Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 14:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe
-
Size
454KB
-
MD5
06241bd1d858ecd7dfbb1021e97c3a15
-
SHA1
96168875e1b52223de7e2beae79cb419f5ae4c7e
-
SHA256
333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47
-
SHA512
43aa10a2aac5a7fe1a3033a0902b4eb05df01db5d6e058a8ba38acb9e81f911ce65b7d5dd05f775ddce950a8776a042930d485d41661e88f6a58782db65acafc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/404-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4604-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2504-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-1084-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-1184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4436-1642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2552 dppjj.exe 4364 0280008.exe 1168 llxlffl.exe 4600 420066.exe 2004 fflrxxx.exe 2868 httntt.exe 3896 000262.exe 1808 7rlfxxr.exe 1272 fflrffl.exe 684 60606.exe 1632 dvdvv.exe 4592 66446.exe 3060 5djpv.exe 1468 ffrrxxx.exe 4972 62440.exe 5088 btbttt.exe 3012 04044.exe 5108 rllfxlf.exe 464 rfxlfrl.exe 3864 nthnnh.exe 2636 04004.exe 1684 m8884.exe 1824 44048.exe 2208 846044.exe 4604 btnthh.exe 3244 nbttbn.exe 2820 bhnhhh.exe 720 2282820.exe 4676 04660.exe 4076 djvpj.exe 2568 tnttnn.exe 4720 42406.exe 4332 xxlxrff.exe 4508 vdppp.exe 5020 1jpdv.exe 2044 hhttth.exe 1236 nbhtnn.exe 2504 40280.exe 4968 i426420.exe 4436 3pvvd.exe 2592 846600.exe 2316 jddvv.exe 2276 xlxrfxx.exe 4156 04600.exe 1692 8860448.exe 900 a6440.exe 3148 vvdpd.exe 400 48448.exe 3980 686624.exe 4232 468828.exe 4064 22488.exe 4952 jpvdp.exe 3312 lxllrfx.exe 4456 880448.exe 3200 hbtbth.exe 2104 84004.exe 2532 u226044.exe 3900 vjppp.exe 4728 7lrfllr.exe 380 60228.exe 2112 flrrllf.exe 2604 2626600.exe 3328 8622662.exe 4616 xfrlfff.exe -
resource yara_rule behavioral2/memory/404-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/720-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-420-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4308-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-815-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6448482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ppvd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 002666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flflrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q66488.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8282660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6022664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 240406.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 404 wrote to memory of 2552 404 333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe 84 PID 404 wrote to memory of 2552 404 333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe 84 PID 404 wrote to memory of 2552 404 333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe 84 PID 2552 wrote to memory of 4364 2552 dppjj.exe 85 PID 2552 wrote to memory of 4364 2552 dppjj.exe 85 PID 2552 wrote to memory of 4364 2552 dppjj.exe 85 PID 4364 wrote to memory of 1168 4364 0280008.exe 86 PID 4364 wrote to memory of 1168 4364 0280008.exe 86 PID 4364 wrote to memory of 1168 4364 0280008.exe 86 PID 1168 wrote to memory of 4600 1168 llxlffl.exe 87 PID 1168 wrote to memory of 4600 1168 llxlffl.exe 87 PID 1168 wrote to memory of 4600 1168 llxlffl.exe 87 PID 4600 wrote to memory of 2004 4600 420066.exe 88 PID 4600 wrote to memory of 2004 4600 420066.exe 88 PID 4600 wrote to memory of 2004 4600 420066.exe 88 PID 2004 wrote to memory of 2868 2004 fflrxxx.exe 89 PID 2004 wrote to memory of 2868 2004 fflrxxx.exe 89 PID 2004 wrote to memory of 2868 2004 fflrxxx.exe 89 PID 2868 wrote to memory of 3896 2868 httntt.exe 90 PID 2868 wrote to memory of 3896 2868 httntt.exe 90 PID 2868 wrote to memory of 3896 2868 httntt.exe 90 PID 3896 wrote to memory of 1808 3896 000262.exe 91 PID 3896 wrote to memory of 1808 3896 000262.exe 91 PID 3896 wrote to memory of 1808 3896 000262.exe 91 PID 1808 wrote to memory of 1272 1808 7rlfxxr.exe 92 PID 1808 wrote to memory of 1272 1808 7rlfxxr.exe 92 PID 1808 wrote to memory of 1272 1808 7rlfxxr.exe 92 PID 1272 wrote to memory of 684 1272 fflrffl.exe 93 PID 1272 wrote to memory of 684 1272 fflrffl.exe 93 PID 1272 wrote to memory of 684 1272 fflrffl.exe 93 PID 684 wrote to memory of 1632 684 60606.exe 94 PID 684 wrote to memory of 1632 684 60606.exe 94 PID 684 wrote to memory of 1632 684 60606.exe 94 PID 1632 wrote to memory of 4592 1632 dvdvv.exe 95 PID 1632 wrote to memory 
of 4592 1632 dvdvv.exe 95 PID 1632 wrote to memory of 4592 1632 dvdvv.exe 95 PID 4592 wrote to memory of 3060 4592 66446.exe 96 PID 4592 wrote to memory of 3060 4592 66446.exe 96 PID 4592 wrote to memory of 3060 4592 66446.exe 96 PID 3060 wrote to memory of 1468 3060 5djpv.exe 97 PID 3060 wrote to memory of 1468 3060 5djpv.exe 97 PID 3060 wrote to memory of 1468 3060 5djpv.exe 97 PID 1468 wrote to memory of 4972 1468 ffrrxxx.exe 98 PID 1468 wrote to memory of 4972 1468 ffrrxxx.exe 98 PID 1468 wrote to memory of 4972 1468 ffrrxxx.exe 98 PID 4972 wrote to memory of 5088 4972 62440.exe 99 PID 4972 wrote to memory of 5088 4972 62440.exe 99 PID 4972 wrote to memory of 5088 4972 62440.exe 99 PID 5088 wrote to memory of 3012 5088 btbttt.exe 100 PID 5088 wrote to memory of 3012 5088 btbttt.exe 100 PID 5088 wrote to memory of 3012 5088 btbttt.exe 100 PID 3012 wrote to memory of 5108 3012 04044.exe 101 PID 3012 wrote to memory of 5108 3012 04044.exe 101 PID 3012 wrote to memory of 5108 3012 04044.exe 101 PID 5108 wrote to memory of 464 5108 rllfxlf.exe 102 PID 5108 wrote to memory of 464 5108 rllfxlf.exe 102 PID 5108 wrote to memory of 464 5108 rllfxlf.exe 102 PID 464 wrote to memory of 3864 464 rfxlfrl.exe 103 PID 464 wrote to memory of 3864 464 rfxlfrl.exe 103 PID 464 wrote to memory of 3864 464 rfxlfrl.exe 103 PID 3864 wrote to memory of 2636 3864 nthnnh.exe 104 PID 3864 wrote to memory of 2636 3864 nthnnh.exe 104 PID 3864 wrote to memory of 2636 3864 nthnnh.exe 104 PID 2636 wrote to memory of 1684 2636 04004.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe"C:\Users\Admin\AppData\Local\Temp\333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\dppjj.exec:\dppjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\0280008.exec:\0280008.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\llxlffl.exec:\llxlffl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\420066.exec:\420066.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\fflrxxx.exec:\fflrxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\httntt.exec:\httntt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\000262.exec:\000262.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\7rlfxxr.exec:\7rlfxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\fflrffl.exec:\fflrffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\60606.exec:\60606.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\dvdvv.exec:\dvdvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\66446.exec:\66446.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\5djpv.exec:\5djpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\ffrrxxx.exec:\ffrrxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\62440.exec:\62440.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\btbttt.exec:\btbttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\04044.exec:\04044.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\rllfxlf.exec:\rllfxlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\rfxlfrl.exec:\rfxlfrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\nthnnh.exec:\nthnnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\04004.exec:\04004.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\m8884.exec:\m8884.exe23⤵
- Executes dropped EXE
PID:1684 -
\??\c:\44048.exec:\44048.exe24⤵
- Executes dropped EXE
PID:1824 -
\??\c:\846044.exec:\846044.exe25⤵
- Executes dropped EXE
PID:2208 -
\??\c:\btnthh.exec:\btnthh.exe26⤵
- Executes dropped EXE
PID:4604 -
\??\c:\nbttbn.exec:\nbttbn.exe27⤵
- Executes dropped EXE
PID:3244 -
\??\c:\bhnhhh.exec:\bhnhhh.exe28⤵
- Executes dropped EXE
PID:2820 -
\??\c:\2282820.exec:\2282820.exe29⤵
- Executes dropped EXE
PID:720 -
\??\c:\04660.exec:\04660.exe30⤵
- Executes dropped EXE
PID:4676 -
\??\c:\djvpj.exec:\djvpj.exe31⤵
- Executes dropped EXE
PID:4076 -
\??\c:\tnttnn.exec:\tnttnn.exe32⤵
- Executes dropped EXE
PID:2568 -
\??\c:\42406.exec:\42406.exe33⤵
- Executes dropped EXE
PID:4720 -
\??\c:\xxlxrff.exec:\xxlxrff.exe34⤵
- Executes dropped EXE
PID:4332 -
\??\c:\vdppp.exec:\vdppp.exe35⤵
- Executes dropped EXE
PID:4508 -
\??\c:\1jpdv.exec:\1jpdv.exe36⤵
- Executes dropped EXE
PID:5020 -
\??\c:\hhttth.exec:\hhttth.exe37⤵
- Executes dropped EXE
PID:2044 -
\??\c:\nbhtnn.exec:\nbhtnn.exe38⤵
- Executes dropped EXE
PID:1236 -
\??\c:\40280.exec:\40280.exe39⤵
- Executes dropped EXE
PID:2504 -
\??\c:\i426420.exec:\i426420.exe40⤵
- Executes dropped EXE
PID:4968 -
\??\c:\3pvvd.exec:\3pvvd.exe41⤵
- Executes dropped EXE
PID:4436 -
\??\c:\846600.exec:\846600.exe42⤵
- Executes dropped EXE
PID:2592 -
\??\c:\jddvv.exec:\jddvv.exe43⤵
- Executes dropped EXE
PID:2316 -
\??\c:\xlxrfxx.exec:\xlxrfxx.exe44⤵
- Executes dropped EXE
PID:2276 -
\??\c:\04600.exec:\04600.exe45⤵
- Executes dropped EXE
PID:4156 -
\??\c:\8860448.exec:\8860448.exe46⤵
- Executes dropped EXE
PID:1692 -
\??\c:\a6440.exec:\a6440.exe47⤵
- Executes dropped EXE
PID:900 -
\??\c:\vvdpd.exec:\vvdpd.exe48⤵
- Executes dropped EXE
PID:3148 -
\??\c:\48448.exec:\48448.exe49⤵
- Executes dropped EXE
PID:400 -
\??\c:\686624.exec:\686624.exe50⤵
- Executes dropped EXE
PID:3980 -
\??\c:\468828.exec:\468828.exe51⤵
- Executes dropped EXE
PID:4232 -
\??\c:\22488.exec:\22488.exe52⤵
- Executes dropped EXE
PID:4064 -
\??\c:\jpvdp.exec:\jpvdp.exe53⤵
- Executes dropped EXE
PID:4952 -
\??\c:\lxllrfx.exec:\lxllrfx.exe54⤵
- Executes dropped EXE
PID:3312 -
\??\c:\880448.exec:\880448.exe55⤵
- Executes dropped EXE
PID:4456 -
\??\c:\hbtbth.exec:\hbtbth.exe56⤵
- Executes dropped EXE
PID:3200 -
\??\c:\84004.exec:\84004.exe57⤵
- Executes dropped EXE
PID:2104 -
\??\c:\u226044.exec:\u226044.exe58⤵
- Executes dropped EXE
PID:2532 -
\??\c:\vjppp.exec:\vjppp.exe59⤵
- Executes dropped EXE
PID:3900 -
\??\c:\7lrfllr.exec:\7lrfllr.exe60⤵
- Executes dropped EXE
PID:4728 -
\??\c:\60228.exec:\60228.exe61⤵
- Executes dropped EXE
PID:380 -
\??\c:\flrrllf.exec:\flrrllf.exe62⤵
- Executes dropped EXE
PID:2112 -
\??\c:\2626600.exec:\2626600.exe63⤵
- Executes dropped EXE
PID:2604 -
\??\c:\8622662.exec:\8622662.exe64⤵
- Executes dropped EXE
PID:3328 -
\??\c:\xfrlfff.exec:\xfrlfff.exe65⤵
- Executes dropped EXE
PID:4616 -
\??\c:\48048.exec:\48048.exe66⤵PID:2944
-
\??\c:\jvjjv.exec:\jvjjv.exe67⤵PID:3012
-
\??\c:\044882.exec:\044882.exe68⤵PID:2028
-
\??\c:\fxlfllx.exec:\fxlfllx.exe69⤵PID:1744
-
\??\c:\868848.exec:\868848.exe70⤵PID:516
-
\??\c:\hbtnbb.exec:\hbtnbb.exe71⤵PID:1516
-
\??\c:\8226004.exec:\8226004.exe72⤵PID:4260
-
\??\c:\dvjdv.exec:\dvjdv.exe73⤵PID:3292
-
\??\c:\68444.exec:\68444.exe74⤵PID:1684
-
\??\c:\nnbhtt.exec:\nnbhtt.exe75⤵PID:536
-
\??\c:\3ppvd.exec:\3ppvd.exe76⤵
- System Location Discovery: System Language Discovery
PID:2448 -
\??\c:\06820.exec:\06820.exe77⤵PID:2264
-
\??\c:\djjdv.exec:\djjdv.exe78⤵PID:4976
-
\??\c:\26686.exec:\26686.exe79⤵PID:3940
-
\??\c:\3lxrrrl.exec:\3lxrrrl.exe80⤵PID:728
-
\??\c:\24600.exec:\24600.exe81⤵PID:1972
-
\??\c:\rrxxrlf.exec:\rrxxrlf.exe82⤵PID:1132
-
\??\c:\c848266.exec:\c848266.exe83⤵PID:1648
-
\??\c:\046066.exec:\046066.exe84⤵PID:2756
-
\??\c:\xlrlffx.exec:\xlrlffx.exe85⤵PID:5008
-
\??\c:\xrrlffx.exec:\xrrlffx.exe86⤵PID:4992
-
\??\c:\rrfxxfx.exec:\rrfxxfx.exe87⤵PID:4608
-
\??\c:\w24828.exec:\w24828.exe88⤵PID:3744
-
\??\c:\446262.exec:\446262.exe89⤵PID:4216
-
\??\c:\dvvvd.exec:\dvvvd.exe90⤵PID:2580
-
\??\c:\80260.exec:\80260.exe91⤵PID:3140
-
\??\c:\26068.exec:\26068.exe92⤵PID:2996
-
\??\c:\64044.exec:\64044.exe93⤵PID:3284
-
\??\c:\04040.exec:\04040.exe94⤵PID:2504
-
\??\c:\vvvjj.exec:\vvvjj.exe95⤵PID:4968
-
\??\c:\tnhbtt.exec:\tnhbtt.exe96⤵PID:404
-
\??\c:\2666000.exec:\2666000.exe97⤵PID:4552
-
\??\c:\9nbntt.exec:\9nbntt.exe98⤵PID:2364
-
\??\c:\jjjdv.exec:\jjjdv.exe99⤵PID:4092
-
\??\c:\7thhtt.exec:\7thhtt.exe100⤵PID:4672
-
\??\c:\0422266.exec:\0422266.exe101⤵PID:1988
-
\??\c:\lflffxr.exec:\lflffxr.exe102⤵PID:4684
-
\??\c:\20828.exec:\20828.exe103⤵PID:3148
-
\??\c:\440006.exec:\440006.exe104⤵PID:3716
-
\??\c:\6422288.exec:\6422288.exe105⤵PID:4308
-
\??\c:\rrrrlrr.exec:\rrrrlrr.exe106⤵PID:4232
-
\??\c:\08448.exec:\08448.exe107⤵PID:1344
-
\??\c:\62204.exec:\62204.exe108⤵PID:768
-
\??\c:\hbhhnn.exec:\hbhhnn.exe109⤵PID:2888
-
\??\c:\xrxlfll.exec:\xrxlfll.exe110⤵PID:4496
-
\??\c:\282082.exec:\282082.exe111⤵PID:3320
-
\??\c:\tbhnnb.exec:\tbhnnb.exe112⤵PID:2584
-
\??\c:\pjppj.exec:\pjppj.exe113⤵PID:684
-
\??\c:\vvvdd.exec:\vvvdd.exe114⤵PID:3880
-
\??\c:\6442682.exec:\6442682.exe115⤵PID:3668
-
\??\c:\9nthnn.exec:\9nthnn.exe116⤵PID:1932
-
\??\c:\rxxllxf.exec:\rxxllxf.exe117⤵PID:4944
-
\??\c:\m2888.exec:\m2888.exe118⤵PID:1468
-
\??\c:\bbbbtt.exec:\bbbbtt.exe119⤵PID:2604
-
\??\c:\btbbtb.exec:\btbbtb.exe120⤵PID:3328
-
\??\c:\bttnhh.exec:\bttnhh.exe121⤵PID:3164
-
\??\c:\hthhbb.exec:\hthhbb.exe122⤵PID:1556