Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25/11/2024, 20:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
183cf9046f4cbe10158a9690e7d5c45aa0f62215c864bf4e6f94e85ce30938cf.exe
Resource
win7-20241023-en
7 signatures
150 seconds
Note: every signature hit and IoC listed below is tagged behavioral2 and matches the windows10-2004_x64 / win10v2004-20241007-en platform given at the top of this page. The behavioral1 entry above is the separate Windows 7 run; its per-run details are not reproduced here, so do not read the memory dumps or PIDs below as belonging to the win7 task.
General
-
Target
183cf9046f4cbe10158a9690e7d5c45aa0f62215c864bf4e6f94e85ce30938cf.exe
-
Size
453KB
-
MD5
a6947c86b9318399bf130e106ea853ef
-
SHA1
df77e1fc5549fcaff4f4d6ac54e503c7d68be72e
-
SHA256
183cf9046f4cbe10158a9690e7d5c45aa0f62215c864bf4e6f94e85ce30938cf
-
SHA512
4b16776d3966b4ac39501364fcb2f13f7dc9476a86550acd823d84e859fcffb39926eb3873b275f4eb1f0c7421f8bef363e9841fd6b4e4474f7636503ba1c044
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
Every hit is a memory dump of the image range 0x00400000–0x0042A000 in one of the dropped child processes, and the same dumps are matched again by the `upx` yara rule in the unlabelled list further down. That is consistent with each dropped EXE being the same UPX-packed Blackmoon build under a different file name, so the SHA256 above is only one member of a chain that keeps rewriting itself; hunt on the behaviour (executables at the drive root spawning one another) rather than on file hashes alone.
resource yara_rule behavioral2/memory/4712-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3892-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4544-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-1168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-1901-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
PIDs are recycled within this run (1200, 3992, 2864, 3252 and 4920 each appear twice in the list below with different image names), so correlate events by image name and parent→child relationship rather than by PID alone.
pid Process 4712 466288.exe 1200 rrrlfxl.exe 3992 040248.exe 3300 80260.exe 4240 86400.exe 4844 3djjd.exe 2672 04002.exe 2200 806666.exe 4532 hbbbtt.exe 1264 xrlfxxr.exe 2020 688226.exe 2864 064002.exe 4596 w80028.exe 3556 rlllrrf.exe 3252 6044248.exe 4920 462666.exe 1288 ddjvp.exe 4344 ttbnnt.exe 1004 42840.exe 3776 0268860.exe 4452 846808.exe 4460 tttntt.exe 1640 062822.exe 3932 rrflllf.exe 4612 pdjdp.exe 3892 bttnhb.exe 228 4802420.exe 1920 844882.exe 876 8066004.exe 4744 02060.exe 3192 q28482.exe 4728 u082800.exe 3808 vpppp.exe 3044 248822.exe 5116 600600.exe 4456 240448.exe 1608 680044.exe 652 662608.exe 3832 0848222.exe 1224 4864646.exe 3264 488444.exe 3020 bttnnn.exe 2392 ppjjd.exe 5004 pjpjj.exe 4200 rfrlffx.exe 3132 400260.exe 5064 xxxrlrr.exe 1860 dvvpj.exe 1752 hnthnh.exe 1200 2282260.exe 3992 nhbbbb.exe 3208 xxfxffl.exe 3320 rfrxlrf.exe 1008 ppjdv.exe 1596 vddpj.exe 4068 206044.exe 2292 vjjjp.exe 2676 dvpjd.exe 4512 xlxrxxl.exe 2864 5jjvp.exe 2336 jjjdv.exe 3752 pddvp.exe 3252 260000.exe 4920 802086.exe -
resource yara_rule behavioral2/memory/4712-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3192-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-350-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4664-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-654-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). Here it is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by the dropped executables. Many entries are attributed to "Process not Found": the sandbox could not resolve the owning process, most likely because these short-lived children had already exited, so those reads cannot be tied to a single named binary. On its own this key read is also common in benign software; it is a weak indicator that only matters in combination with the dropped-EXE chain.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e08282.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 886044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2404882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0280000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2482222.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0444848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e08400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 620444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8826604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpdp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Every entry is a parent writing into the child it has just created (three writes per child, in the same parent→child order as the process tree below), so this reflects the launcher chain itself rather than injection into unrelated or system processes. Whether the writes modify the child's image (hollowing/patching) or are only start-up plumbing cannot be determined from this listing; the Blackmoon/UPX memory hits sit at each child's own image base, which does not settle it either way.
description pid Process procid_target PID 3944 wrote to memory of 4712 3944 183cf9046f4cbe10158a9690e7d5c45aa0f62215c864bf4e6f94e85ce30938cf.exe 86 PID 3944 wrote to memory of 4712 3944 183cf9046f4cbe10158a9690e7d5c45aa0f62215c864bf4e6f94e85ce30938cf.exe 86 PID 3944 wrote to memory of 4712 3944 183cf9046f4cbe10158a9690e7d5c45aa0f62215c864bf4e6f94e85ce30938cf.exe 86 PID 4712 wrote to memory of 1200 4712 466288.exe 87 PID 4712 wrote to memory of 1200 4712 466288.exe 87 PID 4712 wrote to memory of 1200 4712 466288.exe 87 PID 1200 wrote to memory of 3992 1200 rrrlfxl.exe 88 PID 1200 wrote to memory of 3992 1200 rrrlfxl.exe 88 PID 1200 wrote to memory of 3992 1200 rrrlfxl.exe 88 PID 3992 wrote to memory of 3300 3992 040248.exe 89 PID 3992 wrote to memory of 3300 3992 040248.exe 89 PID 3992 wrote to memory of 3300 3992 040248.exe 89 PID 3300 wrote to memory of 4240 3300 80260.exe 90 PID 3300 wrote to memory of 4240 3300 80260.exe 90 PID 3300 wrote to memory of 4240 3300 80260.exe 90 PID 4240 wrote to memory of 4844 4240 86400.exe 91 PID 4240 wrote to memory of 4844 4240 86400.exe 91 PID 4240 wrote to memory of 4844 4240 86400.exe 91 PID 4844 wrote to memory of 2672 4844 3djjd.exe 92 PID 4844 wrote to memory of 2672 4844 3djjd.exe 92 PID 4844 wrote to memory of 2672 4844 3djjd.exe 92 PID 2672 wrote to memory of 2200 2672 04002.exe 93 PID 2672 wrote to memory of 2200 2672 04002.exe 93 PID 2672 wrote to memory of 2200 2672 04002.exe 93 PID 2200 wrote to memory of 4532 2200 806666.exe 94 PID 2200 wrote to memory of 4532 2200 806666.exe 94 PID 2200 wrote to memory of 4532 2200 806666.exe 94 PID 4532 wrote to memory of 1264 4532 hbbbtt.exe 95 PID 4532 wrote to memory of 1264 4532 hbbbtt.exe 95 PID 4532 wrote to memory of 1264 4532 hbbbtt.exe 95 PID 1264 wrote to memory of 2020 1264 xrlfxxr.exe 96 PID 1264 wrote to memory of 2020 1264 xrlfxxr.exe 96 PID 1264 wrote to memory of 2020 1264 xrlfxxr.exe 96 PID 2020 wrote to memory of 2864 2020 688226.exe 97 PID 2020 wrote to memory 
of 2864 2020 688226.exe 97 PID 2020 wrote to memory of 2864 2020 688226.exe 97 PID 2864 wrote to memory of 4596 2864 064002.exe 98 PID 2864 wrote to memory of 4596 2864 064002.exe 98 PID 2864 wrote to memory of 4596 2864 064002.exe 98 PID 4596 wrote to memory of 3556 4596 w80028.exe 99 PID 4596 wrote to memory of 3556 4596 w80028.exe 99 PID 4596 wrote to memory of 3556 4596 w80028.exe 99 PID 3556 wrote to memory of 3252 3556 rlllrrf.exe 100 PID 3556 wrote to memory of 3252 3556 rlllrrf.exe 100 PID 3556 wrote to memory of 3252 3556 rlllrrf.exe 100 PID 3252 wrote to memory of 4920 3252 6044248.exe 101 PID 3252 wrote to memory of 4920 3252 6044248.exe 101 PID 3252 wrote to memory of 4920 3252 6044248.exe 101 PID 4920 wrote to memory of 1288 4920 462666.exe 102 PID 4920 wrote to memory of 1288 4920 462666.exe 102 PID 4920 wrote to memory of 1288 4920 462666.exe 102 PID 1288 wrote to memory of 4344 1288 ddjvp.exe 103 PID 1288 wrote to memory of 4344 1288 ddjvp.exe 103 PID 1288 wrote to memory of 4344 1288 ddjvp.exe 103 PID 4344 wrote to memory of 1004 4344 ttbnnt.exe 104 PID 4344 wrote to memory of 1004 4344 ttbnnt.exe 104 PID 4344 wrote to memory of 1004 4344 ttbnnt.exe 104 PID 1004 wrote to memory of 3776 1004 42840.exe 105 PID 1004 wrote to memory of 3776 1004 42840.exe 105 PID 1004 wrote to memory of 3776 1004 42840.exe 105 PID 3776 wrote to memory of 4452 3776 0268860.exe 106 PID 3776 wrote to memory of 4452 3776 0268860.exe 106 PID 3776 wrote to memory of 4452 3776 0268860.exe 106 PID 4452 wrote to memory of 4460 4452 846808.exe 107
Processes
The tree below is 122 levels deep: the sample in the user's Temp directory drops the next-stage EXE into the root of C:\ (shown as \??\c:\<name>.exe), launches it, and that child repeats the pattern. Executables being created in and run from the drive root is a useful hunting pivot in its own right. The file names are short and random-looking and change from stage to stage (a few even repeat within the run, e.g. bttnhb.exe and pjpjj.exe), so they are not reliable IoCs.
-
C:\Users\Admin\AppData\Local\Temp\183cf9046f4cbe10158a9690e7d5c45aa0f62215c864bf4e6f94e85ce30938cf.exe"C:\Users\Admin\AppData\Local\Temp\183cf9046f4cbe10158a9690e7d5c45aa0f62215c864bf4e6f94e85ce30938cf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\466288.exec:\466288.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\rrrlfxl.exec:\rrrlfxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\040248.exec:\040248.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\80260.exec:\80260.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\86400.exec:\86400.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\3djjd.exec:\3djjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\04002.exec:\04002.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\806666.exec:\806666.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\hbbbtt.exec:\hbbbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\688226.exec:\688226.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\064002.exec:\064002.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\w80028.exec:\w80028.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\rlllrrf.exec:\rlllrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\6044248.exec:\6044248.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\462666.exec:\462666.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\ddjvp.exec:\ddjvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\ttbnnt.exec:\ttbnnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\42840.exec:\42840.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\0268860.exec:\0268860.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\846808.exec:\846808.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\tttntt.exec:\tttntt.exe23⤵
- Executes dropped EXE
PID:4460 -
\??\c:\062822.exec:\062822.exe24⤵
- Executes dropped EXE
PID:1640 -
\??\c:\rrflllf.exec:\rrflllf.exe25⤵
- Executes dropped EXE
PID:3932 -
\??\c:\pdjdp.exec:\pdjdp.exe26⤵
- Executes dropped EXE
PID:4612 -
\??\c:\bttnhb.exec:\bttnhb.exe27⤵
- Executes dropped EXE
PID:3892 -
\??\c:\4802420.exec:\4802420.exe28⤵
- Executes dropped EXE
PID:228 -
\??\c:\844882.exec:\844882.exe29⤵
- Executes dropped EXE
PID:1920 -
\??\c:\8066004.exec:\8066004.exe30⤵
- Executes dropped EXE
PID:876 -
\??\c:\02060.exec:\02060.exe31⤵
- Executes dropped EXE
PID:4744 -
\??\c:\q28482.exec:\q28482.exe32⤵
- Executes dropped EXE
PID:3192 -
\??\c:\u082800.exec:\u082800.exe33⤵
- Executes dropped EXE
PID:4728 -
\??\c:\vpppp.exec:\vpppp.exe34⤵
- Executes dropped EXE
PID:3808 -
\??\c:\248822.exec:\248822.exe35⤵
- Executes dropped EXE
PID:3044 -
\??\c:\600600.exec:\600600.exe36⤵
- Executes dropped EXE
PID:5116 -
\??\c:\240448.exec:\240448.exe37⤵
- Executes dropped EXE
PID:4456 -
\??\c:\680044.exec:\680044.exe38⤵
- Executes dropped EXE
PID:1608 -
\??\c:\662608.exec:\662608.exe39⤵
- Executes dropped EXE
PID:652 -
\??\c:\0848222.exec:\0848222.exe40⤵
- Executes dropped EXE
PID:3832 -
\??\c:\4864646.exec:\4864646.exe41⤵
- Executes dropped EXE
PID:1224 -
\??\c:\488444.exec:\488444.exe42⤵
- Executes dropped EXE
PID:3264 -
\??\c:\bttnnn.exec:\bttnnn.exe43⤵
- Executes dropped EXE
PID:3020 -
\??\c:\ppjjd.exec:\ppjjd.exe44⤵
- Executes dropped EXE
PID:2392 -
\??\c:\pjpjj.exec:\pjpjj.exe45⤵
- Executes dropped EXE
PID:5004 -
\??\c:\rfrlffx.exec:\rfrlffx.exe46⤵
- Executes dropped EXE
PID:4200 -
\??\c:\400260.exec:\400260.exe47⤵
- Executes dropped EXE
PID:3132 -
\??\c:\tbntbb.exec:\tbntbb.exe48⤵PID:2872
-
\??\c:\xxxrlrr.exec:\xxxrlrr.exe49⤵
- Executes dropped EXE
PID:5064 -
\??\c:\dvvpj.exec:\dvvpj.exe50⤵
- Executes dropped EXE
PID:1860 -
\??\c:\hnthnh.exec:\hnthnh.exe51⤵
- Executes dropped EXE
PID:1752 -
\??\c:\2282260.exec:\2282260.exe52⤵
- Executes dropped EXE
PID:1200 -
\??\c:\nhbbbb.exec:\nhbbbb.exe53⤵
- Executes dropped EXE
PID:3992 -
\??\c:\xxfxffl.exec:\xxfxffl.exe54⤵
- Executes dropped EXE
PID:3208 -
\??\c:\rfrxlrf.exec:\rfrxlrf.exe55⤵
- Executes dropped EXE
PID:3320 -
\??\c:\ppjdv.exec:\ppjdv.exe56⤵
- Executes dropped EXE
PID:1008 -
\??\c:\vddpj.exec:\vddpj.exe57⤵
- Executes dropped EXE
PID:1596 -
\??\c:\206044.exec:\206044.exe58⤵
- Executes dropped EXE
PID:4068 -
\??\c:\vjjjp.exec:\vjjjp.exe59⤵
- Executes dropped EXE
PID:2292 -
\??\c:\dvpjd.exec:\dvpjd.exe60⤵
- Executes dropped EXE
PID:2676 -
\??\c:\xlxrxxl.exec:\xlxrxxl.exe61⤵
- Executes dropped EXE
PID:4512 -
\??\c:\5jjvp.exec:\5jjvp.exe62⤵
- Executes dropped EXE
PID:2864 -
\??\c:\jjjdv.exec:\jjjdv.exe63⤵
- Executes dropped EXE
PID:2336 -
\??\c:\pddvp.exec:\pddvp.exe64⤵
- Executes dropped EXE
PID:3752 -
\??\c:\260000.exec:\260000.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3252 -
\??\c:\802086.exec:\802086.exe66⤵
- Executes dropped EXE
PID:4920 -
\??\c:\602660.exec:\602660.exe67⤵PID:4336
-
\??\c:\btbhnn.exec:\btbhnn.exe68⤵PID:3572
-
\??\c:\06000.exec:\06000.exe69⤵PID:2828
-
\??\c:\thnhhb.exec:\thnhhb.exe70⤵PID:2524
-
\??\c:\btbttt.exec:\btbttt.exe71⤵PID:4544
-
\??\c:\a2480.exec:\a2480.exe72⤵PID:2144
-
\??\c:\24260.exec:\24260.exe73⤵PID:2400
-
\??\c:\262682.exec:\262682.exe74⤵PID:1436
-
\??\c:\fflfxxx.exec:\fflfxxx.exe75⤵PID:2168
-
\??\c:\bttnhb.exec:\bttnhb.exe76⤵PID:3008
-
\??\c:\6400886.exec:\6400886.exe77⤵PID:4000
-
\??\c:\08488.exec:\08488.exe78⤵PID:3772
-
\??\c:\nhnntt.exec:\nhnntt.exe79⤵PID:2824
-
\??\c:\80040.exec:\80040.exe80⤵PID:2368
-
\??\c:\g8044.exec:\g8044.exe81⤵PID:4664
-
\??\c:\frxxrrx.exec:\frxxrrx.exe82⤵PID:1028
-
\??\c:\pjpjj.exec:\pjpjj.exe83⤵PID:2372
-
\??\c:\rrxxxxx.exec:\rrxxxxx.exe84⤵PID:2188
-
\??\c:\80604.exec:\80604.exe85⤵PID:3372
-
\??\c:\vdjdd.exec:\vdjdd.exe86⤵PID:3480
-
\??\c:\46488.exec:\46488.exe87⤵PID:4524
-
\??\c:\pdpvp.exec:\pdpvp.exe88⤵PID:1632
-
\??\c:\nnbttt.exec:\nnbttt.exe89⤵PID:3044
-
\??\c:\4428622.exec:\4428622.exe90⤵PID:1712
-
\??\c:\thtttt.exec:\thtttt.exe91⤵PID:4456
-
\??\c:\ffxxfll.exec:\ffxxfll.exe92⤵PID:2276
-
\??\c:\dpppp.exec:\dpppp.exe93⤵PID:3036
-
\??\c:\tbhnnt.exec:\tbhnnt.exe94⤵PID:3760
-
\??\c:\46822.exec:\46822.exe95⤵PID:2868
-
\??\c:\264462.exec:\264462.exe96⤵PID:3484
-
\??\c:\a6660.exec:\a6660.exe97⤵PID:2716
-
\??\c:\llrxrfx.exec:\llrxrfx.exe98⤵PID:4868
-
\??\c:\djvdj.exec:\djvdj.exe99⤵PID:2288
-
\??\c:\xxlflfx.exec:\xxlflfx.exe100⤵PID:4080
-
\??\c:\btnhnt.exec:\btnhnt.exe101⤵PID:4432
-
\??\c:\04004.exec:\04004.exe102⤵PID:2032
-
\??\c:\o622004.exec:\o622004.exe103⤵PID:4712
-
\??\c:\260048.exec:\260048.exe104⤵PID:5020
-
\??\c:\20204.exec:\20204.exe105⤵PID:2800
-
\??\c:\1jvpj.exec:\1jvpj.exe106⤵PID:3796
-
\??\c:\4040662.exec:\4040662.exe107⤵PID:940
-
\??\c:\pdjpp.exec:\pdjpp.exe108⤵PID:1084
-
\??\c:\1djjp.exec:\1djjp.exe109⤵PID:4848
-
\??\c:\w00886.exec:\w00886.exe110⤵PID:3488
-
\??\c:\m4482.exec:\m4482.exe111⤵PID:1412
-
\??\c:\428406.exec:\428406.exe112⤵PID:1140
-
\??\c:\208248.exec:\208248.exe113⤵PID:3408
-
\??\c:\hhtnnn.exec:\hhtnnn.exe114⤵PID:2676
-
\??\c:\lrffllf.exec:\lrffllf.exe115⤵PID:2408
-
\??\c:\s4088.exec:\s4088.exe116⤵PID:972
-
\??\c:\600404.exec:\600404.exe117⤵PID:832
-
\??\c:\bnhtbn.exec:\bnhtbn.exe118⤵PID:1068
-
\??\c:\2222246.exec:\2222246.exe119⤵PID:1052
-
\??\c:\820002.exec:\820002.exe120⤵PID:3984
-
\??\c:\rlfflrl.exec:\rlfflrl.exe121⤵PID:4336
-
\??\c:\1vvvp.exec:\1vvvp.exe122⤵PID:3628