Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 22:02
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
487870bf25ab8469f039b998cf633233534f8c0408e67c050ffeb4eec930cfe4.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
487870bf25ab8469f039b998cf633233534f8c0408e67c050ffeb4eec930cfe4.exe
-
Size
454KB
-
MD5
d9ae31f29289ea8a8ec72eaa7e7af116
-
SHA1
3dae49950266693423f440d344de79a60da45be0
-
SHA256
487870bf25ab8469f039b998cf633233534f8c0408e67c050ffeb4eec930cfe4
-
SHA512
a192283a6cb4937f0155b326d8ae9b2c8d60ed15477cbe4c458b67f4c1d2d4efea9da76ec1877aef05218533c6fc64173819a7e875437fde36dcacc328967da5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet5:q7Tc2NYHUrAwfMp3CDt5
Malware Config
Signatures (every IoC below is tagged behavioral2, i.e. the windows10-2004_x64 / win10v2004-20241007-en run named in the Analysis header; the behavioral1 task on win7-20241010-en listed above is represented here only by its signature count)
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs — note that the family label rests on a memory YARA match: the same 0x0000000000400000-0x000000000042A000 region of each process is flagged both family_blackmoon here and upx below, so the rule is matching the in-memory (unpacked) image rather than any on-disk artefact. Treat this as a signature-based attribution to be confirmed against the sample's behaviour, not as an independent behavioural finding.
resource yara_rule behavioral2/memory/3144-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2692-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2188-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-742-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/708-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (PIDs repeat within this list — e.g. 2152, 1172, 1412, 4336 each appear against two different image names, and 3144 is both the original sample and a later nhnhhn.exe — which is PID reuse inside the 150 s run, not the same process twice; correlate stages by parent/child relationship and order, not by PID alone)
pid Process 2260 3nttnb.exe 3584 e80848.exe 1172 lrllffx.exe 2152 6446808.exe 1412 0660044.exe 1912 ffllrfx.exe 1196 5fxxfrx.exe 1116 062884.exe 1092 jpvvj.exe 4336 pjpjd.exe 4728 flrrlrl.exe 4976 pdppd.exe 384 1xrrlrr.exe 4768 6844844.exe 3640 2806044.exe 3736 4844400.exe 1692 688008.exe 1128 680000.exe 1104 m0204.exe 2012 28426.exe 2640 6664860.exe 4896 xlxllfl.exe 964 vvvpp.exe 3760 6286862.exe 3916 88202.exe 1348 httbhh.exe 1448 3pvpd.exe 2692 622644.exe 5048 fxfxrrl.exe 3336 68282.exe 4576 k26648.exe 4472 682042.exe 4568 3hnhtb.exe 1540 btbhtn.exe 660 nhhtnn.exe 1716 nhnnhn.exe 1984 7tbbtt.exe 1724 rffrxrr.exe 2532 488444.exe 5092 26606.exe 1924 8284660.exe 4772 5nhhhh.exe 4004 82226.exe 4028 fffxrrr.exe 4492 00688.exe 4124 040404.exe 1784 88288.exe 2888 tnttnb.exe 4440 4060048.exe 524 vvvvp.exe 3144 nhnhhn.exe 1016 7rxxxxx.exe 3952 g8042.exe 1172 466248.exe 2152 44844.exe 2336 064006.exe 1412 q40000.exe 2612 9tbbtb.exe 1020 lfxfrxr.exe 1320 lxflxfr.exe 3076 446626.exe 3328 ffllfll.exe 4152 k64002.exe 4336 888064.exe -
resource yara_rule behavioral2/memory/3144-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5048-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4872-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-729-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is a low-fidelity indicator on its own (legitimate installers read it too); its significance here is that it is performed by the dropped stages, and it is commonly used by malware as a locale-based execution gate — confirm from the sample whether execution is conditional on the value read.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0026600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o642604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2644866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4426004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46602.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 888286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0824646.exe -
Suspicious use of WriteProcessMemory 64 IoCs — in every entry below the target PID is the child the writer itself has just spawned (matching the dropped-EXE list and the process tree), recorded three times per parent/child pair. That pattern is consistent with writes made during process creation; no write into an unrelated, pre-existing process appears in the events shown, so this should not by itself be read as code injection into a third-party process.
description pid Process procid_target PID 3144 wrote to memory of 2260 3144 487870bf25ab8469f039b998cf633233534f8c0408e67c050ffeb4eec930cfe4.exe 83 PID 3144 wrote to memory of 2260 3144 487870bf25ab8469f039b998cf633233534f8c0408e67c050ffeb4eec930cfe4.exe 83 PID 3144 wrote to memory of 2260 3144 487870bf25ab8469f039b998cf633233534f8c0408e67c050ffeb4eec930cfe4.exe 83 PID 2260 wrote to memory of 3584 2260 3nttnb.exe 84 PID 2260 wrote to memory of 3584 2260 3nttnb.exe 84 PID 2260 wrote to memory of 3584 2260 3nttnb.exe 84 PID 3584 wrote to memory of 1172 3584 e80848.exe 85 PID 3584 wrote to memory of 1172 3584 e80848.exe 85 PID 3584 wrote to memory of 1172 3584 e80848.exe 85 PID 1172 wrote to memory of 2152 1172 lrllffx.exe 86 PID 1172 wrote to memory of 2152 1172 lrllffx.exe 86 PID 1172 wrote to memory of 2152 1172 lrllffx.exe 86 PID 2152 wrote to memory of 1412 2152 6446808.exe 87 PID 2152 wrote to memory of 1412 2152 6446808.exe 87 PID 2152 wrote to memory of 1412 2152 6446808.exe 87 PID 1412 wrote to memory of 1912 1412 0660044.exe 88 PID 1412 wrote to memory of 1912 1412 0660044.exe 88 PID 1412 wrote to memory of 1912 1412 0660044.exe 88 PID 1912 wrote to memory of 1196 1912 ffllrfx.exe 89 PID 1912 wrote to memory of 1196 1912 ffllrfx.exe 89 PID 1912 wrote to memory of 1196 1912 ffllrfx.exe 89 PID 1196 wrote to memory of 1116 1196 5fxxfrx.exe 90 PID 1196 wrote to memory of 1116 1196 5fxxfrx.exe 90 PID 1196 wrote to memory of 1116 1196 5fxxfrx.exe 90 PID 1116 wrote to memory of 1092 1116 062884.exe 91 PID 1116 wrote to memory of 1092 1116 062884.exe 91 PID 1116 wrote to memory of 1092 1116 062884.exe 91 PID 1092 wrote to memory of 4336 1092 jpvvj.exe 92 PID 1092 wrote to memory of 4336 1092 jpvvj.exe 92 PID 1092 wrote to memory of 4336 1092 jpvvj.exe 92 PID 4336 wrote to memory of 4728 4336 pjpjd.exe 93 PID 4336 wrote to memory of 4728 4336 pjpjd.exe 93 PID 4336 wrote to memory of 4728 4336 pjpjd.exe 93 PID 4728 wrote to memory of 4976 4728 flrrlrl.exe 94 PID 4728 
wrote to memory of 4976 4728 flrrlrl.exe 94 PID 4728 wrote to memory of 4976 4728 flrrlrl.exe 94 PID 4976 wrote to memory of 384 4976 pdppd.exe 95 PID 4976 wrote to memory of 384 4976 pdppd.exe 95 PID 4976 wrote to memory of 384 4976 pdppd.exe 95 PID 384 wrote to memory of 4768 384 1xrrlrr.exe 96 PID 384 wrote to memory of 4768 384 1xrrlrr.exe 96 PID 384 wrote to memory of 4768 384 1xrrlrr.exe 96 PID 4768 wrote to memory of 3640 4768 6844844.exe 97 PID 4768 wrote to memory of 3640 4768 6844844.exe 97 PID 4768 wrote to memory of 3640 4768 6844844.exe 97 PID 3640 wrote to memory of 3736 3640 2806044.exe 98 PID 3640 wrote to memory of 3736 3640 2806044.exe 98 PID 3640 wrote to memory of 3736 3640 2806044.exe 98 PID 3736 wrote to memory of 1692 3736 4844400.exe 99 PID 3736 wrote to memory of 1692 3736 4844400.exe 99 PID 3736 wrote to memory of 1692 3736 4844400.exe 99 PID 1692 wrote to memory of 1128 1692 688008.exe 100 PID 1692 wrote to memory of 1128 1692 688008.exe 100 PID 1692 wrote to memory of 1128 1692 688008.exe 100 PID 1128 wrote to memory of 1104 1128 680000.exe 101 PID 1128 wrote to memory of 1104 1128 680000.exe 101 PID 1128 wrote to memory of 1104 1128 680000.exe 101 PID 1104 wrote to memory of 2012 1104 m0204.exe 102 PID 1104 wrote to memory of 2012 1104 m0204.exe 102 PID 1104 wrote to memory of 2012 1104 m0204.exe 102 PID 2012 wrote to memory of 2640 2012 28426.exe 103 PID 2012 wrote to memory of 2640 2012 28426.exe 103 PID 2012 wrote to memory of 2640 2012 28426.exe 103 PID 2640 wrote to memory of 4896 2640 6664860.exe 104
Processes (the sample runs from C:\Users\Admin\AppData\Local\Temp\ and every subsequent stage is a freshly dropped EXE in the root of the system drive, seen below as \??\c:\<name>.exe with short random letter/digit names, each launching the next in a strictly linear parent→child chain — a useful hunting pivot: newly created executables directly under C:\. The tree below is truncated at stage 122; several image names in the System Language Discovery IoC list above (e.g. 0026600.exe, vdpdp.exe) belong to later stages that are not shown.)
-
C:\Users\Admin\AppData\Local\Temp\487870bf25ab8469f039b998cf633233534f8c0408e67c050ffeb4eec930cfe4.exe"C:\Users\Admin\AppData\Local\Temp\487870bf25ab8469f039b998cf633233534f8c0408e67c050ffeb4eec930cfe4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\3nttnb.exec:\3nttnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\e80848.exec:\e80848.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\lrllffx.exec:\lrllffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\6446808.exec:\6446808.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\0660044.exec:\0660044.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\ffllrfx.exec:\ffllrfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\5fxxfrx.exec:\5fxxfrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\062884.exec:\062884.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\jpvvj.exec:\jpvvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\pjpjd.exec:\pjpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\flrrlrl.exec:\flrrlrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\pdppd.exec:\pdppd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\1xrrlrr.exec:\1xrrlrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\6844844.exec:\6844844.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\2806044.exec:\2806044.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\4844400.exec:\4844400.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\688008.exec:\688008.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\680000.exec:\680000.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\m0204.exec:\m0204.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\28426.exec:\28426.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\6664860.exec:\6664860.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\xlxllfl.exec:\xlxllfl.exe23⤵
- Executes dropped EXE
PID:4896 -
\??\c:\vvvpp.exec:\vvvpp.exe24⤵
- Executes dropped EXE
PID:964 -
\??\c:\6286862.exec:\6286862.exe25⤵
- Executes dropped EXE
PID:3760 -
\??\c:\88202.exec:\88202.exe26⤵
- Executes dropped EXE
PID:3916 -
\??\c:\httbhh.exec:\httbhh.exe27⤵
- Executes dropped EXE
PID:1348 -
\??\c:\3pvpd.exec:\3pvpd.exe28⤵
- Executes dropped EXE
PID:1448 -
\??\c:\622644.exec:\622644.exe29⤵
- Executes dropped EXE
PID:2692 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe30⤵
- Executes dropped EXE
PID:5048 -
\??\c:\68282.exec:\68282.exe31⤵
- Executes dropped EXE
PID:3336 -
\??\c:\k26648.exec:\k26648.exe32⤵
- Executes dropped EXE
PID:4576 -
\??\c:\682042.exec:\682042.exe33⤵
- Executes dropped EXE
PID:4472 -
\??\c:\3hnhtb.exec:\3hnhtb.exe34⤵
- Executes dropped EXE
PID:4568 -
\??\c:\btbhtn.exec:\btbhtn.exe35⤵
- Executes dropped EXE
PID:1540 -
\??\c:\nhhtnn.exec:\nhhtnn.exe36⤵
- Executes dropped EXE
PID:660 -
\??\c:\nhnnhn.exec:\nhnnhn.exe37⤵
- Executes dropped EXE
PID:1716 -
\??\c:\7tbbtt.exec:\7tbbtt.exe38⤵
- Executes dropped EXE
PID:1984 -
\??\c:\rffrxrr.exec:\rffrxrr.exe39⤵
- Executes dropped EXE
PID:1724 -
\??\c:\488444.exec:\488444.exe40⤵
- Executes dropped EXE
PID:2532 -
\??\c:\26606.exec:\26606.exe41⤵
- Executes dropped EXE
PID:5092 -
\??\c:\8284660.exec:\8284660.exe42⤵
- Executes dropped EXE
PID:1924 -
\??\c:\5nhhhh.exec:\5nhhhh.exe43⤵
- Executes dropped EXE
PID:4772 -
\??\c:\82226.exec:\82226.exe44⤵
- Executes dropped EXE
PID:4004 -
\??\c:\fffxrrr.exec:\fffxrrr.exe45⤵
- Executes dropped EXE
PID:4028 -
\??\c:\00688.exec:\00688.exe46⤵
- Executes dropped EXE
PID:4492 -
\??\c:\040404.exec:\040404.exe47⤵
- Executes dropped EXE
PID:4124 -
\??\c:\88288.exec:\88288.exe48⤵
- Executes dropped EXE
PID:1784 -
\??\c:\tnttnb.exec:\tnttnb.exe49⤵
- Executes dropped EXE
PID:2888 -
\??\c:\4060048.exec:\4060048.exe50⤵
- Executes dropped EXE
PID:4440 -
\??\c:\vvvvp.exec:\vvvvp.exe51⤵
- Executes dropped EXE
PID:524 -
\??\c:\nhnhhn.exec:\nhnhhn.exe52⤵
- Executes dropped EXE
PID:3144 -
\??\c:\7rxxxxx.exec:\7rxxxxx.exe53⤵
- Executes dropped EXE
PID:1016 -
\??\c:\g8042.exec:\g8042.exe54⤵
- Executes dropped EXE
PID:3952 -
\??\c:\466248.exec:\466248.exe55⤵
- Executes dropped EXE
PID:1172 -
\??\c:\44844.exec:\44844.exe56⤵
- Executes dropped EXE
PID:2152 -
\??\c:\064006.exec:\064006.exe57⤵
- Executes dropped EXE
PID:2336 -
\??\c:\q40000.exec:\q40000.exe58⤵
- Executes dropped EXE
PID:1412 -
\??\c:\9tbbtb.exec:\9tbbtb.exe59⤵
- Executes dropped EXE
PID:2612 -
\??\c:\lfxfrxr.exec:\lfxfrxr.exe60⤵
- Executes dropped EXE
PID:1020 -
\??\c:\lxflxfr.exec:\lxflxfr.exe61⤵
- Executes dropped EXE
PID:1320 -
\??\c:\446626.exec:\446626.exe62⤵
- Executes dropped EXE
PID:3076 -
\??\c:\ffllfll.exec:\ffllfll.exe63⤵
- Executes dropped EXE
PID:3328 -
\??\c:\k64002.exec:\k64002.exe64⤵
- Executes dropped EXE
PID:4152 -
\??\c:\888064.exec:\888064.exe65⤵
- Executes dropped EXE
PID:4336 -
\??\c:\xfllfll.exec:\xfllfll.exe66⤵PID:3256
-
\??\c:\hbntbb.exec:\hbntbb.exe67⤵PID:2992
-
\??\c:\m6660.exec:\m6660.exe68⤵PID:4480
-
\??\c:\4804668.exec:\4804668.exe69⤵PID:2188
-
\??\c:\rlrllll.exec:\rlrllll.exe70⤵PID:1840
-
\??\c:\pvjvp.exec:\pvjvp.exe71⤵PID:4084
-
\??\c:\c288664.exec:\c288664.exe72⤵PID:4208
-
\??\c:\80004.exec:\80004.exe73⤵PID:2768
-
\??\c:\00600.exec:\00600.exe74⤵PID:8
-
\??\c:\7pvdv.exec:\7pvdv.exe75⤵PID:4684
-
\??\c:\4268648.exec:\4268648.exe76⤵PID:4752
-
\??\c:\pvdvd.exec:\pvdvd.exe77⤵PID:4256
-
\??\c:\i284680.exec:\i284680.exe78⤵PID:4872
-
\??\c:\6446866.exec:\6446866.exe79⤵PID:1612
-
\??\c:\rrffffl.exec:\rrffffl.exe80⤵PID:1980
-
\??\c:\0824646.exec:\0824646.exe81⤵
- System Location Discovery: System Language Discovery
PID:1892 -
\??\c:\rxrrxff.exec:\rxrrxff.exe82⤵PID:2368
-
\??\c:\0002226.exec:\0002226.exe83⤵PID:3124
-
\??\c:\8288002.exec:\8288002.exe84⤵PID:3696
-
\??\c:\244462.exec:\244462.exe85⤵PID:3508
-
\??\c:\btbbbh.exec:\btbbbh.exe86⤵PID:2508
-
\??\c:\vdjvj.exec:\vdjvj.exe87⤵PID:1120
-
\??\c:\djppj.exec:\djppj.exe88⤵PID:4464
-
\??\c:\0028840.exec:\0028840.exe89⤵PID:3748
-
\??\c:\g2828.exec:\g2828.exe90⤵PID:2064
-
\??\c:\btnnbt.exec:\btnnbt.exe91⤵PID:4356
-
\??\c:\42448.exec:\42448.exe92⤵PID:1180
-
\??\c:\48068.exec:\48068.exe93⤵PID:4172
-
\??\c:\680000.exec:\680000.exe94⤵PID:2516
-
\??\c:\20604.exec:\20604.exe95⤵PID:3800
-
\??\c:\264406.exec:\264406.exe96⤵PID:1764
-
\??\c:\826822.exec:\826822.exe97⤵PID:3580
-
\??\c:\46202.exec:\46202.exe98⤵PID:4540
-
\??\c:\2804448.exec:\2804448.exe99⤵PID:3432
-
\??\c:\04208.exec:\04208.exe100⤵PID:3860
-
\??\c:\66224.exec:\66224.exe101⤵PID:368
-
\??\c:\xlllxll.exec:\xlllxll.exe102⤵PID:4456
-
\??\c:\nhntbn.exec:\nhntbn.exe103⤵PID:3964
-
\??\c:\rxflrfr.exec:\rxflrfr.exe104⤵PID:956
-
\??\c:\5jppv.exec:\5jppv.exe105⤵PID:1880
-
\??\c:\200008.exec:\200008.exe106⤵PID:4448
-
\??\c:\606284.exec:\606284.exe107⤵PID:4016
-
\??\c:\ttnnth.exec:\ttnnth.exe108⤵PID:4780
-
\??\c:\e68466.exec:\e68466.exe109⤵PID:1900
-
\??\c:\2626066.exec:\2626066.exe110⤵PID:4904
-
\??\c:\ttbnnt.exec:\ttbnnt.exe111⤵PID:2888
-
\??\c:\262262.exec:\262262.exe112⤵PID:4440
-
\??\c:\jpdvv.exec:\jpdvv.exe113⤵PID:524
-
\??\c:\c648288.exec:\c648288.exe114⤵PID:3144
-
\??\c:\nnhhtb.exec:\nnhhtb.exe115⤵PID:1456
-
\??\c:\llxxxfl.exec:\llxxxfl.exe116⤵PID:4184
-
\??\c:\ppvvd.exec:\ppvvd.exe117⤵PID:4572
-
\??\c:\04482.exec:\04482.exe118⤵PID:1576
-
\??\c:\rxxlllr.exec:\rxxlllr.exe119⤵PID:4832
-
\??\c:\c224488.exec:\c224488.exe120⤵PID:3920
-
\??\c:\660868.exec:\660868.exe121⤵PID:1788
-
\??\c:\hbbnht.exec:\hbbnht.exe122⤵PID:2612
-