Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 06:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe
-
Size
453KB
-
MD5
d39bb7af27f102defd19429d31a5fa5c
-
SHA1
b2f1643aff977d2f033b7abbdda630dbb6e99b3f
-
SHA256
3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319
-
SHA512
d1a6cc077666f1586b5193d6ae3d66c68830b90142b04cce8a2b82d2f64b62bab7225a886038f899251ee4a5af6865641cd8c707cc08fb74f21fa505d24dd391
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1348-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1236-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4764-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-758-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-813-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-878-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-1008-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-1147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-1190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1756-1403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1848 g2264.exe 456 204860.exe 4788 9rlxrrl.exe 2200 426826.exe 2192 dpppp.exe 4340 dpvpj.exe 3068 vpvpv.exe 3988 4260004.exe 720 nbthtn.exe 4044 04882.exe 4296 4684866.exe 2160 tbbbnh.exe 1756 bttnnt.exe 2752 4664648.exe 4796 bnnnnb.exe 4800 jjvpj.exe 4212 tbthth.exe 4572 xlfxlfx.exe 5024 86682.exe 2892 888206.exe 1120 xrxlrlr.exe 2280 nbbnbt.exe 1236 dpjpj.exe 4900 nbhbhb.exe 2424 hbnbhn.exe 2108 o002042.exe 2676 8844264.exe 4932 w02600.exe 4712 5rxxrrl.exe 924 frrrrlf.exe 1252 2266066.exe 224 pjjdd.exe 4036 262660.exe 4984 pddvp.exe 4740 448024.exe 1596 bbbttt.exe 3588 xrffxxf.exe 4400 lflllrl.exe 3472 vpjpv.exe 4480 288828.exe 2844 9bhbbb.exe 1820 42604.exe 3240 028444.exe 4644 bnhbbb.exe 320 vpvpd.exe 644 68404.exe 3960 pjjdd.exe 3488 04660.exe 4352 5fxlfff.exe 536 3jdvv.exe 544 2688266.exe 1516 u822666.exe 3052 rrxrrll.exe 4788 a8844.exe 4232 9jpjj.exe 4364 fllxrlf.exe 3900 vvddp.exe 4452 64044.exe 4828 26044.exe 2432 xlrflrf.exe 4476 40022.exe 3988 frlfxlf.exe 1648 0806042.exe 2428 xlfxffl.exe -
resource yara_rule behavioral2/memory/1348-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4932-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-410-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3772-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-813-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-1008-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-1147-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4482048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 880482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 004206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2644040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2048660.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6686004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262660.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1348 wrote to memory of 1848 1348 3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe 83 PID 1348 wrote to memory of 1848 1348 3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe 83 PID 1348 wrote to memory of 1848 1348 3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe 83 PID 1848 wrote to memory of 456 1848 g2264.exe 84 PID 1848 wrote to memory of 456 1848 g2264.exe 84 PID 1848 wrote to memory of 456 1848 g2264.exe 84 PID 456 wrote to memory of 4788 456 204860.exe 85 PID 456 wrote to memory of 4788 456 204860.exe 85 PID 456 wrote to memory of 4788 456 204860.exe 85 PID 4788 wrote to memory of 2200 4788 9rlxrrl.exe 86 PID 4788 wrote to memory of 2200 4788 9rlxrrl.exe 86 PID 4788 wrote to memory of 2200 4788 9rlxrrl.exe 86 PID 2200 wrote to memory of 2192 2200 426826.exe 87 PID 2200 wrote to memory of 2192 2200 426826.exe 87 PID 2200 wrote to memory of 2192 2200 426826.exe 87 PID 2192 wrote to memory of 4340 2192 dpppp.exe 88 PID 2192 wrote to memory of 4340 2192 dpppp.exe 88 PID 2192 wrote to memory of 4340 2192 dpppp.exe 88 PID 4340 wrote to memory of 3068 4340 dpvpj.exe 89 PID 4340 wrote to memory of 3068 4340 dpvpj.exe 89 PID 4340 wrote to memory of 3068 4340 dpvpj.exe 89 PID 3068 wrote to memory of 3988 3068 vpvpv.exe 90 PID 3068 wrote to memory of 3988 3068 vpvpv.exe 90 PID 3068 wrote to memory of 3988 3068 vpvpv.exe 90 PID 3988 wrote to memory of 720 3988 4260004.exe 91 PID 3988 wrote to memory of 720 3988 4260004.exe 91 PID 3988 wrote to memory of 720 3988 4260004.exe 91 PID 720 wrote to memory of 4044 720 nbthtn.exe 92 PID 720 wrote to memory of 4044 720 nbthtn.exe 92 PID 720 wrote to memory of 4044 720 nbthtn.exe 92 PID 4044 wrote to memory of 4296 4044 04882.exe 93 PID 4044 wrote to memory of 4296 4044 04882.exe 93 PID 4044 wrote to memory of 4296 4044 04882.exe 93 PID 4296 wrote to memory of 2160 4296 4684866.exe 94 PID 4296 wrote to memory of 2160 4296 
4684866.exe 94 PID 4296 wrote to memory of 2160 4296 4684866.exe 94 PID 2160 wrote to memory of 1756 2160 tbbbnh.exe 95 PID 2160 wrote to memory of 1756 2160 tbbbnh.exe 95 PID 2160 wrote to memory of 1756 2160 tbbbnh.exe 95 PID 1756 wrote to memory of 2752 1756 bttnnt.exe 96 PID 1756 wrote to memory of 2752 1756 bttnnt.exe 96 PID 1756 wrote to memory of 2752 1756 bttnnt.exe 96 PID 2752 wrote to memory of 4796 2752 4664648.exe 97 PID 2752 wrote to memory of 4796 2752 4664648.exe 97 PID 2752 wrote to memory of 4796 2752 4664648.exe 97 PID 4796 wrote to memory of 4800 4796 bnnnnb.exe 98 PID 4796 wrote to memory of 4800 4796 bnnnnb.exe 98 PID 4796 wrote to memory of 4800 4796 bnnnnb.exe 98 PID 4800 wrote to memory of 4212 4800 jjvpj.exe 99 PID 4800 wrote to memory of 4212 4800 jjvpj.exe 99 PID 4800 wrote to memory of 4212 4800 jjvpj.exe 99 PID 4212 wrote to memory of 4572 4212 tbthth.exe 100 PID 4212 wrote to memory of 4572 4212 tbthth.exe 100 PID 4212 wrote to memory of 4572 4212 tbthth.exe 100 PID 4572 wrote to memory of 5024 4572 xlfxlfx.exe 101 PID 4572 wrote to memory of 5024 4572 xlfxlfx.exe 101 PID 4572 wrote to memory of 5024 4572 xlfxlfx.exe 101 PID 5024 wrote to memory of 2892 5024 86682.exe 102 PID 5024 wrote to memory of 2892 5024 86682.exe 102 PID 5024 wrote to memory of 2892 5024 86682.exe 102 PID 2892 wrote to memory of 1120 2892 888206.exe 103 PID 2892 wrote to memory of 1120 2892 888206.exe 103 PID 2892 wrote to memory of 1120 2892 888206.exe 103 PID 1120 wrote to memory of 2280 1120 xrxlrlr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe"C:\Users\Admin\AppData\Local\Temp\3c3ca734e2520d29a08670819ae17dc47de184828d7eba5c2e3da73e5b5a9319.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\g2264.exec:\g2264.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\204860.exec:\204860.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\9rlxrrl.exec:\9rlxrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\426826.exec:\426826.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\dpppp.exec:\dpppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\dpvpj.exec:\dpvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\vpvpv.exec:\vpvpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\4260004.exec:\4260004.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\nbthtn.exec:\nbthtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\04882.exec:\04882.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\4684866.exec:\4684866.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\tbbbnh.exec:\tbbbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\bttnnt.exec:\bttnnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\4664648.exec:\4664648.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\bnnnnb.exec:\bnnnnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\jjvpj.exec:\jjvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\tbthth.exec:\tbthth.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\xlfxlfx.exec:\xlfxlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\86682.exec:\86682.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\888206.exec:\888206.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\xrxlrlr.exec:\xrxlrlr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\nbbnbt.exec:\nbbnbt.exe23⤵
- Executes dropped EXE
PID:2280 -
\??\c:\dpjpj.exec:\dpjpj.exe24⤵
- Executes dropped EXE
PID:1236 -
\??\c:\nbhbhb.exec:\nbhbhb.exe25⤵
- Executes dropped EXE
PID:4900 -
\??\c:\hbnbhn.exec:\hbnbhn.exe26⤵
- Executes dropped EXE
PID:2424 -
\??\c:\o002042.exec:\o002042.exe27⤵
- Executes dropped EXE
PID:2108 -
\??\c:\8844264.exec:\8844264.exe28⤵
- Executes dropped EXE
PID:2676 -
\??\c:\w02600.exec:\w02600.exe29⤵
- Executes dropped EXE
PID:4932 -
\??\c:\5rxxrrl.exec:\5rxxrrl.exe30⤵
- Executes dropped EXE
PID:4712 -
\??\c:\frrrrlf.exec:\frrrrlf.exe31⤵
- Executes dropped EXE
PID:924 -
\??\c:\2266066.exec:\2266066.exe32⤵
- Executes dropped EXE
PID:1252 -
\??\c:\pjjdd.exec:\pjjdd.exe33⤵
- Executes dropped EXE
PID:224 -
\??\c:\262660.exec:\262660.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4036 -
\??\c:\pddvp.exec:\pddvp.exe35⤵
- Executes dropped EXE
PID:4984 -
\??\c:\448024.exec:\448024.exe36⤵
- Executes dropped EXE
PID:4740 -
\??\c:\bbbttt.exec:\bbbttt.exe37⤵
- Executes dropped EXE
PID:1596 -
\??\c:\xrffxxf.exec:\xrffxxf.exe38⤵
- Executes dropped EXE
PID:3588 -
\??\c:\lflllrl.exec:\lflllrl.exe39⤵
- Executes dropped EXE
PID:4400 -
\??\c:\vpjpv.exec:\vpjpv.exe40⤵
- Executes dropped EXE
PID:3472 -
\??\c:\288828.exec:\288828.exe41⤵
- Executes dropped EXE
PID:4480 -
\??\c:\9bhbbb.exec:\9bhbbb.exe42⤵
- Executes dropped EXE
PID:2844 -
\??\c:\42604.exec:\42604.exe43⤵
- Executes dropped EXE
PID:1820 -
\??\c:\028444.exec:\028444.exe44⤵
- Executes dropped EXE
PID:3240 -
\??\c:\bnhbbb.exec:\bnhbbb.exe45⤵
- Executes dropped EXE
PID:4644 -
\??\c:\vpvpd.exec:\vpvpd.exe46⤵
- Executes dropped EXE
PID:320 -
\??\c:\68404.exec:\68404.exe47⤵
- Executes dropped EXE
PID:644 -
\??\c:\pjjdd.exec:\pjjdd.exe48⤵
- Executes dropped EXE
PID:3960 -
\??\c:\04660.exec:\04660.exe49⤵
- Executes dropped EXE
PID:3488 -
\??\c:\5fxlfff.exec:\5fxlfff.exe50⤵
- Executes dropped EXE
PID:4352 -
\??\c:\24242.exec:\24242.exe51⤵PID:1212
-
\??\c:\3jdvv.exec:\3jdvv.exe52⤵
- Executes dropped EXE
PID:536 -
\??\c:\2688266.exec:\2688266.exe53⤵
- Executes dropped EXE
PID:544 -
\??\c:\u822666.exec:\u822666.exe54⤵
- Executes dropped EXE
PID:1516 -
\??\c:\rrxrrll.exec:\rrxrrll.exe55⤵
- Executes dropped EXE
PID:3052 -
\??\c:\a8844.exec:\a8844.exe56⤵
- Executes dropped EXE
PID:4788 -
\??\c:\9jpjj.exec:\9jpjj.exe57⤵
- Executes dropped EXE
PID:4232 -
\??\c:\fllxrlf.exec:\fllxrlf.exe58⤵
- Executes dropped EXE
PID:4364 -
\??\c:\vvddp.exec:\vvddp.exe59⤵
- Executes dropped EXE
PID:3900 -
\??\c:\64044.exec:\64044.exe60⤵
- Executes dropped EXE
PID:4452 -
\??\c:\26044.exec:\26044.exe61⤵
- Executes dropped EXE
PID:4828 -
\??\c:\xlrflrf.exec:\xlrflrf.exe62⤵
- Executes dropped EXE
PID:2432 -
\??\c:\40022.exec:\40022.exe63⤵
- Executes dropped EXE
PID:4476 -
\??\c:\frlfxlf.exec:\frlfxlf.exe64⤵
- Executes dropped EXE
PID:3988 -
\??\c:\0806042.exec:\0806042.exe65⤵
- Executes dropped EXE
PID:1648 -
\??\c:\xlfxffl.exec:\xlfxffl.exe66⤵
- Executes dropped EXE
PID:2428 -
\??\c:\dpjdv.exec:\dpjdv.exe67⤵PID:4884
-
\??\c:\0282200.exec:\0282200.exe68⤵PID:796
-
\??\c:\446088.exec:\446088.exe69⤵PID:1472
-
\??\c:\826404.exec:\826404.exe70⤵PID:1336
-
\??\c:\8620040.exec:\8620040.exe71⤵PID:4928
-
\??\c:\4026048.exec:\4026048.exe72⤵PID:2716
-
\??\c:\bbhbnb.exec:\bbhbnb.exe73⤵PID:4456
-
\??\c:\vpvpv.exec:\vpvpv.exe74⤵PID:4184
-
\??\c:\0260866.exec:\0260866.exe75⤵PID:5076
-
\??\c:\pdddv.exec:\pdddv.exe76⤵PID:2156
-
\??\c:\1htttt.exec:\1htttt.exe77⤵PID:4976
-
\??\c:\4286082.exec:\4286082.exe78⤵PID:4528
-
\??\c:\jjpjd.exec:\jjpjd.exe79⤵PID:2064
-
\??\c:\2826044.exec:\2826044.exe80⤵PID:4936
-
\??\c:\6686004.exec:\6686004.exe81⤵
- System Location Discovery: System Language Discovery
PID:2512 -
\??\c:\7xrlfxr.exec:\7xrlfxr.exe82⤵PID:4764
-
\??\c:\228200.exec:\228200.exe83⤵PID:1532
-
\??\c:\0426606.exec:\0426606.exe84⤵PID:1004
-
\??\c:\rrxrrrl.exec:\rrxrrrl.exe85⤵PID:1172
-
\??\c:\8644826.exec:\8644826.exe86⤵PID:3856
-
\??\c:\602204.exec:\602204.exe87⤵PID:4440
-
\??\c:\rfrfxxf.exec:\rfrfxxf.exe88⤵PID:4820
-
\??\c:\642244.exec:\642244.exe89⤵PID:4500
-
\??\c:\0882282.exec:\0882282.exe90⤵PID:4924
-
\??\c:\80420.exec:\80420.exe91⤵PID:744
-
\??\c:\pjpjj.exec:\pjpjj.exe92⤵PID:1952
-
\??\c:\80806.exec:\80806.exe93⤵PID:4316
-
\??\c:\28242.exec:\28242.exe94⤵PID:2916
-
\??\c:\k46004.exec:\k46004.exe95⤵PID:2524
-
\??\c:\bbtntn.exec:\bbtntn.exe96⤵PID:4656
-
\??\c:\nbtnbt.exec:\nbtnbt.exe97⤵PID:4716
-
\??\c:\rfxrlxr.exec:\rfxrlxr.exe98⤵PID:1580
-
\??\c:\440826.exec:\440826.exe99⤵PID:4640
-
\??\c:\80642.exec:\80642.exe100⤵PID:624
-
\??\c:\djjvp.exec:\djjvp.exe101⤵PID:112
-
\??\c:\ppvjv.exec:\ppvjv.exe102⤵PID:4404
-
\??\c:\422264.exec:\422264.exe103⤵PID:4484
-
\??\c:\dvvpd.exec:\dvvpd.exe104⤵PID:2956
-
\??\c:\httnhh.exec:\httnhh.exe105⤵PID:3584
-
\??\c:\8848640.exec:\8848640.exe106⤵PID:1656
-
\??\c:\xrxxffl.exec:\xrxxffl.exe107⤵PID:3772
-
\??\c:\xlfxxxr.exec:\xlfxxxr.exe108⤵
- System Location Discovery: System Language Discovery
PID:5000 -
\??\c:\vvdpp.exec:\vvdpp.exe109⤵PID:4960
-
\??\c:\dpvpj.exec:\dpvpj.exe110⤵PID:2384
-
\??\c:\046422.exec:\046422.exe111⤵PID:264
-
\??\c:\40266.exec:\40266.exe112⤵PID:5056
-
\??\c:\4488228.exec:\4488228.exe113⤵PID:2604
-
\??\c:\bthnhn.exec:\bthnhn.exe114⤵PID:4380
-
\??\c:\284860.exec:\284860.exe115⤵PID:692
-
\??\c:\8066222.exec:\8066222.exe116⤵PID:4552
-
\??\c:\2468402.exec:\2468402.exe117⤵PID:4188
-
\??\c:\llrrllf.exec:\llrrllf.exe118⤵PID:2596
-
\??\c:\hbnhhb.exec:\hbnhhb.exe119⤵PID:4420
-
\??\c:\bnnntb.exec:\bnnntb.exe120⤵PID:772
-
\??\c:\6008822.exec:\6008822.exe121⤵PID:4788
-
\??\c:\nhhbtt.exec:\nhhbtt.exe122⤵PID:4232