Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
25-12-2024 22:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe
-
Size
454KB
-
MD5
d8bb4b686882d9513e81344cef3e84f0
-
SHA1
caeca27ea26e29b7eb91ebe3962ca4f0b4f9dfd0
-
SHA256
3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9c
-
SHA512
177bc87bb55b151bc85decdc7833ddb08ebae350ad15270cf173eb19540390961159baf94421f447d50f454d884102bc22fd0ffd60f7725748e38892a82c1e60
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3728-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4944-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3500-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-1031-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-1404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-1419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3988-1454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3248 i444000.exe 3340 600000.exe 1752 04628.exe 5088 4882266.exe 4268 btnbbt.exe 2824 jpjvj.exe 412 vpddj.exe 208 flrfxrf.exe 2216 rffrlxl.exe 3564 rxrlxxr.exe 2700 2008608.exe 832 80648.exe 2280 0884248.exe 2752 nbnhbt.exe 4520 28200.exe 4000 5lfrfxl.exe 4928 q02042.exe 2404 3vjvp.exe 724 jjjdj.exe 748 0004826.exe 3876 bnnthb.exe 4896 0008604.exe 3000 282660.exe 4644 084282.exe 3644 88086.exe 4992 8842042.exe 4588 424288.exe 2368 4060826.exe 1444 lrlxrlf.exe 888 604644.exe 2296 3pjvj.exe 1660 46004.exe 4324 jddvj.exe 3416 htbntn.exe 3788 jvjvp.exe 3012 62882.exe 3560 7pdpj.exe 3584 1lfrfxr.exe 1308 bnnbtn.exe 3716 i404248.exe 4944 xllfxrl.exe 3392 626060.exe 1740 bnnhnb.exe 680 xlfxrrl.exe 4052 s0686.exe 4964 6664204.exe 4380 jvpjv.exe 5064 thnnnh.exe 2696 nhhtnn.exe 1084 5nntnh.exe 3688 64260.exe 1388 rxxrffr.exe 4056 3hhbtn.exe 4312 lxfxxrr.exe 2876 ntbnbt.exe 2736 tnhthb.exe 976 20042.exe 1132 4664220.exe 2156 bnhbhb.exe 4392 e62426.exe 4776 bnnnbt.exe 4416 08826.exe 1684 00608.exe 4848 844826.exe -
resource yara_rule behavioral2/memory/3728-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-226-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4944-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-390-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1376-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/656-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-804-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q88082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6664204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lffrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3728 wrote to memory of 3248 3728 3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe 85 PID 3728 wrote to memory of 3248 3728 3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe 85 PID 3728 wrote to memory of 3248 3728 3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe 85 PID 3248 wrote to memory of 3340 3248 i444000.exe 86 PID 3248 wrote to memory of 3340 3248 i444000.exe 86 PID 3248 wrote to memory of 3340 3248 i444000.exe 86 PID 3340 wrote to memory of 1752 3340 600000.exe 87 PID 3340 wrote to memory of 1752 3340 600000.exe 87 PID 3340 wrote to memory of 1752 3340 600000.exe 87 PID 1752 wrote to memory of 5088 1752 04628.exe 88 PID 1752 wrote to memory of 5088 1752 04628.exe 88 PID 1752 wrote to memory of 5088 1752 04628.exe 88 PID 5088 wrote to memory of 4268 5088 4882266.exe 89 PID 5088 wrote to memory of 4268 5088 4882266.exe 89 PID 5088 wrote to memory of 4268 5088 4882266.exe 89 PID 4268 wrote to memory of 2824 4268 btnbbt.exe 90 PID 4268 wrote to memory of 2824 4268 btnbbt.exe 90 PID 4268 wrote to memory of 2824 4268 btnbbt.exe 90 PID 2824 wrote to memory of 412 2824 jpjvj.exe 91 PID 2824 wrote to memory of 412 2824 jpjvj.exe 91 PID 2824 wrote to memory of 412 2824 jpjvj.exe 91 PID 412 wrote to memory of 208 412 vpddj.exe 92 PID 412 wrote to memory of 208 412 vpddj.exe 92 PID 412 wrote to memory of 208 412 vpddj.exe 92 PID 208 wrote to memory of 2216 208 flrfxrf.exe 93 PID 208 wrote to memory of 2216 208 flrfxrf.exe 93 PID 208 wrote to memory of 2216 208 flrfxrf.exe 93 PID 2216 wrote to memory of 3564 2216 rffrlxl.exe 94 PID 2216 wrote to memory of 3564 2216 rffrlxl.exe 94 PID 2216 wrote to memory of 3564 2216 rffrlxl.exe 94 PID 3564 wrote to memory of 2700 3564 rxrlxxr.exe 95 PID 3564 wrote to memory of 2700 3564 rxrlxxr.exe 95 PID 3564 wrote to memory of 2700 3564 rxrlxxr.exe 95 PID 2700 wrote to memory of 832 2700 2008608.exe 96 PID 2700 wrote to memory of 
832 2700 2008608.exe 96 PID 2700 wrote to memory of 832 2700 2008608.exe 96 PID 832 wrote to memory of 2280 832 80648.exe 97 PID 832 wrote to memory of 2280 832 80648.exe 97 PID 832 wrote to memory of 2280 832 80648.exe 97 PID 2280 wrote to memory of 2752 2280 0884248.exe 98 PID 2280 wrote to memory of 2752 2280 0884248.exe 98 PID 2280 wrote to memory of 2752 2280 0884248.exe 98 PID 2752 wrote to memory of 4520 2752 nbnhbt.exe 99 PID 2752 wrote to memory of 4520 2752 nbnhbt.exe 99 PID 2752 wrote to memory of 4520 2752 nbnhbt.exe 99 PID 4520 wrote to memory of 4000 4520 28200.exe 100 PID 4520 wrote to memory of 4000 4520 28200.exe 100 PID 4520 wrote to memory of 4000 4520 28200.exe 100 PID 4000 wrote to memory of 4928 4000 5lfrfxl.exe 101 PID 4000 wrote to memory of 4928 4000 5lfrfxl.exe 101 PID 4000 wrote to memory of 4928 4000 5lfrfxl.exe 101 PID 4928 wrote to memory of 2404 4928 q02042.exe 102 PID 4928 wrote to memory of 2404 4928 q02042.exe 102 PID 4928 wrote to memory of 2404 4928 q02042.exe 102 PID 2404 wrote to memory of 724 2404 3vjvp.exe 103 PID 2404 wrote to memory of 724 2404 3vjvp.exe 103 PID 2404 wrote to memory of 724 2404 3vjvp.exe 103 PID 724 wrote to memory of 748 724 jjjdj.exe 104 PID 724 wrote to memory of 748 724 jjjdj.exe 104 PID 724 wrote to memory of 748 724 jjjdj.exe 104 PID 748 wrote to memory of 3876 748 0004826.exe 105 PID 748 wrote to memory of 3876 748 0004826.exe 105 PID 748 wrote to memory of 3876 748 0004826.exe 105 PID 3876 wrote to memory of 4896 3876 bnnthb.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe"C:\Users\Admin\AppData\Local\Temp\3f2611863c8ac3a4f880d6ef74393730216913b1461c0bbb95bb1958a1a9db9cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\i444000.exec:\i444000.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\600000.exec:\600000.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\04628.exec:\04628.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\4882266.exec:\4882266.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\btnbbt.exec:\btnbbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\jpjvj.exec:\jpjvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\vpddj.exec:\vpddj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\flrfxrf.exec:\flrfxrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\rffrlxl.exec:\rffrlxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\rxrlxxr.exec:\rxrlxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\2008608.exec:\2008608.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\80648.exec:\80648.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\0884248.exec:\0884248.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\nbnhbt.exec:\nbnhbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\28200.exec:\28200.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\5lfrfxl.exec:\5lfrfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\q02042.exec:\q02042.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\3vjvp.exec:\3vjvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\jjjdj.exec:\jjjdj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
\??\c:\0004826.exec:\0004826.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\bnnthb.exec:\bnnthb.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\0008604.exec:\0008604.exe23⤵
- Executes dropped EXE
PID:4896 -
\??\c:\282660.exec:\282660.exe24⤵
- Executes dropped EXE
PID:3000 -
\??\c:\084282.exec:\084282.exe25⤵
- Executes dropped EXE
PID:4644 -
\??\c:\88086.exec:\88086.exe26⤵
- Executes dropped EXE
PID:3644 -
\??\c:\8842042.exec:\8842042.exe27⤵
- Executes dropped EXE
PID:4992 -
\??\c:\424288.exec:\424288.exe28⤵
- Executes dropped EXE
PID:4588 -
\??\c:\4060826.exec:\4060826.exe29⤵
- Executes dropped EXE
PID:2368 -
\??\c:\lrlxrlf.exec:\lrlxrlf.exe30⤵
- Executes dropped EXE
PID:1444 -
\??\c:\604644.exec:\604644.exe31⤵
- Executes dropped EXE
PID:888 -
\??\c:\3pjvj.exec:\3pjvj.exe32⤵
- Executes dropped EXE
PID:2296 -
\??\c:\46004.exec:\46004.exe33⤵
- Executes dropped EXE
PID:1660 -
\??\c:\jddvj.exec:\jddvj.exe34⤵
- Executes dropped EXE
PID:4324 -
\??\c:\htbntn.exec:\htbntn.exe35⤵
- Executes dropped EXE
PID:3416 -
\??\c:\jvjvp.exec:\jvjvp.exe36⤵
- Executes dropped EXE
PID:3788 -
\??\c:\62882.exec:\62882.exe37⤵
- Executes dropped EXE
PID:3012 -
\??\c:\7pdpj.exec:\7pdpj.exe38⤵
- Executes dropped EXE
PID:3560 -
\??\c:\1lfrfxr.exec:\1lfrfxr.exe39⤵
- Executes dropped EXE
PID:3584 -
\??\c:\bnnbtn.exec:\bnnbtn.exe40⤵
- Executes dropped EXE
PID:1308 -
\??\c:\i404248.exec:\i404248.exe41⤵
- Executes dropped EXE
PID:3716 -
\??\c:\xllfxrl.exec:\xllfxrl.exe42⤵
- Executes dropped EXE
PID:4944 -
\??\c:\626060.exec:\626060.exe43⤵
- Executes dropped EXE
PID:3392 -
\??\c:\bnnhnb.exec:\bnnhnb.exe44⤵
- Executes dropped EXE
PID:1740 -
\??\c:\xlfxrrl.exec:\xlfxrrl.exe45⤵
- Executes dropped EXE
PID:680 -
\??\c:\s0686.exec:\s0686.exe46⤵
- Executes dropped EXE
PID:4052 -
\??\c:\6664204.exec:\6664204.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964 -
\??\c:\jvpjv.exec:\jvpjv.exe48⤵
- Executes dropped EXE
PID:4380 -
\??\c:\thnnnh.exec:\thnnnh.exe49⤵
- Executes dropped EXE
PID:5064 -
\??\c:\nhhtnn.exec:\nhhtnn.exe50⤵
- Executes dropped EXE
PID:2696 -
\??\c:\5nntnh.exec:\5nntnh.exe51⤵
- Executes dropped EXE
PID:1084 -
\??\c:\64260.exec:\64260.exe52⤵
- Executes dropped EXE
PID:3688 -
\??\c:\rxxrffr.exec:\rxxrffr.exe53⤵
- Executes dropped EXE
PID:1388 -
\??\c:\3hhbtn.exec:\3hhbtn.exe54⤵
- Executes dropped EXE
PID:4056 -
\??\c:\lxfxxrr.exec:\lxfxxrr.exe55⤵
- Executes dropped EXE
PID:4312 -
\??\c:\ntbnbt.exec:\ntbnbt.exe56⤵
- Executes dropped EXE
PID:2876 -
\??\c:\tnhthb.exec:\tnhthb.exe57⤵
- Executes dropped EXE
PID:2736 -
\??\c:\20042.exec:\20042.exe58⤵
- Executes dropped EXE
PID:976 -
\??\c:\4664220.exec:\4664220.exe59⤵
- Executes dropped EXE
PID:1132 -
\??\c:\bnhbhb.exec:\bnhbhb.exe60⤵
- Executes dropped EXE
PID:2156 -
\??\c:\e62426.exec:\e62426.exe61⤵
- Executes dropped EXE
PID:4392 -
\??\c:\bnnnbt.exec:\bnnnbt.exe62⤵
- Executes dropped EXE
PID:4776 -
\??\c:\08826.exec:\08826.exe63⤵
- Executes dropped EXE
PID:4416 -
\??\c:\00608.exec:\00608.exe64⤵
- Executes dropped EXE
PID:1684 -
\??\c:\844826.exec:\844826.exe65⤵
- Executes dropped EXE
PID:4848 -
\??\c:\i440066.exec:\i440066.exe66⤵PID:3532
-
\??\c:\frrlffx.exec:\frrlffx.exe67⤵PID:1696
-
\??\c:\c844888.exec:\c844888.exe68⤵PID:4816
-
\??\c:\vjjjd.exec:\vjjjd.exe69⤵PID:3336
-
\??\c:\k28222.exec:\k28222.exe70⤵PID:3916
-
\??\c:\6004444.exec:\6004444.exe71⤵PID:3928
-
\??\c:\bnnhbb.exec:\bnnhbb.exe72⤵PID:1768
-
\??\c:\q20404.exec:\q20404.exe73⤵PID:4076
-
\??\c:\pdpjp.exec:\pdpjp.exe74⤵PID:4868
-
\??\c:\c688226.exec:\c688226.exe75⤵PID:724
-
\??\c:\3hhttb.exec:\3hhttb.exe76⤵PID:3548
-
\??\c:\02482.exec:\02482.exe77⤵PID:3056
-
\??\c:\c404882.exec:\c404882.exe78⤵PID:4252
-
\??\c:\028626.exec:\028626.exe79⤵PID:1496
-
\??\c:\684822.exec:\684822.exe80⤵PID:4136
-
\??\c:\622260.exec:\622260.exe81⤵PID:4496
-
\??\c:\pvjdv.exec:\pvjdv.exe82⤵PID:4572
-
\??\c:\422608.exec:\422608.exe83⤵PID:2368
-
\??\c:\xrxrrll.exec:\xrxrrll.exe84⤵PID:2924
-
\??\c:\vvdpd.exec:\vvdpd.exe85⤵PID:4504
-
\??\c:\62486.exec:\62486.exe86⤵PID:1228
-
\??\c:\vdjdv.exec:\vdjdv.exe87⤵PID:1100
-
\??\c:\jpvjj.exec:\jpvjj.exe88⤵PID:3500
-
\??\c:\3btnhb.exec:\3btnhb.exe89⤵PID:4040
-
\??\c:\bnnbnt.exec:\bnnbnt.exe90⤵PID:4860
-
\??\c:\nthtnh.exec:\nthtnh.exe91⤵PID:3988
-
\??\c:\frllfrl.exec:\frllfrl.exe92⤵PID:3036
-
\??\c:\000482.exec:\000482.exe93⤵PID:1596
-
\??\c:\frlffxf.exec:\frlffxf.exe94⤵PID:3736
-
\??\c:\6424260.exec:\6424260.exe95⤵PID:1376
-
\??\c:\u820608.exec:\u820608.exe96⤵PID:620
-
\??\c:\82240.exec:\82240.exe97⤵PID:4404
-
\??\c:\648266.exec:\648266.exe98⤵PID:3156
-
\??\c:\84684.exec:\84684.exe99⤵PID:4408
-
\??\c:\k08400.exec:\k08400.exe100⤵PID:5064
-
\??\c:\xxfxrlr.exec:\xxfxrlr.exe101⤵PID:2980
-
\??\c:\4260822.exec:\4260822.exe102⤵PID:4304
-
\??\c:\9xfrllf.exec:\9xfrllf.exe103⤵
- System Location Discovery: System Language Discovery
PID:4932 -
\??\c:\1fxlfrl.exec:\1fxlfrl.exe104⤵PID:3688
-
\??\c:\c402664.exec:\c402664.exe105⤵PID:952
-
\??\c:\8442042.exec:\8442042.exe106⤵PID:1752
-
\??\c:\9xxlxrf.exec:\9xxlxrf.exe107⤵PID:2276
-
\??\c:\tnbnbt.exec:\tnbnbt.exe108⤵PID:2192
-
\??\c:\6064260.exec:\6064260.exe109⤵PID:2736
-
\??\c:\484488.exec:\484488.exe110⤵PID:244
-
\??\c:\g6822.exec:\g6822.exe111⤵PID:2600
-
\??\c:\lxfrlff.exec:\lxfrlff.exe112⤵PID:2844
-
\??\c:\rlfrfxr.exec:\rlfrfxr.exe113⤵PID:1132
-
\??\c:\ntthtn.exec:\ntthtn.exe114⤵PID:2108
-
\??\c:\2460826.exec:\2460826.exe115⤵PID:716
-
\??\c:\dvpvj.exec:\dvpvj.exe116⤵PID:656
-
\??\c:\s8460.exec:\s8460.exe117⤵PID:3804
-
\??\c:\2620482.exec:\2620482.exe118⤵PID:2112
-
\??\c:\5nbnbt.exec:\5nbnbt.exe119⤵PID:4776
-
\??\c:\m8048.exec:\m8048.exe120⤵PID:3232
-
\??\c:\jvpdp.exec:\jvpdp.exe121⤵PID:2412
-
\??\c:\404420.exec:\404420.exe122⤵PID:428