Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 06:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe
-
Size
453KB
-
MD5
97baf383e69e610c067501a786f27fd0
-
SHA1
8efd084169d886c481d101fc7489c6ade4c416cc
-
SHA256
efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65
-
SHA512
c5ce3a570fde8a15262ac27e224e91e74f0d9bcdb68c21e977d0fc911e1e70213400ec1a5c359f60c31b989cc3bf2625662baad47b8343f16f14b6c2621e1979
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1356-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1628-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4844-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-770-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-810-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-871-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-1537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3244 4286048.exe 2024 046048.exe 3216 hthhhh.exe 8 4624686.exe 4216 a8688.exe 4540 062888.exe 1080 8604482.exe 4280 600600.exe 2236 nbhbtb.exe 3592 828222.exe 4608 46826.exe 2532 fxxrxlr.exe 2220 hbhbbb.exe 2596 4802660.exe 992 pjjjd.exe 1488 frxxrrr.exe 2280 0686488.exe 2444 rfrlfff.exe 1244 hnnhhh.exe 2872 e28826.exe 1056 llrxrlf.exe 4864 nbthnb.exe 1628 hhtnnn.exe 540 0046426.exe 1152 frffxxx.exe 4040 48866.exe 3508 ppvjv.exe 836 4688220.exe 4756 jvdvp.exe 3832 088864.exe 4592 8848664.exe 2276 64486.exe 5056 40262.exe 4520 6226044.exe 1240 0026008.exe 2528 26880.exe 4268 dddjv.exe 4564 thbhnh.exe 2708 xlffrll.exe 1772 4426004.exe 4328 nhbtnh.exe 960 fxlfrlx.exe 1356 808048.exe 804 ppvpj.exe 2908 7dvpj.exe 2608 s4082.exe 4972 42264.exe 2648 60082.exe 1168 284444.exe 944 nntnbb.exe 4628 pjddp.exe 4536 nbnbtt.exe 1360 vppdv.exe 4920 rxlxrrf.exe 2640 024822.exe 3352 9jvvd.exe 3856 jppjd.exe 3772 xlllffx.exe 1480 5hbtnh.exe 3404 htntnh.exe 3584 224820.exe 3760 688204.exe 2972 nbnhbb.exe 4172 5fxllfx.exe -
resource yara_rule behavioral2/memory/1356-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-136-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1628-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-315-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4476-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-544-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 688204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u826042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0448260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q06660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4022848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w84826.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1356 wrote to memory of 3244 1356 efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe 83 PID 1356 wrote to memory of 3244 1356 efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe 83 PID 1356 wrote to memory of 3244 1356 efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe 83 PID 3244 wrote to memory of 2024 3244 4286048.exe 84 PID 3244 wrote to memory of 2024 3244 4286048.exe 84 PID 3244 wrote to memory of 2024 3244 4286048.exe 84 PID 2024 wrote to memory of 3216 2024 046048.exe 85 PID 2024 wrote to memory of 3216 2024 046048.exe 85 PID 2024 wrote to memory of 3216 2024 046048.exe 85 PID 3216 wrote to memory of 8 3216 hthhhh.exe 86 PID 3216 wrote to memory of 8 3216 hthhhh.exe 86 PID 3216 wrote to memory of 8 3216 hthhhh.exe 86 PID 8 wrote to memory of 4216 8 4624686.exe 87 PID 8 wrote to memory of 4216 8 4624686.exe 87 PID 8 wrote to memory of 4216 8 4624686.exe 87 PID 4216 wrote to memory of 4540 4216 a8688.exe 88 PID 4216 wrote to memory of 4540 4216 a8688.exe 88 PID 4216 wrote to memory of 4540 4216 a8688.exe 88 PID 4540 wrote to memory of 1080 4540 062888.exe 89 PID 4540 wrote to memory of 1080 4540 062888.exe 89 PID 4540 wrote to memory of 1080 4540 062888.exe 89 PID 1080 wrote to memory of 4280 1080 8604482.exe 90 PID 1080 wrote to memory of 4280 1080 8604482.exe 90 PID 1080 wrote to memory of 4280 1080 8604482.exe 90 PID 4280 wrote to memory of 2236 4280 600600.exe 91 PID 4280 wrote to memory of 2236 4280 600600.exe 91 PID 4280 wrote to memory of 2236 4280 600600.exe 91 PID 2236 wrote to memory of 3592 2236 nbhbtb.exe 92 PID 2236 wrote to memory of 3592 2236 nbhbtb.exe 92 PID 2236 wrote to memory of 3592 2236 nbhbtb.exe 92 PID 3592 wrote to memory of 4608 3592 828222.exe 93 PID 3592 wrote to memory of 4608 3592 828222.exe 93 PID 3592 wrote to memory of 4608 3592 828222.exe 93 PID 4608 wrote to memory of 2532 4608 46826.exe 94 PID 4608 wrote to memory of 2532 4608 
46826.exe 94 PID 4608 wrote to memory of 2532 4608 46826.exe 94 PID 2532 wrote to memory of 2220 2532 fxxrxlr.exe 95 PID 2532 wrote to memory of 2220 2532 fxxrxlr.exe 95 PID 2532 wrote to memory of 2220 2532 fxxrxlr.exe 95 PID 2220 wrote to memory of 2596 2220 hbhbbb.exe 96 PID 2220 wrote to memory of 2596 2220 hbhbbb.exe 96 PID 2220 wrote to memory of 2596 2220 hbhbbb.exe 96 PID 2596 wrote to memory of 992 2596 4802660.exe 97 PID 2596 wrote to memory of 992 2596 4802660.exe 97 PID 2596 wrote to memory of 992 2596 4802660.exe 97 PID 992 wrote to memory of 1488 992 pjjjd.exe 98 PID 992 wrote to memory of 1488 992 pjjjd.exe 98 PID 992 wrote to memory of 1488 992 pjjjd.exe 98 PID 1488 wrote to memory of 2280 1488 frxxrrr.exe 99 PID 1488 wrote to memory of 2280 1488 frxxrrr.exe 99 PID 1488 wrote to memory of 2280 1488 frxxrrr.exe 99 PID 2280 wrote to memory of 2444 2280 0686488.exe 100 PID 2280 wrote to memory of 2444 2280 0686488.exe 100 PID 2280 wrote to memory of 2444 2280 0686488.exe 100 PID 2444 wrote to memory of 1244 2444 rfrlfff.exe 101 PID 2444 wrote to memory of 1244 2444 rfrlfff.exe 101 PID 2444 wrote to memory of 1244 2444 rfrlfff.exe 101 PID 1244 wrote to memory of 2872 1244 hnnhhh.exe 102 PID 1244 wrote to memory of 2872 1244 hnnhhh.exe 102 PID 1244 wrote to memory of 2872 1244 hnnhhh.exe 102 PID 2872 wrote to memory of 1056 2872 e28826.exe 103 PID 2872 wrote to memory of 1056 2872 e28826.exe 103 PID 2872 wrote to memory of 1056 2872 e28826.exe 103 PID 1056 wrote to memory of 4864 1056 llrxrlf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe"C:\Users\Admin\AppData\Local\Temp\efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\4286048.exec:\4286048.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\046048.exec:\046048.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\hthhhh.exec:\hthhhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\4624686.exec:\4624686.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\a8688.exec:\a8688.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\062888.exec:\062888.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\8604482.exec:\8604482.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\600600.exec:\600600.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\nbhbtb.exec:\nbhbtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\828222.exec:\828222.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\46826.exec:\46826.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\fxxrxlr.exec:\fxxrxlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\hbhbbb.exec:\hbhbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\4802660.exec:\4802660.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\pjjjd.exec:\pjjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
\??\c:\frxxrrr.exec:\frxxrrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\0686488.exec:\0686488.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\rfrlfff.exec:\rfrlfff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\hnnhhh.exec:\hnnhhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\e28826.exec:\e28826.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\llrxrlf.exec:\llrxrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\nbthnb.exec:\nbthnb.exe23⤵
- Executes dropped EXE
PID:4864 -
\??\c:\hhtnnn.exec:\hhtnnn.exe24⤵
- Executes dropped EXE
PID:1628 -
\??\c:\0046426.exec:\0046426.exe25⤵
- Executes dropped EXE
PID:540 -
\??\c:\frffxxx.exec:\frffxxx.exe26⤵
- Executes dropped EXE
PID:1152 -
\??\c:\48866.exec:\48866.exe27⤵
- Executes dropped EXE
PID:4040 -
\??\c:\ppvjv.exec:\ppvjv.exe28⤵
- Executes dropped EXE
PID:3508 -
\??\c:\4688220.exec:\4688220.exe29⤵
- Executes dropped EXE
PID:836 -
\??\c:\jvdvp.exec:\jvdvp.exe30⤵
- Executes dropped EXE
PID:4756 -
\??\c:\088864.exec:\088864.exe31⤵
- Executes dropped EXE
PID:3832 -
\??\c:\8848664.exec:\8848664.exe32⤵
- Executes dropped EXE
PID:4592 -
\??\c:\64486.exec:\64486.exe33⤵
- Executes dropped EXE
PID:2276 -
\??\c:\40262.exec:\40262.exe34⤵
- Executes dropped EXE
PID:5056 -
\??\c:\6226044.exec:\6226044.exe35⤵
- Executes dropped EXE
PID:4520 -
\??\c:\0026008.exec:\0026008.exe36⤵
- Executes dropped EXE
PID:1240 -
\??\c:\26880.exec:\26880.exe37⤵
- Executes dropped EXE
PID:2528 -
\??\c:\dddjv.exec:\dddjv.exe38⤵
- Executes dropped EXE
PID:4268 -
\??\c:\thbhnh.exec:\thbhnh.exe39⤵
- Executes dropped EXE
PID:4564 -
\??\c:\xlffrll.exec:\xlffrll.exe40⤵
- Executes dropped EXE
PID:2708 -
\??\c:\4426004.exec:\4426004.exe41⤵
- Executes dropped EXE
PID:1772 -
\??\c:\nhbtnh.exec:\nhbtnh.exe42⤵
- Executes dropped EXE
PID:4328 -
\??\c:\fxlfrlx.exec:\fxlfrlx.exe43⤵
- Executes dropped EXE
PID:960 -
\??\c:\808048.exec:\808048.exe44⤵
- Executes dropped EXE
PID:1356 -
\??\c:\ppvpj.exec:\ppvpj.exe45⤵
- Executes dropped EXE
PID:804 -
\??\c:\7dvpj.exec:\7dvpj.exe46⤵
- Executes dropped EXE
PID:2908 -
\??\c:\s4082.exec:\s4082.exe47⤵
- Executes dropped EXE
PID:2608 -
\??\c:\42264.exec:\42264.exe48⤵
- Executes dropped EXE
PID:4972 -
\??\c:\60082.exec:\60082.exe49⤵
- Executes dropped EXE
PID:2648 -
\??\c:\284444.exec:\284444.exe50⤵
- Executes dropped EXE
PID:1168 -
\??\c:\nntnbb.exec:\nntnbb.exe51⤵
- Executes dropped EXE
PID:944 -
\??\c:\pjddp.exec:\pjddp.exe52⤵
- Executes dropped EXE
PID:4628 -
\??\c:\nbnbtt.exec:\nbnbtt.exe53⤵
- Executes dropped EXE
PID:4536 -
\??\c:\vppdv.exec:\vppdv.exe54⤵
- Executes dropped EXE
PID:1360 -
\??\c:\rxlxrrf.exec:\rxlxrrf.exe55⤵
- Executes dropped EXE
PID:4920 -
\??\c:\024822.exec:\024822.exe56⤵
- Executes dropped EXE
PID:2640 -
\??\c:\9jvvd.exec:\9jvvd.exe57⤵
- Executes dropped EXE
PID:3352 -
\??\c:\jppjd.exec:\jppjd.exe58⤵
- Executes dropped EXE
PID:3856 -
\??\c:\xlllffx.exec:\xlllffx.exe59⤵
- Executes dropped EXE
PID:3772 -
\??\c:\5hbtnh.exec:\5hbtnh.exe60⤵
- Executes dropped EXE
PID:1480 -
\??\c:\htntnh.exec:\htntnh.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3404 -
\??\c:\224820.exec:\224820.exe62⤵
- Executes dropped EXE
PID:3584 -
\??\c:\688204.exec:\688204.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3760 -
\??\c:\nbnhbb.exec:\nbnhbb.exe64⤵
- Executes dropped EXE
PID:2972 -
\??\c:\5fxllfx.exec:\5fxllfx.exe65⤵
- Executes dropped EXE
PID:4172 -
\??\c:\rxfxrrf.exec:\rxfxrrf.exe66⤵PID:3152
-
\??\c:\480448.exec:\480448.exe67⤵PID:4844
-
\??\c:\3xfrllf.exec:\3xfrllf.exe68⤵
- System Location Discovery: System Language Discovery
PID:3100 -
\??\c:\hnbhbb.exec:\hnbhbb.exe69⤵PID:800
-
\??\c:\vdppj.exec:\vdppj.exe70⤵PID:4476
-
\??\c:\i004882.exec:\i004882.exe71⤵PID:3984
-
\??\c:\0060446.exec:\0060446.exe72⤵PID:4556
-
\??\c:\rlfrxlx.exec:\rlfrxlx.exe73⤵PID:4864
-
\??\c:\hbnbhb.exec:\hbnbhb.exe74⤵PID:1344
-
\??\c:\djpjd.exec:\djpjd.exe75⤵PID:3408
-
\??\c:\4008264.exec:\4008264.exe76⤵PID:5020
-
\??\c:\nhbbtt.exec:\nhbbtt.exe77⤵PID:3928
-
\??\c:\ntnhtb.exec:\ntnhtb.exe78⤵
- System Location Discovery: System Language Discovery
PID:1884 -
\??\c:\6626408.exec:\6626408.exe79⤵PID:3604
-
\??\c:\48482.exec:\48482.exe80⤵PID:4908
-
\??\c:\266644.exec:\266644.exe81⤵PID:740
-
\??\c:\xrfrxlf.exec:\xrfrxlf.exe82⤵
- System Location Discovery: System Language Discovery
PID:1688 -
\??\c:\o408260.exec:\o408260.exe83⤵PID:5100
-
\??\c:\bhtnhh.exec:\bhtnhh.exe84⤵PID:3380
-
\??\c:\w02606.exec:\w02606.exe85⤵PID:4592
-
\??\c:\6280244.exec:\6280244.exe86⤵PID:772
-
\??\c:\w62808.exec:\w62808.exe87⤵PID:1936
-
\??\c:\rffxrlf.exec:\rffxrlf.exe88⤵PID:2320
-
\??\c:\8684208.exec:\8684208.exe89⤵PID:4500
-
\??\c:\rxxrlrl.exec:\rxxrlrl.exe90⤵PID:1740
-
\??\c:\1pjpd.exec:\1pjpd.exe91⤵PID:640
-
\??\c:\8400448.exec:\8400448.exe92⤵PID:1768
-
\??\c:\200404.exec:\200404.exe93⤵PID:4564
-
\??\c:\1pjvp.exec:\1pjvp.exe94⤵
- System Location Discovery: System Language Discovery
PID:4532 -
\??\c:\s2084.exec:\s2084.exe95⤵PID:372
-
\??\c:\3hnhhb.exec:\3hnhhb.exe96⤵PID:3504
-
\??\c:\040444.exec:\040444.exe97⤵PID:1608
-
\??\c:\1tttnt.exec:\1tttnt.exe98⤵PID:1920
-
\??\c:\ddppj.exec:\ddppj.exe99⤵PID:4364
-
\??\c:\3bthbb.exec:\3bthbb.exe100⤵PID:1996
-
\??\c:\vpvpj.exec:\vpvpj.exe101⤵PID:804
-
\??\c:\42226.exec:\42226.exe102⤵PID:1252
-
\??\c:\4460262.exec:\4460262.exe103⤵PID:2976
-
\??\c:\8288440.exec:\8288440.exe104⤵PID:2356
-
\??\c:\m6860.exec:\m6860.exe105⤵PID:4692
-
\??\c:\nnhntn.exec:\nnhntn.exe106⤵PID:2648
-
\??\c:\hhnhnh.exec:\hhnhnh.exe107⤵PID:3516
-
\??\c:\282222.exec:\282222.exe108⤵PID:3048
-
\??\c:\lffxrrx.exec:\lffxrrx.exe109⤵PID:748
-
\??\c:\tbttnn.exec:\tbttnn.exe110⤵PID:4424
-
\??\c:\hbhbbh.exec:\hbhbbh.exe111⤵PID:4604
-
\??\c:\u462604.exec:\u462604.exe112⤵PID:3940
-
\??\c:\48426.exec:\48426.exe113⤵PID:1360
-
\??\c:\nhhbtt.exec:\nhhbtt.exe114⤵PID:1220
-
\??\c:\8466008.exec:\8466008.exe115⤵PID:3256
-
\??\c:\06228.exec:\06228.exe116⤵PID:3352
-
\??\c:\424888.exec:\424888.exe117⤵PID:2200
-
\??\c:\246604.exec:\246604.exe118⤵PID:1872
-
\??\c:\2404466.exec:\2404466.exe119⤵PID:2064
-
\??\c:\26688.exec:\26688.exe120⤵PID:2112
-
\??\c:\btbbtn.exec:\btbbtn.exe121⤵PID:1788
-
\??\c:\04266.exec:\04266.exe122⤵PID:1980
-