Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 21:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3e80ebfd02026f952b2c3d640c71567542e5103860e27d81633d5f300f03b2c4.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
3e80ebfd02026f952b2c3d640c71567542e5103860e27d81633d5f300f03b2c4.exe
-
Size
453KB
-
MD5
044c7c77986594b84556303b5eac4a55
-
SHA1
0ea1d1376bd1082439497a743678c8384c5182fc
-
SHA256
3e80ebfd02026f952b2c3d640c71567542e5103860e27d81633d5f300f03b2c4
-
SHA512
5ef642bf5866f24d5b6330ae4df3548f65177c210d78d186895168c7068cbd96cdd2579ffe96dd3e01468ea261ddd3e5fa42e81aebb6dccde47b9d0aaf430fc7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2164-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4016-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3100-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-1204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-1310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-1434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2164 rflxrfx.exe 3604 bhnnhh.exe 952 608484.exe 2556 ntbthh.exe 3516 646460.exe 976 7vjpd.exe 244 djjdp.exe 4012 c686600.exe 3264 nbbttn.exe 400 pddvd.exe 876 3xrfxxl.exe 2912 62808.exe 4560 xflxxrx.exe 1916 dpjvj.exe 3488 2046420.exe 3576 3ttntn.exe 4032 06664.exe 2376 m6608.exe 4812 htbnbt.exe 2328 xllxrlx.exe 1640 862826.exe 1264 bbnhhn.exe 1172 rxxlfrl.exe 4128 08044.exe 3644 c004260.exe 1540 604264.exe 4256 nbnbth.exe 2368 nhtntt.exe 1572 7lfxlfr.exe 4016 rxxxrlf.exe 1848 fxrfrlf.exe 2804 9fxlxxl.exe 4884 xflxrlx.exe 3016 284426.exe 3012 s0044.exe 3560 3hbnbt.exe 3584 djdpd.exe 4984 u002086.exe 4448 0008608.exe 3464 848688.exe 3392 hhbthb.exe 3940 24080.exe 4364 fxrfxrf.exe 3808 q62606.exe 3868 thnhbh.exe 4380 6404606.exe 4396 q00648.exe 3480 nbthtn.exe 4880 4482608.exe 952 jpdvj.exe 2656 jjvpj.exe 2204 i282082.exe 4480 3llxlfx.exe 976 0842600.exe 2412 pjjjv.exe 4392 7ttntt.exe 2560 ntbtbb.exe 4776 0280820.exe 3496 64088.exe 2692 866426.exe 2340 rlfrlfr.exe 4836 g6260.exe 2336 284888.exe 1696 vvdvp.exe -
resource yara_rule behavioral2/memory/2164-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1848-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-388-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3068-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-970-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0488606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2660000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8620264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8400884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4460440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4662262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2440 wrote to memory of 2164 2440 3e80ebfd02026f952b2c3d640c71567542e5103860e27d81633d5f300f03b2c4.exe 85 PID 2440 wrote to memory of 2164 2440 3e80ebfd02026f952b2c3d640c71567542e5103860e27d81633d5f300f03b2c4.exe 85 PID 2440 wrote to memory of 2164 2440 3e80ebfd02026f952b2c3d640c71567542e5103860e27d81633d5f300f03b2c4.exe 85 PID 2164 wrote to memory of 3604 2164 rflxrfx.exe 86 PID 2164 wrote to memory of 3604 2164 rflxrfx.exe 86 PID 2164 wrote to memory of 3604 2164 rflxrfx.exe 86 PID 3604 wrote to memory of 952 3604 bhnnhh.exe 87 PID 3604 wrote to memory of 952 3604 bhnnhh.exe 87 PID 3604 wrote to memory of 952 3604 bhnnhh.exe 87 PID 952 wrote to memory of 2556 952 608484.exe 88 PID 952 wrote to memory of 2556 952 608484.exe 88 PID 952 wrote to memory of 2556 952 608484.exe 88 PID 2556 wrote to memory of 3516 2556 ntbthh.exe 89 PID 2556 wrote to memory of 3516 2556 ntbthh.exe 89 PID 2556 wrote to memory of 3516 2556 ntbthh.exe 89 PID 3516 wrote to memory of 976 3516 646460.exe 90 PID 3516 wrote to memory of 976 3516 646460.exe 90 PID 3516 wrote to memory of 976 3516 646460.exe 90 PID 976 wrote to memory of 244 976 7vjpd.exe 91 PID 976 wrote to memory of 244 976 7vjpd.exe 91 PID 976 wrote to memory of 244 976 7vjpd.exe 91 PID 244 wrote to memory of 4012 244 djjdp.exe 92 PID 244 wrote to memory of 4012 244 djjdp.exe 92 PID 244 wrote to memory of 4012 244 djjdp.exe 92 PID 4012 wrote to memory of 3264 4012 c686600.exe 93 PID 4012 wrote to memory of 3264 4012 c686600.exe 93 PID 4012 wrote to memory of 3264 4012 c686600.exe 93 PID 3264 wrote to memory of 400 3264 nbbttn.exe 94 PID 3264 wrote to memory of 400 3264 nbbttn.exe 94 PID 3264 wrote to memory of 400 3264 nbbttn.exe 94 PID 400 wrote to memory of 876 400 pddvd.exe 95 PID 400 wrote to memory of 876 400 pddvd.exe 95 PID 400 wrote to memory of 876 400 pddvd.exe 95 PID 876 wrote to memory of 2912 876 3xrfxxl.exe 96 PID 876 wrote to memory of 2912 876 3xrfxxl.exe 96 PID 876 
wrote to memory of 2912 876 3xrfxxl.exe 96 PID 2912 wrote to memory of 4560 2912 62808.exe 97 PID 2912 wrote to memory of 4560 2912 62808.exe 97 PID 2912 wrote to memory of 4560 2912 62808.exe 97 PID 4560 wrote to memory of 1916 4560 xflxxrx.exe 98 PID 4560 wrote to memory of 1916 4560 xflxxrx.exe 98 PID 4560 wrote to memory of 1916 4560 xflxxrx.exe 98 PID 1916 wrote to memory of 3488 1916 dpjvj.exe 99 PID 1916 wrote to memory of 3488 1916 dpjvj.exe 99 PID 1916 wrote to memory of 3488 1916 dpjvj.exe 99 PID 3488 wrote to memory of 3576 3488 2046420.exe 100 PID 3488 wrote to memory of 3576 3488 2046420.exe 100 PID 3488 wrote to memory of 3576 3488 2046420.exe 100 PID 3576 wrote to memory of 4032 3576 3ttntn.exe 101 PID 3576 wrote to memory of 4032 3576 3ttntn.exe 101 PID 3576 wrote to memory of 4032 3576 3ttntn.exe 101 PID 4032 wrote to memory of 2376 4032 06664.exe 102 PID 4032 wrote to memory of 2376 4032 06664.exe 102 PID 4032 wrote to memory of 2376 4032 06664.exe 102 PID 2376 wrote to memory of 4812 2376 m6608.exe 103 PID 2376 wrote to memory of 4812 2376 m6608.exe 103 PID 2376 wrote to memory of 4812 2376 m6608.exe 103 PID 4812 wrote to memory of 2328 4812 htbnbt.exe 104 PID 4812 wrote to memory of 2328 4812 htbnbt.exe 104 PID 4812 wrote to memory of 2328 4812 htbnbt.exe 104 PID 2328 wrote to memory of 1640 2328 xllxrlx.exe 105 PID 2328 wrote to memory of 1640 2328 xllxrlx.exe 105 PID 2328 wrote to memory of 1640 2328 xllxrlx.exe 105 PID 1640 wrote to memory of 1264 1640 862826.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e80ebfd02026f952b2c3d640c71567542e5103860e27d81633d5f300f03b2c4.exe"C:\Users\Admin\AppData\Local\Temp\3e80ebfd02026f952b2c3d640c71567542e5103860e27d81633d5f300f03b2c4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\rflxrfx.exec:\rflxrfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\bhnnhh.exec:\bhnnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\608484.exec:\608484.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\ntbthh.exec:\ntbthh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\646460.exec:\646460.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\7vjpd.exec:\7vjpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\djjdp.exec:\djjdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\c686600.exec:\c686600.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\nbbttn.exec:\nbbttn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\pddvd.exec:\pddvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\3xrfxxl.exec:\3xrfxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\62808.exec:\62808.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\xflxxrx.exec:\xflxxrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\dpjvj.exec:\dpjvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\2046420.exec:\2046420.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\3ttntn.exec:\3ttntn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\06664.exec:\06664.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\m6608.exec:\m6608.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\htbnbt.exec:\htbnbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\xllxrlx.exec:\xllxrlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\862826.exec:\862826.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\bbnhhn.exec:\bbnhhn.exe23⤵
- Executes dropped EXE
PID:1264 -
\??\c:\rxxlfrl.exec:\rxxlfrl.exe24⤵
- Executes dropped EXE
PID:1172 -
\??\c:\08044.exec:\08044.exe25⤵
- Executes dropped EXE
PID:4128 -
\??\c:\c004260.exec:\c004260.exe26⤵
- Executes dropped EXE
PID:3644 -
\??\c:\604264.exec:\604264.exe27⤵
- Executes dropped EXE
PID:1540 -
\??\c:\nbnbth.exec:\nbnbth.exe28⤵
- Executes dropped EXE
PID:4256 -
\??\c:\nhtntt.exec:\nhtntt.exe29⤵
- Executes dropped EXE
PID:2368 -
\??\c:\7lfxlfr.exec:\7lfxlfr.exe30⤵
- Executes dropped EXE
PID:1572 -
\??\c:\rxxxrlf.exec:\rxxxrlf.exe31⤵
- Executes dropped EXE
PID:4016 -
\??\c:\fxrfrlf.exec:\fxrfrlf.exe32⤵
- Executes dropped EXE
PID:1848 -
\??\c:\9fxlxxl.exec:\9fxlxxl.exe33⤵
- Executes dropped EXE
PID:2804 -
\??\c:\xflxrlx.exec:\xflxrlx.exe34⤵
- Executes dropped EXE
PID:4884 -
\??\c:\284426.exec:\284426.exe35⤵
- Executes dropped EXE
PID:3016 -
\??\c:\s0044.exec:\s0044.exe36⤵
- Executes dropped EXE
PID:3012 -
\??\c:\3hbnbt.exec:\3hbnbt.exe37⤵
- Executes dropped EXE
PID:3560 -
\??\c:\djdpd.exec:\djdpd.exe38⤵
- Executes dropped EXE
PID:3584 -
\??\c:\u002086.exec:\u002086.exe39⤵
- Executes dropped EXE
PID:4984 -
\??\c:\0008608.exec:\0008608.exe40⤵
- Executes dropped EXE
PID:4448 -
\??\c:\848688.exec:\848688.exe41⤵
- Executes dropped EXE
PID:3464 -
\??\c:\hhbthb.exec:\hhbthb.exe42⤵
- Executes dropped EXE
PID:3392 -
\??\c:\24080.exec:\24080.exe43⤵
- Executes dropped EXE
PID:3940 -
\??\c:\fxrfxrf.exec:\fxrfxrf.exe44⤵
- Executes dropped EXE
PID:4364 -
\??\c:\q62606.exec:\q62606.exe45⤵
- Executes dropped EXE
PID:3808 -
\??\c:\thnhbh.exec:\thnhbh.exe46⤵
- Executes dropped EXE
PID:3868 -
\??\c:\6404606.exec:\6404606.exe47⤵
- Executes dropped EXE
PID:4380 -
\??\c:\q00648.exec:\q00648.exe48⤵
- Executes dropped EXE
PID:4396 -
\??\c:\nbthtn.exec:\nbthtn.exe49⤵
- Executes dropped EXE
PID:3480 -
\??\c:\4482608.exec:\4482608.exe50⤵
- Executes dropped EXE
PID:4880 -
\??\c:\jpdvj.exec:\jpdvj.exe51⤵
- Executes dropped EXE
PID:952 -
\??\c:\jjvpj.exec:\jjvpj.exe52⤵
- Executes dropped EXE
PID:2656 -
\??\c:\i282082.exec:\i282082.exe53⤵
- Executes dropped EXE
PID:2204 -
\??\c:\3llxlfx.exec:\3llxlfx.exe54⤵
- Executes dropped EXE
PID:4480 -
\??\c:\0842600.exec:\0842600.exe55⤵
- Executes dropped EXE
PID:976 -
\??\c:\pjjjv.exec:\pjjjv.exe56⤵
- Executes dropped EXE
PID:2412 -
\??\c:\7ttntt.exec:\7ttntt.exe57⤵
- Executes dropped EXE
PID:4392 -
\??\c:\ntbtbb.exec:\ntbtbb.exe58⤵
- Executes dropped EXE
PID:2560 -
\??\c:\0280820.exec:\0280820.exe59⤵
- Executes dropped EXE
PID:4776 -
\??\c:\64088.exec:\64088.exe60⤵
- Executes dropped EXE
PID:3496 -
\??\c:\866426.exec:\866426.exe61⤵
- Executes dropped EXE
PID:2692 -
\??\c:\rlfrlfr.exec:\rlfrlfr.exe62⤵
- Executes dropped EXE
PID:2340 -
\??\c:\g6260.exec:\g6260.exe63⤵
- Executes dropped EXE
PID:4836 -
\??\c:\284888.exec:\284888.exe64⤵
- Executes dropped EXE
PID:2336 -
\??\c:\vvdvp.exec:\vvdvp.exe65⤵
- Executes dropped EXE
PID:1696 -
\??\c:\84448.exec:\84448.exe66⤵PID:3916
-
\??\c:\86042.exec:\86042.exe67⤵PID:4076
-
\??\c:\lrxrrll.exec:\lrxrrll.exe68⤵PID:4748
-
\??\c:\rlfxxxx.exec:\rlfxxxx.exe69⤵PID:372
-
\??\c:\082082.exec:\082082.exe70⤵PID:2640
-
\??\c:\844826.exec:\844826.exe71⤵PID:2404
-
\??\c:\8882462.exec:\8882462.exe72⤵PID:2880
-
\??\c:\rfxfrxl.exec:\rfxfrxl.exe73⤵PID:2328
-
\??\c:\7nhtbb.exec:\7nhtbb.exe74⤵PID:2968
-
\??\c:\8440820.exec:\8440820.exe75⤵PID:3100
-
\??\c:\m2860.exec:\m2860.exe76⤵
- System Location Discovery: System Language Discovery
PID:4252 -
\??\c:\dpvpd.exec:\dpvpd.exe77⤵PID:2236
-
\??\c:\48804.exec:\48804.exe78⤵PID:4136
-
\??\c:\rxfrfxl.exec:\rxfrfxl.exe79⤵PID:1844
-
\??\c:\pvjpp.exec:\pvjpp.exe80⤵PID:3360
-
\??\c:\pdppj.exec:\pdppj.exe81⤵PID:3664
-
\??\c:\jpppv.exec:\jpppv.exe82⤵PID:4004
-
\??\c:\9tbtnt.exec:\9tbtnt.exe83⤵PID:3572
-
\??\c:\rfllllf.exec:\rfllllf.exe84⤵PID:468
-
\??\c:\xrlfxrf.exec:\xrlfxrf.exe85⤵PID:1700
-
\??\c:\xrfrlfx.exec:\xrfrlfx.exe86⤵PID:1744
-
\??\c:\rfrffxx.exec:\rfrffxx.exe87⤵PID:2776
-
\??\c:\1xxrfxr.exec:\1xxrfxr.exe88⤵PID:4016
-
\??\c:\hhhthb.exec:\hhhthb.exe89⤵PID:4324
-
\??\c:\3ppjd.exec:\3ppjd.exe90⤵PID:4180
-
\??\c:\628248.exec:\628248.exe91⤵PID:4288
-
\??\c:\httnhb.exec:\httnhb.exe92⤵PID:2564
-
\??\c:\rrxrrlr.exec:\rrxrrlr.exe93⤵PID:1704
-
\??\c:\g4486.exec:\g4486.exe94⤵PID:3012
-
\??\c:\3vvjj.exec:\3vvjj.exe95⤵PID:4860
-
\??\c:\fllxlfl.exec:\fllxlfl.exe96⤵PID:3068
-
\??\c:\hbbttt.exec:\hbbttt.exe97⤵PID:404
-
\??\c:\a2820.exec:\a2820.exe98⤵PID:4388
-
\??\c:\rxxlxfx.exec:\rxxlxfx.exe99⤵PID:2288
-
\??\c:\thnbtn.exec:\thnbtn.exe100⤵PID:3184
-
\??\c:\a0646.exec:\a0646.exe101⤵PID:3940
-
\??\c:\bhhbth.exec:\bhhbth.exe102⤵PID:552
-
\??\c:\1bbtnh.exec:\1bbtnh.exe103⤵PID:3388
-
\??\c:\6286082.exec:\6286082.exe104⤵PID:2892
-
\??\c:\3djvj.exec:\3djvj.exe105⤵PID:1084
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe106⤵PID:4380
-
\??\c:\fxfxfxx.exec:\fxfxfxx.exe107⤵PID:448
-
\??\c:\6400464.exec:\6400464.exe108⤵PID:4316
-
\??\c:\jdvpj.exec:\jdvpj.exe109⤵PID:3480
-
\??\c:\thhthb.exec:\thhthb.exe110⤵PID:1960
-
\??\c:\24486.exec:\24486.exe111⤵PID:3276
-
\??\c:\48866.exec:\48866.exe112⤵PID:1800
-
\??\c:\s6406.exec:\s6406.exe113⤵PID:4280
-
\??\c:\htnttn.exec:\htnttn.exe114⤵PID:3516
-
\??\c:\7fxxlfx.exec:\7fxxlfx.exe115⤵PID:1560
-
\??\c:\tnhbnh.exec:\tnhbnh.exe116⤵PID:3328
-
\??\c:\tnthtn.exec:\tnthtn.exe117⤵PID:4012
-
\??\c:\tnnhhh.exec:\tnnhhh.exe118⤵PID:3232
-
\??\c:\44042.exec:\44042.exe119⤵PID:4112
-
\??\c:\04420.exec:\04420.exe120⤵PID:3264
-
\??\c:\s8840.exec:\s8840.exe121⤵PID:4832
-
\??\c:\7nhthb.exec:\7nhthb.exe122⤵PID:876