Analysis
-
max time kernel
119s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 13:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0d48ff702ffb59321bb76741d6b48e0770925dfd07fff2d68f37427d9ef5906c.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
0d48ff702ffb59321bb76741d6b48e0770925dfd07fff2d68f37427d9ef5906c.exe
-
Size
454KB
-
MD5
7c63140b443573a20d178d86a2245dd0
-
SHA1
ffae22655d5dc93fd3ac0a9ff8c5ee7ed58ea7c7
-
SHA256
0d48ff702ffb59321bb76741d6b48e0770925dfd07fff2d68f37427d9ef5906c
-
SHA512
a56556bfe785d562f31c35c71b4bf3bda55d7b7c549b35d6c1de6a4afcbac38569b92e0582977f5d4280d8783db31dfb8978af3b1c8be6db477647d6c7dcac51
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4676-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/376-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2360-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-851-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-1187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-1638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4356 o242648.exe 380 q48682.exe 5116 22200.exe 1592 6468264.exe 1568 2024042.exe 3720 6220826.exe 2592 7bbnbn.exe 3472 nbhttn.exe 312 tnthbn.exe 908 dpvdp.exe 3960 08404.exe 1640 rfllxlx.exe 3412 246086.exe 224 c880820.exe 2260 3lxrrrr.exe 3924 22064.exe 1644 004886.exe 3532 s2860.exe 3932 4464204.exe 4140 40086.exe 1896 rlfrxxl.exe 1184 u048608.exe 212 0622604.exe 2760 vjpvj.exe 4872 hnthnh.exe 1364 46608.exe 376 2220860.exe 4924 jdjvv.exe 4376 6004822.exe 1232 408820.exe 1136 622200.exe 1388 7vjvj.exe 452 u446642.exe 4828 9dpdp.exe 2368 4264600.exe 4832 222648.exe 4544 m4864.exe 4884 4448604.exe 112 lrlfrrl.exe 2972 xxffrxf.exe 4064 c464220.exe 2744 jvdpj.exe 5092 2820426.exe 3976 frxlxrr.exe 4572 rllxlfx.exe 1984 k04648.exe 4340 6008264.exe 1056 40608.exe 4676 thhbnh.exe 2220 3xlrffr.exe 4124 lfrlxrf.exe 1140 a4642.exe 956 840820.exe 3384 7ffrlfr.exe 4388 9rffrxl.exe 552 2882042.exe 4092 1lrlfxx.exe 4456 4004264.exe 2596 vjpdd.exe 4320 lrrlxrf.exe 4852 3ddpd.exe 2824 848260.exe 2900 q44860.exe 2888 c260820.exe -
resource yara_rule behavioral2/memory/4676-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1232-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-323-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/824-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-675-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6024666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e20648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w02004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o666448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2004482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvvd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrlrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8442260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 660802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6286042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4682660.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k44804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6604260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 686424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684860.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4676 wrote to memory of 4356 4676 0d48ff702ffb59321bb76741d6b48e0770925dfd07fff2d68f37427d9ef5906c.exe 83 PID 4676 wrote to memory of 4356 4676 0d48ff702ffb59321bb76741d6b48e0770925dfd07fff2d68f37427d9ef5906c.exe 83 PID 4676 wrote to memory of 4356 4676 0d48ff702ffb59321bb76741d6b48e0770925dfd07fff2d68f37427d9ef5906c.exe 83 PID 4356 wrote to memory of 380 4356 o242648.exe 84 PID 4356 wrote to memory of 380 4356 o242648.exe 84 PID 4356 wrote to memory of 380 4356 o242648.exe 84 PID 380 wrote to memory of 5116 380 q48682.exe 85 PID 380 wrote to memory of 5116 380 q48682.exe 85 PID 380 wrote to memory of 5116 380 q48682.exe 85 PID 5116 wrote to memory of 1592 5116 22200.exe 86 PID 5116 wrote to memory of 1592 5116 22200.exe 86 PID 5116 wrote to memory of 1592 5116 22200.exe 86 PID 1592 wrote to memory of 1568 1592 6468264.exe 87 PID 1592 wrote to memory of 1568 1592 6468264.exe 87 PID 1592 wrote to memory of 1568 1592 6468264.exe 87 PID 1568 wrote to memory of 3720 1568 2024042.exe 88 PID 1568 wrote to memory of 3720 1568 2024042.exe 88 PID 1568 wrote to memory of 3720 1568 2024042.exe 88 PID 3720 wrote to memory of 2592 3720 6220826.exe 89 PID 3720 wrote to memory of 2592 3720 6220826.exe 89 PID 3720 wrote to memory of 2592 3720 6220826.exe 89 PID 2592 wrote to memory of 3472 2592 7bbnbn.exe 90 PID 2592 wrote to memory of 3472 2592 7bbnbn.exe 90 PID 2592 wrote to memory of 3472 2592 7bbnbn.exe 90 PID 3472 wrote to memory of 312 3472 nbhttn.exe 91 PID 3472 wrote to memory of 312 3472 nbhttn.exe 91 PID 3472 wrote to memory of 312 3472 nbhttn.exe 91 PID 312 wrote to memory of 908 312 tnthbn.exe 92 PID 312 wrote to memory of 908 312 tnthbn.exe 92 PID 312 wrote to memory of 908 312 tnthbn.exe 92 PID 908 wrote to memory of 3960 908 dpvdp.exe 93 PID 908 wrote to memory of 3960 908 dpvdp.exe 93 PID 908 wrote to memory of 3960 908 dpvdp.exe 93 PID 3960 wrote to memory of 1640 3960 08404.exe 94 PID 3960 wrote to memory of 1640 3960 
08404.exe 94 PID 3960 wrote to memory of 1640 3960 08404.exe 94 PID 1640 wrote to memory of 3412 1640 rfllxlx.exe 95 PID 1640 wrote to memory of 3412 1640 rfllxlx.exe 95 PID 1640 wrote to memory of 3412 1640 rfllxlx.exe 95 PID 3412 wrote to memory of 224 3412 246086.exe 96 PID 3412 wrote to memory of 224 3412 246086.exe 96 PID 3412 wrote to memory of 224 3412 246086.exe 96 PID 224 wrote to memory of 2260 224 c880820.exe 97 PID 224 wrote to memory of 2260 224 c880820.exe 97 PID 224 wrote to memory of 2260 224 c880820.exe 97 PID 2260 wrote to memory of 3924 2260 3lxrrrr.exe 98 PID 2260 wrote to memory of 3924 2260 3lxrrrr.exe 98 PID 2260 wrote to memory of 3924 2260 3lxrrrr.exe 98 PID 3924 wrote to memory of 1644 3924 22064.exe 99 PID 3924 wrote to memory of 1644 3924 22064.exe 99 PID 3924 wrote to memory of 1644 3924 22064.exe 99 PID 1644 wrote to memory of 3532 1644 004886.exe 100 PID 1644 wrote to memory of 3532 1644 004886.exe 100 PID 1644 wrote to memory of 3532 1644 004886.exe 100 PID 3532 wrote to memory of 3932 3532 s2860.exe 101 PID 3532 wrote to memory of 3932 3532 s2860.exe 101 PID 3532 wrote to memory of 3932 3532 s2860.exe 101 PID 3932 wrote to memory of 4140 3932 4464204.exe 102 PID 3932 wrote to memory of 4140 3932 4464204.exe 102 PID 3932 wrote to memory of 4140 3932 4464204.exe 102 PID 4140 wrote to memory of 1896 4140 40086.exe 103 PID 4140 wrote to memory of 1896 4140 40086.exe 103 PID 4140 wrote to memory of 1896 4140 40086.exe 103 PID 1896 wrote to memory of 1184 1896 rlfrxxl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d48ff702ffb59321bb76741d6b48e0770925dfd07fff2d68f37427d9ef5906c.exe"C:\Users\Admin\AppData\Local\Temp\0d48ff702ffb59321bb76741d6b48e0770925dfd07fff2d68f37427d9ef5906c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\o242648.exec:\o242648.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\q48682.exec:\q48682.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\22200.exec:\22200.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\6468264.exec:\6468264.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\2024042.exec:\2024042.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\6220826.exec:\6220826.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\7bbnbn.exec:\7bbnbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\nbhttn.exec:\nbhttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\tnthbn.exec:\tnthbn.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:312 -
\??\c:\dpvdp.exec:\dpvdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908 -
\??\c:\08404.exec:\08404.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\rfllxlx.exec:\rfllxlx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\246086.exec:\246086.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\c880820.exec:\c880820.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\3lxrrrr.exec:\3lxrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\22064.exec:\22064.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\004886.exec:\004886.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\s2860.exec:\s2860.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\4464204.exec:\4464204.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\40086.exec:\40086.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\rlfrxxl.exec:\rlfrxxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\u048608.exec:\u048608.exe23⤵
- Executes dropped EXE
PID:1184 -
\??\c:\0622604.exec:\0622604.exe24⤵
- Executes dropped EXE
PID:212 -
\??\c:\vjpvj.exec:\vjpvj.exe25⤵
- Executes dropped EXE
PID:2760 -
\??\c:\hnthnh.exec:\hnthnh.exe26⤵
- Executes dropped EXE
PID:4872 -
\??\c:\46608.exec:\46608.exe27⤵
- Executes dropped EXE
PID:1364 -
\??\c:\2220860.exec:\2220860.exe28⤵
- Executes dropped EXE
PID:376 -
\??\c:\jdjvv.exec:\jdjvv.exe29⤵
- Executes dropped EXE
PID:4924 -
\??\c:\6004822.exec:\6004822.exe30⤵
- Executes dropped EXE
PID:4376 -
\??\c:\408820.exec:\408820.exe31⤵
- Executes dropped EXE
PID:1232 -
\??\c:\622200.exec:\622200.exe32⤵
- Executes dropped EXE
PID:1136 -
\??\c:\7vjvj.exec:\7vjvj.exe33⤵
- Executes dropped EXE
PID:1388 -
\??\c:\u446642.exec:\u446642.exe34⤵
- Executes dropped EXE
PID:452 -
\??\c:\9dpdp.exec:\9dpdp.exe35⤵
- Executes dropped EXE
PID:4828 -
\??\c:\4264600.exec:\4264600.exe36⤵
- Executes dropped EXE
PID:2368 -
\??\c:\222648.exec:\222648.exe37⤵
- Executes dropped EXE
PID:4832 -
\??\c:\m4864.exec:\m4864.exe38⤵
- Executes dropped EXE
PID:4544 -
\??\c:\4448604.exec:\4448604.exe39⤵
- Executes dropped EXE
PID:4884 -
\??\c:\lrlfrrl.exec:\lrlfrrl.exe40⤵
- Executes dropped EXE
PID:112 -
\??\c:\xxffrxf.exec:\xxffrxf.exe41⤵
- Executes dropped EXE
PID:2972 -
\??\c:\c464220.exec:\c464220.exe42⤵
- Executes dropped EXE
PID:4064 -
\??\c:\jvdpj.exec:\jvdpj.exe43⤵
- Executes dropped EXE
PID:2744 -
\??\c:\2820426.exec:\2820426.exe44⤵
- Executes dropped EXE
PID:5092 -
\??\c:\frxlxrr.exec:\frxlxrr.exe45⤵
- Executes dropped EXE
PID:3976 -
\??\c:\rllxlfx.exec:\rllxlfx.exe46⤵
- Executes dropped EXE
PID:4572 -
\??\c:\k04648.exec:\k04648.exe47⤵
- Executes dropped EXE
PID:1984 -
\??\c:\6008264.exec:\6008264.exe48⤵
- Executes dropped EXE
PID:4340 -
\??\c:\40608.exec:\40608.exe49⤵
- Executes dropped EXE
PID:1056 -
\??\c:\thhbnh.exec:\thhbnh.exe50⤵
- Executes dropped EXE
PID:4676 -
\??\c:\3xlrffr.exec:\3xlrffr.exe51⤵
- Executes dropped EXE
PID:2220 -
\??\c:\lfrlxrf.exec:\lfrlxrf.exe52⤵
- Executes dropped EXE
PID:4124 -
\??\c:\a4642.exec:\a4642.exe53⤵
- Executes dropped EXE
PID:1140 -
\??\c:\840820.exec:\840820.exe54⤵
- Executes dropped EXE
PID:956 -
\??\c:\7ffrlfr.exec:\7ffrlfr.exe55⤵
- Executes dropped EXE
PID:3384 -
\??\c:\9rffrxl.exec:\9rffrxl.exe56⤵
- Executes dropped EXE
PID:4388 -
\??\c:\2882042.exec:\2882042.exe57⤵
- Executes dropped EXE
PID:552 -
\??\c:\1lrlfxx.exec:\1lrlfxx.exe58⤵
- Executes dropped EXE
PID:4092 -
\??\c:\4004264.exec:\4004264.exe59⤵
- Executes dropped EXE
PID:4456 -
\??\c:\vjpdd.exec:\vjpdd.exe60⤵
- Executes dropped EXE
PID:2596 -
\??\c:\lrrlxrf.exec:\lrrlxrf.exe61⤵
- Executes dropped EXE
PID:4320 -
\??\c:\3ddpd.exec:\3ddpd.exe62⤵
- Executes dropped EXE
PID:4852 -
\??\c:\848260.exec:\848260.exe63⤵
- Executes dropped EXE
PID:2824 -
\??\c:\q44860.exec:\q44860.exe64⤵
- Executes dropped EXE
PID:2900 -
\??\c:\c260820.exec:\c260820.exe65⤵
- Executes dropped EXE
PID:2888 -
\??\c:\xlrlxrf.exec:\xlrlxrf.exe66⤵PID:2360
-
\??\c:\826088.exec:\826088.exe67⤵PID:1132
-
\??\c:\82480.exec:\82480.exe68⤵PID:1580
-
\??\c:\xrfrfrf.exec:\xrfrfrf.exe69⤵PID:3084
-
\??\c:\dppvj.exec:\dppvj.exe70⤵PID:3052
-
\??\c:\hhnbnb.exec:\hhnbnb.exe71⤵PID:2260
-
\??\c:\06246.exec:\06246.exe72⤵PID:3924
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe73⤵PID:3388
-
\??\c:\5vdvp.exec:\5vdvp.exe74⤵PID:1208
-
\??\c:\bbnhtt.exec:\bbnhtt.exe75⤵PID:4228
-
\??\c:\pjpdj.exec:\pjpdj.exe76⤵PID:3480
-
\??\c:\ffrxxlf.exec:\ffrxxlf.exe77⤵PID:4704
-
\??\c:\a6604.exec:\a6604.exe78⤵PID:824
-
\??\c:\llfxffl.exec:\llfxffl.exe79⤵PID:1576
-
\??\c:\1fffxxx.exec:\1fffxxx.exe80⤵PID:2292
-
\??\c:\hbtthh.exec:\hbtthh.exe81⤵PID:2020
-
\??\c:\2460000.exec:\2460000.exe82⤵PID:3436
-
\??\c:\4886228.exec:\4886228.exe83⤵PID:1912
-
\??\c:\2622288.exec:\2622288.exe84⤵PID:932
-
\??\c:\202044.exec:\202044.exe85⤵PID:692
-
\??\c:\jpvpp.exec:\jpvpp.exe86⤵PID:968
-
\??\c:\2266048.exec:\2266048.exe87⤵PID:4752
-
\??\c:\0400448.exec:\0400448.exe88⤵PID:4592
-
\??\c:\jdvvd.exec:\jdvvd.exe89⤵PID:3612
-
\??\c:\w02668.exec:\w02668.exe90⤵PID:2764
-
\??\c:\bbbbnn.exec:\bbbbnn.exe91⤵PID:1216
-
\??\c:\4848664.exec:\4848664.exe92⤵PID:4296
-
\??\c:\9vvdv.exec:\9vvdv.exe93⤵PID:3892
-
\??\c:\xrrlrrl.exec:\xrrlrrl.exe94⤵PID:4448
-
\??\c:\w00600.exec:\w00600.exe95⤵PID:3956
-
\??\c:\02482.exec:\02482.exe96⤵PID:3008
-
\??\c:\3hbbnn.exec:\3hbbnn.exe97⤵PID:2708
-
\??\c:\jvdvv.exec:\jvdvv.exe98⤵PID:2228
-
\??\c:\q40606.exec:\q40606.exe99⤵PID:2100
-
\??\c:\lllffff.exec:\lllffff.exe100⤵PID:3328
-
\??\c:\484400.exec:\484400.exe101⤵PID:112
-
\??\c:\88488.exec:\88488.exe102⤵PID:2972
-
\??\c:\1hbbtb.exec:\1hbbtb.exe103⤵PID:2052
-
\??\c:\3ddpj.exec:\3ddpj.exe104⤵PID:2904
-
\??\c:\o626044.exec:\o626044.exe105⤵PID:4928
-
\??\c:\rlrlfxx.exec:\rlrlfxx.exe106⤵PID:3732
-
\??\c:\20042.exec:\20042.exe107⤵PID:4684
-
\??\c:\688204.exec:\688204.exe108⤵PID:2440
-
\??\c:\vppdp.exec:\vppdp.exe109⤵PID:232
-
\??\c:\00282.exec:\00282.exe110⤵PID:1480
-
\??\c:\6604260.exec:\6604260.exe111⤵
- System Location Discovery: System Language Discovery
PID:3460 -
\??\c:\m6248.exec:\m6248.exe112⤵PID:1688
-
\??\c:\pjdpv.exec:\pjdpv.exe113⤵PID:1476
-
\??\c:\nhbtbt.exec:\nhbtbt.exe114⤵PID:4476
-
\??\c:\bthbtn.exec:\bthbtn.exe115⤵PID:2144
-
\??\c:\jvdpp.exec:\jvdpp.exe116⤵PID:3240
-
\??\c:\1lrlrxf.exec:\1lrlrxf.exe117⤵
- System Location Discovery: System Language Discovery
PID:4868 -
\??\c:\8426060.exec:\8426060.exe118⤵PID:2212
-
\??\c:\0888288.exec:\0888288.exe119⤵PID:2012
-
\??\c:\3rrlxrl.exec:\3rrlxrl.exe120⤵PID:3472
-
\??\c:\4288600.exec:\4288600.exe121⤵PID:2992
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe122⤵PID:908