Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 03:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
17ce41e2302954c4cf2a71fc85e6a1438f6010dd0aafe0b9a032dc53541d7e48.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
17ce41e2302954c4cf2a71fc85e6a1438f6010dd0aafe0b9a032dc53541d7e48.exe
-
Size
453KB
-
MD5
04fc4f3237ec8bfb841a240dd4235a2c
-
SHA1
a70ee0996f9b06cf76ba95f19de28126c2c78bf1
-
SHA256
17ce41e2302954c4cf2a71fc85e6a1438f6010dd0aafe0b9a032dc53541d7e48
-
SHA512
2ea2754785469ee527d7398cb05a7f7cbb49c6660963a6b906a7133aba47ff75b31099ce8f01e910bf8545a721cc74c46f560dcc295c696d1bc9f76e72f855f2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1432-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/204-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4464-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1124-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-935-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-980-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-1077-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 860 s2282.exe 204 lrlflfx.exe 1344 xfxlrlr.exe 2488 rxrlxrf.exe 3064 068260.exe 4196 rlfrlff.exe 3712 hhhbth.exe 3972 084222.exe 1532 htnhbt.exe 508 3vvvv.exe 2176 u220426.exe 4920 082626.exe 2804 vvvdv.exe 536 pjdvp.exe 4704 42264.exe 3232 nhnbnh.exe 1036 rflllfl.exe 1588 flrrxrl.exe 524 fxxrrrl.exe 4228 vdjpp.exe 4868 dpdjd.exe 3344 262668.exe 3816 426260.exe 1544 s4082.exe 460 08486.exe 4812 40048.exe 1256 vddvp.exe 4464 bhnbtn.exe 3912 dpdvp.exe 4408 02426.exe 4764 xxrllrl.exe 4432 8804608.exe 5008 1xxrffx.exe 4588 rffrllr.exe 1948 0408004.exe 5104 lrlxxlx.exe 2840 dpjpj.exe 4384 vjdvp.exe 4596 7pddv.exe 3320 24604.exe 2376 tnhbtn.exe 2344 bbhbtn.exe 3284 jdddv.exe 2788 pjppv.exe 2372 dpvpd.exe 368 thbtht.exe 2860 406082.exe 4972 1xrxllf.exe 1520 866668.exe 4560 884884.exe 2868 ppjdv.exe 4516 3bnhth.exe 3388 dpvpj.exe 2052 3xxfxxr.exe 3996 4868226.exe 4536 pdddv.exe 1532 htbnbb.exe 4836 4226048.exe 1020 tbbbtb.exe 3872 1hbbnb.exe 3968 062200.exe 4120 a6046.exe 996 lxfrrrr.exe 2412 xrxlfxl.exe -
resource yara_rule behavioral2/memory/1432-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/204-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/508-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4764-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-391-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/540-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-935-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-951-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0282048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q46064.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1432 wrote to memory of 860 1432 17ce41e2302954c4cf2a71fc85e6a1438f6010dd0aafe0b9a032dc53541d7e48.exe 83 PID 1432 wrote to memory of 860 1432 17ce41e2302954c4cf2a71fc85e6a1438f6010dd0aafe0b9a032dc53541d7e48.exe 83 PID 1432 wrote to memory of 860 1432 17ce41e2302954c4cf2a71fc85e6a1438f6010dd0aafe0b9a032dc53541d7e48.exe 83 PID 860 wrote to memory of 204 860 s2282.exe 84 PID 860 wrote to memory of 204 860 s2282.exe 84 PID 860 wrote to memory of 204 860 s2282.exe 84 PID 204 wrote to memory of 1344 204 lrlflfx.exe 85 PID 204 wrote to memory of 1344 204 lrlflfx.exe 85 PID 204 wrote to memory of 1344 204 lrlflfx.exe 85 PID 1344 wrote to memory of 2488 1344 xfxlrlr.exe 86 PID 1344 wrote to memory of 2488 1344 xfxlrlr.exe 86 PID 1344 wrote to memory of 2488 1344 xfxlrlr.exe 86 PID 2488 wrote to memory of 3064 2488 rxrlxrf.exe 87 PID 2488 wrote to memory of 3064 2488 rxrlxrf.exe 87 PID 2488 wrote to memory of 3064 2488 rxrlxrf.exe 87 PID 3064 wrote to memory of 4196 3064 068260.exe 88 PID 3064 wrote to memory of 4196 3064 068260.exe 88 PID 3064 wrote to memory of 4196 3064 068260.exe 88 PID 4196 wrote to memory of 3712 4196 rlfrlff.exe 89 PID 4196 wrote to memory of 3712 4196 rlfrlff.exe 89 PID 4196 wrote to memory of 3712 4196 rlfrlff.exe 89 PID 3712 wrote to memory of 3972 3712 hhhbth.exe 90 PID 3712 wrote to memory of 3972 3712 hhhbth.exe 90 PID 3712 wrote to memory of 3972 3712 hhhbth.exe 90 PID 3972 wrote to memory of 1532 3972 084222.exe 91 PID 3972 wrote to memory of 1532 3972 084222.exe 91 PID 3972 wrote to memory of 1532 3972 084222.exe 91 PID 1532 wrote to memory of 508 1532 htnhbt.exe 92 PID 1532 wrote to memory of 508 1532 htnhbt.exe 92 PID 1532 wrote to memory of 508 1532 htnhbt.exe 92 PID 508 wrote to memory of 2176 508 3vvvv.exe 93 PID 508 wrote to memory of 2176 508 3vvvv.exe 93 PID 508 wrote to memory of 2176 508 3vvvv.exe 93 PID 2176 wrote to memory of 4920 2176 u220426.exe 94 PID 2176 wrote to memory of 4920 2176 
u220426.exe 94 PID 2176 wrote to memory of 4920 2176 u220426.exe 94 PID 4920 wrote to memory of 2804 4920 082626.exe 95 PID 4920 wrote to memory of 2804 4920 082626.exe 95 PID 4920 wrote to memory of 2804 4920 082626.exe 95 PID 2804 wrote to memory of 536 2804 vvvdv.exe 96 PID 2804 wrote to memory of 536 2804 vvvdv.exe 96 PID 2804 wrote to memory of 536 2804 vvvdv.exe 96 PID 536 wrote to memory of 4704 536 pjdvp.exe 97 PID 536 wrote to memory of 4704 536 pjdvp.exe 97 PID 536 wrote to memory of 4704 536 pjdvp.exe 97 PID 4704 wrote to memory of 3232 4704 42264.exe 98 PID 4704 wrote to memory of 3232 4704 42264.exe 98 PID 4704 wrote to memory of 3232 4704 42264.exe 98 PID 3232 wrote to memory of 1036 3232 nhnbnh.exe 99 PID 3232 wrote to memory of 1036 3232 nhnbnh.exe 99 PID 3232 wrote to memory of 1036 3232 nhnbnh.exe 99 PID 1036 wrote to memory of 1588 1036 rflllfl.exe 100 PID 1036 wrote to memory of 1588 1036 rflllfl.exe 100 PID 1036 wrote to memory of 1588 1036 rflllfl.exe 100 PID 1588 wrote to memory of 524 1588 flrrxrl.exe 101 PID 1588 wrote to memory of 524 1588 flrrxrl.exe 101 PID 1588 wrote to memory of 524 1588 flrrxrl.exe 101 PID 524 wrote to memory of 4228 524 fxxrrrl.exe 102 PID 524 wrote to memory of 4228 524 fxxrrrl.exe 102 PID 524 wrote to memory of 4228 524 fxxrrrl.exe 102 PID 4228 wrote to memory of 4868 4228 vdjpp.exe 103 PID 4228 wrote to memory of 4868 4228 vdjpp.exe 103 PID 4228 wrote to memory of 4868 4228 vdjpp.exe 103 PID 4868 wrote to memory of 3344 4868 dpdjd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\17ce41e2302954c4cf2a71fc85e6a1438f6010dd0aafe0b9a032dc53541d7e48.exe"C:\Users\Admin\AppData\Local\Temp\17ce41e2302954c4cf2a71fc85e6a1438f6010dd0aafe0b9a032dc53541d7e48.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\s2282.exec:\s2282.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\lrlflfx.exec:\lrlflfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:204 -
\??\c:\xfxlrlr.exec:\xfxlrlr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\rxrlxrf.exec:\rxrlxrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\068260.exec:\068260.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\rlfrlff.exec:\rlfrlff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\hhhbth.exec:\hhhbth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\084222.exec:\084222.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\htnhbt.exec:\htnhbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\3vvvv.exec:\3vvvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:508 -
\??\c:\u220426.exec:\u220426.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\082626.exec:\082626.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\vvvdv.exec:\vvvdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\pjdvp.exec:\pjdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\42264.exec:\42264.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\nhnbnh.exec:\nhnbnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\rflllfl.exec:\rflllfl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\flrrxrl.exec:\flrrxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
\??\c:\vdjpp.exec:\vdjpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\dpdjd.exec:\dpdjd.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\262668.exec:\262668.exe23⤵
- Executes dropped EXE
PID:3344 -
\??\c:\426260.exec:\426260.exe24⤵
- Executes dropped EXE
PID:3816 -
\??\c:\s4082.exec:\s4082.exe25⤵
- Executes dropped EXE
PID:1544 -
\??\c:\08486.exec:\08486.exe26⤵
- Executes dropped EXE
PID:460 -
\??\c:\40048.exec:\40048.exe27⤵
- Executes dropped EXE
PID:4812 -
\??\c:\vddvp.exec:\vddvp.exe28⤵
- Executes dropped EXE
PID:1256 -
\??\c:\bhnbtn.exec:\bhnbtn.exe29⤵
- Executes dropped EXE
PID:4464 -
\??\c:\dpdvp.exec:\dpdvp.exe30⤵
- Executes dropped EXE
PID:3912 -
\??\c:\02426.exec:\02426.exe31⤵
- Executes dropped EXE
PID:4408 -
\??\c:\xxrllrl.exec:\xxrllrl.exe32⤵
- Executes dropped EXE
PID:4764 -
\??\c:\8804608.exec:\8804608.exe33⤵
- Executes dropped EXE
PID:4432 -
\??\c:\1xxrffx.exec:\1xxrffx.exe34⤵
- Executes dropped EXE
PID:5008 -
\??\c:\rffrllr.exec:\rffrllr.exe35⤵
- Executes dropped EXE
PID:4588 -
\??\c:\0408004.exec:\0408004.exe36⤵
- Executes dropped EXE
PID:1948 -
\??\c:\lrlxxlx.exec:\lrlxxlx.exe37⤵
- Executes dropped EXE
PID:5104 -
\??\c:\dpjpj.exec:\dpjpj.exe38⤵
- Executes dropped EXE
PID:2840 -
\??\c:\vjdvp.exec:\vjdvp.exe39⤵
- Executes dropped EXE
PID:4384 -
\??\c:\7pddv.exec:\7pddv.exe40⤵
- Executes dropped EXE
PID:4596 -
\??\c:\24604.exec:\24604.exe41⤵
- Executes dropped EXE
PID:3320 -
\??\c:\tnhbtn.exec:\tnhbtn.exe42⤵
- Executes dropped EXE
PID:2376 -
\??\c:\bbhbtn.exec:\bbhbtn.exe43⤵
- Executes dropped EXE
PID:2344 -
\??\c:\jdddv.exec:\jdddv.exe44⤵
- Executes dropped EXE
PID:3284 -
\??\c:\pjppv.exec:\pjppv.exe45⤵
- Executes dropped EXE
PID:2788 -
\??\c:\dpvpd.exec:\dpvpd.exe46⤵
- Executes dropped EXE
PID:2372 -
\??\c:\thbtht.exec:\thbtht.exe47⤵
- Executes dropped EXE
PID:368 -
\??\c:\406082.exec:\406082.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860 -
\??\c:\1xrxllf.exec:\1xrxllf.exe49⤵
- Executes dropped EXE
PID:4972 -
\??\c:\866668.exec:\866668.exe50⤵
- Executes dropped EXE
PID:1520 -
\??\c:\884884.exec:\884884.exe51⤵
- Executes dropped EXE
PID:4560 -
\??\c:\ppjdv.exec:\ppjdv.exe52⤵
- Executes dropped EXE
PID:2868 -
\??\c:\3bnhth.exec:\3bnhth.exe53⤵
- Executes dropped EXE
PID:4516 -
\??\c:\dpvpj.exec:\dpvpj.exe54⤵
- Executes dropped EXE
PID:3388 -
\??\c:\3xxfxxr.exec:\3xxfxxr.exe55⤵
- Executes dropped EXE
PID:2052 -
\??\c:\4868226.exec:\4868226.exe56⤵
- Executes dropped EXE
PID:3996 -
\??\c:\pdddv.exec:\pdddv.exe57⤵
- Executes dropped EXE
PID:4536 -
\??\c:\htbnbb.exec:\htbnbb.exe58⤵
- Executes dropped EXE
PID:1532 -
\??\c:\4226048.exec:\4226048.exe59⤵
- Executes dropped EXE
PID:4836 -
\??\c:\tbbbtb.exec:\tbbbtb.exe60⤵
- Executes dropped EXE
PID:1020 -
\??\c:\1hbbnb.exec:\1hbbnb.exe61⤵
- Executes dropped EXE
PID:3872 -
\??\c:\062200.exec:\062200.exe62⤵
- Executes dropped EXE
PID:3968 -
\??\c:\a6046.exec:\a6046.exe63⤵
- Executes dropped EXE
PID:4120 -
\??\c:\lxfrrrr.exec:\lxfrrrr.exe64⤵
- Executes dropped EXE
PID:996 -
\??\c:\xrxlfxl.exec:\xrxlfxl.exe65⤵
- Executes dropped EXE
PID:2412 -
\??\c:\2848220.exec:\2848220.exe66⤵PID:4336
-
\??\c:\thnbht.exec:\thnbht.exe67⤵PID:3068
-
\??\c:\646004.exec:\646004.exe68⤵PID:220
-
\??\c:\i448604.exec:\i448604.exe69⤵PID:4704
-
\??\c:\nbhbtb.exec:\nbhbtb.exe70⤵PID:3516
-
\??\c:\088260.exec:\088260.exe71⤵PID:2240
-
\??\c:\tnhbbt.exec:\tnhbbt.exe72⤵PID:1036
-
\??\c:\60642.exec:\60642.exe73⤵PID:3660
-
\??\c:\202042.exec:\202042.exe74⤵PID:400
-
\??\c:\7bthtn.exec:\7bthtn.exe75⤵PID:524
-
\??\c:\tntnhb.exec:\tntnhb.exe76⤵PID:1124
-
\??\c:\0882882.exec:\0882882.exe77⤵PID:4288
-
\??\c:\8886082.exec:\8886082.exe78⤵PID:2292
-
\??\c:\lxffrrl.exec:\lxffrrl.exe79⤵PID:3668
-
\??\c:\flrlfxr.exec:\flrlfxr.exe80⤵
- System Location Discovery: System Language Discovery
PID:432 -
\??\c:\nthtnt.exec:\nthtnt.exe81⤵PID:1116
-
\??\c:\046426.exec:\046426.exe82⤵PID:2932
-
\??\c:\frlflfr.exec:\frlflfr.exe83⤵PID:3940
-
\??\c:\406262.exec:\406262.exe84⤵PID:2148
-
\??\c:\06282.exec:\06282.exe85⤵PID:3100
-
\??\c:\fxrlxrl.exec:\fxrlxrl.exe86⤵PID:4812
-
\??\c:\dddpd.exec:\dddpd.exe87⤵PID:4712
-
\??\c:\6064004.exec:\6064004.exe88⤵PID:3396
-
\??\c:\0246606.exec:\0246606.exe89⤵PID:4136
-
\??\c:\ttbnhb.exec:\ttbnhb.exe90⤵PID:60
-
\??\c:\c808648.exec:\c808648.exe91⤵PID:904
-
\??\c:\5nhtnh.exec:\5nhtnh.exe92⤵PID:824
-
\??\c:\tnttnb.exec:\tnttnb.exe93⤵PID:4448
-
\??\c:\fxfrllf.exec:\fxfrllf.exe94⤵PID:4968
-
\??\c:\vpvpp.exec:\vpvpp.exe95⤵PID:540
-
\??\c:\628200.exec:\628200.exe96⤵PID:964
-
\??\c:\bnbtnn.exec:\bnbtnn.exe97⤵PID:3504
-
\??\c:\dvddd.exec:\dvddd.exe98⤵PID:4344
-
\??\c:\vjvpp.exec:\vjvpp.exe99⤵PID:4996
-
\??\c:\426422.exec:\426422.exe100⤵PID:1008
-
\??\c:\jvpjv.exec:\jvpjv.exe101⤵PID:2296
-
\??\c:\flfrfxr.exec:\flfrfxr.exe102⤵PID:3884
-
\??\c:\9xfxfff.exec:\9xfxfff.exe103⤵PID:1068
-
\??\c:\006482.exec:\006482.exe104⤵PID:2396
-
\??\c:\bhnnhb.exec:\bhnnhb.exe105⤵PID:3320
-
\??\c:\o848660.exec:\o848660.exe106⤵PID:4928
-
\??\c:\u086004.exec:\u086004.exe107⤵PID:4852
-
\??\c:\k62606.exec:\k62606.exe108⤵PID:3760
-
\??\c:\84264.exec:\84264.exe109⤵PID:3168
-
\??\c:\ntbhtt.exec:\ntbhtt.exe110⤵PID:324
-
\??\c:\a6608.exec:\a6608.exe111⤵PID:3748
-
\??\c:\4842260.exec:\4842260.exe112⤵PID:2860
-
\??\c:\lflrlll.exec:\lflrlll.exe113⤵PID:1744
-
\??\c:\28482.exec:\28482.exe114⤵PID:3044
-
\??\c:\4248600.exec:\4248600.exe115⤵PID:2576
-
\??\c:\82282.exec:\82282.exe116⤵PID:2544
-
\??\c:\8846442.exec:\8846442.exe117⤵PID:764
-
\??\c:\htbnbt.exec:\htbnbt.exe118⤵PID:3712
-
\??\c:\844208.exec:\844208.exe119⤵PID:464
-
\??\c:\40042.exec:\40042.exe120⤵PID:2068
-
\??\c:\04080.exec:\04080.exe121⤵PID:1476
-
\??\c:\ddjdp.exec:\ddjdp.exe122⤵PID:4396