Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
19-12-2024 04:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe
-
Size
453KB
-
MD5
449db5e2ba1d90fa8df02673681433a0
-
SHA1
6a9571d43f8ba7022b72ab378f0f866d67c0f389
-
SHA256
86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418
-
SHA512
db33643d176f162397a60e881763185e8b3280f66ae6e56290a308b7c413d8507db02d87be2624de7c51424be454806efee429d6a7400b63ccc7bbf8cc6a7ebd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4264-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3948-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4020-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-1014-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-1058-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-1331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4452-1359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 776 rffxfll.exe 2192 lfflflf.exe 2004 u428486.exe 4916 thnnnh.exe 4208 ffxlllx.exe 1812 o442048.exe 3888 hbtnhb.exe 4260 bbhbtt.exe 948 282048.exe 964 xllxrlx.exe 1436 vjdpj.exe 3524 u828068.exe 2292 1lfrlfr.exe 244 464422.exe 3552 5rxrrlr.exe 4512 nhnhnh.exe 3668 ppdvp.exe 3644 20866.exe 4312 m8264.exe 1500 3jdpj.exe 100 jdvdp.exe 4280 flrfflx.exe 664 840426.exe 4268 5jpdp.exe 5084 bttnnn.exe 1240 vpvjp.exe 1388 c004860.exe 1212 5btnbb.exe 4012 w44288.exe 3996 5jjdp.exe 2840 pjdvv.exe 4588 u404664.exe 2436 46208.exe 4904 tbnbhh.exe 3692 q84204.exe 3184 860860.exe 2976 00648.exe 1396 2008260.exe 4184 pddvj.exe 3384 ppvvp.exe 1464 thnhhh.exe 4788 s4844.exe 4684 jvdvj.exe 4864 s2228.exe 4528 20460.exe 3860 xrlrlrl.exe 3636 1xxlxrl.exe 3472 bbhbnh.exe 1796 6626482.exe 1444 nhthbt.exe 4976 ntttht.exe 4416 822648.exe 3712 pvdvp.exe 4408 rlxrrlr.exe 4484 0826004.exe 3948 24042.exe 2152 nbbthb.exe 5044 28482.exe 888 k62082.exe 448 6048260.exe 4508 hthtnh.exe 2004 868664.exe 2300 7rfxrrl.exe 3944 thhbtn.exe -
resource yara_rule behavioral2/memory/4264-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-289-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4484-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-389-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3000-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-1014-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8448820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8288004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2604884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 622648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8282604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4264 wrote to memory of 776 4264 86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe 82 PID 4264 wrote to memory of 776 4264 86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe 82 PID 4264 wrote to memory of 776 4264 86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe 82 PID 776 wrote to memory of 2192 776 rffxfll.exe 83 PID 776 wrote to memory of 2192 776 rffxfll.exe 83 PID 776 wrote to memory of 2192 776 rffxfll.exe 83 PID 2192 wrote to memory of 2004 2192 lfflflf.exe 84 PID 2192 wrote to memory of 2004 2192 lfflflf.exe 84 PID 2192 wrote to memory of 2004 2192 lfflflf.exe 84 PID 2004 wrote to memory of 4916 2004 u428486.exe 85 PID 2004 wrote to memory of 4916 2004 u428486.exe 85 PID 2004 wrote to memory of 4916 2004 u428486.exe 85 PID 4916 wrote to memory of 4208 4916 thnnnh.exe 86 PID 4916 wrote to memory of 4208 4916 thnnnh.exe 86 PID 4916 wrote to memory of 4208 4916 thnnnh.exe 86 PID 4208 wrote to memory of 1812 4208 ffxlllx.exe 87 PID 4208 wrote to memory of 1812 4208 ffxlllx.exe 87 PID 4208 wrote to memory of 1812 4208 ffxlllx.exe 87 PID 1812 wrote to memory of 3888 1812 o442048.exe 88 PID 1812 wrote to memory of 3888 1812 o442048.exe 88 PID 1812 wrote to memory of 3888 1812 o442048.exe 88 PID 3888 wrote to memory of 4260 3888 hbtnhb.exe 89 PID 3888 wrote to memory of 4260 3888 hbtnhb.exe 89 PID 3888 wrote to memory of 4260 3888 hbtnhb.exe 89 PID 4260 wrote to memory of 948 4260 bbhbtt.exe 90 PID 4260 wrote to memory of 948 4260 bbhbtt.exe 90 PID 4260 wrote to memory of 948 4260 bbhbtt.exe 90 PID 948 wrote to memory of 964 948 282048.exe 91 PID 948 wrote to memory of 964 948 282048.exe 91 PID 948 wrote to memory of 964 948 282048.exe 91 PID 964 wrote to memory of 1436 964 xllxrlx.exe 92 PID 964 wrote to memory of 1436 964 xllxrlx.exe 92 PID 964 wrote to memory of 1436 964 xllxrlx.exe 92 PID 1436 wrote to memory of 3524 1436 vjdpj.exe 93 PID 1436 wrote to memory 
of 3524 1436 vjdpj.exe 93 PID 1436 wrote to memory of 3524 1436 vjdpj.exe 93 PID 3524 wrote to memory of 2292 3524 u828068.exe 94 PID 3524 wrote to memory of 2292 3524 u828068.exe 94 PID 3524 wrote to memory of 2292 3524 u828068.exe 94 PID 2292 wrote to memory of 244 2292 1lfrlfr.exe 95 PID 2292 wrote to memory of 244 2292 1lfrlfr.exe 95 PID 2292 wrote to memory of 244 2292 1lfrlfr.exe 95 PID 244 wrote to memory of 3552 244 464422.exe 96 PID 244 wrote to memory of 3552 244 464422.exe 96 PID 244 wrote to memory of 3552 244 464422.exe 96 PID 3552 wrote to memory of 4512 3552 5rxrrlr.exe 97 PID 3552 wrote to memory of 4512 3552 5rxrrlr.exe 97 PID 3552 wrote to memory of 4512 3552 5rxrrlr.exe 97 PID 4512 wrote to memory of 3668 4512 nhnhnh.exe 98 PID 4512 wrote to memory of 3668 4512 nhnhnh.exe 98 PID 4512 wrote to memory of 3668 4512 nhnhnh.exe 98 PID 3668 wrote to memory of 3644 3668 ppdvp.exe 99 PID 3668 wrote to memory of 3644 3668 ppdvp.exe 99 PID 3668 wrote to memory of 3644 3668 ppdvp.exe 99 PID 3644 wrote to memory of 4312 3644 20866.exe 100 PID 3644 wrote to memory of 4312 3644 20866.exe 100 PID 3644 wrote to memory of 4312 3644 20866.exe 100 PID 4312 wrote to memory of 1500 4312 m8264.exe 101 PID 4312 wrote to memory of 1500 4312 m8264.exe 101 PID 4312 wrote to memory of 1500 4312 m8264.exe 101 PID 1500 wrote to memory of 100 1500 3jdpj.exe 102 PID 1500 wrote to memory of 100 1500 3jdpj.exe 102 PID 1500 wrote to memory of 100 1500 3jdpj.exe 102 PID 100 wrote to memory of 4280 100 jdvdp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe"C:\Users\Admin\AppData\Local\Temp\86831f114facbc9a83c01f3bfa9aeb57ae90c0877efe9ba7c40374ee96555418N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\rffxfll.exec:\rffxfll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\lfflflf.exec:\lfflflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\u428486.exec:\u428486.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\thnnnh.exec:\thnnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\ffxlllx.exec:\ffxlllx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\o442048.exec:\o442048.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\hbtnhb.exec:\hbtnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\bbhbtt.exec:\bbhbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\282048.exec:\282048.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\xllxrlx.exec:\xllxrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\vjdpj.exec:\vjdpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\u828068.exec:\u828068.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\1lfrlfr.exec:\1lfrlfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\464422.exec:\464422.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\5rxrrlr.exec:\5rxrrlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\nhnhnh.exec:\nhnhnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\ppdvp.exec:\ppdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\20866.exec:\20866.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\m8264.exec:\m8264.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\3jdpj.exec:\3jdpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\jdvdp.exec:\jdvdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\flrfflx.exec:\flrfflx.exe23⤵
- Executes dropped EXE
PID:4280 -
\??\c:\840426.exec:\840426.exe24⤵
- Executes dropped EXE
PID:664 -
\??\c:\5jpdp.exec:\5jpdp.exe25⤵
- Executes dropped EXE
PID:4268 -
\??\c:\bttnnn.exec:\bttnnn.exe26⤵
- Executes dropped EXE
PID:5084 -
\??\c:\vpvjp.exec:\vpvjp.exe27⤵
- Executes dropped EXE
PID:1240 -
\??\c:\c004860.exec:\c004860.exe28⤵
- Executes dropped EXE
PID:1388 -
\??\c:\5btnbb.exec:\5btnbb.exe29⤵
- Executes dropped EXE
PID:1212 -
\??\c:\w44288.exec:\w44288.exe30⤵
- Executes dropped EXE
PID:4012 -
\??\c:\5jjdp.exec:\5jjdp.exe31⤵
- Executes dropped EXE
PID:3996 -
\??\c:\pjdvv.exec:\pjdvv.exe32⤵
- Executes dropped EXE
PID:2840 -
\??\c:\u404664.exec:\u404664.exe33⤵
- Executes dropped EXE
PID:4588 -
\??\c:\46208.exec:\46208.exe34⤵
- Executes dropped EXE
PID:2436 -
\??\c:\tbnbhh.exec:\tbnbhh.exe35⤵
- Executes dropped EXE
PID:4904 -
\??\c:\q84204.exec:\q84204.exe36⤵
- Executes dropped EXE
PID:3692 -
\??\c:\860860.exec:\860860.exe37⤵
- Executes dropped EXE
PID:3184 -
\??\c:\00648.exec:\00648.exe38⤵
- Executes dropped EXE
PID:2976 -
\??\c:\2008260.exec:\2008260.exe39⤵
- Executes dropped EXE
PID:1396 -
\??\c:\pddvj.exec:\pddvj.exe40⤵
- Executes dropped EXE
PID:4184 -
\??\c:\ppvvp.exec:\ppvvp.exe41⤵
- Executes dropped EXE
PID:3384 -
\??\c:\thnhhh.exec:\thnhhh.exe42⤵
- Executes dropped EXE
PID:1464 -
\??\c:\s4844.exec:\s4844.exe43⤵
- Executes dropped EXE
PID:4788 -
\??\c:\jvdvj.exec:\jvdvj.exe44⤵
- Executes dropped EXE
PID:4684 -
\??\c:\s2228.exec:\s2228.exe45⤵
- Executes dropped EXE
PID:4864 -
\??\c:\20460.exec:\20460.exe46⤵
- Executes dropped EXE
PID:4528 -
\??\c:\xrlrlrl.exec:\xrlrlrl.exe47⤵
- Executes dropped EXE
PID:3860 -
\??\c:\1xxlxrl.exec:\1xxlxrl.exe48⤵
- Executes dropped EXE
PID:3636 -
\??\c:\bbhbnh.exec:\bbhbnh.exe49⤵
- Executes dropped EXE
PID:3472 -
\??\c:\6626482.exec:\6626482.exe50⤵
- Executes dropped EXE
PID:1796 -
\??\c:\nhthbt.exec:\nhthbt.exe51⤵
- Executes dropped EXE
PID:1444 -
\??\c:\ntttht.exec:\ntttht.exe52⤵
- Executes dropped EXE
PID:4976 -
\??\c:\822648.exec:\822648.exe53⤵
- Executes dropped EXE
PID:4416 -
\??\c:\pvdvp.exec:\pvdvp.exe54⤵
- Executes dropped EXE
PID:3712 -
\??\c:\rlxrrlr.exec:\rlxrrlr.exe55⤵
- Executes dropped EXE
PID:4408 -
\??\c:\0826004.exec:\0826004.exe56⤵
- Executes dropped EXE
PID:4484 -
\??\c:\24042.exec:\24042.exe57⤵
- Executes dropped EXE
PID:3948 -
\??\c:\nbbthb.exec:\nbbthb.exe58⤵
- Executes dropped EXE
PID:2152 -
\??\c:\28482.exec:\28482.exe59⤵
- Executes dropped EXE
PID:5044 -
\??\c:\k62082.exec:\k62082.exe60⤵
- Executes dropped EXE
PID:888 -
\??\c:\6048260.exec:\6048260.exe61⤵
- Executes dropped EXE
PID:448 -
\??\c:\hthtnh.exec:\hthtnh.exe62⤵
- Executes dropped EXE
PID:4508 -
\??\c:\868664.exec:\868664.exe63⤵
- Executes dropped EXE
PID:2004 -
\??\c:\7rfxrrl.exec:\7rfxrrl.exe64⤵
- Executes dropped EXE
PID:2300 -
\??\c:\thhbtn.exec:\thhbtn.exe65⤵
- Executes dropped EXE
PID:3944 -
\??\c:\e82608.exec:\e82608.exe66⤵PID:4728
-
\??\c:\s4426.exec:\s4426.exe67⤵PID:4208
-
\??\c:\tntnnh.exec:\tntnnh.exe68⤵PID:2876
-
\??\c:\242240.exec:\242240.exe69⤵PID:2736
-
\??\c:\8060426.exec:\8060426.exe70⤵PID:4016
-
\??\c:\i804820.exec:\i804820.exe71⤵PID:2776
-
\??\c:\0660882.exec:\0660882.exe72⤵PID:1280
-
\??\c:\7llxrrf.exec:\7llxrrf.exe73⤵PID:964
-
\??\c:\4444826.exec:\4444826.exe74⤵PID:4020
-
\??\c:\084260.exec:\084260.exe75⤵PID:3524
-
\??\c:\i800826.exec:\i800826.exe76⤵PID:4284
-
\??\c:\i620442.exec:\i620442.exe77⤵PID:3160
-
\??\c:\lrxlxrf.exec:\lrxlxrf.exe78⤵PID:436
-
\??\c:\440042.exec:\440042.exe79⤵PID:2644
-
\??\c:\i060444.exec:\i060444.exe80⤵PID:4796
-
\??\c:\xrxrxrx.exec:\xrxrxrx.exe81⤵PID:1340
-
\??\c:\424426.exec:\424426.exe82⤵PID:1716
-
\??\c:\2804600.exec:\2804600.exe83⤵PID:4896
-
\??\c:\lflfflf.exec:\lflfflf.exe84⤵PID:1984
-
\??\c:\nhbhbn.exec:\nhbhbn.exe85⤵PID:1892
-
\??\c:\9ppjj.exec:\9ppjj.exe86⤵
- System Location Discovery: System Language Discovery
PID:3560 -
\??\c:\m6826.exec:\m6826.exe87⤵PID:2172
-
\??\c:\0804266.exec:\0804266.exe88⤵PID:2588
-
\??\c:\btnttt.exec:\btnttt.exe89⤵PID:1636
-
\??\c:\bbthtb.exec:\bbthtb.exe90⤵PID:3152
-
\??\c:\thbnnn.exec:\thbnnn.exe91⤵PID:1896
-
\??\c:\0826604.exec:\0826604.exe92⤵PID:1240
-
\??\c:\8448820.exec:\8448820.exe93⤵
- System Location Discovery: System Language Discovery
PID:5036 -
\??\c:\nbhbtt.exec:\nbhbtt.exe94⤵PID:2000
-
\??\c:\xrxrrrx.exec:\xrxrrrx.exe95⤵PID:4720
-
\??\c:\24046.exec:\24046.exe96⤵PID:3964
-
\??\c:\7xxrllf.exec:\7xxrllf.exe97⤵PID:228
-
\??\c:\nbnbhb.exec:\nbnbhb.exe98⤵PID:2824
-
\??\c:\5nnnbn.exec:\5nnnbn.exe99⤵PID:1196
-
\??\c:\48048.exec:\48048.exe100⤵PID:2604
-
\??\c:\80042.exec:\80042.exe101⤵
- System Location Discovery: System Language Discovery
PID:4704 -
\??\c:\tnbbhh.exec:\tnbbhh.exe102⤵PID:1148
-
\??\c:\680044.exec:\680044.exe103⤵PID:1384
-
\??\c:\c060060.exec:\c060060.exe104⤵PID:1464
-
\??\c:\ppdvv.exec:\ppdvv.exe105⤵PID:2392
-
\??\c:\g0048.exec:\g0048.exe106⤵PID:3000
-
\??\c:\w66044.exec:\w66044.exe107⤵PID:2340
-
\??\c:\ppvpd.exec:\ppvpd.exe108⤵PID:4844
-
\??\c:\860042.exec:\860042.exe109⤵PID:3640
-
\??\c:\0804444.exec:\0804444.exe110⤵PID:4468
-
\??\c:\2808226.exec:\2808226.exe111⤵PID:3472
-
\??\c:\g2260.exec:\g2260.exe112⤵PID:4892
-
\??\c:\24086.exec:\24086.exe113⤵PID:3896
-
\??\c:\vjvpd.exec:\vjvpd.exe114⤵PID:3660
-
\??\c:\nbbthb.exec:\nbbthb.exe115⤵PID:3304
-
\??\c:\0068226.exec:\0068226.exe116⤵PID:4416
-
\??\c:\nhnhbb.exec:\nhnhbb.exe117⤵PID:3712
-
\??\c:\6282666.exec:\6282666.exe118⤵PID:1704
-
\??\c:\648622.exec:\648622.exe119⤵PID:4448
-
\??\c:\640444.exec:\640444.exe120⤵PID:380
-
\??\c:\a2264.exec:\a2264.exe121⤵PID:5044
-
\??\c:\q22228.exec:\q22228.exe122⤵PID:4120