.exec:\htbntn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\btthbn.exec:\btthbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\jdjvj.exec:\jdjvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\6648642.exec:\6648642.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\jdvpd.exec:\jdvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\20022.exec:\20022.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\llfrxxr.exec:\llfrxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\020622.exec:\020622.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\lxxllfx.exec:\lxxllfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\084488.exec:\084488.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\3tnnhn.exec:\3tnnhn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\26840.exec:\26840.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\486608.exec:\486608.exe23⤵
- Executes dropped EXE
PID:4208 -
\??\c:\hbbttt.exec:\hbbttt.exe24⤵
- Executes dropped EXE
PID:3716 -
\??\c:\xlrlfrl.exec:\xlrlfrl.exe25⤵
- Executes dropped EXE
PID:2444 -
\??\c:\hnnhbb.exec:\hnnhbb.exe26⤵
- Executes dropped EXE
PID:3388 -
\??\c:\040444.exec:\040444.exe27⤵
- Executes dropped EXE
PID:400 -
\??\c:\xxxlfrx.exec:\xxxlfrx.exe28⤵
- Executes dropped EXE
PID:4784 -
\??\c:\a0000.exec:\a0000.exe29⤵
- Executes dropped EXE
PID:864 -
\??\c:\lxrlfxr.exec:\lxrlfxr.exe30⤵
- Executes dropped EXE
PID:2380 -
\??\c:\jdjvv.exec:\jdjvv.exe31⤵
- Executes dropped EXE
PID:916 -
\??\c:\vjddd.exec:\vjddd.exe32⤵
- Executes dropped EXE
PID:1880 -
\??\c:\4280660.exec:\4280660.exe33⤵
- Executes dropped EXE
PID:2252 -
\??\c:\8444844.exec:\8444844.exe34⤵
- Executes dropped EXE
PID:4020 -
\??\c:\1tbhnt.exec:\1tbhnt.exe35⤵
- Executes dropped EXE
PID:2620 -
\??\c:\604864.exec:\604864.exe36⤵
- Executes dropped EXE
PID:3116 -
\??\c:\28822.exec:\28822.exe37⤵
- Executes dropped EXE
PID:632 -
\??\c:\0682888.exec:\0682888.exe38⤵
- Executes dropped EXE
PID:3980 -
\??\c:\nhhhbh.exec:\nhhhbh.exe39⤵
- Executes dropped EXE
PID:3684 -
\??\c:\pvvdp.exec:\pvvdp.exe40⤵
- Executes dropped EXE
PID:3164 -
\??\c:\dvvpj.exec:\dvvpj.exe41⤵
- Executes dropped EXE
PID:316 -
\??\c:\dvdvv.exec:\dvdvv.exe42⤵
- Executes dropped EXE
PID:3328 -
\??\c:\24266.exec:\24266.exe43⤵
- Executes dropped EXE
PID:3988 -
\??\c:\rxxxrrl.exec:\rxxxrrl.exe44⤵
- Executes dropped EXE
PID:1860 -
\??\c:\42622.exec:\42622.exe45⤵
- Executes dropped EXE
PID:3092 -
\??\c:\llrlfxr.exec:\llrlfxr.exe46⤵
- Executes dropped EXE
PID:4696 -
\??\c:\dvdpj.exec:\dvdpj.exe47⤵
- Executes dropped EXE
PID:1692 -
\??\c:\nthbtt.exec:\nthbtt.exe48⤵
- Executes dropped EXE
PID:704 -
\??\c:\nhhhbn.exec:\nhhhbn.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3384 -
\??\c:\tttnnn.exec:\tttnnn.exe50⤵
- Executes dropped EXE
PID:1888 -
\??\c:\06442.exec:\06442.exe51⤵PID:1328
-
\??\c:\66666.exec:\66666.exe52⤵
- Executes dropped EXE
PID:1756 -
\??\c:\7lrllrl.exec:\7lrllrl.exe53⤵
- Executes dropped EXE
PID:5080 -
\??\c:\e06044.exec:\e06044.exe54⤵
- Executes dropped EXE
PID:4484 -
\??\c:\pvjjp.exec:\pvjjp.exe55⤵
- Executes dropped EXE
PID:1656 -
\??\c:\4060442.exec:\4060442.exe56⤵
- Executes dropped EXE
PID:4104 -
\??\c:\9hhhbb.exec:\9hhhbb.exe57⤵
- Executes dropped EXE
PID:4552 -
\??\c:\80860.exec:\80860.exe58⤵
- Executes dropped EXE
PID:3672 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe59⤵
- Executes dropped EXE
PID:1312 -
\??\c:\0826880.exec:\0826880.exe60⤵
- Executes dropped EXE
PID:3592 -
\??\c:\u244002.exec:\u244002.exe61⤵
- Executes dropped EXE
PID:2904 -
\??\c:\62802.exec:\62802.exe62⤵
- Executes dropped EXE
PID:1676 -
\??\c:\lrrxlxl.exec:\lrrxlxl.exe63⤵
- Executes dropped EXE
PID:3788 -
\??\c:\1ppdv.exec:\1ppdv.exe64⤵
- Executes dropped EXE
PID:1392 -
\??\c:\488260.exec:\488260.exe65⤵
- Executes dropped EXE
PID:4356 -
\??\c:\4222004.exec:\4222004.exe66⤵
- Executes dropped EXE
PID:3496 -
\??\c:\6240442.exec:\6240442.exe67⤵PID:1600
-
\??\c:\9xrrlxr.exec:\9xrrlxr.exe68⤵PID:1884
-
\??\c:\nbbttt.exec:\nbbttt.exe69⤵PID:4172
-
\??\c:\82482.exec:\82482.exe70⤵PID:4112
-
\??\c:\622648.exec:\622648.exe71⤵PID:4448
-
\??\c:\vpjjv.exec:\vpjjv.exe72⤵PID:1048
-
\??\c:\28660.exec:\28660.exe73⤵PID:4636
-
\??\c:\82668.exec:\82668.exe74⤵PID:4504
-
\??\c:\nbnnhn.exec:\nbnnhn.exe75⤵PID:4092
-
\??\c:\26220.exec:\26220.exe76⤵PID:920
-
\??\c:\2882604.exec:\2882604.exe77⤵PID:452
-
\??\c:\pjjvd.exec:\pjjvd.exe78⤵PID:4796
-
\??\c:\820288.exec:\820288.exe79⤵PID:440
-
\??\c:\608626.exec:\608626.exe80⤵
- System Location Discovery: System Language Discovery
PID:4824 -
\??\c:\4488684.exec:\4488684.exe81⤵PID:3792
-
\??\c:\bhtnhh.exec:\bhtnhh.exe82⤵PID:4028
-
\??\c:\04604.exec:\04604.exe83⤵PID:1060
-
\??\c:\g0088.exec:\g0088.exe84⤵PID:1848
-
\??\c:\tnnhhn.exec:\tnnhhn.exe85⤵PID:2404
-
\??\c:\g2888.exec:\g2888.exe86⤵PID:3388
-
\??\c:\420640.exec:\420640.exe87⤵PID:3552
-
\??\c:\lxfxrrr.exec:\lxfxrrr.exe88⤵PID:2400
-
\??\c:\thttnn.exec:\thttnn.exe89⤵PID:848
-
\??\c:\0440044.exec:\0440044.exe90⤵PID:3860
-
\??\c:\pdjjd.exec:\pdjjd.exe91⤵PID:520
-
\??\c:\0282226.exec:\0282226.exe92⤵PID:1432
-
\??\c:\40260.exec:\40260.exe93⤵PID:916
-
\??\c:\vjpdp.exec:\vjpdp.exe94⤵PID:1880
-
\??\c:\ppddv.exec:\ppddv.exe95⤵PID:3096
-
\??\c:\204282.exec:\204282.exe96⤵PID:1504
-
\??\c:\pdddp.exec:\pdddp.exe97⤵PID:1840
-
\??\c:\048266.exec:\048266.exe98⤵PID:2280
-
\??\c:\8648260.exec:\8648260.exe99⤵PID:456
-
\??\c:\066604.exec:\066604.exe100⤵PID:2564
-
\??\c:\468222.exec:\468222.exe101⤵PID:4840
-
\??\c:\002600.exec:\002600.exe102⤵PID:3344
-
\??\c:\w84226.exec:\w84226.exe103⤵PID:2816
-
\??\c:\606060.exec:\606060.exe104⤵PID:264
-
\??\c:\600822.exec:\600822.exe105⤵PID:1796
-
\??\c:\3bnnhh.exec:\3bnnhh.exe106⤵PID:1280
-
\??\c:\rfrlfxr.exec:\rfrlfxr.exe107⤵PID:2004
-
\??\c:\vpppj.exec:\vpppj.exe108⤵PID:4280
-
\??\c:\00000.exec:\00000.exe109⤵PID:216
-
\??\c:\s0660.exec:\s0660.exe110⤵PID:4332
-
\??\c:\6004822.exec:\6004822.exe111⤵PID:704
-
\??\c:\862660.exec:\862660.exe112⤵PID:4368
-
\??\c:\xflffff.exec:\xflffff.exe113⤵PID:4256
-
\??\c:\dvvvp.exec:\dvvvp.exe114⤵PID:2524
-
\??\c:\jddvp.exec:\jddvp.exe115⤵PID:2616
-
\??\c:\flxxrfx.exec:\flxxrfx.exe116⤵PID:4788
-
\??\c:\40668.exec:\40668.exe117⤵PID:772
-
\??\c:\44228.exec:\44228.exe118⤵PID:4156
-
\??\c:\bbbbbt.exec:\bbbbbt.exe119⤵PID:3488
-
\??\c:\tnhbtt.exec:\tnhbtt.exe120⤵PID:4104
-
\??\c:\nhhhbb.exec:\nhhhbb.exe121⤵PID:4552
-
\??\c:\pjpjd.exec:\pjpjd.exe122⤵PID:3672