Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe
-
Size
453KB
-
MD5
0fe2187cb558d7370cf21c3d181fce54
-
SHA1
d0e83b3b3278cb34ca72d963c9e25274f89e3790
-
SHA256
facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb
-
SHA512
2f5fc673b3ef95ee5c3ccc6f0524eab6f34a456a3bfe2a100f84e6e74a4d7bd6ac96aa93d0b5043505428c9b42555847a3ceb3351ad4df54b14b4051c0d8b892
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3532-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/520-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2664-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/596-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2964-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-1159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-1665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1804 88820.exe 3772 llllxff.exe 5108 4448260.exe 5044 0626000.exe 980 ddppp.exe 520 ntbnnn.exe 2312 nbhtnh.exe 4624 24682.exe 3668 djdvp.exe 2180 424482.exe 440 40044.exe 4328 1ppjd.exe 3292 hbbbtt.exe 1284 xllrlfx.exe 2904 tnthbb.exe 4316 3rfxrrf.exe 2356 vdpdv.exe 4564 tnbnhb.exe 1328 1dvjd.exe 3556 frxlfxl.exe 5036 1hbthh.exe 1904 pdjvp.exe 2664 ththbt.exe 4844 i664264.exe 2364 rxfrfxr.exe 4416 2882086.exe 1816 002600.exe 4244 xlrfrxr.exe 2272 xxrxrxx.exe 1456 s2864.exe 532 62000.exe 2376 9rfxlxx.exe 1240 k46040.exe 732 dvpdp.exe 4436 pdddv.exe 3612 djjdv.exe 2108 824844.exe 1556 ddjdv.exe 1768 28482.exe 1496 vjjdp.exe 4400 1xxlffx.exe 4388 s6660.exe 2372 48040.exe 3000 66888.exe 3296 dvpjd.exe 2532 2288226.exe 4212 26220.exe 5104 8664826.exe 872 8880202.exe 2420 488822.exe 3884 nttnbh.exe 4940 886602.exe 232 422604.exe 400 4682604.exe 2924 7hnntt.exe 772 822604.exe 460 btthnh.exe 2124 5hnnbt.exe 224 q46000.exe 596 xlrfxxr.exe 4904 486604.exe 3344 bttnhh.exe 3792 jpdpj.exe 716 c864004.exe -
resource yara_rule behavioral2/memory/3532-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/520-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2364-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/596-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-402-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3308-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-1097-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-1140-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q46000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 628200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 088604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4282626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2244840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3532 wrote to memory of 1804 3532 facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe 85 PID 3532 wrote to memory of 1804 3532 facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe 85 PID 3532 wrote to memory of 1804 3532 facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe 85 PID 1804 wrote to memory of 3772 1804 88820.exe 86 PID 1804 wrote to memory of 3772 1804 88820.exe 86 PID 1804 wrote to memory of 3772 1804 88820.exe 86 PID 3772 wrote to memory of 5108 3772 llllxff.exe 87 PID 3772 wrote to memory of 5108 3772 llllxff.exe 87 PID 3772 wrote to memory of 5108 3772 llllxff.exe 87 PID 5108 wrote to memory of 5044 5108 4448260.exe 88 PID 5108 wrote to memory of 5044 5108 4448260.exe 88 PID 5108 wrote to memory of 5044 5108 4448260.exe 88 PID 5044 wrote to memory of 980 5044 0626000.exe 89 PID 5044 wrote to memory of 980 5044 0626000.exe 89 PID 5044 wrote to memory of 980 5044 0626000.exe 89 PID 980 wrote to memory of 520 980 ddppp.exe 90 PID 980 wrote to memory of 520 980 ddppp.exe 90 PID 980 wrote to memory of 520 980 ddppp.exe 90 PID 520 wrote to memory of 2312 520 ntbnnn.exe 91 PID 520 wrote to memory of 2312 520 ntbnnn.exe 91 PID 520 wrote to memory of 2312 520 ntbnnn.exe 91 PID 2312 wrote to memory of 4624 2312 nbhtnh.exe 92 PID 2312 wrote to memory of 4624 2312 nbhtnh.exe 92 PID 2312 wrote to memory of 4624 2312 nbhtnh.exe 92 PID 4624 wrote to memory of 3668 4624 24682.exe 93 PID 4624 wrote to memory of 3668 4624 24682.exe 93 PID 4624 wrote to memory of 3668 4624 24682.exe 93 PID 3668 wrote to memory of 2180 3668 djdvp.exe 94 PID 3668 wrote to memory of 2180 3668 djdvp.exe 94 PID 3668 wrote to memory of 2180 3668 djdvp.exe 94 PID 2180 wrote to memory of 440 2180 424482.exe 95 PID 2180 wrote to memory of 440 2180 424482.exe 95 PID 2180 wrote to memory of 440 2180 424482.exe 95 PID 440 wrote to memory of 4328 440 40044.exe 96 PID 440 wrote to memory of 4328 440 40044.exe 
96 PID 440 wrote to memory of 4328 440 40044.exe 96 PID 4328 wrote to memory of 3292 4328 1ppjd.exe 97 PID 4328 wrote to memory of 3292 4328 1ppjd.exe 97 PID 4328 wrote to memory of 3292 4328 1ppjd.exe 97 PID 3292 wrote to memory of 1284 3292 hbbbtt.exe 98 PID 3292 wrote to memory of 1284 3292 hbbbtt.exe 98 PID 3292 wrote to memory of 1284 3292 hbbbtt.exe 98 PID 1284 wrote to memory of 2904 1284 xllrlfx.exe 99 PID 1284 wrote to memory of 2904 1284 xllrlfx.exe 99 PID 1284 wrote to memory of 2904 1284 xllrlfx.exe 99 PID 2904 wrote to memory of 4316 2904 tnthbb.exe 100 PID 2904 wrote to memory of 4316 2904 tnthbb.exe 100 PID 2904 wrote to memory of 4316 2904 tnthbb.exe 100 PID 4316 wrote to memory of 2356 4316 3rfxrrf.exe 101 PID 4316 wrote to memory of 2356 4316 3rfxrrf.exe 101 PID 4316 wrote to memory of 2356 4316 3rfxrrf.exe 101 PID 2356 wrote to memory of 4564 2356 vdpdv.exe 102 PID 2356 wrote to memory of 4564 2356 vdpdv.exe 102 PID 2356 wrote to memory of 4564 2356 vdpdv.exe 102 PID 4564 wrote to memory of 1328 4564 tnbnhb.exe 103 PID 4564 wrote to memory of 1328 4564 tnbnhb.exe 103 PID 4564 wrote to memory of 1328 4564 tnbnhb.exe 103 PID 1328 wrote to memory of 3556 1328 1dvjd.exe 104 PID 1328 wrote to memory of 3556 1328 1dvjd.exe 104 PID 1328 wrote to memory of 3556 1328 1dvjd.exe 104 PID 3556 wrote to memory of 5036 3556 frxlfxl.exe 105 PID 3556 wrote to memory of 5036 3556 frxlfxl.exe 105 PID 3556 wrote to memory of 5036 3556 frxlfxl.exe 105 PID 5036 wrote to memory of 1904 5036 1hbthh.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe"C:\Users\Admin\AppData\Local\Temp\facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\88820.exec:\88820.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\llllxff.exec:\llllxff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\4448260.exec:\4448260.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\0626000.exec:\0626000.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\ddppp.exec:\ddppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\ntbnnn.exec:\ntbnnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:520 -
\??\c:\nbhtnh.exec:\nbhtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\24682.exec:\24682.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\djdvp.exec:\djdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\424482.exec:\424482.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\40044.exec:\40044.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\1ppjd.exec:\1ppjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\hbbbtt.exec:\hbbbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\xllrlfx.exec:\xllrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\tnthbb.exec:\tnthbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\3rfxrrf.exec:\3rfxrrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\vdpdv.exec:\vdpdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\tnbnhb.exec:\tnbnhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\1dvjd.exec:\1dvjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\frxlfxl.exec:\frxlfxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\1hbthh.exec:\1hbthh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\pdjvp.exec:\pdjvp.exe23⤵
- Executes dropped EXE
PID:1904 -
\??\c:\ththbt.exec:\ththbt.exe24⤵
- Executes dropped EXE
PID:2664 -
\??\c:\i664264.exec:\i664264.exe25⤵
- Executes dropped EXE
PID:4844 -
\??\c:\rxfrfxr.exec:\rxfrfxr.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2364 -
\??\c:\2882086.exec:\2882086.exe27⤵
- Executes dropped EXE
PID:4416 -
\??\c:\002600.exec:\002600.exe28⤵
- Executes dropped EXE
PID:1816 -
\??\c:\xlrfrxr.exec:\xlrfrxr.exe29⤵
- Executes dropped EXE
PID:4244 -
\??\c:\xxrxrxx.exec:\xxrxrxx.exe30⤵
- Executes dropped EXE
PID:2272 -
\??\c:\s2864.exec:\s2864.exe31⤵
- Executes dropped EXE
PID:1456 -
\??\c:\62000.exec:\62000.exe32⤵
- Executes dropped EXE
PID:532 -
\??\c:\9rfxlxx.exec:\9rfxlxx.exe33⤵
- Executes dropped EXE
PID:2376 -
\??\c:\k46040.exec:\k46040.exe34⤵
- Executes dropped EXE
PID:1240 -
\??\c:\dvpdp.exec:\dvpdp.exe35⤵
- Executes dropped EXE
PID:732 -
\??\c:\pdddv.exec:\pdddv.exe36⤵
- Executes dropped EXE
PID:4436 -
\??\c:\djjdv.exec:\djjdv.exe37⤵
- Executes dropped EXE
PID:3612 -
\??\c:\824844.exec:\824844.exe38⤵
- Executes dropped EXE
PID:2108 -
\??\c:\ddjdv.exec:\ddjdv.exe39⤵
- Executes dropped EXE
PID:1556 -
\??\c:\28482.exec:\28482.exe40⤵
- Executes dropped EXE
PID:1768 -
\??\c:\vjjdp.exec:\vjjdp.exe41⤵
- Executes dropped EXE
PID:1496 -
\??\c:\1xxlffx.exec:\1xxlffx.exe42⤵
- Executes dropped EXE
PID:4400 -
\??\c:\s6660.exec:\s6660.exe43⤵
- Executes dropped EXE
PID:4388 -
\??\c:\48040.exec:\48040.exe44⤵
- Executes dropped EXE
PID:2372 -
\??\c:\66888.exec:\66888.exe45⤵
- Executes dropped EXE
PID:3000 -
\??\c:\dvpjd.exec:\dvpjd.exe46⤵
- Executes dropped EXE
PID:3296 -
\??\c:\2288226.exec:\2288226.exe47⤵
- Executes dropped EXE
PID:2532 -
\??\c:\26220.exec:\26220.exe48⤵
- Executes dropped EXE
PID:4212 -
\??\c:\8664826.exec:\8664826.exe49⤵
- Executes dropped EXE
PID:5104 -
\??\c:\8880202.exec:\8880202.exe50⤵
- Executes dropped EXE
PID:872 -
\??\c:\488822.exec:\488822.exe51⤵
- Executes dropped EXE
PID:2420 -
\??\c:\nttnbh.exec:\nttnbh.exe52⤵
- Executes dropped EXE
PID:3884 -
\??\c:\886602.exec:\886602.exe53⤵
- Executes dropped EXE
PID:4940 -
\??\c:\422604.exec:\422604.exe54⤵
- Executes dropped EXE
PID:232 -
\??\c:\4682604.exec:\4682604.exe55⤵
- Executes dropped EXE
PID:400 -
\??\c:\7hnntt.exec:\7hnntt.exe56⤵
- Executes dropped EXE
PID:2924 -
\??\c:\822604.exec:\822604.exe57⤵
- Executes dropped EXE
PID:772 -
\??\c:\btthnh.exec:\btthnh.exe58⤵
- Executes dropped EXE
PID:460 -
\??\c:\5hnnbt.exec:\5hnnbt.exe59⤵
- Executes dropped EXE
PID:2124 -
\??\c:\q46000.exec:\q46000.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:224 -
\??\c:\xlrfxxr.exec:\xlrfxxr.exe61⤵
- Executes dropped EXE
PID:596 -
\??\c:\486604.exec:\486604.exe62⤵
- Executes dropped EXE
PID:4904 -
\??\c:\bttnhh.exec:\bttnhh.exe63⤵
- Executes dropped EXE
PID:3344 -
\??\c:\jpdpj.exec:\jpdpj.exe64⤵
- Executes dropped EXE
PID:3792 -
\??\c:\c864004.exec:\c864004.exe65⤵
- Executes dropped EXE
PID:716 -
\??\c:\9ddpj.exec:\9ddpj.exe66⤵PID:4484
-
\??\c:\ntbnbt.exec:\ntbnbt.exe67⤵PID:5040
-
\??\c:\htbtth.exec:\htbtth.exe68⤵PID:700
-
\??\c:\462648.exec:\462648.exe69⤵PID:2356
-
\??\c:\9hbtbt.exec:\9hbtbt.exe70⤵PID:1752
-
\??\c:\5lrlllf.exec:\5lrlllf.exe71⤵PID:3536
-
\??\c:\m0266.exec:\m0266.exe72⤵PID:1328
-
\??\c:\dpvpd.exec:\dpvpd.exe73⤵PID:3500
-
\??\c:\8620600.exec:\8620600.exe74⤵PID:1264
-
\??\c:\nhnnnn.exec:\nhnnnn.exe75⤵PID:3724
-
\??\c:\684826.exec:\684826.exe76⤵PID:1904
-
\??\c:\3xfxrrf.exec:\3xfxrrf.exe77⤵PID:3340
-
\??\c:\628200.exec:\628200.exe78⤵
- System Location Discovery: System Language Discovery
PID:2784 -
\??\c:\22288.exec:\22288.exe79⤵PID:4284
-
\??\c:\622600.exec:\622600.exe80⤵PID:2364
-
\??\c:\0882648.exec:\0882648.exe81⤵PID:4156
-
\??\c:\s0086.exec:\s0086.exe82⤵PID:4256
-
\??\c:\rlrfxrr.exec:\rlrfxrr.exe83⤵PID:2964
-
\??\c:\jddvp.exec:\jddvp.exe84⤵PID:2544
-
\??\c:\e88266.exec:\e88266.exe85⤵PID:1224
-
\??\c:\8400826.exec:\8400826.exe86⤵PID:4780
-
\??\c:\hnnbtn.exec:\hnnbtn.exe87⤵PID:1388
-
\??\c:\7ppjv.exec:\7ppjv.exe88⤵PID:2348
-
\??\c:\bntnnh.exec:\bntnnh.exe89⤵PID:404
-
\??\c:\888462.exec:\888462.exe90⤵PID:5020
-
\??\c:\o862640.exec:\o862640.exe91⤵PID:2992
-
\??\c:\80882.exec:\80882.exe92⤵PID:2088
-
\??\c:\8242884.exec:\8242884.exe93⤵PID:4372
-
\??\c:\08482.exec:\08482.exe94⤵PID:2232
-
\??\c:\466224.exec:\466224.exe95⤵PID:4072
-
\??\c:\3rlxlfr.exec:\3rlxlfr.exe96⤵PID:4908
-
\??\c:\1rlfxrf.exec:\1rlfxrf.exe97⤵PID:4404
-
\??\c:\5btttt.exec:\5btttt.exe98⤵PID:1808
-
\??\c:\k02444.exec:\k02444.exe99⤵PID:3308
-
\??\c:\w02008.exec:\w02008.exe100⤵PID:3488
-
\??\c:\084268.exec:\084268.exe101⤵PID:2064
-
\??\c:\484644.exec:\484644.exe102⤵PID:5108
-
\??\c:\g6860.exec:\g6860.exe103⤵PID:3468
-
\??\c:\llxfrfl.exec:\llxfrfl.exe104⤵PID:5044
-
\??\c:\4226066.exec:\4226066.exe105⤵PID:2080
-
\??\c:\w88266.exec:\w88266.exe106⤵PID:4648
-
\??\c:\3jjvd.exec:\3jjvd.exe107⤵PID:2316
-
\??\c:\7xrxrxr.exec:\7xrxrxr.exe108⤵PID:452
-
\??\c:\7lxffll.exec:\7lxffll.exe109⤵PID:4664
-
\??\c:\20226.exec:\20226.exe110⤵PID:544
-
\??\c:\u664860.exec:\u664860.exe111⤵PID:1412
-
\??\c:\ffrxrlf.exec:\ffrxrlf.exe112⤵
- System Location Discovery: System Language Discovery
PID:3664 -
\??\c:\9jpjv.exec:\9jpjv.exe113⤵PID:1664
-
\??\c:\9hbnhb.exec:\9hbnhb.exe114⤵PID:772
-
\??\c:\7rfrlfx.exec:\7rfrlfx.exe115⤵PID:460
-
\??\c:\7xlxrlx.exec:\7xlxrlx.exe116⤵PID:2124
-
\??\c:\g6260.exec:\g6260.exe117⤵PID:2148
-
\??\c:\a0626.exec:\a0626.exe118⤵PID:596
-
\??\c:\4060826.exec:\4060826.exe119⤵PID:228
-
\??\c:\pvdpj.exec:\pvdpj.exe120⤵PID:2688
-
\??\c:\8282040.exec:\8282040.exe121⤵PID:692
-
\??\c:\xrxrrff.exec:\xrxrrff.exe122⤵PID:2904