Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b8afa43b30707a9922c1467cbb6d1550a67bc2a8d68502fa94f3da699962c6d3.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b8afa43b30707a9922c1467cbb6d1550a67bc2a8d68502fa94f3da699962c6d3.exe
-
Size
455KB
-
MD5
4bdabaaa9b099cd15d095346268dc0ad
-
SHA1
5c1e447f9b957ab514b08064e8f037165ac85cfc
-
SHA256
b8afa43b30707a9922c1467cbb6d1550a67bc2a8d68502fa94f3da699962c6d3
-
SHA512
805f4c995ed3c203ba27788745ddba0aeecd2e2bd58c8ea53fdb679404222b36ad9a27970e3a8a37714207d2db5e8b910308b25cdcadee29f1f4cb662c8d189f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2812-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/512-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1176-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-896-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-1279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-1470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-1474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 636 406004.exe 2264 llflfxf.exe 4920 s0844.exe 3908 nthbtn.exe 3036 o860426.exe 2460 446040.exe 4556 200422.exe 3920 6208406.exe 3488 a4482.exe 3656 xrrlxrl.exe 1352 4064486.exe 720 q28482.exe 4352 286482.exe 2904 xxfxxxx.exe 3156 3jddv.exe 4572 jdvjv.exe 4000 a6828.exe 4300 vq422.exe 3892 dvvvp.exe 3440 0226402.exe 1184 u026444.exe 2836 xxxffrr.exe 2548 q02884.exe 2368 lrxrxlf.exe 3312 pppjp.exe 512 rxfffxx.exe 4652 868840.exe 5052 444686.exe 5064 pvdvp.exe 5048 24448.exe 1252 g0262.exe 1280 9nbbhn.exe 1600 jdvdd.exe 3396 llfxrrl.exe 1732 604202.exe 1516 5vpdp.exe 972 60682.exe 2744 668448.exe 2020 680004.exe 5032 8288480.exe 3912 8844060.exe 696 rxxxrff.exe 3436 8244404.exe 3272 tnntnb.exe 4992 vvjjd.exe 1472 dvddj.exe 2656 tnttnh.exe 1840 6004444.exe 4168 ttbtth.exe 2520 8266622.exe 3884 22848.exe 1376 lrffxrl.exe 1276 tnbtht.exe 1748 04626.exe 3256 nhhtnn.exe 1144 1ttbtt.exe 4612 8226662.exe 2332 bnbnbt.exe 3224 26406.exe 3920 fxxxxrl.exe 1860 nntnnn.exe 4204 thnhhh.exe 2756 5nhhbt.exe 4012 dvdvp.exe -
resource yara_rule behavioral2/memory/2812-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3312-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-344-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2548-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-896-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6664204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2444822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c686822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2026202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 004662.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q02884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 880864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o026266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6004486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8660820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2812 wrote to memory of 636 2812 b8afa43b30707a9922c1467cbb6d1550a67bc2a8d68502fa94f3da699962c6d3.exe 83 PID 2812 wrote to memory of 636 2812 b8afa43b30707a9922c1467cbb6d1550a67bc2a8d68502fa94f3da699962c6d3.exe 83 PID 2812 wrote to memory of 636 2812 b8afa43b30707a9922c1467cbb6d1550a67bc2a8d68502fa94f3da699962c6d3.exe 83 PID 636 wrote to memory of 2264 636 406004.exe 84 PID 636 wrote to memory of 2264 636 406004.exe 84 PID 636 wrote to memory of 2264 636 406004.exe 84 PID 2264 wrote to memory of 4920 2264 llflfxf.exe 85 PID 2264 wrote to memory of 4920 2264 llflfxf.exe 85 PID 2264 wrote to memory of 4920 2264 llflfxf.exe 85 PID 4920 wrote to memory of 3908 4920 s0844.exe 86 PID 4920 wrote to memory of 3908 4920 s0844.exe 86 PID 4920 wrote to memory of 3908 4920 s0844.exe 86 PID 3908 wrote to memory of 3036 3908 nthbtn.exe 87 PID 3908 wrote to memory of 3036 3908 nthbtn.exe 87 PID 3908 wrote to memory of 3036 3908 nthbtn.exe 87 PID 3036 wrote to memory of 2460 3036 o860426.exe 88 PID 3036 wrote to memory of 2460 3036 o860426.exe 88 PID 3036 wrote to memory of 2460 3036 o860426.exe 88 PID 2460 wrote to memory of 4556 2460 446040.exe 89 PID 2460 wrote to memory of 4556 2460 446040.exe 89 PID 2460 wrote to memory of 4556 2460 446040.exe 89 PID 4556 wrote to memory of 3920 4556 200422.exe 90 PID 4556 wrote to memory of 3920 4556 200422.exe 90 PID 4556 wrote to memory of 3920 4556 200422.exe 90 PID 3920 wrote to memory of 3488 3920 6208406.exe 91 PID 3920 wrote to memory of 3488 3920 6208406.exe 91 PID 3920 wrote to memory of 3488 3920 6208406.exe 91 PID 3488 wrote to memory of 3656 3488 a4482.exe 92 PID 3488 wrote to memory of 3656 3488 a4482.exe 92 PID 3488 wrote to memory of 3656 3488 a4482.exe 92 PID 3656 wrote to memory of 1352 3656 xrrlxrl.exe 93 PID 3656 wrote to memory of 1352 3656 xrrlxrl.exe 93 PID 3656 wrote to memory of 1352 3656 xrrlxrl.exe 93 PID 1352 wrote to memory of 720 1352 4064486.exe 94 PID 1352 wrote to 
memory of 720 1352 4064486.exe 94 PID 1352 wrote to memory of 720 1352 4064486.exe 94 PID 720 wrote to memory of 4352 720 q28482.exe 95 PID 720 wrote to memory of 4352 720 q28482.exe 95 PID 720 wrote to memory of 4352 720 q28482.exe 95 PID 4352 wrote to memory of 2904 4352 286482.exe 96 PID 4352 wrote to memory of 2904 4352 286482.exe 96 PID 4352 wrote to memory of 2904 4352 286482.exe 96 PID 2904 wrote to memory of 3156 2904 xxfxxxx.exe 97 PID 2904 wrote to memory of 3156 2904 xxfxxxx.exe 97 PID 2904 wrote to memory of 3156 2904 xxfxxxx.exe 97 PID 3156 wrote to memory of 4572 3156 3jddv.exe 98 PID 3156 wrote to memory of 4572 3156 3jddv.exe 98 PID 3156 wrote to memory of 4572 3156 3jddv.exe 98 PID 4572 wrote to memory of 4000 4572 jdvjv.exe 99 PID 4572 wrote to memory of 4000 4572 jdvjv.exe 99 PID 4572 wrote to memory of 4000 4572 jdvjv.exe 99 PID 4000 wrote to memory of 4300 4000 a6828.exe 100 PID 4000 wrote to memory of 4300 4000 a6828.exe 100 PID 4000 wrote to memory of 4300 4000 a6828.exe 100 PID 4300 wrote to memory of 3892 4300 vq422.exe 101 PID 4300 wrote to memory of 3892 4300 vq422.exe 101 PID 4300 wrote to memory of 3892 4300 vq422.exe 101 PID 3892 wrote to memory of 3440 3892 dvvvp.exe 102 PID 3892 wrote to memory of 3440 3892 dvvvp.exe 102 PID 3892 wrote to memory of 3440 3892 dvvvp.exe 102 PID 3440 wrote to memory of 1184 3440 0226402.exe 103 PID 3440 wrote to memory of 1184 3440 0226402.exe 103 PID 3440 wrote to memory of 1184 3440 0226402.exe 103 PID 1184 wrote to memory of 2836 1184 u026444.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8afa43b30707a9922c1467cbb6d1550a67bc2a8d68502fa94f3da699962c6d3.exe"C:\Users\Admin\AppData\Local\Temp\b8afa43b30707a9922c1467cbb6d1550a67bc2a8d68502fa94f3da699962c6d3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\406004.exec:\406004.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\llflfxf.exec:\llflfxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\s0844.exec:\s0844.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\nthbtn.exec:\nthbtn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
\??\c:\o860426.exec:\o860426.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\446040.exec:\446040.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\200422.exec:\200422.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\6208406.exec:\6208406.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\a4482.exec:\a4482.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\4064486.exec:\4064486.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\q28482.exec:\q28482.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\286482.exec:\286482.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\xxfxxxx.exec:\xxfxxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\3jddv.exec:\3jddv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\jdvjv.exec:\jdvjv.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\a6828.exec:\a6828.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\vq422.exec:\vq422.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\dvvvp.exec:\dvvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\0226402.exec:\0226402.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\u026444.exec:\u026444.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\xxxffrr.exec:\xxxffrr.exe23⤵
- Executes dropped EXE
PID:2836 -
\??\c:\q02884.exec:\q02884.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2548 -
\??\c:\lrxrxlf.exec:\lrxrxlf.exe25⤵
- Executes dropped EXE
PID:2368 -
\??\c:\pppjp.exec:\pppjp.exe26⤵
- Executes dropped EXE
PID:3312 -
\??\c:\rxfffxx.exec:\rxfffxx.exe27⤵
- Executes dropped EXE
PID:512 -
\??\c:\868840.exec:\868840.exe28⤵
- Executes dropped EXE
PID:4652 -
\??\c:\444686.exec:\444686.exe29⤵
- Executes dropped EXE
PID:5052 -
\??\c:\pvdvp.exec:\pvdvp.exe30⤵
- Executes dropped EXE
PID:5064 -
\??\c:\24448.exec:\24448.exe31⤵
- Executes dropped EXE
PID:5048 -
\??\c:\g0262.exec:\g0262.exe32⤵
- Executes dropped EXE
PID:1252 -
\??\c:\9nbbhn.exec:\9nbbhn.exe33⤵
- Executes dropped EXE
PID:1280 -
\??\c:\jdvdd.exec:\jdvdd.exe34⤵
- Executes dropped EXE
PID:1600 -
\??\c:\llfxrrl.exec:\llfxrrl.exe35⤵
- Executes dropped EXE
PID:3396 -
\??\c:\604202.exec:\604202.exe36⤵
- Executes dropped EXE
PID:1732 -
\??\c:\5vpdp.exec:\5vpdp.exe37⤵
- Executes dropped EXE
PID:1516 -
\??\c:\60682.exec:\60682.exe38⤵
- Executes dropped EXE
PID:972 -
\??\c:\668448.exec:\668448.exe39⤵
- Executes dropped EXE
PID:2744 -
\??\c:\680004.exec:\680004.exe40⤵
- Executes dropped EXE
PID:2020 -
\??\c:\8288480.exec:\8288480.exe41⤵
- Executes dropped EXE
PID:5032 -
\??\c:\8844060.exec:\8844060.exe42⤵
- Executes dropped EXE
PID:3912 -
\??\c:\rxxxrff.exec:\rxxxrff.exe43⤵
- Executes dropped EXE
PID:696 -
\??\c:\8244404.exec:\8244404.exe44⤵
- Executes dropped EXE
PID:3436 -
\??\c:\tnntnb.exec:\tnntnb.exe45⤵
- Executes dropped EXE
PID:3272 -
\??\c:\vvjjd.exec:\vvjjd.exe46⤵
- Executes dropped EXE
PID:4992 -
\??\c:\dvddj.exec:\dvddj.exe47⤵
- Executes dropped EXE
PID:1472 -
\??\c:\tnttnh.exec:\tnttnh.exe48⤵
- Executes dropped EXE
PID:2656 -
\??\c:\6004444.exec:\6004444.exe49⤵
- Executes dropped EXE
PID:1840 -
\??\c:\ttbtth.exec:\ttbtth.exe50⤵
- Executes dropped EXE
PID:4168 -
\??\c:\8266622.exec:\8266622.exe51⤵
- Executes dropped EXE
PID:2520 -
\??\c:\22848.exec:\22848.exe52⤵
- Executes dropped EXE
PID:3884 -
\??\c:\lrffxrl.exec:\lrffxrl.exe53⤵
- Executes dropped EXE
PID:1376 -
\??\c:\tnbtht.exec:\tnbtht.exe54⤵
- Executes dropped EXE
PID:1276 -
\??\c:\04626.exec:\04626.exe55⤵
- Executes dropped EXE
PID:1748 -
\??\c:\nhhtnn.exec:\nhhtnn.exe56⤵
- Executes dropped EXE
PID:3256 -
\??\c:\1ttbtt.exec:\1ttbtt.exe57⤵
- Executes dropped EXE
PID:1144 -
\??\c:\8226662.exec:\8226662.exe58⤵
- Executes dropped EXE
PID:4612 -
\??\c:\bnbnbt.exec:\bnbnbt.exe59⤵
- Executes dropped EXE
PID:2332 -
\??\c:\26406.exec:\26406.exe60⤵
- Executes dropped EXE
PID:3224 -
\??\c:\fxxxxrl.exec:\fxxxxrl.exe61⤵
- Executes dropped EXE
PID:3920 -
\??\c:\nntnnn.exec:\nntnnn.exe62⤵
- Executes dropped EXE
PID:1860 -
\??\c:\thnhhh.exec:\thnhhh.exe63⤵
- Executes dropped EXE
PID:4204 -
\??\c:\5nhhbt.exec:\5nhhbt.exe64⤵
- Executes dropped EXE
PID:2756 -
\??\c:\dvdvp.exec:\dvdvp.exe65⤵
- Executes dropped EXE
PID:4012 -
\??\c:\5jddv.exec:\5jddv.exe66⤵PID:4772
-
\??\c:\bhnnhn.exec:\bhnnhn.exe67⤵PID:1556
-
\??\c:\008804.exec:\008804.exe68⤵PID:2904
-
\??\c:\lrlxlfx.exec:\lrlxlfx.exe69⤵PID:4092
-
\??\c:\xlfxffx.exec:\xlfxffx.exe70⤵PID:3964
-
\??\c:\jvjjj.exec:\jvjjj.exe71⤵PID:4008
-
\??\c:\fxlflfl.exec:\fxlflfl.exe72⤵PID:1176
-
\??\c:\840484.exec:\840484.exe73⤵PID:2292
-
\??\c:\004662.exec:\004662.exe74⤵
- System Location Discovery: System Language Discovery
PID:840 -
\??\c:\jpdvp.exec:\jpdvp.exe75⤵PID:2468
-
\??\c:\hhnhnb.exec:\hhnhnb.exe76⤵PID:3320
-
\??\c:\ppvpj.exec:\ppvpj.exe77⤵PID:4540
-
\??\c:\824442.exec:\824442.exe78⤵PID:772
-
\??\c:\0060488.exec:\0060488.exe79⤵PID:392
-
\??\c:\268248.exec:\268248.exe80⤵PID:2548
-
\??\c:\tnnhbb.exec:\tnnhbb.exe81⤵PID:3948
-
\??\c:\8848262.exec:\8848262.exe82⤵PID:1476
-
\??\c:\844826.exec:\844826.exe83⤵PID:4836
-
\??\c:\frflxxx.exec:\frflxxx.exe84⤵PID:1728
-
\??\c:\pvvpj.exec:\pvvpj.exe85⤵PID:512
-
\??\c:\02882.exec:\02882.exe86⤵PID:3104
-
\??\c:\httnhb.exec:\httnhb.exe87⤵PID:4600
-
\??\c:\o680460.exec:\o680460.exe88⤵PID:1308
-
\??\c:\lllffxx.exec:\lllffxx.exe89⤵PID:3988
-
\??\c:\btnnnt.exec:\btnnnt.exe90⤵PID:4116
-
\??\c:\024222.exec:\024222.exe91⤵PID:1252
-
\??\c:\48662.exec:\48662.exe92⤵PID:2892
-
\??\c:\tnnhhb.exec:\tnnhhb.exe93⤵PID:2808
-
\??\c:\884228.exec:\884228.exe94⤵PID:1656
-
\??\c:\ffllfxx.exec:\ffllfxx.exe95⤵PID:1572
-
\??\c:\7rxxrrr.exec:\7rxxrrr.exe96⤵PID:2696
-
\??\c:\lxllllf.exec:\lxllllf.exe97⤵PID:4960
-
\??\c:\nbhnbb.exec:\nbhnbb.exe98⤵PID:1160
-
\??\c:\dvvpp.exec:\dvvpp.exe99⤵PID:2664
-
\??\c:\4260440.exec:\4260440.exe100⤵PID:1132
-
\??\c:\844488.exec:\844488.exe101⤵PID:4024
-
\??\c:\9jjvp.exec:\9jjvp.exe102⤵PID:4408
-
\??\c:\s2688.exec:\s2688.exe103⤵PID:1980
-
\??\c:\4060044.exec:\4060044.exe104⤵PID:3044
-
\??\c:\8026600.exec:\8026600.exe105⤵PID:4424
-
\??\c:\rxfxxxr.exec:\rxfxxxr.exe106⤵PID:4376
-
\??\c:\s8088.exec:\s8088.exe107⤵PID:2740
-
\??\c:\6004486.exec:\6004486.exe108⤵
- System Location Discovery: System Language Discovery
PID:1948 -
\??\c:\btbttt.exec:\btbttt.exe109⤵PID:764
-
\??\c:\jdjdd.exec:\jdjdd.exe110⤵PID:2872
-
\??\c:\62264.exec:\62264.exe111⤵PID:1324
-
\??\c:\02048.exec:\02048.exe112⤵PID:4736
-
\??\c:\nnnhbn.exec:\nnnhbn.exe113⤵PID:1460
-
\??\c:\jvvpp.exec:\jvvpp.exe114⤵PID:1664
-
\??\c:\7jvpd.exec:\7jvpd.exe115⤵PID:4656
-
\??\c:\4844000.exec:\4844000.exe116⤵PID:1608
-
\??\c:\068604.exec:\068604.exe117⤵PID:4228
-
\??\c:\pjvpv.exec:\pjvpv.exe118⤵PID:4864
-
\??\c:\60642.exec:\60642.exe119⤵PID:3688
-
\??\c:\4826482.exec:\4826482.exe120⤵PID:372
-
\??\c:\4008282.exec:\4008282.exe121⤵PID:1876
-
\??\c:\djvpd.exec:\djvpd.exe122⤵PID:3160