Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 22:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe
-
Size
456KB
-
MD5
4a78e247f45a33f53a3bdd74b2be58fe
-
SHA1
74ef2587bda7ae1ef7ff31e6e5c8ec556d4a86d7
-
SHA256
422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e
-
SHA512
ba85f49b62d987d8f0732b27cabdc04cc2545ff099ee65f5c3263a9a8defb1b8d4be4745767ac75474ee0802975b45c6cda2d18c5f5a77cd2dda30b994c73092
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRa:q7Tc2NYHUrAwfMp3CDRa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3788-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3472-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4236-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4308-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4380 xlfrlfr.exe 3976 fxfxxfr.exe 3124 7jjdv.exe 2140 nbbnbt.exe 3600 6244680.exe 4024 00604.exe 3576 bbnnbh.exe 3136 04442.exe 3168 66608.exe 628 htttbt.exe 3080 m4420.exe 4940 7tnhbb.exe 4780 hbbnbb.exe 3128 6428226.exe 2692 8660860.exe 2992 20042.exe 2536 pjdpv.exe 1952 4220206.exe 2072 04482.exe 2776 2220820.exe 4200 866486.exe 3148 44426.exe 3472 0848884.exe 3156 4244046.exe 1172 lxfxfrx.exe 836 lxxrxlf.exe 220 7xrlxrl.exe 4828 486048.exe 372 flrlffx.exe 1580 hbttbt.exe 2084 48826.exe 3904 2666000.exe 1384 hbtnhh.exe 1776 06608.exe 4700 jppdv.exe 4396 086604.exe 2336 264264.exe 2664 xffxlfl.exe 1512 640404.exe 4996 lrrlllf.exe 2856 dppjj.exe 4524 6804488.exe 3964 4682662.exe 4620 g2822.exe 2832 4662266.exe 4444 vdjdd.exe 2384 bnttnn.exe 3944 1lfxlfx.exe 3240 i888282.exe 3896 228608.exe 4796 nbnhbt.exe 1948 20442.exe 2140 tbhtnt.exe 1604 2648482.exe 5028 vjpvp.exe 4256 2620482.exe 2780 nbbnbt.exe 3544 22804.exe 2648 26822.exe 1548 q02088.exe 3636 lrlxrfx.exe 60 ddvpp.exe 1028 lrrlfff.exe 4772 k88826.exe -
resource yara_rule behavioral2/memory/3788-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2084-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-393-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3020-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-628-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 628822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e84204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3788 wrote to memory of 4380 3788 422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe 83 PID 3788 wrote to memory of 4380 3788 422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe 83 PID 3788 wrote to memory of 4380 3788 422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe 83 PID 4380 wrote to memory of 3976 4380 xlfrlfr.exe 84 PID 4380 wrote to memory of 3976 4380 xlfrlfr.exe 84 PID 4380 wrote to memory of 3976 4380 xlfrlfr.exe 84 PID 3976 wrote to memory of 3124 3976 fxfxxfr.exe 85 PID 3976 wrote to memory of 3124 3976 fxfxxfr.exe 85 PID 3976 wrote to memory of 3124 3976 fxfxxfr.exe 85 PID 3124 wrote to memory of 2140 3124 7jjdv.exe 86 PID 3124 wrote to memory of 2140 3124 7jjdv.exe 86 PID 3124 wrote to memory of 2140 3124 7jjdv.exe 86 PID 2140 wrote to memory of 3600 2140 nbbnbt.exe 87 PID 2140 wrote to memory of 3600 2140 nbbnbt.exe 87 PID 2140 wrote to memory of 3600 2140 nbbnbt.exe 87 PID 3600 wrote to memory of 4024 3600 6244680.exe 88 PID 3600 wrote to memory of 4024 3600 6244680.exe 88 PID 3600 wrote to memory of 4024 3600 6244680.exe 88 PID 4024 wrote to memory of 3576 4024 00604.exe 89 PID 4024 wrote to memory of 3576 4024 00604.exe 89 PID 4024 wrote to memory of 3576 4024 00604.exe 89 PID 3576 wrote to memory of 3136 3576 bbnnbh.exe 90 PID 3576 wrote to memory of 3136 3576 bbnnbh.exe 90 PID 3576 wrote to memory of 3136 3576 bbnnbh.exe 90 PID 3136 wrote to memory of 3168 3136 04442.exe 91 PID 3136 wrote to memory of 3168 3136 04442.exe 91 PID 3136 wrote to memory of 3168 3136 04442.exe 91 PID 3168 wrote to memory of 628 3168 66608.exe 92 PID 3168 wrote to memory of 628 3168 66608.exe 92 PID 3168 wrote to memory of 628 3168 66608.exe 92 PID 628 wrote to memory of 3080 628 htttbt.exe 93 PID 628 wrote to memory of 3080 628 htttbt.exe 93 PID 628 wrote to memory of 3080 628 htttbt.exe 93 PID 3080 wrote to memory of 4940 3080 m4420.exe 94 PID 3080 wrote to memory of 4940 
3080 m4420.exe 94 PID 3080 wrote to memory of 4940 3080 m4420.exe 94 PID 4940 wrote to memory of 4780 4940 7tnhbb.exe 95 PID 4940 wrote to memory of 4780 4940 7tnhbb.exe 95 PID 4940 wrote to memory of 4780 4940 7tnhbb.exe 95 PID 4780 wrote to memory of 3128 4780 hbbnbb.exe 96 PID 4780 wrote to memory of 3128 4780 hbbnbb.exe 96 PID 4780 wrote to memory of 3128 4780 hbbnbb.exe 96 PID 3128 wrote to memory of 2692 3128 6428226.exe 97 PID 3128 wrote to memory of 2692 3128 6428226.exe 97 PID 3128 wrote to memory of 2692 3128 6428226.exe 97 PID 2692 wrote to memory of 2992 2692 8660860.exe 98 PID 2692 wrote to memory of 2992 2692 8660860.exe 98 PID 2692 wrote to memory of 2992 2692 8660860.exe 98 PID 2992 wrote to memory of 2536 2992 20042.exe 99 PID 2992 wrote to memory of 2536 2992 20042.exe 99 PID 2992 wrote to memory of 2536 2992 20042.exe 99 PID 2536 wrote to memory of 1952 2536 pjdpv.exe 100 PID 2536 wrote to memory of 1952 2536 pjdpv.exe 100 PID 2536 wrote to memory of 1952 2536 pjdpv.exe 100 PID 1952 wrote to memory of 2072 1952 4220206.exe 101 PID 1952 wrote to memory of 2072 1952 4220206.exe 101 PID 1952 wrote to memory of 2072 1952 4220206.exe 101 PID 2072 wrote to memory of 2776 2072 04482.exe 102 PID 2072 wrote to memory of 2776 2072 04482.exe 102 PID 2072 wrote to memory of 2776 2072 04482.exe 102 PID 2776 wrote to memory of 4200 2776 2220820.exe 103 PID 2776 wrote to memory of 4200 2776 2220820.exe 103 PID 2776 wrote to memory of 4200 2776 2220820.exe 103 PID 4200 wrote to memory of 3148 4200 866486.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe"C:\Users\Admin\AppData\Local\Temp\422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\xlfrlfr.exec:\xlfrlfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\fxfxxfr.exec:\fxfxxfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\7jjdv.exec:\7jjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\nbbnbt.exec:\nbbnbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\6244680.exec:\6244680.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\00604.exec:\00604.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\bbnnbh.exec:\bbnnbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\04442.exec:\04442.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\66608.exec:\66608.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\htttbt.exec:\htttbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\m4420.exec:\m4420.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\7tnhbb.exec:\7tnhbb.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\hbbnbb.exec:\hbbnbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\6428226.exec:\6428226.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\8660860.exec:\8660860.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\20042.exec:\20042.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\pjdpv.exec:\pjdpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\4220206.exec:\4220206.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\04482.exec:\04482.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\2220820.exec:\2220820.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\866486.exec:\866486.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\44426.exec:\44426.exe23⤵
- Executes dropped EXE
PID:3148 -
\??\c:\0848884.exec:\0848884.exe24⤵
- Executes dropped EXE
PID:3472 -
\??\c:\4244046.exec:\4244046.exe25⤵
- Executes dropped EXE
PID:3156 -
\??\c:\lxfxfrx.exec:\lxfxfrx.exe26⤵
- Executes dropped EXE
PID:1172 -
\??\c:\lxxrxlf.exec:\lxxrxlf.exe27⤵
- Executes dropped EXE
PID:836 -
\??\c:\7xrlxrl.exec:\7xrlxrl.exe28⤵
- Executes dropped EXE
PID:220 -
\??\c:\486048.exec:\486048.exe29⤵
- Executes dropped EXE
PID:4828 -
\??\c:\flrlffx.exec:\flrlffx.exe30⤵
- Executes dropped EXE
PID:372 -
\??\c:\hbttbt.exec:\hbttbt.exe31⤵
- Executes dropped EXE
PID:1580 -
\??\c:\48826.exec:\48826.exe32⤵
- Executes dropped EXE
PID:2084 -
\??\c:\2666000.exec:\2666000.exe33⤵
- Executes dropped EXE
PID:3904 -
\??\c:\hbtnhh.exec:\hbtnhh.exe34⤵
- Executes dropped EXE
PID:1384 -
\??\c:\06608.exec:\06608.exe35⤵
- Executes dropped EXE
PID:1776 -
\??\c:\jppdv.exec:\jppdv.exe36⤵
- Executes dropped EXE
PID:4700 -
\??\c:\086604.exec:\086604.exe37⤵
- Executes dropped EXE
PID:4396 -
\??\c:\264264.exec:\264264.exe38⤵
- Executes dropped EXE
PID:2336 -
\??\c:\xffxlfl.exec:\xffxlfl.exe39⤵
- Executes dropped EXE
PID:2664 -
\??\c:\640404.exec:\640404.exe40⤵
- Executes dropped EXE
PID:1512 -
\??\c:\lrrlllf.exec:\lrrlllf.exe41⤵
- Executes dropped EXE
PID:4996 -
\??\c:\dppjj.exec:\dppjj.exe42⤵
- Executes dropped EXE
PID:2856 -
\??\c:\6804488.exec:\6804488.exe43⤵
- Executes dropped EXE
PID:4524 -
\??\c:\4682662.exec:\4682662.exe44⤵
- Executes dropped EXE
PID:3964 -
\??\c:\g2822.exec:\g2822.exe45⤵
- Executes dropped EXE
PID:4620 -
\??\c:\4662266.exec:\4662266.exe46⤵
- Executes dropped EXE
PID:2832 -
\??\c:\vdjdd.exec:\vdjdd.exe47⤵
- Executes dropped EXE
PID:4444 -
\??\c:\bnttnn.exec:\bnttnn.exe48⤵
- Executes dropped EXE
PID:2384 -
\??\c:\1lfxlfx.exec:\1lfxlfx.exe49⤵
- Executes dropped EXE
PID:3944 -
\??\c:\i888282.exec:\i888282.exe50⤵
- Executes dropped EXE
PID:3240 -
\??\c:\228608.exec:\228608.exe51⤵
- Executes dropped EXE
PID:3896 -
\??\c:\nbnhbt.exec:\nbnhbt.exe52⤵
- Executes dropped EXE
PID:4796 -
\??\c:\20442.exec:\20442.exe53⤵
- Executes dropped EXE
PID:1948 -
\??\c:\tbhtnt.exec:\tbhtnt.exe54⤵
- Executes dropped EXE
PID:2140 -
\??\c:\2648482.exec:\2648482.exe55⤵
- Executes dropped EXE
PID:1604 -
\??\c:\vjpvp.exec:\vjpvp.exe56⤵
- Executes dropped EXE
PID:5028 -
\??\c:\2620482.exec:\2620482.exe57⤵
- Executes dropped EXE
PID:4256 -
\??\c:\nbbnbt.exec:\nbbnbt.exe58⤵
- Executes dropped EXE
PID:2780 -
\??\c:\22804.exec:\22804.exe59⤵
- Executes dropped EXE
PID:3544 -
\??\c:\26822.exec:\26822.exe60⤵
- Executes dropped EXE
PID:2648 -
\??\c:\q02088.exec:\q02088.exe61⤵
- Executes dropped EXE
PID:1548 -
\??\c:\lrlxrfx.exec:\lrlxrfx.exe62⤵
- Executes dropped EXE
PID:3636 -
\??\c:\ddvpp.exec:\ddvpp.exe63⤵
- Executes dropped EXE
PID:60 -
\??\c:\lrrlfff.exec:\lrrlfff.exe64⤵
- Executes dropped EXE
PID:1028 -
\??\c:\k88826.exec:\k88826.exe65⤵
- Executes dropped EXE
PID:4772 -
\??\c:\860866.exec:\860866.exe66⤵PID:4940
-
\??\c:\3vvjd.exec:\3vvjd.exe67⤵PID:4572
-
\??\c:\vvpdv.exec:\vvpdv.exe68⤵PID:3088
-
\??\c:\i006440.exec:\i006440.exe69⤵PID:2796
-
\??\c:\208262.exec:\208262.exe70⤵PID:3580
-
\??\c:\1hbtnn.exec:\1hbtnn.exe71⤵PID:2412
-
\??\c:\6066262.exec:\6066262.exe72⤵PID:3744
-
\??\c:\dvjdv.exec:\dvjdv.exe73⤵PID:3732
-
\??\c:\9vpjd.exec:\9vpjd.exe74⤵PID:1724
-
\??\c:\4864040.exec:\4864040.exe75⤵PID:2560
-
\??\c:\040804.exec:\040804.exe76⤵PID:3948
-
\??\c:\666426.exec:\666426.exe77⤵PID:4272
-
\??\c:\tbbnhb.exec:\tbbnhb.exe78⤵PID:4236
-
\??\c:\3lfxrll.exec:\3lfxrll.exe79⤵PID:4680
-
\??\c:\rrrrlfx.exec:\rrrrlfx.exe80⤵PID:2108
-
\??\c:\8288246.exec:\8288246.exe81⤵PID:1140
-
\??\c:\lxlxflf.exec:\lxlxflf.exe82⤵PID:2960
-
\??\c:\htttnn.exec:\htttnn.exe83⤵PID:4784
-
\??\c:\8668288.exec:\8668288.exe84⤵PID:5100
-
\??\c:\frfrlxl.exec:\frfrlxl.exe85⤵PID:264
-
\??\c:\80648.exec:\80648.exe86⤵PID:4748
-
\??\c:\880826.exec:\880826.exe87⤵PID:1412
-
\??\c:\fxxlfxr.exec:\fxxlfxr.exe88⤵PID:4904
-
\??\c:\ffrfxrl.exec:\ffrfxrl.exe89⤵PID:372
-
\??\c:\604804.exec:\604804.exe90⤵PID:3848
-
\??\c:\84604.exec:\84604.exe91⤵PID:1704
-
\??\c:\djjvv.exec:\djjvv.exe92⤵PID:1804
-
\??\c:\jvdpj.exec:\jvdpj.exe93⤵PID:1540
-
\??\c:\1pjdj.exec:\1pjdj.exe94⤵PID:3280
-
\??\c:\vjjpd.exec:\vjjpd.exe95⤵PID:4304
-
\??\c:\42648.exec:\42648.exe96⤵PID:2900
-
\??\c:\pddjv.exec:\pddjv.exe97⤵PID:3308
-
\??\c:\tbbhtn.exec:\tbbhtn.exe98⤵PID:4912
-
\??\c:\g2826.exec:\g2826.exe99⤵PID:720
-
\??\c:\u482286.exec:\u482286.exe100⤵PID:4508
-
\??\c:\jvdvp.exec:\jvdvp.exe101⤵PID:3020
-
\??\c:\xfrfxrl.exec:\xfrfxrl.exe102⤵PID:1316
-
\??\c:\1ppjd.exec:\1ppjd.exe103⤵PID:4208
-
\??\c:\2226048.exec:\2226048.exe104⤵PID:4524
-
\??\c:\82822.exec:\82822.exe105⤵PID:4856
-
\??\c:\btbhbh.exec:\btbhbh.exe106⤵PID:4620
-
\??\c:\82808.exec:\82808.exe107⤵PID:448
-
\??\c:\8402084.exec:\8402084.exe108⤵PID:1796
-
\??\c:\5flffff.exec:\5flffff.exe109⤵PID:3908
-
\??\c:\dpvpp.exec:\dpvpp.exe110⤵PID:4568
-
\??\c:\5ntnnn.exec:\5ntnnn.exe111⤵PID:3240
-
\??\c:\rlrlfff.exec:\rlrlfff.exe112⤵PID:1036
-
\??\c:\9hbnbb.exec:\9hbnbb.exe113⤵PID:3884
-
\??\c:\4442042.exec:\4442042.exe114⤵PID:8
-
\??\c:\00242.exec:\00242.exe115⤵PID:2140
-
\??\c:\xllxlfr.exec:\xllxlfr.exe116⤵PID:4328
-
\??\c:\xlfrfxl.exec:\xlfrfxl.exe117⤵PID:4696
-
\??\c:\a6668.exec:\a6668.exe118⤵PID:4376
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe119⤵PID:4788
-
\??\c:\xffrxrf.exec:\xffrxrf.exe120⤵PID:2780
-
\??\c:\hthtnh.exec:\hthtnh.exe121⤵PID:3544
-
\??\c:\080286.exec:\080286.exe122⤵PID:556