Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
27f73525473d5452f49f3a83f9f5cc40807e2698fb2b10874102d50a2418df76N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
27f73525473d5452f49f3a83f9f5cc40807e2698fb2b10874102d50a2418df76N.exe
-
Size
453KB
-
MD5
a22c5c169451666606e982783cc49800
-
SHA1
54abeaed1f7f2814f8f422e44a02ecbc1b127afe
-
SHA256
27f73525473d5452f49f3a83f9f5cc40807e2698fb2b10874102d50a2418df76
-
SHA512
9002653850b8728437b1ef89c6afd7f0b5b14a15f4a5241bf07c5f296be066a7a68202128926fafcfc98b9231019a238b1afdfb77a744c6917eda7fa030c4234
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1944-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5100-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5004-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-852-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-931-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-1300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-1494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-1567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1104 42200.exe 4848 i688266.exe 3716 o446420.exe 4820 648204.exe 2628 62420.exe 3564 6226048.exe 3936 404664.exe 3344 k00486.exe 1552 0882086.exe 2364 3frlxxr.exe 2200 66208.exe 4100 5hnthn.exe 4176 62208.exe 1576 pjdvp.exe 3496 0486486.exe 3684 hhnnbn.exe 4944 66608.exe 3860 64664.exe 4252 3nhhtn.exe 2800 48464.exe 4292 044864.exe 1696 dpjvj.exe 4332 80486.exe 4084 rxrlxrl.exe 4904 llllfxr.exe 5100 e84006.exe 2332 5tnbtn.exe 2880 nbnbbt.exe 3900 rrrfrlx.exe 4556 1xfffxl.exe 780 6026482.exe 1512 86264.exe 2976 5ppdv.exe 856 3vpdv.exe 5060 hbbnhh.exe 3128 rfxrfxr.exe 1820 9lfrlfx.exe 4552 xlfxfff.exe 3212 pvpdp.exe 2612 9bbnhb.exe 1084 44042.exe 4788 868822.exe 1412 2200404.exe 2000 ffxfrlf.exe 1016 tnthhh.exe 5000 s2400.exe 2468 602266.exe 4040 tnhhbb.exe 4468 24204.exe 4452 s0282.exe 2948 vvjdj.exe 1104 nnhbtt.exe 3176 1rrffff.exe 3368 48448.exe 4868 086262.exe 4820 8282226.exe 876 xrxxllr.exe 2828 xrxrlll.exe 4644 htbnnh.exe 4220 9jjdd.exe 4148 i628248.exe 1688 pjpdj.exe 3468 66480.exe 2756 1xxlxxr.exe -
resource yara_rule behavioral2/memory/1944-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5100-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1980-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-852-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c066044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4026660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e42200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4286644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2600444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w24260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2244866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i444208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u226486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0282604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8620826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i048048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1944 wrote to memory of 1104 1944 27f73525473d5452f49f3a83f9f5cc40807e2698fb2b10874102d50a2418df76N.exe 83 PID 1944 wrote to memory of 1104 1944 27f73525473d5452f49f3a83f9f5cc40807e2698fb2b10874102d50a2418df76N.exe 83 PID 1944 wrote to memory of 1104 1944 27f73525473d5452f49f3a83f9f5cc40807e2698fb2b10874102d50a2418df76N.exe 83 PID 1104 wrote to memory of 4848 1104 42200.exe 84 PID 1104 wrote to memory of 4848 1104 42200.exe 84 PID 1104 wrote to memory of 4848 1104 42200.exe 84 PID 4848 wrote to memory of 3716 4848 i688266.exe 85 PID 4848 wrote to memory of 3716 4848 i688266.exe 85 PID 4848 wrote to memory of 3716 4848 i688266.exe 85 PID 3716 wrote to memory of 4820 3716 o446420.exe 86 PID 3716 wrote to memory of 4820 3716 o446420.exe 86 PID 3716 wrote to memory of 4820 3716 o446420.exe 86 PID 4820 wrote to memory of 2628 4820 648204.exe 87 PID 4820 wrote to memory of 2628 4820 648204.exe 87 PID 4820 wrote to memory of 2628 4820 648204.exe 87 PID 2628 wrote to memory of 3564 2628 62420.exe 88 PID 2628 wrote to memory of 3564 2628 62420.exe 88 PID 2628 wrote to memory of 3564 2628 62420.exe 88 PID 3564 wrote to memory of 3936 3564 6226048.exe 89 PID 3564 wrote to memory of 3936 3564 6226048.exe 89 PID 3564 wrote to memory of 3936 3564 6226048.exe 89 PID 3936 wrote to memory of 3344 3936 404664.exe 90 PID 3936 wrote to memory of 3344 3936 404664.exe 90 PID 3936 wrote to memory of 3344 3936 404664.exe 90 PID 3344 wrote to memory of 1552 3344 k00486.exe 91 PID 3344 wrote to memory of 1552 3344 k00486.exe 91 PID 3344 wrote to memory of 1552 3344 k00486.exe 91 PID 1552 wrote to memory of 2364 1552 0882086.exe 92 PID 1552 wrote to memory of 2364 1552 0882086.exe 92 PID 1552 wrote to memory of 2364 1552 0882086.exe 92 PID 2364 wrote to memory of 2200 2364 3frlxxr.exe 93 PID 2364 wrote to memory of 2200 2364 3frlxxr.exe 93 PID 2364 wrote to memory of 2200 2364 3frlxxr.exe 93 PID 2200 wrote to memory of 4100 2200 66208.exe 94 PID 2200 
wrote to memory of 4100 2200 66208.exe 94 PID 2200 wrote to memory of 4100 2200 66208.exe 94 PID 4100 wrote to memory of 4176 4100 5hnthn.exe 95 PID 4100 wrote to memory of 4176 4100 5hnthn.exe 95 PID 4100 wrote to memory of 4176 4100 5hnthn.exe 95 PID 4176 wrote to memory of 1576 4176 62208.exe 96 PID 4176 wrote to memory of 1576 4176 62208.exe 96 PID 4176 wrote to memory of 1576 4176 62208.exe 96 PID 1576 wrote to memory of 3496 1576 pjdvp.exe 97 PID 1576 wrote to memory of 3496 1576 pjdvp.exe 97 PID 1576 wrote to memory of 3496 1576 pjdvp.exe 97 PID 3496 wrote to memory of 3684 3496 0486486.exe 98 PID 3496 wrote to memory of 3684 3496 0486486.exe 98 PID 3496 wrote to memory of 3684 3496 0486486.exe 98 PID 3684 wrote to memory of 4944 3684 hhnnbn.exe 99 PID 3684 wrote to memory of 4944 3684 hhnnbn.exe 99 PID 3684 wrote to memory of 4944 3684 hhnnbn.exe 99 PID 4944 wrote to memory of 3860 4944 66608.exe 100 PID 4944 wrote to memory of 3860 4944 66608.exe 100 PID 4944 wrote to memory of 3860 4944 66608.exe 100 PID 3860 wrote to memory of 4252 3860 64664.exe 101 PID 3860 wrote to memory of 4252 3860 64664.exe 101 PID 3860 wrote to memory of 4252 3860 64664.exe 101 PID 4252 wrote to memory of 2800 4252 3nhhtn.exe 102 PID 4252 wrote to memory of 2800 4252 3nhhtn.exe 102 PID 4252 wrote to memory of 2800 4252 3nhhtn.exe 102 PID 2800 wrote to memory of 4292 2800 48464.exe 103 PID 2800 wrote to memory of 4292 2800 48464.exe 103 PID 2800 wrote to memory of 4292 2800 48464.exe 103 PID 4292 wrote to memory of 1696 4292 044864.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\27f73525473d5452f49f3a83f9f5cc40807e2698fb2b10874102d50a2418df76N.exe"C:\Users\Admin\AppData\Local\Temp\27f73525473d5452f49f3a83f9f5cc40807e2698fb2b10874102d50a2418df76N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\42200.exec:\42200.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\i688266.exec:\i688266.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\o446420.exec:\o446420.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\648204.exec:\648204.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\62420.exec:\62420.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\6226048.exec:\6226048.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\404664.exec:\404664.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\k00486.exec:\k00486.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\0882086.exec:\0882086.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\3frlxxr.exec:\3frlxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\66208.exec:\66208.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\5hnthn.exec:\5hnthn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\62208.exec:\62208.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\pjdvp.exec:\pjdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\0486486.exec:\0486486.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\hhnnbn.exec:\hhnnbn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\66608.exec:\66608.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\64664.exec:\64664.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\3nhhtn.exec:\3nhhtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\48464.exec:\48464.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\044864.exec:\044864.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\dpjvj.exec:\dpjvj.exe23⤵
- Executes dropped EXE
PID:1696 -
\??\c:\80486.exec:\80486.exe24⤵
- Executes dropped EXE
PID:4332 -
\??\c:\rxrlxrl.exec:\rxrlxrl.exe25⤵
- Executes dropped EXE
PID:4084 -
\??\c:\llllfxr.exec:\llllfxr.exe26⤵
- Executes dropped EXE
PID:4904 -
\??\c:\e84006.exec:\e84006.exe27⤵
- Executes dropped EXE
PID:5100 -
\??\c:\5tnbtn.exec:\5tnbtn.exe28⤵
- Executes dropped EXE
PID:2332 -
\??\c:\nbnbbt.exec:\nbnbbt.exe29⤵
- Executes dropped EXE
PID:2880 -
\??\c:\rrrfrlx.exec:\rrrfrlx.exe30⤵
- Executes dropped EXE
PID:3900 -
\??\c:\1xfffxl.exec:\1xfffxl.exe31⤵
- Executes dropped EXE
PID:4556 -
\??\c:\6026482.exec:\6026482.exe32⤵
- Executes dropped EXE
PID:780 -
\??\c:\86264.exec:\86264.exe33⤵
- Executes dropped EXE
PID:1512 -
\??\c:\5ppdv.exec:\5ppdv.exe34⤵
- Executes dropped EXE
PID:2976 -
\??\c:\3vpdv.exec:\3vpdv.exe35⤵
- Executes dropped EXE
PID:856 -
\??\c:\hbbnhh.exec:\hbbnhh.exe36⤵
- Executes dropped EXE
PID:5060 -
\??\c:\rfxrfxr.exec:\rfxrfxr.exe37⤵
- Executes dropped EXE
PID:3128 -
\??\c:\9lfrlfx.exec:\9lfrlfx.exe38⤵
- Executes dropped EXE
PID:1820 -
\??\c:\xlfxfff.exec:\xlfxfff.exe39⤵
- Executes dropped EXE
PID:4552 -
\??\c:\pvpdp.exec:\pvpdp.exe40⤵
- Executes dropped EXE
PID:3212 -
\??\c:\9bbnhb.exec:\9bbnhb.exe41⤵
- Executes dropped EXE
PID:2612 -
\??\c:\44042.exec:\44042.exe42⤵
- Executes dropped EXE
PID:1084 -
\??\c:\868822.exec:\868822.exe43⤵
- Executes dropped EXE
PID:4788 -
\??\c:\2200404.exec:\2200404.exe44⤵
- Executes dropped EXE
PID:1412 -
\??\c:\ffxfrlf.exec:\ffxfrlf.exe45⤵
- Executes dropped EXE
PID:2000 -
\??\c:\tnthhh.exec:\tnthhh.exe46⤵
- Executes dropped EXE
PID:1016 -
\??\c:\s2400.exec:\s2400.exe47⤵
- Executes dropped EXE
PID:5000 -
\??\c:\602266.exec:\602266.exe48⤵
- Executes dropped EXE
PID:2468 -
\??\c:\tnhhbb.exec:\tnhhbb.exe49⤵
- Executes dropped EXE
PID:4040 -
\??\c:\24204.exec:\24204.exe50⤵
- Executes dropped EXE
PID:4468 -
\??\c:\s0282.exec:\s0282.exe51⤵
- Executes dropped EXE
PID:4452 -
\??\c:\vvjdj.exec:\vvjdj.exe52⤵
- Executes dropped EXE
PID:2948 -
\??\c:\nnhbtt.exec:\nnhbtt.exe53⤵
- Executes dropped EXE
PID:1104 -
\??\c:\1rrffff.exec:\1rrffff.exe54⤵
- Executes dropped EXE
PID:3176 -
\??\c:\48448.exec:\48448.exe55⤵
- Executes dropped EXE
PID:3368 -
\??\c:\086262.exec:\086262.exe56⤵
- Executes dropped EXE
PID:4868 -
\??\c:\8282226.exec:\8282226.exe57⤵
- Executes dropped EXE
PID:4820 -
\??\c:\xrxxllr.exec:\xrxxllr.exe58⤵
- Executes dropped EXE
PID:876 -
\??\c:\xrxrlll.exec:\xrxrlll.exe59⤵
- Executes dropped EXE
PID:2828 -
\??\c:\htbnnh.exec:\htbnnh.exe60⤵
- Executes dropped EXE
PID:4644 -
\??\c:\9jjdd.exec:\9jjdd.exe61⤵
- Executes dropped EXE
PID:4220 -
\??\c:\i628248.exec:\i628248.exe62⤵
- Executes dropped EXE
PID:4148 -
\??\c:\pjpdj.exec:\pjpdj.exe63⤵
- Executes dropped EXE
PID:1688 -
\??\c:\66480.exec:\66480.exe64⤵
- Executes dropped EXE
PID:3468 -
\??\c:\1xxlxxr.exec:\1xxlxxr.exe65⤵
- Executes dropped EXE
PID:2756 -
\??\c:\pjppv.exec:\pjppv.exe66⤵PID:4728
-
\??\c:\2682484.exec:\2682484.exe67⤵PID:2380
-
\??\c:\m4048.exec:\m4048.exe68⤵
- System Location Discovery: System Language Discovery
PID:652 -
\??\c:\64006.exec:\64006.exe69⤵PID:2640
-
\??\c:\xrxrrff.exec:\xrxrrff.exe70⤵PID:4268
-
\??\c:\fffxrff.exec:\fffxrff.exe71⤵PID:4464
-
\??\c:\vddvv.exec:\vddvv.exe72⤵PID:1576
-
\??\c:\djppv.exec:\djppv.exe73⤵PID:2308
-
\??\c:\6660482.exec:\6660482.exe74⤵PID:5004
-
\??\c:\7ntntt.exec:\7ntntt.exe75⤵PID:3152
-
\??\c:\o060828.exec:\o060828.exe76⤵PID:3608
-
\??\c:\9fxlfxl.exec:\9fxlfxl.exe77⤵PID:208
-
\??\c:\08826.exec:\08826.exe78⤵PID:3860
-
\??\c:\84486.exec:\84486.exe79⤵PID:3092
-
\??\c:\k00486.exec:\k00486.exe80⤵PID:2800
-
\??\c:\thtthh.exec:\thtthh.exe81⤵PID:4292
-
\??\c:\6888220.exec:\6888220.exe82⤵PID:4168
-
\??\c:\42426.exec:\42426.exe83⤵PID:4336
-
\??\c:\1rlrlrl.exec:\1rlrlrl.exe84⤵PID:640
-
\??\c:\htnhbb.exec:\htnhbb.exe85⤵PID:368
-
\??\c:\0822086.exec:\0822086.exe86⤵PID:4952
-
\??\c:\26646.exec:\26646.exe87⤵PID:3560
-
\??\c:\20666.exec:\20666.exe88⤵PID:2340
-
\??\c:\60080.exec:\60080.exe89⤵PID:676
-
\??\c:\jjjvd.exec:\jjjvd.exe90⤵PID:1980
-
\??\c:\bhnbtn.exec:\bhnbtn.exe91⤵PID:1284
-
\??\c:\640204.exec:\640204.exe92⤵PID:2880
-
\??\c:\2008044.exec:\2008044.exe93⤵PID:4092
-
\??\c:\004264.exec:\004264.exe94⤵PID:1524
-
\??\c:\bnttbb.exec:\bnttbb.exe95⤵PID:4992
-
\??\c:\1ppvp.exec:\1ppvp.exe96⤵PID:1352
-
\??\c:\9nhtbt.exec:\9nhtbt.exe97⤵PID:2056
-
\??\c:\vpvvp.exec:\vpvvp.exe98⤵PID:1288
-
\??\c:\48040.exec:\48040.exe99⤵PID:848
-
\??\c:\i660826.exec:\i660826.exe100⤵PID:1920
-
\??\c:\ntbbhh.exec:\ntbbhh.exe101⤵PID:3128
-
\??\c:\lfrfxlf.exec:\lfrfxlf.exe102⤵PID:1820
-
\??\c:\624844.exec:\624844.exe103⤵PID:4552
-
\??\c:\q28626.exec:\q28626.exe104⤵PID:3168
-
\??\c:\5jdvj.exec:\5jdvj.exe105⤵PID:2532
-
\??\c:\u628244.exec:\u628244.exe106⤵PID:4772
-
\??\c:\hntnhh.exec:\hntnhh.exe107⤵PID:3124
-
\??\c:\3flfxxf.exec:\3flfxxf.exe108⤵PID:2024
-
\??\c:\ntbthh.exec:\ntbthh.exe109⤵PID:2752
-
\??\c:\btbntt.exec:\btbntt.exe110⤵PID:1588
-
\??\c:\40482.exec:\40482.exe111⤵PID:3788
-
\??\c:\nntnnb.exec:\nntnnb.exe112⤵PID:988
-
\??\c:\80600.exec:\80600.exe113⤵PID:4524
-
\??\c:\02826.exec:\02826.exe114⤵PID:3384
-
\??\c:\08804.exec:\08804.exe115⤵PID:3636
-
\??\c:\a8008.exec:\a8008.exe116⤵PID:3200
-
\??\c:\8660482.exec:\8660482.exe117⤵PID:4812
-
\??\c:\hntnbt.exec:\hntnbt.exe118⤵PID:3716
-
\??\c:\628266.exec:\628266.exe119⤵PID:3096
-
\??\c:\c282660.exec:\c282660.exe120⤵PID:2088
-
\??\c:\bbhbhb.exec:\bbhbhb.exe121⤵PID:4548
-
\??\c:\6606626.exec:\6606626.exe122⤵PID:3888