Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 21:28
Static task
static1
Behavioral task
behavioral1
Sample
30e9c6b33b971b438c0b3db5ea0964fc7d1cab9c2131294e18591b5540b38aa0.exe
Resource
win7-20241010-en
General
-
Target
30e9c6b33b971b438c0b3db5ea0964fc7d1cab9c2131294e18591b5540b38aa0.exe
-
Size
332KB
-
MD5
c627dddffa7434e42384fbb2b307622c
-
SHA1
526fd0d28ae693bd9813ebbed46a5bfe297efac1
-
SHA256
30e9c6b33b971b438c0b3db5ea0964fc7d1cab9c2131294e18591b5540b38aa0
-
SHA512
3eb5903d056bddfdaf2e1dc693137b1b17bdd7401f0df856da09403aeb19ded80cd3aaa145369e3f7bb0a193d608cd58d70508cfd7c2eabc2e902a32dab720f6
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhP:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1524-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3708-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4280-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-742-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-1128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2472-1664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 452 nttthn.exe 1520 228204.exe 1144 42642.exe 4916 lrlflrl.exe 2236 9ffxrrl.exe 2804 4404264.exe 1636 pjppp.exe 1416 s8048.exe 4048 i864826.exe 1140 8466426.exe 3524 1ttnbb.exe 2840 frxrlxl.exe 5080 802844.exe 528 pdpvj.exe 1912 frrlffr.exe 4772 jvvjd.exe 2232 nhnhnb.exe 4088 2000486.exe 1016 xffrlfx.exe 3468 3rlfrrf.exe 3512 ttthhb.exe 1228 86824.exe 3564 dpjpv.exe 1904 nthtnt.exe 2684 dpjjd.exe 2732 826004.exe 3460 80882.exe 2564 lxxrlfx.exe 2528 vpvpd.exe 4960 lfllrrx.exe 2764 xrrlxrl.exe 3380 082620.exe 1684 4460822.exe 428 46868.exe 3696 pdpdd.exe 3708 lxxrllx.exe 3792 0426048.exe 3084 260486.exe 3168 hhhbbt.exe 408 068204.exe 1156 jvdvj.exe 2748 802826.exe 3592 0404026.exe 4084 66660.exe 5060 062248.exe 4724 44846.exe 1352 3bhbbt.exe 3624 246044.exe 4836 5ppvp.exe 4856 88222.exe 540 0488226.exe 4148 xxrrlll.exe 2052 ttbtnn.exe 4020 pjjjj.exe 1396 66006.exe 4924 nntnbb.exe 1392 xxlfllx.exe 224 m2006.exe 1696 62442.exe 3212 u848266.exe 4048 208044.exe 1640 22066.exe 4956 068828.exe 2452 9jdpj.exe -
resource yara_rule behavioral2/memory/1524-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-194-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/428-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-389-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4884-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-732-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 444888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c204006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k68648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2000486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1524 wrote to memory of 452 1524 30e9c6b33b971b438c0b3db5ea0964fc7d1cab9c2131294e18591b5540b38aa0.exe 83 PID 1524 wrote to memory of 452 1524 30e9c6b33b971b438c0b3db5ea0964fc7d1cab9c2131294e18591b5540b38aa0.exe 83 PID 1524 wrote to memory of 452 1524 30e9c6b33b971b438c0b3db5ea0964fc7d1cab9c2131294e18591b5540b38aa0.exe 83 PID 452 wrote to memory of 1520 452 nttthn.exe 84 PID 452 wrote to memory of 1520 452 nttthn.exe 84 PID 452 wrote to memory of 1520 452 nttthn.exe 84 PID 1520 wrote to memory of 1144 1520 228204.exe 85 PID 1520 wrote to memory of 1144 1520 228204.exe 85 PID 1520 wrote to memory of 1144 1520 228204.exe 85 PID 1144 wrote to memory of 4916 1144 42642.exe 86 PID 1144 wrote to memory of 4916 1144 42642.exe 86 PID 1144 wrote to memory of 4916 1144 42642.exe 86 PID 4916 wrote to memory of 2236 4916 lrlflrl.exe 87 PID 4916 wrote to memory of 2236 4916 lrlflrl.exe 87 PID 4916 wrote to memory of 2236 4916 lrlflrl.exe 87 PID 2236 wrote to memory of 2804 2236 9ffxrrl.exe 88 PID 2236 wrote to memory of 2804 2236 9ffxrrl.exe 88 PID 2236 wrote to memory of 2804 2236 9ffxrrl.exe 88 PID 2804 wrote to memory of 1636 2804 4404264.exe 89 PID 2804 wrote to memory of 1636 2804 4404264.exe 89 PID 2804 wrote to memory of 1636 2804 4404264.exe 89 PID 1636 wrote to memory of 1416 1636 pjppp.exe 90 PID 1636 wrote to memory of 1416 1636 pjppp.exe 90 PID 1636 wrote to memory of 1416 1636 pjppp.exe 90 PID 1416 wrote to memory of 4048 1416 s8048.exe 91 PID 1416 wrote to memory of 4048 1416 s8048.exe 91 PID 1416 wrote to memory of 4048 1416 s8048.exe 91 PID 4048 wrote to memory of 1140 4048 i864826.exe 92 PID 4048 wrote to memory of 1140 4048 i864826.exe 92 PID 4048 wrote to memory of 1140 4048 i864826.exe 92 PID 1140 wrote to memory of 3524 1140 8466426.exe 93 PID 1140 wrote to memory of 3524 1140 8466426.exe 93 PID 1140 wrote to memory of 3524 1140 8466426.exe 93 PID 3524 wrote to memory of 2840 3524 1ttnbb.exe 94 PID 3524 wrote to 
memory of 2840 3524 1ttnbb.exe 94 PID 3524 wrote to memory of 2840 3524 1ttnbb.exe 94 PID 2840 wrote to memory of 5080 2840 frxrlxl.exe 95 PID 2840 wrote to memory of 5080 2840 frxrlxl.exe 95 PID 2840 wrote to memory of 5080 2840 frxrlxl.exe 95 PID 5080 wrote to memory of 528 5080 802844.exe 96 PID 5080 wrote to memory of 528 5080 802844.exe 96 PID 5080 wrote to memory of 528 5080 802844.exe 96 PID 528 wrote to memory of 1912 528 pdpvj.exe 97 PID 528 wrote to memory of 1912 528 pdpvj.exe 97 PID 528 wrote to memory of 1912 528 pdpvj.exe 97 PID 1912 wrote to memory of 4772 1912 frrlffr.exe 98 PID 1912 wrote to memory of 4772 1912 frrlffr.exe 98 PID 1912 wrote to memory of 4772 1912 frrlffr.exe 98 PID 4772 wrote to memory of 2232 4772 jvvjd.exe 99 PID 4772 wrote to memory of 2232 4772 jvvjd.exe 99 PID 4772 wrote to memory of 2232 4772 jvvjd.exe 99 PID 2232 wrote to memory of 4088 2232 nhnhnb.exe 100 PID 2232 wrote to memory of 4088 2232 nhnhnb.exe 100 PID 2232 wrote to memory of 4088 2232 nhnhnb.exe 100 PID 4088 wrote to memory of 1016 4088 2000486.exe 101 PID 4088 wrote to memory of 1016 4088 2000486.exe 101 PID 4088 wrote to memory of 1016 4088 2000486.exe 101 PID 1016 wrote to memory of 3468 1016 xffrlfx.exe 102 PID 1016 wrote to memory of 3468 1016 xffrlfx.exe 102 PID 1016 wrote to memory of 3468 1016 xffrlfx.exe 102 PID 3468 wrote to memory of 3512 3468 3rlfrrf.exe 103 PID 3468 wrote to memory of 3512 3468 3rlfrrf.exe 103 PID 3468 wrote to memory of 3512 3468 3rlfrrf.exe 103 PID 3512 wrote to memory of 1228 3512 ttthhb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\30e9c6b33b971b438c0b3db5ea0964fc7d1cab9c2131294e18591b5540b38aa0.exe"C:\Users\Admin\AppData\Local\Temp\30e9c6b33b971b438c0b3db5ea0964fc7d1cab9c2131294e18591b5540b38aa0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\nttthn.exec:\nttthn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\228204.exec:\228204.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\42642.exec:\42642.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\lrlflrl.exec:\lrlflrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\9ffxrrl.exec:\9ffxrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\4404264.exec:\4404264.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\pjppp.exec:\pjppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\s8048.exec:\s8048.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\i864826.exec:\i864826.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\8466426.exec:\8466426.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\1ttnbb.exec:\1ttnbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\frxrlxl.exec:\frxrlxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\802844.exec:\802844.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\pdpvj.exec:\pdpvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\frrlffr.exec:\frrlffr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\jvvjd.exec:\jvvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\nhnhnb.exec:\nhnhnb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\2000486.exec:\2000486.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\xffrlfx.exec:\xffrlfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\3rlfrrf.exec:\3rlfrrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\ttthhb.exec:\ttthhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\86824.exec:\86824.exe23⤵
- Executes dropped EXE
PID:1228 -
\??\c:\dpjpv.exec:\dpjpv.exe24⤵
- Executes dropped EXE
PID:3564 -
\??\c:\nthtnt.exec:\nthtnt.exe25⤵
- Executes dropped EXE
PID:1904 -
\??\c:\dpjjd.exec:\dpjjd.exe26⤵
- Executes dropped EXE
PID:2684 -
\??\c:\826004.exec:\826004.exe27⤵
- Executes dropped EXE
PID:2732 -
\??\c:\80882.exec:\80882.exe28⤵
- Executes dropped EXE
PID:3460 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe29⤵
- Executes dropped EXE
PID:2564 -
\??\c:\vpvpd.exec:\vpvpd.exe30⤵
- Executes dropped EXE
PID:2528 -
\??\c:\lfllrrx.exec:\lfllrrx.exe31⤵
- Executes dropped EXE
PID:4960 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe32⤵
- Executes dropped EXE
PID:2764 -
\??\c:\082620.exec:\082620.exe33⤵
- Executes dropped EXE
PID:3380 -
\??\c:\4460822.exec:\4460822.exe34⤵
- Executes dropped EXE
PID:1684 -
\??\c:\46868.exec:\46868.exe35⤵
- Executes dropped EXE
PID:428 -
\??\c:\pdpdd.exec:\pdpdd.exe36⤵
- Executes dropped EXE
PID:3696 -
\??\c:\lxxrllx.exec:\lxxrllx.exe37⤵
- Executes dropped EXE
PID:3708 -
\??\c:\0426048.exec:\0426048.exe38⤵
- Executes dropped EXE
PID:3792 -
\??\c:\260486.exec:\260486.exe39⤵
- Executes dropped EXE
PID:3084 -
\??\c:\hhhbbt.exec:\hhhbbt.exe40⤵
- Executes dropped EXE
PID:3168 -
\??\c:\068204.exec:\068204.exe41⤵
- Executes dropped EXE
PID:408 -
\??\c:\jvdvj.exec:\jvdvj.exe42⤵
- Executes dropped EXE
PID:1156 -
\??\c:\802826.exec:\802826.exe43⤵
- Executes dropped EXE
PID:2748 -
\??\c:\0404026.exec:\0404026.exe44⤵
- Executes dropped EXE
PID:3592 -
\??\c:\66660.exec:\66660.exe45⤵
- Executes dropped EXE
PID:4084 -
\??\c:\062248.exec:\062248.exe46⤵
- Executes dropped EXE
PID:5060 -
\??\c:\44846.exec:\44846.exe47⤵
- Executes dropped EXE
PID:4724 -
\??\c:\3bhbbt.exec:\3bhbbt.exe48⤵
- Executes dropped EXE
PID:1352 -
\??\c:\246044.exec:\246044.exe49⤵
- Executes dropped EXE
PID:3624 -
\??\c:\5ppvp.exec:\5ppvp.exe50⤵
- Executes dropped EXE
PID:4836 -
\??\c:\xxxxlll.exec:\xxxxlll.exe51⤵PID:4356
-
\??\c:\88222.exec:\88222.exe52⤵
- Executes dropped EXE
PID:4856 -
\??\c:\0488226.exec:\0488226.exe53⤵
- Executes dropped EXE
PID:540 -
\??\c:\xxrrlll.exec:\xxrrlll.exe54⤵
- Executes dropped EXE
PID:4148 -
\??\c:\ttbtnn.exec:\ttbtnn.exe55⤵
- Executes dropped EXE
PID:2052 -
\??\c:\pjjjj.exec:\pjjjj.exe56⤵
- Executes dropped EXE
PID:4020 -
\??\c:\66006.exec:\66006.exe57⤵
- Executes dropped EXE
PID:1396 -
\??\c:\nntnbb.exec:\nntnbb.exe58⤵
- Executes dropped EXE
PID:4924 -
\??\c:\xxlfllx.exec:\xxlfllx.exe59⤵
- Executes dropped EXE
PID:1392 -
\??\c:\m2006.exec:\m2006.exe60⤵
- Executes dropped EXE
PID:224 -
\??\c:\62442.exec:\62442.exe61⤵
- Executes dropped EXE
PID:1696 -
\??\c:\u848266.exec:\u848266.exe62⤵
- Executes dropped EXE
PID:3212 -
\??\c:\208044.exec:\208044.exe63⤵
- Executes dropped EXE
PID:4048 -
\??\c:\22066.exec:\22066.exe64⤵
- Executes dropped EXE
PID:1640 -
\??\c:\068828.exec:\068828.exe65⤵
- Executes dropped EXE
PID:4956 -
\??\c:\9jdpj.exec:\9jdpj.exe66⤵
- Executes dropped EXE
PID:2452 -
\??\c:\8262822.exec:\8262822.exe67⤵PID:1928
-
\??\c:\62488.exec:\62488.exe68⤵PID:2020
-
\??\c:\7thbhh.exec:\7thbhh.exe69⤵PID:1860
-
\??\c:\s2888.exec:\s2888.exe70⤵PID:4772
-
\??\c:\6406628.exec:\6406628.exe71⤵PID:3840
-
\??\c:\bttnnn.exec:\bttnnn.exe72⤵PID:5012
-
\??\c:\9bnhnb.exec:\9bnhnb.exe73⤵PID:3576
-
\??\c:\o020466.exec:\o020466.exe74⤵PID:1992
-
\??\c:\20206.exec:\20206.exe75⤵PID:2376
-
\??\c:\e02044.exec:\e02044.exe76⤵PID:4536
-
\??\c:\rlrllxr.exec:\rlrllxr.exe77⤵PID:2684
-
\??\c:\086268.exec:\086268.exe78⤵PID:2168
-
\??\c:\0664000.exec:\0664000.exe79⤵PID:4280
-
\??\c:\7xffxxx.exec:\7xffxxx.exe80⤵PID:3484
-
\??\c:\pdddv.exec:\pdddv.exe81⤵PID:3404
-
\??\c:\jjjdv.exec:\jjjdv.exe82⤵PID:1244
-
\??\c:\66840.exec:\66840.exe83⤵PID:2940
-
\??\c:\20486.exec:\20486.exe84⤵
- System Location Discovery: System Language Discovery
PID:1848 -
\??\c:\vdpjd.exec:\vdpjd.exe85⤵PID:396
-
\??\c:\80048.exec:\80048.exe86⤵PID:4452
-
\??\c:\7tthtt.exec:\7tthtt.exe87⤵PID:2860
-
\??\c:\8682626.exec:\8682626.exe88⤵PID:3792
-
\??\c:\fxlxxff.exec:\fxlxxff.exe89⤵PID:548
-
\??\c:\480404.exec:\480404.exe90⤵PID:3104
-
\??\c:\q86062.exec:\q86062.exe91⤵PID:408
-
\??\c:\66028.exec:\66028.exe92⤵PID:1156
-
\??\c:\nhnhhn.exec:\nhnhhn.exe93⤵PID:3940
-
\??\c:\nhnttb.exec:\nhnttb.exe94⤵PID:532
-
\??\c:\nhtbnn.exec:\nhtbnn.exe95⤵PID:4884
-
\??\c:\htttnh.exec:\htttnh.exe96⤵PID:652
-
\??\c:\xlrrrrl.exec:\xlrrrrl.exe97⤵PID:3204
-
\??\c:\pjvpv.exec:\pjvpv.exe98⤵PID:1352
-
\??\c:\680660.exec:\680660.exe99⤵PID:4224
-
\??\c:\btbtnt.exec:\btbtnt.exe100⤵PID:4504
-
\??\c:\5ddjj.exec:\5ddjj.exe101⤵PID:4356
-
\??\c:\lffrlff.exec:\lffrlff.exe102⤵PID:4896
-
\??\c:\066000.exec:\066000.exe103⤵PID:540
-
\??\c:\xfrfrrf.exec:\xfrfrrf.exe104⤵PID:3928
-
\??\c:\rfxrlfx.exec:\rfxrlfx.exe105⤵PID:908
-
\??\c:\thbtnn.exec:\thbtnn.exe106⤵PID:4940
-
\??\c:\64044.exec:\64044.exe107⤵PID:4364
-
\??\c:\228264.exec:\228264.exe108⤵PID:4480
-
\??\c:\9nnthb.exec:\9nnthb.exe109⤵PID:3768
-
\??\c:\u082884.exec:\u082884.exe110⤵PID:3024
-
\??\c:\w24400.exec:\w24400.exe111⤵PID:4584
-
\??\c:\0062266.exec:\0062266.exe112⤵PID:4844
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe113⤵PID:3552
-
\??\c:\646028.exec:\646028.exe114⤵PID:712
-
\??\c:\4682448.exec:\4682448.exe115⤵PID:2136
-
\??\c:\g4222.exec:\g4222.exe116⤵PID:5052
-
\??\c:\o026008.exec:\o026008.exe117⤵PID:4492
-
\??\c:\bnnhhb.exec:\bnnhhb.exe118⤵PID:1140
-
\??\c:\2020620.exec:\2020620.exe119⤵PID:528
-
\??\c:\064622.exec:\064622.exe120⤵PID:3400
-
\??\c:\bbbtnn.exec:\bbbtnn.exe121⤵PID:3424
-
\??\c:\422806.exec:\422806.exe122⤵PID:3968