Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 21:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe
-
Size
454KB
-
MD5
cb8b26870b10c039c882fc9f5ff98db9
-
SHA1
a3677c5a249272134da6b6b59be0fb24b9184344
-
SHA256
593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9
-
SHA512
81a6c3b0e9d436319461afdba47e4dfc3b5c1d9b25e18ef1d3c67f420f75398262fc02ccb89cc60fd4073f25d04cf5c69e97c59703ce3c1f0afd5afb8fd2837b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3320-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3052-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/796-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1356-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-778-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-926-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-975-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-1141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-1208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-1212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4428-1398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2520 44048.exe 4700 xlfxrlf.exe 1124 2622224.exe 2008 nnthtb.exe 2384 frxrlrl.exe 900 rlxllff.exe 4964 3vpdp.exe 4220 5pvpd.exe 4232 0448220.exe 1836 dppjd.exe 2500 8404826.exe 3900 04262.exe 1356 pjvpp.exe 2712 fxfxflf.exe 4888 086222.exe 4516 bnbbtn.exe 4012 86084.exe 4724 lrxxfxl.exe 3792 hnbtnn.exe 4740 llrllll.exe 4892 2444068.exe 184 q02626.exe 4956 nbnhbb.exe 4368 5lfllll.exe 4824 bhntnn.exe 1232 8400488.exe 2196 228482.exe 4660 tnbtbt.exe 728 26048.exe 1648 4668446.exe 5008 864484.exe 4236 2226008.exe 3924 hthhhh.exe 4784 0666660.exe 3448 dpddv.exe 1724 xlrlfrl.exe 1012 bbbtbh.exe 4920 a2484.exe 3052 60282.exe 4412 8066004.exe 4428 llrrlfx.exe 3320 044688.exe 3152 u800446.exe 2276 08864.exe 3980 2006048.exe 1260 xrflxrl.exe 2008 646004.exe 2384 28660.exe 4572 pjjdd.exe 1336 06822.exe 2476 1tthbb.exe 936 vpjvp.exe 2868 9rrlxxr.exe 3868 dddvv.exe 4584 m2822.exe 2564 482660.exe 3604 vddvp.exe 4532 3fxrrrl.exe 2336 240048.exe 864 84482.exe 4888 4686020.exe 684 2060888.exe 1932 s8882.exe 4736 s8862.exe -
resource yara_rule behavioral2/memory/3320-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-185-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1724-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/796-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-67-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4964-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-768-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-778-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0888200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0844488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0464260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e40442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6888604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3320 wrote to memory of 2520 3320 593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe 84 PID 3320 wrote to memory of 2520 3320 593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe 84 PID 3320 wrote to memory of 2520 3320 593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe 84 PID 2520 wrote to memory of 4700 2520 44048.exe 85 PID 2520 wrote to memory of 4700 2520 44048.exe 85 PID 2520 wrote to memory of 4700 2520 44048.exe 85 PID 4700 wrote to memory of 1124 4700 xlfxrlf.exe 86 PID 4700 wrote to memory of 1124 4700 xlfxrlf.exe 86 PID 4700 wrote to memory of 1124 4700 xlfxrlf.exe 86 PID 1124 wrote to memory of 2008 1124 2622224.exe 130 PID 1124 wrote to memory of 2008 1124 2622224.exe 130 PID 1124 wrote to memory of 2008 1124 2622224.exe 130 PID 2008 wrote to memory of 2384 2008 nnthtb.exe 131 PID 2008 wrote to memory of 2384 2008 nnthtb.exe 131 PID 2008 wrote to memory of 2384 2008 nnthtb.exe 131 PID 2384 wrote to memory of 900 2384 frxrlrl.exe 89 PID 2384 wrote to memory of 900 2384 frxrlrl.exe 89 PID 2384 wrote to memory of 900 2384 frxrlrl.exe 89 PID 900 wrote to memory of 4964 900 rlxllff.exe 90 PID 900 wrote to memory of 4964 900 rlxllff.exe 90 PID 900 wrote to memory of 4964 900 rlxllff.exe 90 PID 4964 wrote to memory of 4220 4964 3vpdp.exe 91 PID 4964 wrote to memory of 4220 4964 3vpdp.exe 91 PID 4964 wrote to memory of 4220 4964 3vpdp.exe 91 PID 4220 wrote to memory of 4232 4220 5pvpd.exe 92 PID 4220 wrote to memory of 4232 4220 5pvpd.exe 92 PID 4220 wrote to memory of 4232 4220 5pvpd.exe 92 PID 4232 wrote to memory of 1836 4232 0448220.exe 93 PID 4232 wrote to memory of 1836 4232 0448220.exe 93 PID 4232 wrote to memory of 1836 4232 0448220.exe 93 PID 1836 wrote to memory of 2500 1836 dppjd.exe 94 PID 1836 wrote to memory of 2500 1836 dppjd.exe 94 PID 1836 wrote to memory of 2500 1836 dppjd.exe 94 PID 2500 wrote to memory of 3900 2500 8404826.exe 95 PID 2500 wrote to 
memory of 3900 2500 8404826.exe 95 PID 2500 wrote to memory of 3900 2500 8404826.exe 95 PID 3900 wrote to memory of 1356 3900 04262.exe 96 PID 3900 wrote to memory of 1356 3900 04262.exe 96 PID 3900 wrote to memory of 1356 3900 04262.exe 96 PID 1356 wrote to memory of 2712 1356 pjvpp.exe 97 PID 1356 wrote to memory of 2712 1356 pjvpp.exe 97 PID 1356 wrote to memory of 2712 1356 pjvpp.exe 97 PID 2712 wrote to memory of 4888 2712 fxfxflf.exe 98 PID 2712 wrote to memory of 4888 2712 fxfxflf.exe 98 PID 2712 wrote to memory of 4888 2712 fxfxflf.exe 98 PID 4888 wrote to memory of 4516 4888 086222.exe 99 PID 4888 wrote to memory of 4516 4888 086222.exe 99 PID 4888 wrote to memory of 4516 4888 086222.exe 99 PID 4516 wrote to memory of 4012 4516 bnbbtn.exe 100 PID 4516 wrote to memory of 4012 4516 bnbbtn.exe 100 PID 4516 wrote to memory of 4012 4516 bnbbtn.exe 100 PID 4012 wrote to memory of 4724 4012 86084.exe 101 PID 4012 wrote to memory of 4724 4012 86084.exe 101 PID 4012 wrote to memory of 4724 4012 86084.exe 101 PID 4724 wrote to memory of 3792 4724 lrxxfxl.exe 102 PID 4724 wrote to memory of 3792 4724 lrxxfxl.exe 102 PID 4724 wrote to memory of 3792 4724 lrxxfxl.exe 102 PID 3792 wrote to memory of 4740 3792 hnbtnn.exe 103 PID 3792 wrote to memory of 4740 3792 hnbtnn.exe 103 PID 3792 wrote to memory of 4740 3792 hnbtnn.exe 103 PID 4740 wrote to memory of 4892 4740 llrllll.exe 104 PID 4740 wrote to memory of 4892 4740 llrllll.exe 104 PID 4740 wrote to memory of 4892 4740 llrllll.exe 104 PID 4892 wrote to memory of 184 4892 2444068.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe"C:\Users\Admin\AppData\Local\Temp\593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\44048.exec:\44048.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\xlfxrlf.exec:\xlfxrlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\2622224.exec:\2622224.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\nnthtb.exec:\nnthtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\frxrlrl.exec:\frxrlrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\rlxllff.exec:\rlxllff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\3vpdp.exec:\3vpdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\5pvpd.exec:\5pvpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\0448220.exec:\0448220.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\dppjd.exec:\dppjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\8404826.exec:\8404826.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\04262.exec:\04262.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\pjvpp.exec:\pjvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\fxfxflf.exec:\fxfxflf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\086222.exec:\086222.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\bnbbtn.exec:\bnbbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\86084.exec:\86084.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\lrxxfxl.exec:\lrxxfxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\hnbtnn.exec:\hnbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\llrllll.exec:\llrllll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\2444068.exec:\2444068.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\q02626.exec:\q02626.exe23⤵
- Executes dropped EXE
PID:184 -
\??\c:\nbnhbb.exec:\nbnhbb.exe24⤵
- Executes dropped EXE
PID:4956 -
\??\c:\5lfllll.exec:\5lfllll.exe25⤵
- Executes dropped EXE
PID:4368 -
\??\c:\bhntnn.exec:\bhntnn.exe26⤵
- Executes dropped EXE
PID:4824 -
\??\c:\8400488.exec:\8400488.exe27⤵
- Executes dropped EXE
PID:1232 -
\??\c:\228482.exec:\228482.exe28⤵
- Executes dropped EXE
PID:2196 -
\??\c:\tnbtbt.exec:\tnbtbt.exe29⤵
- Executes dropped EXE
PID:4660 -
\??\c:\26048.exec:\26048.exe30⤵
- Executes dropped EXE
PID:728 -
\??\c:\4668446.exec:\4668446.exe31⤵
- Executes dropped EXE
PID:1648 -
\??\c:\864484.exec:\864484.exe32⤵
- Executes dropped EXE
PID:5008 -
\??\c:\2226008.exec:\2226008.exe33⤵
- Executes dropped EXE
PID:4236 -
\??\c:\hthhhh.exec:\hthhhh.exe34⤵
- Executes dropped EXE
PID:3924 -
\??\c:\0666660.exec:\0666660.exe35⤵
- Executes dropped EXE
PID:4784 -
\??\c:\dpddv.exec:\dpddv.exe36⤵
- Executes dropped EXE
PID:3448 -
\??\c:\xlrlfrl.exec:\xlrlfrl.exe37⤵
- Executes dropped EXE
PID:1724 -
\??\c:\bbbtbh.exec:\bbbtbh.exe38⤵
- Executes dropped EXE
PID:1012 -
\??\c:\a2484.exec:\a2484.exe39⤵
- Executes dropped EXE
PID:4920 -
\??\c:\60282.exec:\60282.exe40⤵
- Executes dropped EXE
PID:3052 -
\??\c:\8066004.exec:\8066004.exe41⤵
- Executes dropped EXE
PID:4412 -
\??\c:\llrrlfx.exec:\llrrlfx.exe42⤵
- Executes dropped EXE
PID:4428 -
\??\c:\044688.exec:\044688.exe43⤵
- Executes dropped EXE
PID:3320 -
\??\c:\u800446.exec:\u800446.exe44⤵
- Executes dropped EXE
PID:3152 -
\??\c:\08864.exec:\08864.exe45⤵
- Executes dropped EXE
PID:2276 -
\??\c:\2006048.exec:\2006048.exe46⤵
- Executes dropped EXE
PID:3980 -
\??\c:\xrflxrl.exec:\xrflxrl.exe47⤵
- Executes dropped EXE
PID:1260 -
\??\c:\646004.exec:\646004.exe48⤵
- Executes dropped EXE
PID:2008 -
\??\c:\28660.exec:\28660.exe49⤵
- Executes dropped EXE
PID:2384 -
\??\c:\pjjdd.exec:\pjjdd.exe50⤵
- Executes dropped EXE
PID:4572 -
\??\c:\06822.exec:\06822.exe51⤵
- Executes dropped EXE
PID:1336 -
\??\c:\1tthbb.exec:\1tthbb.exe52⤵
- Executes dropped EXE
PID:2476 -
\??\c:\vpjvp.exec:\vpjvp.exe53⤵
- Executes dropped EXE
PID:936 -
\??\c:\9rrlxxr.exec:\9rrlxxr.exe54⤵
- Executes dropped EXE
PID:2868 -
\??\c:\dddvv.exec:\dddvv.exe55⤵
- Executes dropped EXE
PID:3868 -
\??\c:\m2822.exec:\m2822.exe56⤵
- Executes dropped EXE
PID:4584 -
\??\c:\482660.exec:\482660.exe57⤵
- Executes dropped EXE
PID:2564 -
\??\c:\vddvp.exec:\vddvp.exe58⤵
- Executes dropped EXE
PID:3604 -
\??\c:\3fxrrrl.exec:\3fxrrrl.exe59⤵
- Executes dropped EXE
PID:4532 -
\??\c:\240048.exec:\240048.exe60⤵
- Executes dropped EXE
PID:2336 -
\??\c:\84482.exec:\84482.exe61⤵
- Executes dropped EXE
PID:864 -
\??\c:\4686020.exec:\4686020.exe62⤵
- Executes dropped EXE
PID:4888 -
\??\c:\2060888.exec:\2060888.exe63⤵
- Executes dropped EXE
PID:684 -
\??\c:\s8882.exec:\s8882.exe64⤵
- Executes dropped EXE
PID:1932 -
\??\c:\s8862.exec:\s8862.exe65⤵
- Executes dropped EXE
PID:4736 -
\??\c:\3nbtnn.exec:\3nbtnn.exe66⤵PID:3164
-
\??\c:\26660.exec:\26660.exe67⤵PID:3960
-
\??\c:\vvvvp.exec:\vvvvp.exe68⤵PID:3820
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe69⤵PID:4132
-
\??\c:\htbhnt.exec:\htbhnt.exe70⤵PID:924
-
\??\c:\84040.exec:\84040.exe71⤵PID:3292
-
\??\c:\428648.exec:\428648.exe72⤵PID:4268
-
\??\c:\xxlxrlf.exec:\xxlxrlf.exe73⤵PID:1732
-
\??\c:\484444.exec:\484444.exe74⤵PID:2448
-
\??\c:\thbthb.exec:\thbthb.exe75⤵PID:2268
-
\??\c:\3xfxllr.exec:\3xfxllr.exe76⤵PID:4852
-
\??\c:\44042.exec:\44042.exe77⤵PID:796
-
\??\c:\vppjd.exec:\vppjd.exe78⤵PID:1804
-
\??\c:\fxxrllf.exec:\fxxrllf.exe79⤵PID:1920
-
\??\c:\rlxrrlf.exec:\rlxrrlf.exe80⤵PID:2760
-
\??\c:\2802262.exec:\2802262.exe81⤵PID:4808
-
\??\c:\2848260.exec:\2848260.exe82⤵PID:4400
-
\??\c:\lflxrfx.exec:\lflxrfx.exe83⤵PID:1052
-
\??\c:\424408.exec:\424408.exe84⤵PID:4044
-
\??\c:\44822.exec:\44822.exe85⤵PID:4664
-
\??\c:\tthhnn.exec:\tthhnn.exe86⤵PID:1788
-
\??\c:\5vppj.exec:\5vppj.exe87⤵PID:1636
-
\??\c:\26848.exec:\26848.exe88⤵PID:4784
-
\??\c:\4408604.exec:\4408604.exe89⤵PID:2568
-
\??\c:\jvddp.exec:\jvddp.exe90⤵PID:2628
-
\??\c:\jjppv.exec:\jjppv.exe91⤵PID:1236
-
\??\c:\bttnnn.exec:\bttnnn.exe92⤵PID:4500
-
\??\c:\2620482.exec:\2620482.exe93⤵PID:1176
-
\??\c:\2442228.exec:\2442228.exe94⤵PID:4464
-
\??\c:\2404848.exec:\2404848.exe95⤵PID:1676
-
\??\c:\lfxrllf.exec:\lfxrllf.exe96⤵PID:2520
-
\??\c:\1pddv.exec:\1pddv.exe97⤵PID:4552
-
\??\c:\84622.exec:\84622.exe98⤵PID:3152
-
\??\c:\lrfrlxf.exec:\lrfrlxf.exe99⤵PID:4980
-
\??\c:\vpvdd.exec:\vpvdd.exe100⤵PID:4484
-
\??\c:\262080.exec:\262080.exe101⤵PID:2004
-
\??\c:\44048.exec:\44048.exe102⤵PID:4336
-
\??\c:\2680802.exec:\2680802.exe103⤵PID:4812
-
\??\c:\044482.exec:\044482.exe104⤵PID:4672
-
\??\c:\000422.exec:\000422.exe105⤵PID:2236
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe106⤵PID:468
-
\??\c:\lxrlllr.exec:\lxrlllr.exe107⤵PID:400
-
\??\c:\040486.exec:\040486.exe108⤵PID:3312
-
\??\c:\42844.exec:\42844.exe109⤵PID:4232
-
\??\c:\1tttnn.exec:\1tttnn.exe110⤵PID:5012
-
\??\c:\428484.exec:\428484.exe111⤵PID:4576
-
\??\c:\i244826.exec:\i244826.exe112⤵PID:3060
-
\??\c:\c026226.exec:\c026226.exe113⤵PID:2116
-
\??\c:\dvdvp.exec:\dvdvp.exe114⤵PID:704
-
\??\c:\jvvpj.exec:\jvvpj.exe115⤵PID:4396
-
\??\c:\200448.exec:\200448.exe116⤵PID:1048
-
\??\c:\26660.exec:\26660.exe117⤵PID:2888
-
\??\c:\llfffll.exec:\llfffll.exe118⤵PID:684
-
\??\c:\hnttnn.exec:\hnttnn.exe119⤵PID:1932
-
\??\c:\httbtb.exec:\httbtb.exe120⤵PID:1896
-
\??\c:\4888660.exec:\4888660.exe121⤵PID:3704
-
\??\c:\hbnhbt.exec:\hbnhbt.exe122⤵PID:3612