Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4af653f435ceae94aa365d444f57ec8e84c27fe90ec010da16e43fa1f87dda5aN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
4af653f435ceae94aa365d444f57ec8e84c27fe90ec010da16e43fa1f87dda5aN.exe
-
Size
454KB
-
MD5
895a77012d6ec7146ac4a0d6ac1d4930
-
SHA1
4ea999bfa42bf441fb15172e1d11657fa72497b0
-
SHA256
4af653f435ceae94aa365d444f57ec8e84c27fe90ec010da16e43fa1f87dda5a
-
SHA512
555a3d5d56d760fb8eb88a513ab09e6408beaec685df8acb691e6df55a64e15f91ad39a5c885c40061b108e6fb32f81c249a3068a79de177b06327eb5a4c23cf
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3024-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2940-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/752-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-888-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-933-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-1043-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-1173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4912 04262.exe 208 hntnbb.exe 2380 lxffxxr.exe 4972 5lrxrfx.exe 3480 9nbtnn.exe 1080 7jdvd.exe 4388 fffxxrr.exe 4484 0244884.exe 4952 nnnnbn.exe 2856 6286420.exe 624 hntnnn.exe 3932 bbtnhn.exe 4400 802460.exe 2696 5hnhhh.exe 3272 hbtntb.exe 1780 llrrlfl.exe 224 c022226.exe 752 284488.exe 2156 w28682.exe 3568 3nhtnh.exe 984 fxlxfrf.exe 4740 466048.exe 3544 7jdvp.exe 4916 062088.exe 1064 e04804.exe 3992 7bthtb.exe 4384 k44260.exe 2940 thnbbt.exe 3704 vpjvp.exe 1628 846048.exe 3756 vjjdd.exe 512 pjjdv.exe 1716 tttnnb.exe 1404 tnthhn.exe 2840 lrfrlff.exe 3268 02860.exe 2764 84000.exe 4012 6060884.exe 2300 2286042.exe 2992 thnnnh.exe 4928 000042.exe 4980 djpdv.exe 1468 c686868.exe 636 nhhtbn.exe 3024 86648.exe 2352 jvjpv.exe 1632 8662640.exe 5068 bhnhtn.exe 2776 20026.exe 5060 664040.exe 3204 htnbbb.exe 3480 xrxlrlx.exe 2160 fxxrrrr.exe 4748 lrlfxll.exe 3740 4286262.exe 1968 662648.exe 4192 448644.exe 2932 62886.exe 4392 9bthtn.exe 1564 666082.exe 980 20046.exe 4468 pdvpv.exe 624 pjdpd.exe 5116 60608.exe -
resource yara_rule behavioral2/memory/3024-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4384-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-331-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4804-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-888-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpj.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4666000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 020600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 440066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8260402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0804488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8662640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3024 wrote to memory of 4912 3024 4af653f435ceae94aa365d444f57ec8e84c27fe90ec010da16e43fa1f87dda5aN.exe 85 PID 3024 wrote to memory of 4912 3024 4af653f435ceae94aa365d444f57ec8e84c27fe90ec010da16e43fa1f87dda5aN.exe 85 PID 3024 wrote to memory of 4912 3024 4af653f435ceae94aa365d444f57ec8e84c27fe90ec010da16e43fa1f87dda5aN.exe 85 PID 4912 wrote to memory of 208 4912 04262.exe 86 PID 4912 wrote to memory of 208 4912 04262.exe 86 PID 4912 wrote to memory of 208 4912 04262.exe 86 PID 208 wrote to memory of 2380 208 hntnbb.exe 87 PID 208 wrote to memory of 2380 208 hntnbb.exe 87 PID 208 wrote to memory of 2380 208 hntnbb.exe 87 PID 2380 wrote to memory of 4972 2380 lxffxxr.exe 88 PID 2380 wrote to memory of 4972 2380 lxffxxr.exe 88 PID 2380 wrote to memory of 4972 2380 lxffxxr.exe 88 PID 4972 wrote to memory of 3480 4972 5lrxrfx.exe 89 PID 4972 wrote to memory of 3480 4972 5lrxrfx.exe 89 PID 4972 wrote to memory of 3480 4972 5lrxrfx.exe 89 PID 3480 wrote to memory of 1080 3480 9nbtnn.exe 90 PID 3480 wrote to memory of 1080 3480 9nbtnn.exe 90 PID 3480 wrote to memory of 1080 3480 9nbtnn.exe 90 PID 1080 wrote to memory of 4388 1080 7jdvd.exe 91 PID 1080 wrote to memory of 4388 1080 7jdvd.exe 91 PID 1080 wrote to memory of 4388 1080 7jdvd.exe 91 PID 4388 wrote to memory of 4484 4388 fffxxrr.exe 92 PID 4388 wrote to memory of 4484 4388 fffxxrr.exe 92 PID 4388 wrote to memory of 4484 4388 fffxxrr.exe 92 PID 4484 wrote to memory of 4952 4484 0244884.exe 93 PID 4484 wrote to memory of 4952 4484 0244884.exe 93 PID 4484 wrote to memory of 4952 4484 0244884.exe 93 PID 4952 wrote to memory of 2856 4952 nnnnbn.exe 94 PID 4952 wrote to memory of 2856 4952 nnnnbn.exe 94 PID 4952 wrote to memory of 2856 4952 nnnnbn.exe 94 PID 2856 wrote to memory of 624 2856 6286420.exe 95 PID 2856 wrote to memory of 624 2856 6286420.exe 95 PID 2856 wrote to memory of 624 2856 6286420.exe 95 PID 624 wrote to memory of 3932 624 hntnnn.exe 96 PID 624 wrote to 
memory of 3932 624 hntnnn.exe 96 PID 624 wrote to memory of 3932 624 hntnnn.exe 96 PID 3932 wrote to memory of 4400 3932 bbtnhn.exe 97 PID 3932 wrote to memory of 4400 3932 bbtnhn.exe 97 PID 3932 wrote to memory of 4400 3932 bbtnhn.exe 97 PID 4400 wrote to memory of 2696 4400 802460.exe 98 PID 4400 wrote to memory of 2696 4400 802460.exe 98 PID 4400 wrote to memory of 2696 4400 802460.exe 98 PID 2696 wrote to memory of 3272 2696 5hnhhh.exe 99 PID 2696 wrote to memory of 3272 2696 5hnhhh.exe 99 PID 2696 wrote to memory of 3272 2696 5hnhhh.exe 99 PID 3272 wrote to memory of 1780 3272 hbtntb.exe 100 PID 3272 wrote to memory of 1780 3272 hbtntb.exe 100 PID 3272 wrote to memory of 1780 3272 hbtntb.exe 100 PID 1780 wrote to memory of 224 1780 llrrlfl.exe 101 PID 1780 wrote to memory of 224 1780 llrrlfl.exe 101 PID 1780 wrote to memory of 224 1780 llrrlfl.exe 101 PID 224 wrote to memory of 752 224 c022226.exe 102 PID 224 wrote to memory of 752 224 c022226.exe 102 PID 224 wrote to memory of 752 224 c022226.exe 102 PID 752 wrote to memory of 2156 752 284488.exe 103 PID 752 wrote to memory of 2156 752 284488.exe 103 PID 752 wrote to memory of 2156 752 284488.exe 103 PID 2156 wrote to memory of 3568 2156 w28682.exe 104 PID 2156 wrote to memory of 3568 2156 w28682.exe 104 PID 2156 wrote to memory of 3568 2156 w28682.exe 104 PID 3568 wrote to memory of 984 3568 3nhtnh.exe 105 PID 3568 wrote to memory of 984 3568 3nhtnh.exe 105 PID 3568 wrote to memory of 984 3568 3nhtnh.exe 105 PID 984 wrote to memory of 4740 984 fxlxfrf.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\4af653f435ceae94aa365d444f57ec8e84c27fe90ec010da16e43fa1f87dda5aN.exe"C:\Users\Admin\AppData\Local\Temp\4af653f435ceae94aa365d444f57ec8e84c27fe90ec010da16e43fa1f87dda5aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\04262.exec:\04262.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\hntnbb.exec:\hntnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\lxffxxr.exec:\lxffxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\5lrxrfx.exec:\5lrxrfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\9nbtnn.exec:\9nbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\7jdvd.exec:\7jdvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\fffxxrr.exec:\fffxxrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\0244884.exec:\0244884.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\nnnnbn.exec:\nnnnbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\6286420.exec:\6286420.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\hntnnn.exec:\hntnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\bbtnhn.exec:\bbtnhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\802460.exec:\802460.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\5hnhhh.exec:\5hnhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\hbtntb.exec:\hbtntb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\llrrlfl.exec:\llrrlfl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\c022226.exec:\c022226.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\284488.exec:\284488.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\w28682.exec:\w28682.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\3nhtnh.exec:\3nhtnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\fxlxfrf.exec:\fxlxfrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\466048.exec:\466048.exe23⤵
- Executes dropped EXE
PID:4740 -
\??\c:\7jdvp.exec:\7jdvp.exe24⤵
- Executes dropped EXE
PID:3544 -
\??\c:\062088.exec:\062088.exe25⤵
- Executes dropped EXE
PID:4916 -
\??\c:\e04804.exec:\e04804.exe26⤵
- Executes dropped EXE
PID:1064 -
\??\c:\7bthtb.exec:\7bthtb.exe27⤵
- Executes dropped EXE
PID:3992 -
\??\c:\k44260.exec:\k44260.exe28⤵
- Executes dropped EXE
PID:4384 -
\??\c:\thnbbt.exec:\thnbbt.exe29⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vpjvp.exec:\vpjvp.exe30⤵
- Executes dropped EXE
PID:3704 -
\??\c:\846048.exec:\846048.exe31⤵
- Executes dropped EXE
PID:1628 -
\??\c:\vjjdd.exec:\vjjdd.exe32⤵
- Executes dropped EXE
PID:3756 -
\??\c:\pjjdv.exec:\pjjdv.exe33⤵
- Executes dropped EXE
PID:512 -
\??\c:\tttnnb.exec:\tttnnb.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716 -
\??\c:\tnthhn.exec:\tnthhn.exe35⤵
- Executes dropped EXE
PID:1404 -
\??\c:\lrfrlff.exec:\lrfrlff.exe36⤵
- Executes dropped EXE
PID:2840 -
\??\c:\02860.exec:\02860.exe37⤵
- Executes dropped EXE
PID:3268 -
\??\c:\84000.exec:\84000.exe38⤵
- Executes dropped EXE
PID:2764 -
\??\c:\6060884.exec:\6060884.exe39⤵
- Executes dropped EXE
PID:4012 -
\??\c:\2286042.exec:\2286042.exe40⤵
- Executes dropped EXE
PID:2300 -
\??\c:\thnnnh.exec:\thnnnh.exe41⤵
- Executes dropped EXE
PID:2992 -
\??\c:\000042.exec:\000042.exe42⤵
- Executes dropped EXE
PID:4928 -
\??\c:\djpdv.exec:\djpdv.exe43⤵
- Executes dropped EXE
PID:4980 -
\??\c:\c686868.exec:\c686868.exe44⤵
- Executes dropped EXE
PID:1468 -
\??\c:\nhhtbn.exec:\nhhtbn.exe45⤵
- Executes dropped EXE
PID:636 -
\??\c:\86648.exec:\86648.exe46⤵
- Executes dropped EXE
PID:3024 -
\??\c:\jvjpv.exec:\jvjpv.exe47⤵
- Executes dropped EXE
PID:2352 -
\??\c:\8662640.exec:\8662640.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632 -
\??\c:\bhnhtn.exec:\bhnhtn.exe49⤵
- Executes dropped EXE
PID:5068 -
\??\c:\20026.exec:\20026.exe50⤵
- Executes dropped EXE
PID:2776 -
\??\c:\664040.exec:\664040.exe51⤵
- Executes dropped EXE
PID:5060 -
\??\c:\htnbbb.exec:\htnbbb.exe52⤵
- Executes dropped EXE
PID:3204 -
\??\c:\xrxlrlx.exec:\xrxlrlx.exe53⤵
- Executes dropped EXE
PID:3480 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe54⤵
- Executes dropped EXE
PID:2160 -
\??\c:\lrlfxll.exec:\lrlfxll.exe55⤵
- Executes dropped EXE
PID:4748 -
\??\c:\4286262.exec:\4286262.exe56⤵
- Executes dropped EXE
PID:3740 -
\??\c:\662648.exec:\662648.exe57⤵
- Executes dropped EXE
PID:1968 -
\??\c:\448644.exec:\448644.exe58⤵
- Executes dropped EXE
PID:4192 -
\??\c:\62886.exec:\62886.exe59⤵
- Executes dropped EXE
PID:2932 -
\??\c:\9bthtn.exec:\9bthtn.exe60⤵
- Executes dropped EXE
PID:4392 -
\??\c:\666082.exec:\666082.exe61⤵
- Executes dropped EXE
PID:1564 -
\??\c:\20046.exec:\20046.exe62⤵
- Executes dropped EXE
PID:980 -
\??\c:\pdvpv.exec:\pdvpv.exe63⤵
- Executes dropped EXE
PID:4468 -
\??\c:\pjdpd.exec:\pjdpd.exe64⤵
- Executes dropped EXE
PID:624 -
\??\c:\60608.exec:\60608.exe65⤵
- Executes dropped EXE
PID:5116 -
\??\c:\lrlfxll.exec:\lrlfxll.exe66⤵PID:4104
-
\??\c:\42864.exec:\42864.exe67⤵PID:4720
-
\??\c:\jddvp.exec:\jddvp.exe68⤵PID:4048
-
\??\c:\vdpjj.exec:\vdpjj.exe69⤵PID:2936
-
\??\c:\66660.exec:\66660.exe70⤵PID:1936
-
\??\c:\864848.exec:\864848.exe71⤵PID:4072
-
\??\c:\8608682.exec:\8608682.exe72⤵PID:752
-
\??\c:\666062.exec:\666062.exe73⤵PID:368
-
\??\c:\dppjj.exec:\dppjj.exe74⤵PID:2664
-
\??\c:\jvdpd.exec:\jvdpd.exe75⤵PID:3116
-
\??\c:\646048.exec:\646048.exe76⤵PID:4804
-
\??\c:\40648.exec:\40648.exe77⤵PID:1452
-
\??\c:\thhbnh.exec:\thhbnh.exe78⤵PID:4740
-
\??\c:\q06040.exec:\q06040.exe79⤵PID:4504
-
\??\c:\0848626.exec:\0848626.exe80⤵PID:4916
-
\??\c:\28482.exec:\28482.exe81⤵PID:1480
-
\??\c:\rffxlfr.exec:\rffxlfr.exe82⤵PID:3628
-
\??\c:\xrfxxfr.exec:\xrfxxfr.exe83⤵PID:1940
-
\??\c:\8240662.exec:\8240662.exe84⤵PID:820
-
\??\c:\fxfxfxf.exec:\fxfxfxf.exe85⤵PID:3940
-
\??\c:\7hbthh.exec:\7hbthh.exe86⤵PID:2940
-
\??\c:\26884.exec:\26884.exe87⤵PID:1944
-
\??\c:\0408604.exec:\0408604.exe88⤵PID:1756
-
\??\c:\82482.exec:\82482.exe89⤵PID:1776
-
\??\c:\htnbhb.exec:\htnbhb.exe90⤵PID:1004
-
\??\c:\tnthht.exec:\tnthht.exe91⤵PID:4088
-
\??\c:\9bbntn.exec:\9bbntn.exe92⤵PID:4364
-
\??\c:\62448.exec:\62448.exe93⤵PID:1392
-
\??\c:\rlfxrxr.exec:\rlfxrxr.exe94⤵PID:3632
-
\??\c:\04426.exec:\04426.exe95⤵PID:5000
-
\??\c:\bbtttn.exec:\bbtttn.exe96⤵PID:1400
-
\??\c:\hhhthh.exec:\hhhthh.exe97⤵PID:904
-
\??\c:\0404260.exec:\0404260.exe98⤵PID:1904
-
\??\c:\hhbtnt.exec:\hhbtnt.exe99⤵PID:2324
-
\??\c:\pdddj.exec:\pdddj.exe100⤵PID:4432
-
\??\c:\82684.exec:\82684.exe101⤵PID:4928
-
\??\c:\3bnbnh.exec:\3bnbnh.exe102⤵PID:4312
-
\??\c:\xrxlxxl.exec:\xrxlxxl.exe103⤵PID:2788
-
\??\c:\8848606.exec:\8848606.exe104⤵PID:636
-
\??\c:\5rrfrlf.exec:\5rrfrlf.exe105⤵PID:3732
-
\??\c:\e82642.exec:\e82642.exe106⤵PID:1632
-
\??\c:\q44860.exec:\q44860.exe107⤵PID:3688
-
\??\c:\xxffxfx.exec:\xxffxfx.exe108⤵PID:2776
-
\??\c:\jpvpd.exec:\jpvpd.exe109⤵PID:5060
-
\??\c:\3bhthb.exec:\3bhthb.exe110⤵PID:3204
-
\??\c:\vjpdd.exec:\vjpdd.exe111⤵PID:1956
-
\??\c:\htbnhb.exec:\htbnhb.exe112⤵PID:1512
-
\??\c:\3vjdp.exec:\3vjdp.exe113⤵PID:2040
-
\??\c:\g8864.exec:\g8864.exe114⤵PID:1892
-
\??\c:\062086.exec:\062086.exe115⤵PID:3588
-
\??\c:\4220820.exec:\4220820.exe116⤵PID:3336
-
\??\c:\8848664.exec:\8848664.exe117⤵PID:1596
-
\??\c:\vjpdd.exec:\vjpdd.exe118⤵PID:1396
-
\??\c:\lfrlfxx.exec:\lfrlfxx.exe119⤵PID:4144
-
\??\c:\42248.exec:\42248.exe120⤵PID:4500
-
\??\c:\fllfrlf.exec:\fllfrlf.exe121⤵PID:5064
-
\??\c:\nbhnbh.exec:\nbhnbh.exe122⤵PID:1228
-