Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 20:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
168db49ba71e0b54bcb12af5779f46805ad57d303de8df403cbcf16e94079e02N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
168db49ba71e0b54bcb12af5779f46805ad57d303de8df403cbcf16e94079e02N.exe
-
Size
454KB
-
MD5
f8ae8b15d54b6dac1087894e8b68c9a0
-
SHA1
f8dcf0fad802aa27beaacc9ed509476fffd30e69
-
SHA256
168db49ba71e0b54bcb12af5779f46805ad57d303de8df403cbcf16e94079e02
-
SHA512
a3e2a39232a73e7ddbd9e121ad1a8e6ab0cd842944e19ddf41d0c7c6d23306de5d8b8b4def162d38f01cb98e0ac1b6918b012ec9e4a7310d07581fe2d0869142
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1832-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1596-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2452-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-961-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4160-1321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5084 flrlfxx.exe 4944 7llflrl.exe 2596 a6826.exe 3572 400044.exe 2124 8448826.exe 3140 vpppp.exe 3260 3tbbtt.exe 2056 nbhbbb.exe 4992 k48266.exe 4320 pjvvp.exe 4796 8626048.exe 1240 7vvvv.exe 4200 484822.exe 3992 9xxxrxr.exe 3548 4626000.exe 1508 022662.exe 1212 frxrrrx.exe 4804 028222.exe 2112 064488.exe 5036 hbthtn.exe 4556 48882.exe 3416 frlxxlf.exe 2068 3vvpd.exe 4900 nhbnnn.exe 3228 s4200.exe 1596 jjpjj.exe 2736 2868426.exe 3852 u288826.exe 2956 60060.exe 2848 848848.exe 4972 888268.exe 2408 htbtnh.exe 4536 k40462.exe 3732 vppjj.exe 1268 40660.exe 1520 20486.exe 4156 8622042.exe 4872 rxxrrfl.exe 652 bnnthh.exe 4160 20608.exe 4128 c668260.exe 5104 44842.exe 1832 llrlfxl.exe 3720 208608.exe 3112 6444888.exe 3584 u842862.exe 1000 djjdv.exe 3572 06642.exe 2416 5xlfxrf.exe 1708 jdvpj.exe 2500 08428.exe 2176 s4088.exe 1196 26600.exe 628 024460.exe 4992 nttnbb.exe 3324 9thnnb.exe 4320 426080.exe 3204 tttbtt.exe 1940 484826.exe 1240 9frfxxl.exe 4200 3vpjd.exe 3716 bnhbtn.exe 2768 1tbnnt.exe 1508 062042.exe -
resource yara_rule behavioral2/memory/1832-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3852-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-367-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4244-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-659-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 064242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 226666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llflrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
dvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1832 wrote to memory of 5084 1832 168db49ba71e0b54bcb12af5779f46805ad57d303de8df403cbcf16e94079e02N.exe 83 PID 1832 wrote to memory of 5084 1832 168db49ba71e0b54bcb12af5779f46805ad57d303de8df403cbcf16e94079e02N.exe 83 PID 1832 wrote to memory of 5084 1832 168db49ba71e0b54bcb12af5779f46805ad57d303de8df403cbcf16e94079e02N.exe 83 PID 5084 wrote to memory of 4944 5084 flrlfxx.exe 84 PID 5084 wrote to memory of 4944 5084 flrlfxx.exe 84 PID 5084 wrote to memory of 4944 5084 flrlfxx.exe 84 PID 4944 wrote to memory of 2596 4944 7llflrl.exe 85 PID 4944 wrote to memory of 2596 4944 7llflrl.exe 85 PID 4944 wrote to memory of 2596 4944 7llflrl.exe 85 PID 2596 wrote to memory of 3572 2596 a6826.exe 86 PID 2596 wrote to memory of 3572 2596 a6826.exe 86 PID 2596 wrote to memory of 3572 2596 a6826.exe 86 PID 3572 wrote to memory of 2124 3572 400044.exe 87 PID 3572 wrote to memory of 2124 3572 400044.exe 87 PID 3572 wrote to memory of 2124 3572 400044.exe 87 PID 2124 wrote to memory of 3140 2124 8448826.exe 88 PID 2124 wrote to memory of 3140 2124 8448826.exe 88 PID 2124 wrote to memory of 3140 2124 8448826.exe 88 PID 3140 wrote to memory of 3260 3140 vpppp.exe 89 PID 3140 wrote to memory of 3260 3140 vpppp.exe 89 PID 3140 wrote to memory of 3260 3140 vpppp.exe 89 PID 3260 wrote to memory of 2056 3260 3tbbtt.exe 90 PID 3260 wrote to memory of 2056 3260 3tbbtt.exe 90 PID 3260 wrote to memory of 2056 3260 3tbbtt.exe 90 PID 2056 wrote to memory of 4992 2056 nbhbbb.exe 91 PID 2056 wrote to memory of 4992 2056 nbhbbb.exe 91 PID 2056 wrote to memory of 4992 2056 nbhbbb.exe 91 PID 4992 wrote to memory of 4320 4992 k48266.exe 92 PID 4992 wrote to memory of 4320 4992 k48266.exe 92 PID 4992 wrote to memory of 4320 4992 k48266.exe 92 PID 4320 wrote to memory of 4796 4320 pjvvp.exe 93 PID 4320 wrote to memory of 4796 4320 pjvvp.exe 93 PID 4320 wrote to memory of 4796 4320 pjvvp.exe 93 PID 4796 wrote to memory of 1240 4796 8626048.exe 143 PID 4796 wrote 
to memory of 1240 4796 8626048.exe 143 PID 4796 wrote to memory of 1240 4796 8626048.exe 143 PID 1240 wrote to memory of 4200 1240 7vvvv.exe 144 PID 1240 wrote to memory of 4200 1240 7vvvv.exe 144 PID 1240 wrote to memory of 4200 1240 7vvvv.exe 144 PID 4200 wrote to memory of 3992 4200 484822.exe 96 PID 4200 wrote to memory of 3992 4200 484822.exe 96 PID 4200 wrote to memory of 3992 4200 484822.exe 96 PID 3992 wrote to memory of 3548 3992 9xxxrxr.exe 97 PID 3992 wrote to memory of 3548 3992 9xxxrxr.exe 97 PID 3992 wrote to memory of 3548 3992 9xxxrxr.exe 97 PID 3548 wrote to memory of 1508 3548 4626000.exe 147 PID 3548 wrote to memory of 1508 3548 4626000.exe 147 PID 3548 wrote to memory of 1508 3548 4626000.exe 147 PID 1508 wrote to memory of 1212 1508 022662.exe 99 PID 1508 wrote to memory of 1212 1508 022662.exe 99 PID 1508 wrote to memory of 1212 1508 022662.exe 99 PID 1212 wrote to memory of 4804 1212 frxrrrx.exe 100 PID 1212 wrote to memory of 4804 1212 frxrrrx.exe 100 PID 1212 wrote to memory of 4804 1212 frxrrrx.exe 100 PID 4804 wrote to memory of 2112 4804 028222.exe 101 PID 4804 wrote to memory of 2112 4804 028222.exe 101 PID 4804 wrote to memory of 2112 4804 028222.exe 101 PID 2112 wrote to memory of 5036 2112 064488.exe 102 PID 2112 wrote to memory of 5036 2112 064488.exe 102 PID 2112 wrote to memory of 5036 2112 064488.exe 102 PID 5036 wrote to memory of 4556 5036 hbthtn.exe 103 PID 5036 wrote to memory of 4556 5036 hbthtn.exe 103 PID 5036 wrote to memory of 4556 5036 hbthtn.exe 103 PID 4556 wrote to memory of 3416 4556 48882.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\168db49ba71e0b54bcb12af5779f46805ad57d303de8df403cbcf16e94079e02N.exe"C:\Users\Admin\AppData\Local\Temp\168db49ba71e0b54bcb12af5779f46805ad57d303de8df403cbcf16e94079e02N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\flrlfxx.exec:\flrlfxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\7llflrl.exec:\7llflrl.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\a6826.exec:\a6826.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\400044.exec:\400044.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\8448826.exec:\8448826.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\vpppp.exec:\vpppp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\3tbbtt.exec:\3tbbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\nbhbbb.exec:\nbhbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\k48266.exec:\k48266.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\pjvvp.exec:\pjvvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\8626048.exec:\8626048.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\7vvvv.exec:\7vvvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\484822.exec:\484822.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\9xxxrxr.exec:\9xxxrxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\4626000.exec:\4626000.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\022662.exec:\022662.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\frxrrrx.exec:\frxrrrx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\028222.exec:\028222.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\064488.exec:\064488.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\hbthtn.exec:\hbthtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\48882.exec:\48882.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\frlxxlf.exec:\frlxxlf.exe23⤵
- Executes dropped EXE
PID:3416 -
\??\c:\3vvpd.exec:\3vvpd.exe24⤵
- Executes dropped EXE
PID:2068 -
\??\c:\nhbnnn.exec:\nhbnnn.exe25⤵
- Executes dropped EXE
PID:4900 -
\??\c:\s4200.exec:\s4200.exe26⤵
- Executes dropped EXE
PID:3228 -
\??\c:\jjpjj.exec:\jjpjj.exe27⤵
- Executes dropped EXE
PID:1596 -
\??\c:\2868426.exec:\2868426.exe28⤵
- Executes dropped EXE
PID:2736 -
\??\c:\u288826.exec:\u288826.exe29⤵
- Executes dropped EXE
PID:3852 -
\??\c:\60060.exec:\60060.exe30⤵
- Executes dropped EXE
PID:2956 -
\??\c:\848848.exec:\848848.exe31⤵
- Executes dropped EXE
PID:2848 -
\??\c:\888268.exec:\888268.exe32⤵
- Executes dropped EXE
PID:4972 -
\??\c:\htbtnh.exec:\htbtnh.exe33⤵
- Executes dropped EXE
PID:2408 -
\??\c:\k40462.exec:\k40462.exe34⤵
- Executes dropped EXE
PID:4536 -
\??\c:\vppjj.exec:\vppjj.exe35⤵
- Executes dropped EXE
PID:3732 -
\??\c:\40660.exec:\40660.exe36⤵
- Executes dropped EXE
PID:1268 -
\??\c:\20486.exec:\20486.exe37⤵
- Executes dropped EXE
PID:1520 -
\??\c:\8622042.exec:\8622042.exe38⤵
- Executes dropped EXE
PID:4156 -
\??\c:\rxxrrfl.exec:\rxxrrfl.exe39⤵
- Executes dropped EXE
PID:4872 -
\??\c:\bnnthh.exec:\bnnthh.exe40⤵
- Executes dropped EXE
PID:652 -
\??\c:\20608.exec:\20608.exe41⤵
- Executes dropped EXE
PID:4160 -
\??\c:\c668260.exec:\c668260.exe42⤵
- Executes dropped EXE
PID:4128 -
\??\c:\o826082.exec:\o826082.exe43⤵PID:388
-
\??\c:\44842.exec:\44842.exe44⤵
- Executes dropped EXE
PID:5104 -
\??\c:\llrlfxl.exec:\llrlfxl.exe45⤵
- Executes dropped EXE
PID:1832 -
\??\c:\208608.exec:\208608.exe46⤵
- Executes dropped EXE
PID:3720 -
\??\c:\6444888.exec:\6444888.exe47⤵
- Executes dropped EXE
PID:3112 -
\??\c:\u842862.exec:\u842862.exe48⤵
- Executes dropped EXE
PID:3584 -
\??\c:\djjdv.exec:\djjdv.exe49⤵
- Executes dropped EXE
PID:1000 -
\??\c:\06642.exec:\06642.exe50⤵
- Executes dropped EXE
PID:3572 -
\??\c:\5xlfxrf.exec:\5xlfxrf.exe51⤵
- Executes dropped EXE
PID:2416 -
\??\c:\jdvpj.exec:\jdvpj.exe52⤵
- Executes dropped EXE
PID:1708 -
\??\c:\08428.exec:\08428.exe53⤵
- Executes dropped EXE
PID:2500 -
\??\c:\s4088.exec:\s4088.exe54⤵
- Executes dropped EXE
PID:2176 -
\??\c:\26600.exec:\26600.exe55⤵
- Executes dropped EXE
PID:1196 -
\??\c:\024460.exec:\024460.exe56⤵
- Executes dropped EXE
PID:628 -
\??\c:\nttnbb.exec:\nttnbb.exe57⤵
- Executes dropped EXE
PID:4992 -
\??\c:\9thnnb.exec:\9thnnb.exe58⤵
- Executes dropped EXE
PID:3324 -
\??\c:\426080.exec:\426080.exe59⤵
- Executes dropped EXE
PID:4320 -
\??\c:\tttbtt.exec:\tttbtt.exe60⤵
- Executes dropped EXE
PID:3204 -
\??\c:\484826.exec:\484826.exe61⤵
- Executes dropped EXE
PID:1940 -
\??\c:\9frfxxl.exec:\9frfxxl.exe62⤵
- Executes dropped EXE
PID:1240 -
\??\c:\3vpjd.exec:\3vpjd.exe63⤵
- Executes dropped EXE
PID:4200 -
\??\c:\bnhbtn.exec:\bnhbtn.exe64⤵
- Executes dropped EXE
PID:3716 -
\??\c:\1tbnnt.exec:\1tbnnt.exe65⤵
- Executes dropped EXE
PID:2768 -
\??\c:\062042.exec:\062042.exe66⤵
- Executes dropped EXE
PID:1508 -
\??\c:\2246620.exec:\2246620.exe67⤵PID:2352
-
\??\c:\vvddj.exec:\vvddj.exe68⤵PID:2496
-
\??\c:\4448442.exec:\4448442.exe69⤵PID:2980
-
\??\c:\08088.exec:\08088.exe70⤵PID:4804
-
\??\c:\m8866.exec:\m8866.exe71⤵PID:592
-
\??\c:\pvjvj.exec:\pvjvj.exe72⤵PID:3464
-
\??\c:\226222.exec:\226222.exe73⤵PID:3340
-
\??\c:\ddppj.exec:\ddppj.exe74⤵PID:1200
-
\??\c:\406082.exec:\406082.exe75⤵PID:3416
-
\??\c:\280866.exec:\280866.exe76⤵PID:2212
-
\??\c:\7hnhbb.exec:\7hnhbb.exe77⤵PID:2068
-
\??\c:\6842022.exec:\6842022.exe78⤵PID:5052
-
\??\c:\848844.exec:\848844.exe79⤵PID:3212
-
\??\c:\hbbtnh.exec:\hbbtnh.exe80⤵PID:1220
-
\??\c:\820282.exec:\820282.exe81⤵PID:4584
-
\??\c:\o426666.exec:\o426666.exe82⤵PID:2440
-
\??\c:\066604.exec:\066604.exe83⤵PID:3848
-
\??\c:\e42244.exec:\e42244.exe84⤵PID:2364
-
\??\c:\48886.exec:\48886.exe85⤵PID:2452
-
\??\c:\002048.exec:\002048.exe86⤵PID:1936
-
\??\c:\bnnhbt.exec:\bnnhbt.exe87⤵PID:4916
-
\??\c:\bbtbhn.exec:\bbtbhn.exe88⤵PID:3312
-
\??\c:\nhnhhh.exec:\nhnhhh.exe89⤵PID:5020
-
\??\c:\66422.exec:\66422.exe90⤵PID:4536
-
\??\c:\xlxrlfl.exec:\xlxrlfl.exe91⤵PID:4244
-
\??\c:\28448.exec:\28448.exe92⤵PID:4336
-
\??\c:\86842.exec:\86842.exe93⤵PID:3304
-
\??\c:\jvvpj.exec:\jvvpj.exe94⤵PID:4364
-
\??\c:\e62422.exec:\e62422.exe95⤵PID:2088
-
\??\c:\u804040.exec:\u804040.exe96⤵PID:4380
-
\??\c:\hhhhtn.exec:\hhhhtn.exe97⤵PID:4312
-
\??\c:\4282600.exec:\4282600.exe98⤵PID:4436
-
\??\c:\k40408.exec:\k40408.exe99⤵PID:1080
-
\??\c:\6426668.exec:\6426668.exe100⤵PID:4192
-
\??\c:\1jjdv.exec:\1jjdv.exe101⤵PID:4328
-
\??\c:\7ppvd.exec:\7ppvd.exe102⤵PID:1964
-
\??\c:\5jjdp.exec:\5jjdp.exe103⤵PID:3452
-
\??\c:\bhtnht.exec:\bhtnht.exe104⤵PID:4944
-
\??\c:\pjpjd.exec:\pjpjd.exe105⤵PID:1384
-
\??\c:\7xxfffx.exec:\7xxfffx.exe106⤵PID:396
-
\??\c:\040488.exec:\040488.exe107⤵PID:3588
-
\??\c:\86604.exec:\86604.exe108⤵PID:2532
-
\??\c:\jdpdv.exec:\jdpdv.exe109⤵PID:764
-
\??\c:\2806444.exec:\2806444.exe110⤵PID:4124
-
\??\c:\jddvd.exec:\jddvd.exe111⤵PID:3748
-
\??\c:\dpdvp.exec:\dpdvp.exe112⤵PID:1036
-
\??\c:\fllfxrl.exec:\fllfxrl.exe113⤵PID:2712
-
\??\c:\s4004.exec:\s4004.exe114⤵PID:3288
-
\??\c:\i000044.exec:\i000044.exe115⤵PID:1996
-
\??\c:\0260482.exec:\0260482.exe116⤵PID:1664
-
\??\c:\4888882.exec:\4888882.exe117⤵PID:2172
-
\??\c:\bnhhbb.exec:\bnhhbb.exe118⤵PID:1240
-
\??\c:\bbhthb.exec:\bbhthb.exe119⤵PID:4200
-
\??\c:\g4088.exec:\g4088.exe120⤵PID:3192
-
\??\c:\9lrlllr.exec:\9lrlllr.exe121⤵PID:2748
-
\??\c:\lrlflfl.exec:\lrlflfl.exe122⤵PID:2768