Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 03:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe
-
Size
454KB
-
MD5
2b4459e27da1049220207176c17f50d2
-
SHA1
7f59eb24954ad250efdaec961443b87efb91b4f1
-
SHA256
114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7
-
SHA512
5d4358f477f9b89ffd89adad2fe9ce226525f5006d4757b2bc61adc556555083dce4d5755aeea282f991f90826ccc173aae54e82659b7e4a046c6dd49a8c3553
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3868-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4600-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5108-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-831-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-920-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-987-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-1010-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-1115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-1322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-1383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4164-1805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2024 llffffx.exe 1892 628206.exe 1136 thhhhb.exe 4944 bthnhb.exe 1048 9bbnbt.exe 4060 bnnbtn.exe 3216 xflrlfr.exe 4796 nbthbb.exe 3412 xxxrlff.exe 800 ddvpd.exe 3876 1fxrffx.exe 448 022088.exe 4996 0862042.exe 3352 48424.exe 228 3hthtn.exe 2460 hhthnb.exe 3780 jvdpd.exe 4628 fllxflf.exe 4816 8620484.exe 1780 8088848.exe 4840 66620.exe 2772 frrfxlf.exe 4732 40266.exe 3424 86824.exe 2700 rrrrrrl.exe 4080 5bhbbn.exe 3436 5jddv.exe 1004 vjpjd.exe 2300 28826.exe 4600 hhnhtt.exe 4220 lfrxfll.exe 1288 ppvjv.exe 4896 hhhthb.exe 4744 nbbnhb.exe 1828 jvvjv.exe 2164 3vpjv.exe 2076 q44200.exe 1924 hhbhbb.exe 3948 3vpdp.exe 3140 484248.exe 1968 bnhbnh.exe 4580 lrxlfxx.exe 1864 4622000.exe 2184 u482642.exe 1640 ddvpj.exe 8 vjvvj.exe 1940 628200.exe 4872 3vvpd.exe 396 826260.exe 4496 864220.exe 4472 7hnbhh.exe 4800 bbhthb.exe 4904 200804.exe 856 nbtbnb.exe 2728 lxlxxrr.exe 2896 xllxxrf.exe 2396 7bthbt.exe 3036 1lfrfxl.exe 1048 nbtnbt.exe 380 lfffxlf.exe 1596 fxxrrrx.exe 2364 000482.exe 1448 444426.exe 1628 462048.exe -
resource yara_rule behavioral2/memory/3868-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-172-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1288-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-473-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2448-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-831-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-920-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-987-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2000460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8264826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c882086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28660.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3868 wrote to memory of 2024 3868 114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe 83 PID 3868 wrote to memory of 2024 3868 114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe 83 PID 3868 wrote to memory of 2024 3868 114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe 83 PID 2024 wrote to memory of 1892 2024 llffffx.exe 84 PID 2024 wrote to memory of 1892 2024 llffffx.exe 84 PID 2024 wrote to memory of 1892 2024 llffffx.exe 84 PID 1892 wrote to memory of 1136 1892 628206.exe 85 PID 1892 wrote to memory of 1136 1892 628206.exe 85 PID 1892 wrote to memory of 1136 1892 628206.exe 85 PID 1136 wrote to memory of 4944 1136 thhhhb.exe 86 PID 1136 wrote to memory of 4944 1136 thhhhb.exe 86 PID 1136 wrote to memory of 4944 1136 thhhhb.exe 86 PID 4944 wrote to memory of 1048 4944 bthnhb.exe 87 PID 4944 wrote to memory of 1048 4944 bthnhb.exe 87 PID 4944 wrote to memory of 1048 4944 bthnhb.exe 87 PID 1048 wrote to memory of 4060 1048 9bbnbt.exe 88 PID 1048 wrote to memory of 4060 1048 9bbnbt.exe 88 PID 1048 wrote to memory of 4060 1048 9bbnbt.exe 88 PID 4060 wrote to memory of 3216 4060 bnnbtn.exe 89 PID 4060 wrote to memory of 3216 4060 bnnbtn.exe 89 PID 4060 wrote to memory of 3216 4060 bnnbtn.exe 89 PID 3216 wrote to memory of 4796 3216 xflrlfr.exe 90 PID 3216 wrote to memory of 4796 3216 xflrlfr.exe 90 PID 3216 wrote to memory of 4796 3216 xflrlfr.exe 90 PID 4796 wrote to memory of 3412 4796 nbthbb.exe 91 PID 4796 wrote to memory of 3412 4796 nbthbb.exe 91 PID 4796 wrote to memory of 3412 4796 nbthbb.exe 91 PID 3412 wrote to memory of 800 3412 xxxrlff.exe 92 PID 3412 wrote to memory of 800 3412 xxxrlff.exe 92 PID 3412 wrote to memory of 800 3412 xxxrlff.exe 92 PID 800 wrote to memory of 3876 800 ddvpd.exe 93 PID 800 wrote to memory of 3876 800 ddvpd.exe 93 PID 800 wrote to memory of 3876 800 ddvpd.exe 93 PID 3876 wrote to memory of 448 3876 1fxrffx.exe 94 PID 3876 wrote to 
memory of 448 3876 1fxrffx.exe 94 PID 3876 wrote to memory of 448 3876 1fxrffx.exe 94 PID 448 wrote to memory of 4996 448 022088.exe 95 PID 448 wrote to memory of 4996 448 022088.exe 95 PID 448 wrote to memory of 4996 448 022088.exe 95 PID 4996 wrote to memory of 3352 4996 0862042.exe 96 PID 4996 wrote to memory of 3352 4996 0862042.exe 96 PID 4996 wrote to memory of 3352 4996 0862042.exe 96 PID 3352 wrote to memory of 228 3352 48424.exe 97 PID 3352 wrote to memory of 228 3352 48424.exe 97 PID 3352 wrote to memory of 228 3352 48424.exe 97 PID 228 wrote to memory of 2460 228 3hthtn.exe 98 PID 228 wrote to memory of 2460 228 3hthtn.exe 98 PID 228 wrote to memory of 2460 228 3hthtn.exe 98 PID 2460 wrote to memory of 3780 2460 hhthnb.exe 99 PID 2460 wrote to memory of 3780 2460 hhthnb.exe 99 PID 2460 wrote to memory of 3780 2460 hhthnb.exe 99 PID 3780 wrote to memory of 4628 3780 jvdpd.exe 100 PID 3780 wrote to memory of 4628 3780 jvdpd.exe 100 PID 3780 wrote to memory of 4628 3780 jvdpd.exe 100 PID 4628 wrote to memory of 4816 4628 fllxflf.exe 101 PID 4628 wrote to memory of 4816 4628 fllxflf.exe 101 PID 4628 wrote to memory of 4816 4628 fllxflf.exe 101 PID 4816 wrote to memory of 1780 4816 8620484.exe 102 PID 4816 wrote to memory of 1780 4816 8620484.exe 102 PID 4816 wrote to memory of 1780 4816 8620484.exe 102 PID 1780 wrote to memory of 4840 1780 8088848.exe 103 PID 1780 wrote to memory of 4840 1780 8088848.exe 103 PID 1780 wrote to memory of 4840 1780 8088848.exe 103 PID 4840 wrote to memory of 2772 4840 66620.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe"C:\Users\Admin\AppData\Local\Temp\114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\llffffx.exec:\llffffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\628206.exec:\628206.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\thhhhb.exec:\thhhhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\bthnhb.exec:\bthnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\9bbnbt.exec:\9bbnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\bnnbtn.exec:\bnnbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\xflrlfr.exec:\xflrlfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\nbthbb.exec:\nbthbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\xxxrlff.exec:\xxxrlff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\ddvpd.exec:\ddvpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\1fxrffx.exec:\1fxrffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\022088.exec:\022088.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\0862042.exec:\0862042.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\48424.exec:\48424.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\3hthtn.exec:\3hthtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\hhthnb.exec:\hhthnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\jvdpd.exec:\jvdpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\fllxflf.exec:\fllxflf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\8620484.exec:\8620484.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\8088848.exec:\8088848.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\66620.exec:\66620.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\frrfxlf.exec:\frrfxlf.exe23⤵
- Executes dropped EXE
PID:2772 -
\??\c:\40266.exec:\40266.exe24⤵
- Executes dropped EXE
PID:4732 -
\??\c:\86824.exec:\86824.exe25⤵
- Executes dropped EXE
PID:3424 -
\??\c:\rrrrrrl.exec:\rrrrrrl.exe26⤵
- Executes dropped EXE
PID:2700 -
\??\c:\5bhbbn.exec:\5bhbbn.exe27⤵
- Executes dropped EXE
PID:4080 -
\??\c:\5jddv.exec:\5jddv.exe28⤵
- Executes dropped EXE
PID:3436 -
\??\c:\vjpjd.exec:\vjpjd.exe29⤵
- Executes dropped EXE
PID:1004 -
\??\c:\28826.exec:\28826.exe30⤵
- Executes dropped EXE
PID:2300 -
\??\c:\hhnhtt.exec:\hhnhtt.exe31⤵
- Executes dropped EXE
PID:4600 -
\??\c:\lfrxfll.exec:\lfrxfll.exe32⤵
- Executes dropped EXE
PID:4220 -
\??\c:\ppvjv.exec:\ppvjv.exe33⤵
- Executes dropped EXE
PID:1288 -
\??\c:\hhhthb.exec:\hhhthb.exe34⤵
- Executes dropped EXE
PID:4896 -
\??\c:\nbbnhb.exec:\nbbnhb.exe35⤵
- Executes dropped EXE
PID:4744 -
\??\c:\jvvjv.exec:\jvvjv.exe36⤵
- Executes dropped EXE
PID:1828 -
\??\c:\3vpjv.exec:\3vpjv.exe37⤵
- Executes dropped EXE
PID:2164 -
\??\c:\q44200.exec:\q44200.exe38⤵
- Executes dropped EXE
PID:2076 -
\??\c:\hhbhbb.exec:\hhbhbb.exe39⤵
- Executes dropped EXE
PID:1924 -
\??\c:\3vpdp.exec:\3vpdp.exe40⤵
- Executes dropped EXE
PID:3948 -
\??\c:\484248.exec:\484248.exe41⤵
- Executes dropped EXE
PID:3140 -
\??\c:\bnhbnh.exec:\bnhbnh.exe42⤵
- Executes dropped EXE
PID:1968 -
\??\c:\lrxlfxx.exec:\lrxlfxx.exe43⤵
- Executes dropped EXE
PID:4580 -
\??\c:\4622000.exec:\4622000.exe44⤵
- Executes dropped EXE
PID:1864 -
\??\c:\u482642.exec:\u482642.exe45⤵
- Executes dropped EXE
PID:2184 -
\??\c:\ddvpj.exec:\ddvpj.exe46⤵
- Executes dropped EXE
PID:1640 -
\??\c:\vjvvj.exec:\vjvvj.exe47⤵
- Executes dropped EXE
PID:8 -
\??\c:\628200.exec:\628200.exe48⤵
- Executes dropped EXE
PID:1940 -
\??\c:\3vvpd.exec:\3vvpd.exe49⤵
- Executes dropped EXE
PID:4872 -
\??\c:\826260.exec:\826260.exe50⤵
- Executes dropped EXE
PID:396 -
\??\c:\864220.exec:\864220.exe51⤵
- Executes dropped EXE
PID:4496 -
\??\c:\7hnbhh.exec:\7hnbhh.exe52⤵
- Executes dropped EXE
PID:4472 -
\??\c:\bbhthb.exec:\bbhthb.exe53⤵
- Executes dropped EXE
PID:4800 -
\??\c:\200804.exec:\200804.exe54⤵
- Executes dropped EXE
PID:4904 -
\??\c:\nbtbnb.exec:\nbtbnb.exe55⤵
- Executes dropped EXE
PID:856 -
\??\c:\lxlxxrr.exec:\lxlxxrr.exe56⤵
- Executes dropped EXE
PID:2728 -
\??\c:\xllxxrf.exec:\xllxxrf.exe57⤵
- Executes dropped EXE
PID:2896 -
\??\c:\7bthbt.exec:\7bthbt.exe58⤵
- Executes dropped EXE
PID:2396 -
\??\c:\1lfrfxl.exec:\1lfrfxl.exe59⤵
- Executes dropped EXE
PID:3036 -
\??\c:\nbtnbt.exec:\nbtnbt.exe60⤵
- Executes dropped EXE
PID:1048 -
\??\c:\lfffxlf.exec:\lfffxlf.exe61⤵
- Executes dropped EXE
PID:380 -
\??\c:\fxxrrrx.exec:\fxxrrrx.exe62⤵
- Executes dropped EXE
PID:1596 -
\??\c:\000482.exec:\000482.exe63⤵
- Executes dropped EXE
PID:2364 -
\??\c:\444426.exec:\444426.exe64⤵
- Executes dropped EXE
PID:1448 -
\??\c:\462048.exec:\462048.exe65⤵
- Executes dropped EXE
PID:1628 -
\??\c:\202060.exec:\202060.exe66⤵PID:3300
-
\??\c:\428266.exec:\428266.exe67⤵PID:2124
-
\??\c:\622044.exec:\622044.exe68⤵PID:800
-
\??\c:\84028.exec:\84028.exe69⤵PID:2448
-
\??\c:\lrffrxl.exec:\lrffrxl.exe70⤵PID:5000
-
\??\c:\pddvj.exec:\pddvj.exe71⤵PID:4988
-
\??\c:\264222.exec:\264222.exe72⤵PID:4996
-
\??\c:\28204.exec:\28204.exe73⤵PID:1436
-
\??\c:\5ffrxfx.exec:\5ffrxfx.exe74⤵PID:4656
-
\??\c:\60260.exec:\60260.exe75⤵PID:2176
-
\??\c:\llfrfrr.exec:\llfrfrr.exe76⤵PID:3760
-
\??\c:\084226.exec:\084226.exe77⤵PID:2276
-
\??\c:\2808828.exec:\2808828.exe78⤵PID:4516
-
\??\c:\42464.exec:\42464.exe79⤵PID:5108
-
\??\c:\frxxlfx.exec:\frxxlfx.exe80⤵PID:4076
-
\??\c:\btbntn.exec:\btbntn.exe81⤵PID:1116
-
\??\c:\ffrfxxr.exec:\ffrfxxr.exe82⤵PID:2084
-
\??\c:\pvpdd.exec:\pvpdd.exe83⤵PID:2772
-
\??\c:\q84644.exec:\q84644.exe84⤵PID:4164
-
\??\c:\824888.exec:\824888.exe85⤵PID:2420
-
\??\c:\1ttthn.exec:\1ttthn.exe86⤵PID:540
-
\??\c:\fflllfr.exec:\fflllfr.exe87⤵PID:2960
-
\??\c:\lllxrlx.exec:\lllxrlx.exe88⤵PID:3968
-
\??\c:\680822.exec:\680822.exe89⤵PID:5092
-
\??\c:\4600400.exec:\4600400.exe90⤵PID:3504
-
\??\c:\fllxlfr.exec:\fllxlfr.exe91⤵PID:532
-
\??\c:\frllxxr.exec:\frllxxr.exe92⤵PID:4900
-
\??\c:\lllxlfr.exec:\lllxlfr.exe93⤵PID:3320
-
\??\c:\jvdpp.exec:\jvdpp.exe94⤵PID:3272
-
\??\c:\2268002.exec:\2268002.exe95⤵PID:1528
-
\??\c:\u046480.exec:\u046480.exe96⤵PID:4220
-
\??\c:\u282482.exec:\u282482.exe97⤵PID:3728
-
\??\c:\lflxrfr.exec:\lflxrfr.exe98⤵PID:1176
-
\??\c:\42808.exec:\42808.exe99⤵PID:3812
-
\??\c:\62206.exec:\62206.exe100⤵PID:2172
-
\??\c:\406860.exec:\406860.exe101⤵PID:4292
-
\??\c:\c048044.exec:\c048044.exe102⤵PID:3212
-
\??\c:\i060446.exec:\i060446.exe103⤵PID:4768
-
\??\c:\ffxlxrf.exec:\ffxlxrf.exe104⤵PID:2060
-
\??\c:\4048642.exec:\4048642.exe105⤵PID:4032
-
\??\c:\jvvdp.exec:\jvvdp.exe106⤵PID:620
-
\??\c:\9jdvj.exec:\9jdvj.exe107⤵PID:412
-
\??\c:\2226828.exec:\2226828.exe108⤵PID:3576
-
\??\c:\tnhthb.exec:\tnhthb.exe109⤵PID:4328
-
\??\c:\vddpd.exec:\vddpd.exe110⤵PID:3996
-
\??\c:\00082.exec:\00082.exe111⤵PID:1640
-
\??\c:\8886420.exec:\8886420.exe112⤵PID:2408
-
\??\c:\2246482.exec:\2246482.exe113⤵PID:1588
-
\??\c:\xlxxxrr.exec:\xlxxxrr.exe114⤵PID:4068
-
\??\c:\60640.exec:\60640.exe115⤵PID:2732
-
\??\c:\88686.exec:\88686.exe116⤵PID:4364
-
\??\c:\226864.exec:\226864.exe117⤵PID:1056
-
\??\c:\9xfxlfx.exec:\9xfxlfx.exe118⤵PID:2400
-
\??\c:\c042044.exec:\c042044.exe119⤵PID:1008
-
\??\c:\o486420.exec:\o486420.exe120⤵PID:4128
-
\??\c:\bthtnb.exec:\bthtnb.exe121⤵PID:3440
-
\??\c:\bhhbnh.exec:\bhhbnh.exe122⤵PID:4632