Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 03:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe
-
Size
453KB
-
MD5
dc519d9781599fcd6b5b4c387f01cad1
-
SHA1
d1d4bdaf8eed52ecc01feae94cc5a60888c1df2e
-
SHA256
b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26
-
SHA512
780a8b53c5f43feec16eefa3db8c29030ede7e2cb4c8caeaf9b102a1b99288a052a2d414ff35596e01f73042dab0435fb419d296e26e4282b8c0a434c0da579d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4436-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/616-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4580-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-930-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-1000-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-1019-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-1470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2656-1943-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4436 q00864.exe 368 ntthhb.exe 1556 xxrlxrl.exe 1944 20240.exe 4268 xffxlfx.exe 1488 lrxlxfr.exe 3096 620466.exe 900 llxxlrr.exe 3420 xxfxrxx.exe 400 8226004.exe 464 8288884.exe 2572 jdpjj.exe 2352 lrxrrlf.exe 2568 djvvd.exe 2396 hbnbhh.exe 1148 nbtttt.exe 5036 1lrlffr.exe 1128 2688222.exe 1596 406660.exe 3760 tnbbtt.exe 1612 g2004.exe 2620 xrxlfff.exe 3584 ppvjj.exe 2592 rxxxrlf.exe 616 bttttt.exe 4128 28642.exe 2064 m4426.exe 4972 q00426.exe 1680 6282660.exe 4416 2460004.exe 1524 xlxrxrr.exe 1732 nbbtnn.exe 2612 68448.exe 3896 8442604.exe 2680 828482.exe 2676 vjpdp.exe 2896 8282008.exe 4684 8822664.exe 1436 djpvj.exe 3744 42242.exe 3508 o442042.exe 3652 6482048.exe 5000 i246266.exe 4516 7nnnbt.exe 1116 fxrflff.exe 2832 084204.exe 2196 24864.exe 4212 64644.exe 4436 k02228.exe 4600 64082.exe 4448 088606.exe 1872 888826.exe 1772 6620860.exe 4484 228648.exe 4268 2226048.exe 4776 028226.exe 5008 lffrrxx.exe 1356 262622.exe 4772 o682266.exe 900 2246044.exe 3420 vdjvp.exe 4532 lffffff.exe 964 046402.exe 3504 w06004.exe -
resource yara_rule behavioral2/memory/4436-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4972-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-366-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2588-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-930-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-1000-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8620882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2608226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o448226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4886264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o860626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8020882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o404260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 668006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8226004.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 286220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2286420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3084 wrote to memory of 4436 3084 b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe 83 PID 3084 wrote to memory of 4436 3084 b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe 83 PID 3084 wrote to memory of 4436 3084 b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe 83 PID 4436 wrote to memory of 368 4436 q00864.exe 84 PID 4436 wrote to memory of 368 4436 q00864.exe 84 PID 4436 wrote to memory of 368 4436 q00864.exe 84 PID 368 wrote to memory of 1556 368 ntthhb.exe 85 PID 368 wrote to memory of 1556 368 ntthhb.exe 85 PID 368 wrote to memory of 1556 368 ntthhb.exe 85 PID 1556 wrote to memory of 1944 1556 xxrlxrl.exe 86 PID 1556 wrote to memory of 1944 1556 xxrlxrl.exe 86 PID 1556 wrote to memory of 1944 1556 xxrlxrl.exe 86 PID 1944 wrote to memory of 4268 1944 20240.exe 87 PID 1944 wrote to memory of 4268 1944 20240.exe 87 PID 1944 wrote to memory of 4268 1944 20240.exe 87 PID 4268 wrote to memory of 1488 4268 xffxlfx.exe 88 PID 4268 wrote to memory of 1488 4268 xffxlfx.exe 88 PID 4268 wrote to memory of 1488 4268 xffxlfx.exe 88 PID 1488 wrote to memory of 3096 1488 lrxlxfr.exe 89 PID 1488 wrote to memory of 3096 1488 lrxlxfr.exe 89 PID 1488 wrote to memory of 3096 1488 lrxlxfr.exe 89 PID 3096 wrote to memory of 900 3096 620466.exe 90 PID 3096 wrote to memory of 900 3096 620466.exe 90 PID 3096 wrote to memory of 900 3096 620466.exe 90 PID 900 wrote to memory of 3420 900 llxxlrr.exe 91 PID 900 wrote to memory of 3420 900 llxxlrr.exe 91 PID 900 wrote to memory of 3420 900 llxxlrr.exe 91 PID 3420 wrote to memory of 400 3420 xxfxrxx.exe 92 PID 3420 wrote to memory of 400 3420 xxfxrxx.exe 92 PID 3420 wrote to memory of 400 3420 xxfxrxx.exe 92 PID 400 wrote to memory of 464 400 8226004.exe 93 PID 400 wrote to memory of 464 400 8226004.exe 93 PID 400 wrote to memory of 464 400 8226004.exe 93 PID 464 wrote to memory of 2572 464 8288884.exe 94 PID 464 wrote to memory of 2572 464 
8288884.exe 94 PID 464 wrote to memory of 2572 464 8288884.exe 94 PID 2572 wrote to memory of 2352 2572 jdpjj.exe 95 PID 2572 wrote to memory of 2352 2572 jdpjj.exe 95 PID 2572 wrote to memory of 2352 2572 jdpjj.exe 95 PID 2352 wrote to memory of 2568 2352 lrxrrlf.exe 96 PID 2352 wrote to memory of 2568 2352 lrxrrlf.exe 96 PID 2352 wrote to memory of 2568 2352 lrxrrlf.exe 96 PID 2568 wrote to memory of 2396 2568 djvvd.exe 97 PID 2568 wrote to memory of 2396 2568 djvvd.exe 97 PID 2568 wrote to memory of 2396 2568 djvvd.exe 97 PID 2396 wrote to memory of 1148 2396 hbnbhh.exe 98 PID 2396 wrote to memory of 1148 2396 hbnbhh.exe 98 PID 2396 wrote to memory of 1148 2396 hbnbhh.exe 98 PID 1148 wrote to memory of 5036 1148 nbtttt.exe 99 PID 1148 wrote to memory of 5036 1148 nbtttt.exe 99 PID 1148 wrote to memory of 5036 1148 nbtttt.exe 99 PID 5036 wrote to memory of 1128 5036 1lrlffr.exe 100 PID 5036 wrote to memory of 1128 5036 1lrlffr.exe 100 PID 5036 wrote to memory of 1128 5036 1lrlffr.exe 100 PID 1128 wrote to memory of 1596 1128 2688222.exe 101 PID 1128 wrote to memory of 1596 1128 2688222.exe 101 PID 1128 wrote to memory of 1596 1128 2688222.exe 101 PID 1596 wrote to memory of 3760 1596 406660.exe 102 PID 1596 wrote to memory of 3760 1596 406660.exe 102 PID 1596 wrote to memory of 3760 1596 406660.exe 102 PID 3760 wrote to memory of 1612 3760 tnbbtt.exe 103 PID 3760 wrote to memory of 1612 3760 tnbbtt.exe 103 PID 3760 wrote to memory of 1612 3760 tnbbtt.exe 103 PID 1612 wrote to memory of 2620 1612 g2004.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe"C:\Users\Admin\AppData\Local\Temp\b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\q00864.exec:\q00864.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\ntthhb.exec:\ntthhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\xxrlxrl.exec:\xxrlxrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\20240.exec:\20240.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\xffxlfx.exec:\xffxlfx.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\lrxlxfr.exec:\lrxlxfr.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\620466.exec:\620466.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\llxxlrr.exec:\llxxlrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\xxfxrxx.exec:\xxfxrxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\8226004.exec:\8226004.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\8288884.exec:\8288884.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\jdpjj.exec:\jdpjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\lrxrrlf.exec:\lrxrrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\djvvd.exec:\djvvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\hbnbhh.exec:\hbnbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\nbtttt.exec:\nbtttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\1lrlffr.exec:\1lrlffr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\2688222.exec:\2688222.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\406660.exec:\406660.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\tnbbtt.exec:\tnbbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\g2004.exec:\g2004.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\xrxlfff.exec:\xrxlfff.exe23⤵
- Executes dropped EXE
PID:2620 -
\??\c:\ppvjj.exec:\ppvjj.exe24⤵
- Executes dropped EXE
PID:3584 -
\??\c:\rxxxrlf.exec:\rxxxrlf.exe25⤵
- Executes dropped EXE
PID:2592 -
\??\c:\bttttt.exec:\bttttt.exe26⤵
- Executes dropped EXE
PID:616 -
\??\c:\28642.exec:\28642.exe27⤵
- Executes dropped EXE
PID:4128 -
\??\c:\m4426.exec:\m4426.exe28⤵
- Executes dropped EXE
PID:2064 -
\??\c:\q00426.exec:\q00426.exe29⤵
- Executes dropped EXE
PID:4972 -
\??\c:\6282660.exec:\6282660.exe30⤵
- Executes dropped EXE
PID:1680 -
\??\c:\2460004.exec:\2460004.exe31⤵
- Executes dropped EXE
PID:4416 -
\??\c:\xlxrxrr.exec:\xlxrxrr.exe32⤵
- Executes dropped EXE
PID:1524 -
\??\c:\nbbtnn.exec:\nbbtnn.exe33⤵
- Executes dropped EXE
PID:1732 -
\??\c:\68448.exec:\68448.exe34⤵
- Executes dropped EXE
PID:2612 -
\??\c:\8442604.exec:\8442604.exe35⤵
- Executes dropped EXE
PID:3896 -
\??\c:\828482.exec:\828482.exe36⤵
- Executes dropped EXE
PID:2680 -
\??\c:\vjpdp.exec:\vjpdp.exe37⤵
- Executes dropped EXE
PID:2676 -
\??\c:\8282008.exec:\8282008.exe38⤵
- Executes dropped EXE
PID:2896 -
\??\c:\8822664.exec:\8822664.exe39⤵
- Executes dropped EXE
PID:4684 -
\??\c:\djpvj.exec:\djpvj.exe40⤵
- Executes dropped EXE
PID:1436 -
\??\c:\42242.exec:\42242.exe41⤵
- Executes dropped EXE
PID:3744 -
\??\c:\o442042.exec:\o442042.exe42⤵
- Executes dropped EXE
PID:3508 -
\??\c:\6482048.exec:\6482048.exe43⤵
- Executes dropped EXE
PID:3652 -
\??\c:\i246266.exec:\i246266.exe44⤵
- Executes dropped EXE
PID:5000 -
\??\c:\7nnnbt.exec:\7nnnbt.exe45⤵
- Executes dropped EXE
PID:4516 -
\??\c:\fxrflff.exec:\fxrflff.exe46⤵
- Executes dropped EXE
PID:1116 -
\??\c:\084204.exec:\084204.exe47⤵
- Executes dropped EXE
PID:2832 -
\??\c:\24864.exec:\24864.exe48⤵
- Executes dropped EXE
PID:2196 -
\??\c:\5jddj.exec:\5jddj.exe49⤵PID:4312
-
\??\c:\64644.exec:\64644.exe50⤵
- Executes dropped EXE
PID:4212 -
\??\c:\k02228.exec:\k02228.exe51⤵
- Executes dropped EXE
PID:4436 -
\??\c:\64082.exec:\64082.exe52⤵
- Executes dropped EXE
PID:4600 -
\??\c:\088606.exec:\088606.exe53⤵
- Executes dropped EXE
PID:4448 -
\??\c:\888826.exec:\888826.exe54⤵
- Executes dropped EXE
PID:1872 -
\??\c:\6620860.exec:\6620860.exe55⤵
- Executes dropped EXE
PID:1772 -
\??\c:\228648.exec:\228648.exe56⤵
- Executes dropped EXE
PID:4484 -
\??\c:\2226048.exec:\2226048.exe57⤵
- Executes dropped EXE
PID:4268 -
\??\c:\028226.exec:\028226.exe58⤵
- Executes dropped EXE
PID:4776 -
\??\c:\lffrrxx.exec:\lffrrxx.exe59⤵
- Executes dropped EXE
PID:5008 -
\??\c:\262622.exec:\262622.exe60⤵
- Executes dropped EXE
PID:1356 -
\??\c:\o682266.exec:\o682266.exe61⤵
- Executes dropped EXE
PID:4772 -
\??\c:\2246044.exec:\2246044.exe62⤵
- Executes dropped EXE
PID:900 -
\??\c:\vdjvp.exec:\vdjvp.exe63⤵
- Executes dropped EXE
PID:3420 -
\??\c:\lffffff.exec:\lffffff.exe64⤵
- Executes dropped EXE
PID:4532 -
\??\c:\046402.exec:\046402.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:964 -
\??\c:\w06004.exec:\w06004.exe66⤵
- Executes dropped EXE
PID:3504 -
\??\c:\thtntn.exec:\thtntn.exe67⤵PID:1516
-
\??\c:\g2608.exec:\g2608.exe68⤵PID:2868
-
\??\c:\thnhbb.exec:\thnhbb.exe69⤵PID:2912
-
\??\c:\thnbbt.exec:\thnbbt.exe70⤵PID:4948
-
\??\c:\620488.exec:\620488.exe71⤵PID:2396
-
\??\c:\5bbnhb.exec:\5bbnhb.exe72⤵PID:3308
-
\??\c:\028444.exec:\028444.exe73⤵PID:60
-
\??\c:\22880.exec:\22880.exe74⤵PID:1808
-
\??\c:\82420.exec:\82420.exe75⤵PID:4580
-
\??\c:\q26404.exec:\q26404.exe76⤵PID:2412
-
\??\c:\428044.exec:\428044.exe77⤵PID:4460
-
\??\c:\440044.exec:\440044.exe78⤵PID:1560
-
\??\c:\ttbtnn.exec:\ttbtnn.exe79⤵PID:4664
-
\??\c:\vjjdv.exec:\vjjdv.exe80⤵PID:1684
-
\??\c:\hntbtt.exec:\hntbtt.exe81⤵PID:4156
-
\??\c:\djpjv.exec:\djpjv.exe82⤵PID:2336
-
\??\c:\m4082.exec:\m4082.exe83⤵PID:5100
-
\??\c:\8060422.exec:\8060422.exe84⤵PID:1064
-
\??\c:\086444.exec:\086444.exe85⤵PID:616
-
\??\c:\nhbnhb.exec:\nhbnhb.exe86⤵PID:3412
-
\??\c:\bnthnh.exec:\bnthnh.exe87⤵PID:228
-
\??\c:\lrlxlxl.exec:\lrlxlxl.exe88⤵PID:948
-
\??\c:\rrrlffx.exec:\rrrlffx.exe89⤵PID:1520
-
\??\c:\1bthhb.exec:\1bthhb.exe90⤵PID:4840
-
\??\c:\nhtnhh.exec:\nhtnhh.exe91⤵PID:2588
-
\??\c:\w68622.exec:\w68622.exe92⤵PID:1468
-
\??\c:\hhnbnt.exec:\hhnbnt.exe93⤵PID:1524
-
\??\c:\82848.exec:\82848.exe94⤵PID:3112
-
\??\c:\xllxlxr.exec:\xllxlxr.exe95⤵
- System Location Discovery: System Language Discovery
PID:4256 -
\??\c:\206200.exec:\206200.exe96⤵PID:3016
-
\??\c:\jppdp.exec:\jppdp.exe97⤵PID:3840
-
\??\c:\bhnhtt.exec:\bhnhtt.exe98⤵PID:4592
-
\??\c:\bttnbb.exec:\bttnbb.exe99⤵PID:2224
-
\??\c:\jddvp.exec:\jddvp.exe100⤵PID:1776
-
\??\c:\84040.exec:\84040.exe101⤵PID:3464
-
\??\c:\1nhbnh.exec:\1nhbnh.exe102⤵PID:3192
-
\??\c:\dvdvd.exec:\dvdvd.exe103⤵PID:2716
-
\??\c:\pjvjp.exec:\pjvjp.exe104⤵PID:4380
-
\??\c:\686004.exec:\686004.exe105⤵PID:2532
-
\??\c:\20606.exec:\20606.exe106⤵PID:4408
-
\??\c:\6408220.exec:\6408220.exe107⤵PID:628
-
\??\c:\0842682.exec:\0842682.exe108⤵PID:2608
-
\??\c:\7djvd.exec:\7djvd.exe109⤵PID:4412
-
\??\c:\m2426.exec:\m2426.exe110⤵PID:3944
-
\??\c:\26648.exec:\26648.exe111⤵PID:3084
-
\??\c:\dddvv.exec:\dddvv.exe112⤵PID:4744
-
\??\c:\e88604.exec:\e88604.exe113⤵PID:1028
-
\??\c:\nhhbtt.exec:\nhhbtt.exe114⤵PID:4836
-
\??\c:\400426.exec:\400426.exe115⤵PID:4852
-
\??\c:\820826.exec:\820826.exe116⤵PID:1944
-
\??\c:\4064820.exec:\4064820.exe117⤵PID:4792
-
\??\c:\hbbhbb.exec:\hbbhbb.exe118⤵PID:4696
-
\??\c:\pjpjd.exec:\pjpjd.exe119⤵PID:3096
-
\??\c:\jvpdp.exec:\jvpdp.exe120⤵PID:3292
-
\??\c:\866084.exec:\866084.exe121⤵PID:3408
-
\??\c:\w88648.exec:\w88648.exe122⤵PID:428