Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
16/12/2024, 19:02
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
d490c2cf066089f80984198f55f21d81ca9adb8892ad952482c278a32f217574N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
d490c2cf066089f80984198f55f21d81ca9adb8892ad952482c278a32f217574N.exe
-
Size
453KB
-
MD5
6c5db2af347010c04d0ee11454e25290
-
SHA1
f5d37efa2d58678c24c72a7dfd69569e3a4bf4d8
-
SHA256
d490c2cf066089f80984198f55f21d81ca9adb8892ad952482c278a32f217574
-
SHA512
235fd853d76cd91579c3076e817713fabc69d8b8f1a76968f67fec1df5b879930fddb26ca3804b0bae7cb083daab0e1db880bcc9f7bdcb16aaceca9e8571352d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/392-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4940-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1804-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-1077-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-1229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-1236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-1387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3060-1427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4416 8220404.exe 1072 rxxrlfx.exe 3592 jvdpj.exe 2916 2660486.exe 1832 26422.exe 800 1llfxxr.exe 3924 220068.exe 3200 e06666.exe 3772 bnthbb.exe 3180 204248.exe 3108 82266.exe 396 3vdpp.exe 1524 60000.exe 2584 04442.exe 3716 i642484.exe 4780 rxfxrll.exe 2216 flffflf.exe 3472 g2848.exe 4684 htthbb.exe 3116 844260.exe 4612 1rlfrlr.exe 1580 0448264.exe 4184 1lrlrrx.exe 1076 dddvv.exe 1308 6848822.exe 4012 4886242.exe 1624 8666048.exe 4940 a4484.exe 668 624482.exe 3676 i804860.exe 2056 rrxlxlf.exe 1600 6682004.exe 1816 htbhbb.exe 2164 rxfrxlf.exe 3956 bttnhn.exe 2832 c060606.exe 1820 ffrlfxx.exe 5040 rxlfxfx.exe 4676 xfllffx.exe 3324 8288260.exe 1640 a4044.exe 1504 2042286.exe 1712 004648.exe 2772 bnthbb.exe 3732 jvdpj.exe 1040 vpvpj.exe 4588 btthbt.exe 4712 jjpdj.exe 3708 u620826.exe 2476 q46860.exe 4468 nnhbtt.exe 4472 frfrxrf.exe 3820 hhbttt.exe 4400 40604.exe 4036 ddvjd.exe 2968 xlfxfxf.exe 1928 3lxrflf.exe 3592 xlxrfff.exe 5096 5vdpj.exe 1708 tnbbhh.exe 2084 06260.exe 2288 206666.exe 4648 llxxlrx.exe 4840 04266.exe -
resource yara_rule behavioral2/memory/392-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/668-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-378-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2004-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-982-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-1077-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (commonly used by malware to avoid executing in particular regions).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2626222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e26022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0842604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6620860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w62200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djjp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 392 wrote to memory of 4416 392 d490c2cf066089f80984198f55f21d81ca9adb8892ad952482c278a32f217574N.exe 82 PID 392 wrote to memory of 4416 392 d490c2cf066089f80984198f55f21d81ca9adb8892ad952482c278a32f217574N.exe 82 PID 392 wrote to memory of 4416 392 d490c2cf066089f80984198f55f21d81ca9adb8892ad952482c278a32f217574N.exe 82 PID 4416 wrote to memory of 1072 4416 8220404.exe 83 PID 4416 wrote to memory of 1072 4416 8220404.exe 83 PID 4416 wrote to memory of 1072 4416 8220404.exe 83 PID 1072 wrote to memory of 3592 1072 rxxrlfx.exe 84 PID 1072 wrote to memory of 3592 1072 rxxrlfx.exe 84 PID 1072 wrote to memory of 3592 1072 rxxrlfx.exe 84 PID 3592 wrote to memory of 2916 3592 jvdpj.exe 85 PID 3592 wrote to memory of 2916 3592 jvdpj.exe 85 PID 3592 wrote to memory of 2916 3592 jvdpj.exe 85 PID 2916 wrote to memory of 1832 2916 2660486.exe 86 PID 2916 wrote to memory of 1832 2916 2660486.exe 86 PID 2916 wrote to memory of 1832 2916 2660486.exe 86 PID 1832 wrote to memory of 800 1832 26422.exe 87 PID 1832 wrote to memory of 800 1832 26422.exe 87 PID 1832 wrote to memory of 800 1832 26422.exe 87 PID 800 wrote to memory of 3924 800 1llfxxr.exe 88 PID 800 wrote to memory of 3924 800 1llfxxr.exe 88 PID 800 wrote to memory of 3924 800 1llfxxr.exe 88 PID 3924 wrote to memory of 3200 3924 220068.exe 89 PID 3924 wrote to memory of 3200 3924 220068.exe 89 PID 3924 wrote to memory of 3200 3924 220068.exe 89 PID 3200 wrote to memory of 3772 3200 e06666.exe 90 PID 3200 wrote to memory of 3772 3200 e06666.exe 90 PID 3200 wrote to memory of 3772 3200 e06666.exe 90 PID 3772 wrote to memory of 3180 3772 bnthbb.exe 91 PID 3772 wrote to memory of 3180 3772 bnthbb.exe 91 PID 3772 wrote to memory of 3180 3772 bnthbb.exe 91 PID 3180 wrote to memory of 3108 3180 204248.exe 92 PID 3180 wrote to memory of 3108 3180 204248.exe 92 PID 3180 wrote to memory of 3108 3180 204248.exe 92 PID 3108 wrote to memory of 396 3108 82266.exe 93 PID 3108 wrote to memory of 
396 3108 82266.exe 93 PID 3108 wrote to memory of 396 3108 82266.exe 93 PID 396 wrote to memory of 1524 396 3vdpp.exe 94 PID 396 wrote to memory of 1524 396 3vdpp.exe 94 PID 396 wrote to memory of 1524 396 3vdpp.exe 94 PID 1524 wrote to memory of 2584 1524 60000.exe 95 PID 1524 wrote to memory of 2584 1524 60000.exe 95 PID 1524 wrote to memory of 2584 1524 60000.exe 95 PID 2584 wrote to memory of 3716 2584 04442.exe 96 PID 2584 wrote to memory of 3716 2584 04442.exe 96 PID 2584 wrote to memory of 3716 2584 04442.exe 96 PID 3716 wrote to memory of 4780 3716 i642484.exe 97 PID 3716 wrote to memory of 4780 3716 i642484.exe 97 PID 3716 wrote to memory of 4780 3716 i642484.exe 97 PID 4780 wrote to memory of 2216 4780 rxfxrll.exe 98 PID 4780 wrote to memory of 2216 4780 rxfxrll.exe 98 PID 4780 wrote to memory of 2216 4780 rxfxrll.exe 98 PID 2216 wrote to memory of 3472 2216 flffflf.exe 99 PID 2216 wrote to memory of 3472 2216 flffflf.exe 99 PID 2216 wrote to memory of 3472 2216 flffflf.exe 99 PID 3472 wrote to memory of 4684 3472 g2848.exe 100 PID 3472 wrote to memory of 4684 3472 g2848.exe 100 PID 3472 wrote to memory of 4684 3472 g2848.exe 100 PID 4684 wrote to memory of 3116 4684 htthbb.exe 101 PID 4684 wrote to memory of 3116 4684 htthbb.exe 101 PID 4684 wrote to memory of 3116 4684 htthbb.exe 101 PID 3116 wrote to memory of 4612 3116 844260.exe 102 PID 3116 wrote to memory of 4612 3116 844260.exe 102 PID 3116 wrote to memory of 4612 3116 844260.exe 102 PID 4612 wrote to memory of 1580 4612 1rlfrlr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d490c2cf066089f80984198f55f21d81ca9adb8892ad952482c278a32f217574N.exe"C:\Users\Admin\AppData\Local\Temp\d490c2cf066089f80984198f55f21d81ca9adb8892ad952482c278a32f217574N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\8220404.exec:\8220404.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\jvdpj.exec:\jvdpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\2660486.exec:\2660486.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\26422.exec:\26422.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\1llfxxr.exec:\1llfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\220068.exec:\220068.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\e06666.exec:\e06666.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\bnthbb.exec:\bnthbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\204248.exec:\204248.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\82266.exec:\82266.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\3vdpp.exec:\3vdpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\60000.exec:\60000.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\04442.exec:\04442.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\i642484.exec:\i642484.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\rxfxrll.exec:\rxfxrll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\flffflf.exec:\flffflf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\g2848.exec:\g2848.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\htthbb.exec:\htthbb.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\844260.exec:\844260.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\1rlfrlr.exec:\1rlfrlr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\0448264.exec:\0448264.exe23⤵
- Executes dropped EXE
PID:1580 -
\??\c:\1lrlrrx.exec:\1lrlrrx.exe24⤵
- Executes dropped EXE
PID:4184 -
\??\c:\dddvv.exec:\dddvv.exe25⤵
- Executes dropped EXE
PID:1076 -
\??\c:\6848822.exec:\6848822.exe26⤵
- Executes dropped EXE
PID:1308 -
\??\c:\4886242.exec:\4886242.exe27⤵
- Executes dropped EXE
PID:4012 -
\??\c:\8666048.exec:\8666048.exe28⤵
- Executes dropped EXE
PID:1624 -
\??\c:\a4484.exec:\a4484.exe29⤵
- Executes dropped EXE
PID:4940 -
\??\c:\624482.exec:\624482.exe30⤵
- Executes dropped EXE
PID:668 -
\??\c:\i804860.exec:\i804860.exe31⤵
- Executes dropped EXE
PID:3676 -
\??\c:\rrxlxlf.exec:\rrxlxlf.exe32⤵
- Executes dropped EXE
PID:2056 -
\??\c:\6682004.exec:\6682004.exe33⤵
- Executes dropped EXE
PID:1600 -
\??\c:\htbhbb.exec:\htbhbb.exe34⤵
- Executes dropped EXE
PID:1816 -
\??\c:\rxfrxlf.exec:\rxfrxlf.exe35⤵
- Executes dropped EXE
PID:2164 -
\??\c:\bttnhn.exec:\bttnhn.exe36⤵
- Executes dropped EXE
PID:3956 -
\??\c:\c060606.exec:\c060606.exe37⤵
- Executes dropped EXE
PID:2832 -
\??\c:\ffrlfxx.exec:\ffrlfxx.exe38⤵
- Executes dropped EXE
PID:1820 -
\??\c:\rxlfxfx.exec:\rxlfxfx.exe39⤵
- Executes dropped EXE
PID:5040 -
\??\c:\xfllffx.exec:\xfllffx.exe40⤵
- Executes dropped EXE
PID:4676 -
\??\c:\8288260.exec:\8288260.exe41⤵
- Executes dropped EXE
PID:3324 -
\??\c:\a4044.exec:\a4044.exe42⤵
- Executes dropped EXE
PID:1640 -
\??\c:\2042286.exec:\2042286.exe43⤵
- Executes dropped EXE
PID:1504 -
\??\c:\004648.exec:\004648.exe44⤵
- Executes dropped EXE
PID:1712 -
\??\c:\bnthbb.exec:\bnthbb.exe45⤵
- Executes dropped EXE
PID:2772 -
\??\c:\jvdpj.exec:\jvdpj.exe46⤵
- Executes dropped EXE
PID:3732 -
\??\c:\vpvpj.exec:\vpvpj.exe47⤵
- Executes dropped EXE
PID:1040 -
\??\c:\btthbt.exec:\btthbt.exe48⤵
- Executes dropped EXE
PID:4588 -
\??\c:\jjpdj.exec:\jjpdj.exe49⤵
- Executes dropped EXE
PID:4712 -
\??\c:\u620826.exec:\u620826.exe50⤵
- Executes dropped EXE
PID:3708 -
\??\c:\q46860.exec:\q46860.exe51⤵
- Executes dropped EXE
PID:2476 -
\??\c:\nnhbtt.exec:\nnhbtt.exe52⤵
- Executes dropped EXE
PID:4468 -
\??\c:\frfrxrf.exec:\frfrxrf.exe53⤵
- Executes dropped EXE
PID:4472 -
\??\c:\hhbttt.exec:\hhbttt.exe54⤵
- Executes dropped EXE
PID:3820 -
\??\c:\40604.exec:\40604.exe55⤵
- Executes dropped EXE
PID:4400 -
\??\c:\ddvjd.exec:\ddvjd.exe56⤵
- Executes dropped EXE
PID:4036 -
\??\c:\xlfxfxf.exec:\xlfxfxf.exe57⤵
- Executes dropped EXE
PID:2968 -
\??\c:\3lxrflf.exec:\3lxrflf.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1928 -
\??\c:\xlxrfff.exec:\xlxrfff.exe59⤵
- Executes dropped EXE
PID:3592 -
\??\c:\5vdpj.exec:\5vdpj.exe60⤵
- Executes dropped EXE
PID:5096 -
\??\c:\tnbbhh.exec:\tnbbhh.exe61⤵
- Executes dropped EXE
PID:1708 -
\??\c:\06260.exec:\06260.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2084 -
\??\c:\206666.exec:\206666.exe63⤵
- Executes dropped EXE
PID:2288 -
\??\c:\llxxlrx.exec:\llxxlrx.exe64⤵
- Executes dropped EXE
PID:4648 -
\??\c:\04266.exec:\04266.exe65⤵
- Executes dropped EXE
PID:4840 -
\??\c:\w62200.exec:\w62200.exe66⤵
- System Location Discovery: System Language Discovery
PID:3200 -
\??\c:\hnnbth.exec:\hnnbth.exe67⤵PID:3180
-
\??\c:\3xfxrrl.exec:\3xfxrrl.exe68⤵PID:3004
-
\??\c:\64448.exec:\64448.exe69⤵PID:4464
-
\??\c:\4288226.exec:\4288226.exe70⤵PID:4828
-
\??\c:\0466060.exec:\0466060.exe71⤵PID:1524
-
\??\c:\486628.exec:\486628.exe72⤵PID:2688
-
\??\c:\dddvj.exec:\dddvj.exe73⤵PID:1608
-
\??\c:\0282600.exec:\0282600.exe74⤵PID:1960
-
\??\c:\84260.exec:\84260.exe75⤵PID:3872
-
\??\c:\40664.exec:\40664.exe76⤵PID:1804
-
\??\c:\jppdd.exec:\jppdd.exe77⤵PID:1440
-
\??\c:\6002606.exec:\6002606.exe78⤵PID:3160
-
\??\c:\rrrlfxr.exec:\rrrlfxr.exe79⤵PID:2800
-
\??\c:\jddvp.exec:\jddvp.exe80⤵
- System Location Discovery: System Language Discovery
PID:1924 -
\??\c:\ttbtnn.exec:\ttbtnn.exe81⤵PID:1696
-
\??\c:\080484.exec:\080484.exe82⤵PID:4968
-
\??\c:\xflfxrl.exec:\xflfxrl.exe83⤵PID:3780
-
\??\c:\3lfxrll.exec:\3lfxrll.exe84⤵PID:4496
-
\??\c:\2644644.exec:\2644644.exe85⤵PID:3556
-
\??\c:\dvjdp.exec:\dvjdp.exe86⤵PID:3248
-
\??\c:\9tbttt.exec:\9tbttt.exe87⤵PID:3032
-
\??\c:\6288222.exec:\6288222.exe88⤵PID:4536
-
\??\c:\dvvpd.exec:\dvvpd.exe89⤵PID:2168
-
\??\c:\fxxrrfl.exec:\fxxrrfl.exe90⤵PID:2192
-
\??\c:\a8040.exec:\a8040.exe91⤵PID:2980
-
\??\c:\i406000.exec:\i406000.exe92⤵PID:3812
-
\??\c:\llfllxr.exec:\llfllxr.exe93⤵PID:3728
-
\??\c:\nhnhbb.exec:\nhnhbb.exe94⤵PID:1280
-
\??\c:\282662.exec:\282662.exe95⤵PID:2004
-
\??\c:\jjjvp.exec:\jjjvp.exe96⤵PID:716
-
\??\c:\6688226.exec:\6688226.exe97⤵PID:1344
-
\??\c:\246488.exec:\246488.exe98⤵PID:3280
-
\??\c:\062644.exec:\062644.exe99⤵PID:2744
-
\??\c:\bhtnhb.exec:\bhtnhb.exe100⤵PID:2304
-
\??\c:\nbbttn.exec:\nbbttn.exe101⤵PID:3744
-
\??\c:\jvjjd.exec:\jvjjd.exe102⤵PID:4664
-
\??\c:\40220.exec:\40220.exe103⤵PID:1224
-
\??\c:\ddvpj.exec:\ddvpj.exe104⤵PID:2412
-
\??\c:\e26022.exec:\e26022.exe105⤵
- System Location Discovery: System Language Discovery
PID:4520 -
\??\c:\ppdjd.exec:\ppdjd.exe106⤵PID:4676
-
\??\c:\9lffrlf.exec:\9lffrlf.exe107⤵PID:4848
-
\??\c:\8248828.exec:\8248828.exe108⤵PID:2704
-
\??\c:\86444.exec:\86444.exe109⤵PID:3112
-
\??\c:\s2264.exec:\s2264.exe110⤵PID:2996
-
\??\c:\7lrfffx.exec:\7lrfffx.exe111⤵PID:2772
-
\??\c:\tbbtnn.exec:\tbbtnn.exe112⤵PID:3732
-
\??\c:\2666222.exec:\2666222.exe113⤵PID:2984
-
\??\c:\k44484.exec:\k44484.exe114⤵PID:4588
-
\??\c:\3lrlrrl.exec:\3lrlrrl.exe115⤵PID:1892
-
\??\c:\2024066.exec:\2024066.exe116⤵PID:2376
-
\??\c:\4020426.exec:\4020426.exe117⤵PID:2476
-
\??\c:\lflxrfx.exec:\lflxrfx.exe118⤵PID:376
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe119⤵PID:4348
-
\??\c:\46604.exec:\46604.exe120⤵PID:2796
-
\??\c:\jjjdp.exec:\jjjdp.exe121⤵PID:1072
-
\??\c:\64204.exec:\64204.exe122⤵PID:1084