Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
afa36566a1b38e4a0092e3593bb301162daee224e6b2c6f5be216038c6fad693.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
afa36566a1b38e4a0092e3593bb301162daee224e6b2c6f5be216038c6fad693.exe
-
Size
455KB
-
MD5
20cd44cb529fe5eba8f7dddc0fc539fe
-
SHA1
4759a40c4925f4fe6ac750ed9465ed1a51c48a24
-
SHA256
afa36566a1b38e4a0092e3593bb301162daee224e6b2c6f5be216038c6fad693
-
SHA512
2b1cd335fdbca4ec9240a921c6c7f9f490126963f87f23d1e5b04e55a18a03d7ce408e3056fcd4e9c9c21bf00d9d2e189df47f3d2202766cffe5626f53f8aa83
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2348-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2328-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4172-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-914-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-960-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-1141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1372 ntnhhh.exe 404 ttnntt.exe 3124 822262.exe 4592 pppjj.exe 2096 nhttnn.exe 2060 7fxrffr.exe 4908 dvvpd.exe 3600 g2084.exe 2512 pjddv.exe 2568 8020066.exe 2156 26262.exe 4052 8866622.exe 3276 6884604.exe 3612 hnbbnb.exe 2660 jvvjd.exe 4172 2626482.exe 3692 tnbnhb.exe 988 7rxfr.exe 4848 7hhhbb.exe 720 pjdvp.exe 2540 402600.exe 1744 s4084.exe 5096 e88482.exe 212 xxfrffx.exe 1680 k00844.exe 2300 1lfxrrf.exe 4900 djjvp.exe 1384 3ddvp.exe 4872 1hhtnn.exe 2328 hbnnnn.exe 2072 btthbt.exe 1952 lrxrxxf.exe 1116 4040482.exe 3332 s6028.exe 928 tttbnn.exe 3088 008202.exe 5012 pdjjj.exe 2132 a8060.exe 1000 484888.exe 4408 662248.exe 1452 860484.exe 4764 40226.exe 2000 lxlfxfx.exe 456 0848604.exe 1964 8880024.exe 4580 vpvjd.exe 4836 064262.exe 4520 vpdvp.exe 1392 08606.exe 1556 42062.exe 4528 0008260.exe 4364 9nnbnh.exe 5008 424882.exe 3104 nnbbtb.exe 2060 ththtn.exe 2860 fxffrll.exe 4908 680206.exe 2944 86646.exe 3500 484820.exe 2252 s0088.exe 2564 8202048.exe 3268 rfxrlfx.exe 812 tnhtbt.exe 4452 28008.exe -
resource yara_rule behavioral2/memory/2348-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-176-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1384-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-339-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/208-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-914-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8406486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6682664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0282226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8840826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnntt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6686826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2348 wrote to memory of 1372 2348 afa36566a1b38e4a0092e3593bb301162daee224e6b2c6f5be216038c6fad693.exe 83 PID 2348 wrote to memory of 1372 2348 afa36566a1b38e4a0092e3593bb301162daee224e6b2c6f5be216038c6fad693.exe 83 PID 2348 wrote to memory of 1372 2348 afa36566a1b38e4a0092e3593bb301162daee224e6b2c6f5be216038c6fad693.exe 83 PID 1372 wrote to memory of 404 1372 ntnhhh.exe 84 PID 1372 wrote to memory of 404 1372 ntnhhh.exe 84 PID 1372 wrote to memory of 404 1372 ntnhhh.exe 84 PID 404 wrote to memory of 3124 404 ttnntt.exe 85 PID 404 wrote to memory of 3124 404 ttnntt.exe 85 PID 404 wrote to memory of 3124 404 ttnntt.exe 85 PID 3124 wrote to memory of 4592 3124 822262.exe 86 PID 3124 wrote to memory of 4592 3124 822262.exe 86 PID 3124 wrote to memory of 4592 3124 822262.exe 86 PID 4592 wrote to memory of 2096 4592 pppjj.exe 87 PID 4592 wrote to memory of 2096 4592 pppjj.exe 87 PID 4592 wrote to memory of 2096 4592 pppjj.exe 87 PID 2096 wrote to memory of 2060 2096 nhttnn.exe 88 PID 2096 wrote to memory of 2060 2096 nhttnn.exe 88 PID 2096 wrote to memory of 2060 2096 nhttnn.exe 88 PID 2060 wrote to memory of 4908 2060 7fxrffr.exe 89 PID 2060 wrote to memory of 4908 2060 7fxrffr.exe 89 PID 2060 wrote to memory of 4908 2060 7fxrffr.exe 89 PID 4908 wrote to memory of 3600 4908 dvvpd.exe 90 PID 4908 wrote to memory of 3600 4908 dvvpd.exe 90 PID 4908 wrote to memory of 3600 4908 dvvpd.exe 90 PID 3600 wrote to memory of 2512 3600 g2084.exe 91 PID 3600 wrote to memory of 2512 3600 g2084.exe 91 PID 3600 wrote to memory of 2512 3600 g2084.exe 91 PID 2512 wrote to memory of 2568 2512 pjddv.exe 92 PID 2512 wrote to memory of 2568 2512 pjddv.exe 92 PID 2512 wrote to memory of 2568 2512 pjddv.exe 92 PID 2568 wrote to memory of 2156 2568 8020066.exe 93 PID 2568 wrote to memory of 2156 2568 8020066.exe 93 PID 2568 wrote to memory of 2156 2568 8020066.exe 93 PID 2156 wrote to memory of 4052 2156 26262.exe 94 PID 2156 wrote to memory of 4052 
2156 26262.exe 94 PID 2156 wrote to memory of 4052 2156 26262.exe 94 PID 4052 wrote to memory of 3276 4052 8866622.exe 95 PID 4052 wrote to memory of 3276 4052 8866622.exe 95 PID 4052 wrote to memory of 3276 4052 8866622.exe 95 PID 3276 wrote to memory of 3612 3276 6884604.exe 96 PID 3276 wrote to memory of 3612 3276 6884604.exe 96 PID 3276 wrote to memory of 3612 3276 6884604.exe 96 PID 3612 wrote to memory of 2660 3612 hnbbnb.exe 97 PID 3612 wrote to memory of 2660 3612 hnbbnb.exe 97 PID 3612 wrote to memory of 2660 3612 hnbbnb.exe 97 PID 2660 wrote to memory of 4172 2660 jvvjd.exe 98 PID 2660 wrote to memory of 4172 2660 jvvjd.exe 98 PID 2660 wrote to memory of 4172 2660 jvvjd.exe 98 PID 4172 wrote to memory of 3692 4172 2626482.exe 99 PID 4172 wrote to memory of 3692 4172 2626482.exe 99 PID 4172 wrote to memory of 3692 4172 2626482.exe 99 PID 3692 wrote to memory of 988 3692 tnbnhb.exe 100 PID 3692 wrote to memory of 988 3692 tnbnhb.exe 100 PID 3692 wrote to memory of 988 3692 tnbnhb.exe 100 PID 988 wrote to memory of 4848 988 7rxfr.exe 101 PID 988 wrote to memory of 4848 988 7rxfr.exe 101 PID 988 wrote to memory of 4848 988 7rxfr.exe 101 PID 4848 wrote to memory of 720 4848 7hhhbb.exe 102 PID 4848 wrote to memory of 720 4848 7hhhbb.exe 102 PID 4848 wrote to memory of 720 4848 7hhhbb.exe 102 PID 720 wrote to memory of 2540 720 pjdvp.exe 103 PID 720 wrote to memory of 2540 720 pjdvp.exe 103 PID 720 wrote to memory of 2540 720 pjdvp.exe 103 PID 2540 wrote to memory of 1744 2540 402600.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\afa36566a1b38e4a0092e3593bb301162daee224e6b2c6f5be216038c6fad693.exe"C:\Users\Admin\AppData\Local\Temp\afa36566a1b38e4a0092e3593bb301162daee224e6b2c6f5be216038c6fad693.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\ntnhhh.exec:\ntnhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\ttnntt.exec:\ttnntt.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\822262.exec:\822262.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\pppjj.exec:\pppjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\nhttnn.exec:\nhttnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\7fxrffr.exec:\7fxrffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\dvvpd.exec:\dvvpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\g2084.exec:\g2084.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\pjddv.exec:\pjddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\8020066.exec:\8020066.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\26262.exec:\26262.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\8866622.exec:\8866622.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\6884604.exec:\6884604.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\hnbbnb.exec:\hnbbnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\jvvjd.exec:\jvvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\2626482.exec:\2626482.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\tnbnhb.exec:\tnbnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\7rxfr.exec:\7rxfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
\??\c:\7hhhbb.exec:\7hhhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\pjdvp.exec:\pjdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\402600.exec:\402600.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\s4084.exec:\s4084.exe23⤵
- Executes dropped EXE
PID:1744 -
\??\c:\e88482.exec:\e88482.exe24⤵
- Executes dropped EXE
PID:5096 -
\??\c:\xxfrffx.exec:\xxfrffx.exe25⤵
- Executes dropped EXE
PID:212 -
\??\c:\k00844.exec:\k00844.exe26⤵
- Executes dropped EXE
PID:1680 -
\??\c:\1lfxrrf.exec:\1lfxrrf.exe27⤵
- Executes dropped EXE
PID:2300 -
\??\c:\djjvp.exec:\djjvp.exe28⤵
- Executes dropped EXE
PID:4900 -
\??\c:\3ddvp.exec:\3ddvp.exe29⤵
- Executes dropped EXE
PID:1384 -
\??\c:\1hhtnn.exec:\1hhtnn.exe30⤵
- Executes dropped EXE
PID:4872 -
\??\c:\hbnnnn.exec:\hbnnnn.exe31⤵
- Executes dropped EXE
PID:2328 -
\??\c:\btthbt.exec:\btthbt.exe32⤵
- Executes dropped EXE
PID:2072 -
\??\c:\lrxrxxf.exec:\lrxrxxf.exe33⤵
- Executes dropped EXE
PID:1952 -
\??\c:\4040482.exec:\4040482.exe34⤵
- Executes dropped EXE
PID:1116 -
\??\c:\s6028.exec:\s6028.exe35⤵
- Executes dropped EXE
PID:3332 -
\??\c:\tttbnn.exec:\tttbnn.exe36⤵
- Executes dropped EXE
PID:928 -
\??\c:\008202.exec:\008202.exe37⤵
- Executes dropped EXE
PID:3088 -
\??\c:\pdjjj.exec:\pdjjj.exe38⤵
- Executes dropped EXE
PID:5012 -
\??\c:\a8060.exec:\a8060.exe39⤵
- Executes dropped EXE
PID:2132 -
\??\c:\484888.exec:\484888.exe40⤵
- Executes dropped EXE
PID:1000 -
\??\c:\662248.exec:\662248.exe41⤵
- Executes dropped EXE
PID:4408 -
\??\c:\860484.exec:\860484.exe42⤵
- Executes dropped EXE
PID:1452 -
\??\c:\40226.exec:\40226.exe43⤵
- Executes dropped EXE
PID:4764 -
\??\c:\lxlfxfx.exec:\lxlfxfx.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2000 -
\??\c:\0848604.exec:\0848604.exe45⤵
- Executes dropped EXE
PID:456 -
\??\c:\8880024.exec:\8880024.exe46⤵
- Executes dropped EXE
PID:1964 -
\??\c:\vpvjd.exec:\vpvjd.exe47⤵
- Executes dropped EXE
PID:4580 -
\??\c:\064262.exec:\064262.exe48⤵
- Executes dropped EXE
PID:4836 -
\??\c:\vpdvp.exec:\vpdvp.exe49⤵
- Executes dropped EXE
PID:4520 -
\??\c:\08606.exec:\08606.exe50⤵
- Executes dropped EXE
PID:1392 -
\??\c:\42062.exec:\42062.exe51⤵
- Executes dropped EXE
PID:1556 -
\??\c:\0008260.exec:\0008260.exe52⤵
- Executes dropped EXE
PID:4528 -
\??\c:\9nnbnh.exec:\9nnbnh.exe53⤵
- Executes dropped EXE
PID:4364 -
\??\c:\424882.exec:\424882.exe54⤵
- Executes dropped EXE
PID:5008 -
\??\c:\nnbbtb.exec:\nnbbtb.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3104 -
\??\c:\ththtn.exec:\ththtn.exe56⤵
- Executes dropped EXE
PID:2060 -
\??\c:\fxffrll.exec:\fxffrll.exe57⤵
- Executes dropped EXE
PID:2860 -
\??\c:\680206.exec:\680206.exe58⤵
- Executes dropped EXE
PID:4908 -
\??\c:\86646.exec:\86646.exe59⤵
- Executes dropped EXE
PID:2944 -
\??\c:\484820.exec:\484820.exe60⤵
- Executes dropped EXE
PID:3500 -
\??\c:\s0088.exec:\s0088.exe61⤵
- Executes dropped EXE
PID:2252 -
\??\c:\8202048.exec:\8202048.exe62⤵
- Executes dropped EXE
PID:2564 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe63⤵
- Executes dropped EXE
PID:3268 -
\??\c:\tnhtbt.exec:\tnhtbt.exe64⤵
- Executes dropped EXE
PID:812 -
\??\c:\28008.exec:\28008.exe65⤵
- Executes dropped EXE
PID:4452 -
\??\c:\2242660.exec:\2242660.exe66⤵PID:4640
-
\??\c:\dpvjd.exec:\dpvjd.exe67⤵PID:3252
-
\??\c:\0460884.exec:\0460884.exe68⤵PID:2720
-
\??\c:\1rrlffx.exec:\1rrlffx.exe69⤵PID:2244
-
\??\c:\9lxrllf.exec:\9lxrllf.exe70⤵PID:2660
-
\??\c:\1fllfff.exec:\1fllfff.exe71⤵PID:4172
-
\??\c:\88200.exec:\88200.exe72⤵PID:5104
-
\??\c:\tttbht.exec:\tttbht.exe73⤵PID:3032
-
\??\c:\u688840.exec:\u688840.exe74⤵PID:2816
-
\??\c:\228064.exec:\228064.exe75⤵PID:4980
-
\??\c:\4286200.exec:\4286200.exe76⤵PID:720
-
\??\c:\lxlxfxx.exec:\lxlxfxx.exe77⤵PID:1752
-
\??\c:\bhnbnb.exec:\bhnbnb.exe78⤵PID:3456
-
\??\c:\bbhhhh.exec:\bbhhhh.exe79⤵PID:208
-
\??\c:\44666.exec:\44666.exe80⤵PID:224
-
\??\c:\2408048.exec:\2408048.exe81⤵PID:3624
-
\??\c:\o044444.exec:\o044444.exe82⤵PID:3056
-
\??\c:\q84882.exec:\q84882.exe83⤵PID:3864
-
\??\c:\88648.exec:\88648.exe84⤵PID:1268
-
\??\c:\08264.exec:\08264.exe85⤵PID:4932
-
\??\c:\xxxlfxr.exec:\xxxlfxr.exe86⤵PID:2736
-
\??\c:\fxrfrlf.exec:\fxrfrlf.exe87⤵PID:2416
-
\??\c:\thhhbb.exec:\thhhbb.exe88⤵PID:1096
-
\??\c:\428626.exec:\428626.exe89⤵PID:1944
-
\??\c:\tnhtnh.exec:\tnhtnh.exe90⤵PID:4968
-
\??\c:\xlrlffl.exec:\xlrlffl.exe91⤵PID:3540
-
\??\c:\3jjdv.exec:\3jjdv.exe92⤵PID:1148
-
\??\c:\42260.exec:\42260.exe93⤵PID:3428
-
\??\c:\vpdpp.exec:\vpdpp.exe94⤵PID:1960
-
\??\c:\80648.exec:\80648.exe95⤵PID:2208
-
\??\c:\w80404.exec:\w80404.exe96⤵PID:5012
-
\??\c:\6408608.exec:\6408608.exe97⤵PID:3688
-
\??\c:\o448604.exec:\o448604.exe98⤵PID:4408
-
\??\c:\206860.exec:\206860.exe99⤵PID:1292
-
\??\c:\vjvpj.exec:\vjvpj.exe100⤵PID:2968
-
\??\c:\c806424.exec:\c806424.exe101⤵PID:2876
-
\??\c:\6062602.exec:\6062602.exe102⤵PID:3468
-
\??\c:\llrlffx.exec:\llrlffx.exe103⤵PID:2732
-
\??\c:\40284.exec:\40284.exe104⤵PID:2996
-
\??\c:\842044.exec:\842044.exe105⤵PID:2348
-
\??\c:\6044882.exec:\6044882.exe106⤵PID:1308
-
\??\c:\882266.exec:\882266.exe107⤵PID:4520
-
\??\c:\40004.exec:\40004.exe108⤵PID:1392
-
\??\c:\s0260.exec:\s0260.exe109⤵PID:1556
-
\??\c:\084488.exec:\084488.exe110⤵PID:704
-
\??\c:\htnhht.exec:\htnhht.exe111⤵PID:652
-
\??\c:\ffrfrfx.exec:\ffrfrfx.exe112⤵PID:3364
-
\??\c:\xxlfllf.exec:\xxlfllf.exe113⤵PID:2096
-
\??\c:\02208.exec:\02208.exe114⤵PID:3104
-
\??\c:\6606468.exec:\6606468.exe115⤵PID:2060
-
\??\c:\64084.exec:\64084.exe116⤵PID:2860
-
\??\c:\xrfxxrl.exec:\xrfxxrl.exe117⤵PID:3648
-
\??\c:\tnhbnn.exec:\tnhbnn.exe118⤵PID:2512
-
\??\c:\vvjjj.exec:\vvjjj.exe119⤵PID:3324
-
\??\c:\jpjdv.exec:\jpjdv.exe120⤵PID:2180
-
\??\c:\82486.exec:\82486.exe121⤵PID:1772
-
\??\c:\bnbntn.exec:\bnbntn.exe122⤵PID:2256