Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20/01/2025, 09:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
af5db2664a151bcebaac00a6355efaf62fcc4a536103c030c3e4fb94afdb2f9a.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
af5db2664a151bcebaac00a6355efaf62fcc4a536103c030c3e4fb94afdb2f9a.exe
-
Size
455KB
-
MD5
4bed566b2149fed0c323bd73e2d77dd4
-
SHA1
49272a9ebcaac02d1aa6ac8950128971b257c473
-
SHA256
af5db2664a151bcebaac00a6355efaf62fcc4a536103c030c3e4fb94afdb2f9a
-
SHA512
ca356614d891875e0d3e71ffd46dae2407f4f3b9a2c9d7271b928ee97c09437c117a44550faf84a375ec223a04ccc6c802feac37360bf3e8d0f8acd4e7ff3dbd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2272-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4864-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1704-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-768-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-904-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-1014-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-1042-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-1234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1316 nnntnh.exe 2000 hhnhht.exe 4264 q86800.exe 3064 fxxfffx.exe 2052 bbbttt.exe 3700 nbhbtt.exe 4160 vvvpj.exe 1852 e82648.exe 1740 nhhthb.exe 1816 20822.exe 1720 4440482.exe 1944 frxrflf.exe 1248 622060.exe 4196 4200260.exe 840 thhtbt.exe 1524 86664.exe 4060 86642.exe 2220 7rxrlfx.exe 4596 2042082.exe 2308 vjpdp.exe 1100 xffrfrf.exe 552 5tnhtn.exe 4112 nhbnhb.exe 3512 o400864.exe 3980 nnnhtn.exe 5056 jjvvv.exe 3948 c226044.exe 2284 jddvj.exe 4864 xrfrlfx.exe 2100 e08808.exe 2548 q62204.exe 1152 c020826.exe 5052 9ddpj.exe 4852 9hhbnn.exe 1920 60266.exe 1768 a4482.exe 4232 082860.exe 4276 nttttn.exe 4220 llfrlfx.exe 3164 88448.exe 2724 844440.exe 4124 1xlfffr.exe 2964 3nnhbb.exe 1556 fllfrrx.exe 2672 jpjjj.exe 3256 222266.exe 1552 hhthnn.exe 3136 w06044.exe 4364 6846020.exe 4952 280488.exe 4576 vpjdd.exe 3704 60660.exe 5080 xlrllff.exe 4656 xlrlrrr.exe 4572 vdvvd.exe 4788 266262.exe 1108 7rlfrrl.exe 4560 2848400.exe 1404 vdvpj.exe 744 6400888.exe 5028 nbhbtt.exe 620 nbbthh.exe 540 tthnhn.exe 1504 xllfxrr.exe -
resource yara_rule behavioral2/memory/2272-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4864-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-378-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3284-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-768-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-904-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6688204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8604826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e62884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k84282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2272 wrote to memory of 1316 2272 af5db2664a151bcebaac00a6355efaf62fcc4a536103c030c3e4fb94afdb2f9a.exe 83 PID 2272 wrote to memory of 1316 2272 af5db2664a151bcebaac00a6355efaf62fcc4a536103c030c3e4fb94afdb2f9a.exe 83 PID 2272 wrote to memory of 1316 2272 af5db2664a151bcebaac00a6355efaf62fcc4a536103c030c3e4fb94afdb2f9a.exe 83 PID 1316 wrote to memory of 2000 1316 nnntnh.exe 84 PID 1316 wrote to memory of 2000 1316 nnntnh.exe 84 PID 1316 wrote to memory of 2000 1316 nnntnh.exe 84 PID 2000 wrote to memory of 4264 2000 hhnhht.exe 85 PID 2000 wrote to memory of 4264 2000 hhnhht.exe 85 PID 2000 wrote to memory of 4264 2000 hhnhht.exe 85 PID 4264 wrote to memory of 3064 4264 q86800.exe 86 PID 4264 wrote to memory of 3064 4264 q86800.exe 86 PID 4264 wrote to memory of 3064 4264 q86800.exe 86 PID 3064 wrote to memory of 2052 3064 fxxfffx.exe 87 PID 3064 wrote to memory of 2052 3064 fxxfffx.exe 87 PID 3064 wrote to memory of 2052 3064 fxxfffx.exe 87 PID 2052 wrote to memory of 3700 2052 bbbttt.exe 88 PID 2052 wrote to memory of 3700 2052 bbbttt.exe 88 PID 2052 wrote to memory of 3700 2052 bbbttt.exe 88 PID 3700 wrote to memory of 4160 3700 nbhbtt.exe 89 PID 3700 wrote to memory of 4160 3700 nbhbtt.exe 89 PID 3700 wrote to memory of 4160 3700 nbhbtt.exe 89 PID 4160 wrote to memory of 1852 4160 vvvpj.exe 90 PID 4160 wrote to memory of 1852 4160 vvvpj.exe 90 PID 4160 wrote to memory of 1852 4160 vvvpj.exe 90 PID 1852 wrote to memory of 1740 1852 e82648.exe 91 PID 1852 wrote to memory of 1740 1852 e82648.exe 91 PID 1852 wrote to memory of 1740 1852 e82648.exe 91 PID 1740 wrote to memory of 1816 1740 nhhthb.exe 92 PID 1740 wrote to memory of 1816 1740 nhhthb.exe 92 PID 1740 wrote to memory of 1816 1740 nhhthb.exe 92 PID 1816 wrote to memory of 1720 1816 20822.exe 93 PID 1816 wrote to memory of 1720 1816 20822.exe 93 PID 1816 wrote to memory of 1720 1816 20822.exe 93 PID 1720 wrote to memory of 1944 1720 4440482.exe 94 PID 1720 wrote to 
memory of 1944 1720 4440482.exe 94 PID 1720 wrote to memory of 1944 1720 4440482.exe 94 PID 1944 wrote to memory of 1248 1944 frxrflf.exe 95 PID 1944 wrote to memory of 1248 1944 frxrflf.exe 95 PID 1944 wrote to memory of 1248 1944 frxrflf.exe 95 PID 1248 wrote to memory of 4196 1248 622060.exe 96 PID 1248 wrote to memory of 4196 1248 622060.exe 96 PID 1248 wrote to memory of 4196 1248 622060.exe 96 PID 4196 wrote to memory of 840 4196 4200260.exe 97 PID 4196 wrote to memory of 840 4196 4200260.exe 97 PID 4196 wrote to memory of 840 4196 4200260.exe 97 PID 840 wrote to memory of 1524 840 thhtbt.exe 98 PID 840 wrote to memory of 1524 840 thhtbt.exe 98 PID 840 wrote to memory of 1524 840 thhtbt.exe 98 PID 1524 wrote to memory of 4060 1524 86664.exe 99 PID 1524 wrote to memory of 4060 1524 86664.exe 99 PID 1524 wrote to memory of 4060 1524 86664.exe 99 PID 4060 wrote to memory of 2220 4060 86642.exe 100 PID 4060 wrote to memory of 2220 4060 86642.exe 100 PID 4060 wrote to memory of 2220 4060 86642.exe 100 PID 2220 wrote to memory of 4596 2220 7rxrlfx.exe 101 PID 2220 wrote to memory of 4596 2220 7rxrlfx.exe 101 PID 2220 wrote to memory of 4596 2220 7rxrlfx.exe 101 PID 4596 wrote to memory of 2308 4596 2042082.exe 102 PID 4596 wrote to memory of 2308 4596 2042082.exe 102 PID 4596 wrote to memory of 2308 4596 2042082.exe 102 PID 2308 wrote to memory of 1100 2308 vjpdp.exe 103 PID 2308 wrote to memory of 1100 2308 vjpdp.exe 103 PID 2308 wrote to memory of 1100 2308 vjpdp.exe 103 PID 1100 wrote to memory of 552 1100 xffrfrf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\af5db2664a151bcebaac00a6355efaf62fcc4a536103c030c3e4fb94afdb2f9a.exe"C:\Users\Admin\AppData\Local\Temp\af5db2664a151bcebaac00a6355efaf62fcc4a536103c030c3e4fb94afdb2f9a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\nnntnh.exec:\nnntnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\hhnhht.exec:\hhnhht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\q86800.exec:\q86800.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\fxxfffx.exec:\fxxfffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\bbbttt.exec:\bbbttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\nbhbtt.exec:\nbhbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\vvvpj.exec:\vvvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\e82648.exec:\e82648.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\nhhthb.exec:\nhhthb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\20822.exec:\20822.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\4440482.exec:\4440482.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\frxrflf.exec:\frxrflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\622060.exec:\622060.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\4200260.exec:\4200260.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\thhtbt.exec:\thhtbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\86664.exec:\86664.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\86642.exec:\86642.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\7rxrlfx.exec:\7rxrlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\2042082.exec:\2042082.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\vjpdp.exec:\vjpdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\xffrfrf.exec:\xffrfrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\5tnhtn.exec:\5tnhtn.exe23⤵
- Executes dropped EXE
PID:552 -
\??\c:\nhbnhb.exec:\nhbnhb.exe24⤵
- Executes dropped EXE
PID:4112 -
\??\c:\o400864.exec:\o400864.exe25⤵
- Executes dropped EXE
PID:3512 -
\??\c:\nnnhtn.exec:\nnnhtn.exe26⤵
- Executes dropped EXE
PID:3980 -
\??\c:\jjvvv.exec:\jjvvv.exe27⤵
- Executes dropped EXE
PID:5056 -
\??\c:\c226044.exec:\c226044.exe28⤵
- Executes dropped EXE
PID:3948 -
\??\c:\jddvj.exec:\jddvj.exe29⤵
- Executes dropped EXE
PID:2284 -
\??\c:\xrfrlfx.exec:\xrfrlfx.exe30⤵
- Executes dropped EXE
PID:4864 -
\??\c:\e08808.exec:\e08808.exe31⤵
- Executes dropped EXE
PID:2100 -
\??\c:\q62204.exec:\q62204.exe32⤵
- Executes dropped EXE
PID:2548 -
\??\c:\c020826.exec:\c020826.exe33⤵
- Executes dropped EXE
PID:1152 -
\??\c:\9ddpj.exec:\9ddpj.exe34⤵
- Executes dropped EXE
PID:5052 -
\??\c:\9hhbnn.exec:\9hhbnn.exe35⤵
- Executes dropped EXE
PID:4852 -
\??\c:\60266.exec:\60266.exe36⤵
- Executes dropped EXE
PID:1920 -
\??\c:\a4482.exec:\a4482.exe37⤵
- Executes dropped EXE
PID:1768 -
\??\c:\082860.exec:\082860.exe38⤵
- Executes dropped EXE
PID:4232 -
\??\c:\nttttn.exec:\nttttn.exe39⤵
- Executes dropped EXE
PID:4276 -
\??\c:\llfrlfx.exec:\llfrlfx.exe40⤵
- Executes dropped EXE
PID:4220 -
\??\c:\88448.exec:\88448.exe41⤵
- Executes dropped EXE
PID:3164 -
\??\c:\844440.exec:\844440.exe42⤵
- Executes dropped EXE
PID:2724 -
\??\c:\1xlfffr.exec:\1xlfffr.exe43⤵
- Executes dropped EXE
PID:4124 -
\??\c:\3nnhbb.exec:\3nnhbb.exe44⤵
- Executes dropped EXE
PID:2964 -
\??\c:\fllfrrx.exec:\fllfrrx.exe45⤵
- Executes dropped EXE
PID:1556 -
\??\c:\jpjjj.exec:\jpjjj.exe46⤵
- Executes dropped EXE
PID:2672 -
\??\c:\222266.exec:\222266.exe47⤵
- Executes dropped EXE
PID:3256 -
\??\c:\hhthnn.exec:\hhthnn.exe48⤵
- Executes dropped EXE
PID:1552 -
\??\c:\w06044.exec:\w06044.exe49⤵
- Executes dropped EXE
PID:3136 -
\??\c:\6846020.exec:\6846020.exe50⤵
- Executes dropped EXE
PID:4364 -
\??\c:\280488.exec:\280488.exe51⤵
- Executes dropped EXE
PID:4952 -
\??\c:\vpjdd.exec:\vpjdd.exe52⤵
- Executes dropped EXE
PID:4576 -
\??\c:\60660.exec:\60660.exe53⤵
- Executes dropped EXE
PID:3704 -
\??\c:\xlrllff.exec:\xlrllff.exe54⤵
- Executes dropped EXE
PID:5080 -
\??\c:\xlrlrrr.exec:\xlrlrrr.exe55⤵
- Executes dropped EXE
PID:4656 -
\??\c:\vdvvd.exec:\vdvvd.exe56⤵
- Executes dropped EXE
PID:4572 -
\??\c:\266262.exec:\266262.exe57⤵
- Executes dropped EXE
PID:4788 -
\??\c:\7rlfrrl.exec:\7rlfrrl.exe58⤵
- Executes dropped EXE
PID:1108 -
\??\c:\2848400.exec:\2848400.exe59⤵
- Executes dropped EXE
PID:4560 -
\??\c:\vdvpj.exec:\vdvpj.exe60⤵
- Executes dropped EXE
PID:1404 -
\??\c:\6400888.exec:\6400888.exe61⤵
- Executes dropped EXE
PID:744 -
\??\c:\nbhbtt.exec:\nbhbtt.exe62⤵
- Executes dropped EXE
PID:5028 -
\??\c:\nbbthh.exec:\nbbthh.exe63⤵
- Executes dropped EXE
PID:620 -
\??\c:\tthnhn.exec:\tthnhn.exe64⤵
- Executes dropped EXE
PID:540 -
\??\c:\xllfxrr.exec:\xllfxrr.exe65⤵
- Executes dropped EXE
PID:1504 -
\??\c:\xrxfxxl.exec:\xrxfxxl.exe66⤵PID:1388
-
\??\c:\8660482.exec:\8660482.exe67⤵PID:2652
-
\??\c:\7vvpj.exec:\7vvpj.exe68⤵PID:3656
-
\??\c:\rfrfrlr.exec:\rfrfrlr.exe69⤵PID:3376
-
\??\c:\bntnhh.exec:\bntnhh.exe70⤵PID:2656
-
\??\c:\pvvvd.exec:\pvvvd.exe71⤵PID:4756
-
\??\c:\lxrrlfr.exec:\lxrrlfr.exe72⤵PID:444
-
\??\c:\222660.exec:\222660.exe73⤵PID:840
-
\??\c:\28066.exec:\28066.exe74⤵PID:3092
-
\??\c:\dvdvj.exec:\dvdvj.exe75⤵PID:4732
-
\??\c:\0460406.exec:\0460406.exe76⤵PID:1396
-
\??\c:\thnhtn.exec:\thnhtn.exe77⤵PID:2808
-
\??\c:\flxrlll.exec:\flxrlll.exe78⤵PID:1856
-
\??\c:\9bnhnt.exec:\9bnhnt.exe79⤵PID:1160
-
\??\c:\846204.exec:\846204.exe80⤵PID:5016
-
\??\c:\068266.exec:\068266.exe81⤵PID:4872
-
\??\c:\04400.exec:\04400.exe82⤵PID:3992
-
\??\c:\jpddj.exec:\jpddj.exe83⤵PID:844
-
\??\c:\466000.exec:\466000.exe84⤵PID:1752
-
\??\c:\jdvjv.exec:\jdvjv.exe85⤵PID:4248
-
\??\c:\nnttbt.exec:\nnttbt.exe86⤵PID:1704
-
\??\c:\rfrlrxf.exec:\rfrlrxf.exe87⤵PID:852
-
\??\c:\866648.exec:\866648.exe88⤵PID:3028
-
\??\c:\xrrlxrl.exec:\xrrlxrl.exe89⤵PID:3580
-
\??\c:\3jdvj.exec:\3jdvj.exe90⤵PID:4508
-
\??\c:\2060260.exec:\2060260.exe91⤵PID:3284
-
\??\c:\2804822.exec:\2804822.exe92⤵PID:1192
-
\??\c:\jvvjj.exec:\jvvjj.exe93⤵PID:4668
-
\??\c:\3llfxxr.exec:\3llfxxr.exe94⤵PID:2792
-
\??\c:\pjjdd.exec:\pjjdd.exe95⤵PID:948
-
\??\c:\lxxlxrl.exec:\lxxlxrl.exe96⤵PID:1240
-
\??\c:\c026060.exec:\c026060.exe97⤵PID:4600
-
\??\c:\00660.exec:\00660.exe98⤵PID:1028
-
\??\c:\fxlxlfr.exec:\fxlxlfr.exe99⤵PID:2580
-
\??\c:\0820426.exec:\0820426.exe100⤵PID:1920
-
\??\c:\1flfrlx.exec:\1flfrlx.exe101⤵PID:764
-
\??\c:\24222.exec:\24222.exe102⤵PID:4716
-
\??\c:\6440260.exec:\6440260.exe103⤵PID:1052
-
\??\c:\i820848.exec:\i820848.exe104⤵PID:2240
-
\??\c:\44882.exec:\44882.exe105⤵PID:1532
-
\??\c:\1lxrllx.exec:\1lxrllx.exe106⤵PID:2908
-
\??\c:\u460606.exec:\u460606.exe107⤵PID:4124
-
\??\c:\1ddvj.exec:\1ddvj.exe108⤵PID:4004
-
\??\c:\5vpdd.exec:\5vpdd.exe109⤵PID:760
-
\??\c:\0060826.exec:\0060826.exe110⤵PID:3652
-
\??\c:\9lfxlfx.exec:\9lfxlfx.exe111⤵PID:1452
-
\??\c:\btnhbh.exec:\btnhbh.exe112⤵PID:4360
-
\??\c:\w84444.exec:\w84444.exe113⤵PID:4340
-
\??\c:\vdppj.exec:\vdppj.exe114⤵PID:2040
-
\??\c:\hbthbt.exec:\hbthbt.exe115⤵PID:3032
-
\??\c:\xrlfxrr.exec:\xrlfxrr.exe116⤵PID:1316
-
\??\c:\g2820.exec:\g2820.exe117⤵PID:3384
-
\??\c:\w20026.exec:\w20026.exe118⤵PID:392
-
\??\c:\lfxxllf.exec:\lfxxllf.exe119⤵PID:4468
-
\??\c:\2248204.exec:\2248204.exe120⤵PID:2052
-
\??\c:\7nthhb.exec:\7nthhb.exe121⤵PID:2088
-
\??\c:\2684860.exec:\2684860.exe122⤵PID:2632