Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:40
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
baa3df1efad2f7144d96533fbf6981db04264fb53ff97a26f878171a3956a89f.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
baa3df1efad2f7144d96533fbf6981db04264fb53ff97a26f878171a3956a89f.exe
-
Size
453KB
-
MD5
4a7c807614c9973ab3156b4538a13d2a
-
SHA1
d4b88b9d2a3146583e1c60642f3a09e82359cdd0
-
SHA256
baa3df1efad2f7144d96533fbf6981db04264fb53ff97a26f878171a3956a89f
-
SHA512
37fd621f2af3f4c6e6ac02cd413270e749dc0dd2925e04f1d3808515ebccc9ebd3fa0055611359e5d05e51147b4a06024e48dc6e9f34d813a03716f66561ffd9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2016-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/552-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2524-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-1018-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-1343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2208 64060.exe 3384 lflfxrr.exe 4860 llrlxrl.exe 4488 e24222.exe 2904 nhthnn.exe 2948 1htntb.exe 3404 hhhbbt.exe 744 4028666.exe 1876 ppdvp.exe 540 40266.exe 3412 pdjjv.exe 2720 4848226.exe 2704 884488.exe 856 7ttnbb.exe 5092 2844888.exe 3092 dvvvj.exe 3748 066644.exe 1764 llrlfll.exe 2784 628888.exe 1160 84044.exe 2140 266660.exe 552 86404.exe 4528 7fflrff.exe 3512 3bbttb.exe 3980 fflxxxx.exe 2988 bbthbt.exe 2628 lxfffff.exe 3852 rxfffff.exe 2940 ttbttn.exe 5036 vpvpp.exe 4088 002222.exe 2104 pppdv.exe 4324 880022.exe 2328 1rllfff.exe 1028 rfxrlll.exe 1860 7pvpp.exe 4568 9ppvj.exe 4716 lfrlllr.exe 3824 rxffxrr.exe 2096 0066440.exe 2240 m8040.exe 756 hntnhh.exe 4372 jdvpp.exe 4100 o026004.exe 1244 vddjd.exe 3256 200482.exe 3652 u804040.exe 2740 3btthn.exe 4364 404204.exe 4576 rlfxlfx.exe 3032 884864.exe 3724 o408664.exe 4492 dpjdp.exe 3656 200866.exe 2632 06886.exe 2088 q28860.exe 2924 48200.exe 1864 dvjdd.exe 4704 3dvvp.exe 4320 i006004.exe 4160 ttbbtb.exe 1668 c266660.exe 3764 q06004.exe 3744 i666666.exe -
resource yara_rule behavioral2/memory/2016-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4324-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-386-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2028-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-779-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-792-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer the host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k00082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6422266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2442048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u682660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xlfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2016 wrote to memory of 2208 2016 baa3df1efad2f7144d96533fbf6981db04264fb53ff97a26f878171a3956a89f.exe 83 PID 2016 wrote to memory of 2208 2016 baa3df1efad2f7144d96533fbf6981db04264fb53ff97a26f878171a3956a89f.exe 83 PID 2016 wrote to memory of 2208 2016 baa3df1efad2f7144d96533fbf6981db04264fb53ff97a26f878171a3956a89f.exe 83 PID 2208 wrote to memory of 3384 2208 64060.exe 84 PID 2208 wrote to memory of 3384 2208 64060.exe 84 PID 2208 wrote to memory of 3384 2208 64060.exe 84 PID 3384 wrote to memory of 4860 3384 lflfxrr.exe 85 PID 3384 wrote to memory of 4860 3384 lflfxrr.exe 85 PID 3384 wrote to memory of 4860 3384 lflfxrr.exe 85 PID 4860 wrote to memory of 4488 4860 llrlxrl.exe 86 PID 4860 wrote to memory of 4488 4860 llrlxrl.exe 86 PID 4860 wrote to memory of 4488 4860 llrlxrl.exe 86 PID 4488 wrote to memory of 2904 4488 e24222.exe 87 PID 4488 wrote to memory of 2904 4488 e24222.exe 87 PID 4488 wrote to memory of 2904 4488 e24222.exe 87 PID 2904 wrote to memory of 2948 2904 nhthnn.exe 88 PID 2904 wrote to memory of 2948 2904 nhthnn.exe 88 PID 2904 wrote to memory of 2948 2904 nhthnn.exe 88 PID 2948 wrote to memory of 3404 2948 1htntb.exe 89 PID 2948 wrote to memory of 3404 2948 1htntb.exe 89 PID 2948 wrote to memory of 3404 2948 1htntb.exe 89 PID 3404 wrote to memory of 744 3404 hhhbbt.exe 90 PID 3404 wrote to memory of 744 3404 hhhbbt.exe 90 PID 3404 wrote to memory of 744 3404 hhhbbt.exe 90 PID 744 wrote to memory of 1876 744 4028666.exe 91 PID 744 wrote to memory of 1876 744 4028666.exe 91 PID 744 wrote to memory of 1876 744 4028666.exe 91 PID 1876 wrote to memory of 540 1876 ppdvp.exe 92 PID 1876 wrote to memory of 540 1876 ppdvp.exe 92 PID 1876 wrote to memory of 540 1876 ppdvp.exe 92 PID 540 wrote to memory of 3412 540 40266.exe 93 PID 540 wrote to memory of 3412 540 40266.exe 93 PID 540 wrote to memory of 3412 540 40266.exe 93 PID 3412 wrote to memory of 2720 3412 pdjjv.exe 94 PID 3412 wrote to memory of 2720 3412 
pdjjv.exe 94 PID 3412 wrote to memory of 2720 3412 pdjjv.exe 94 PID 2720 wrote to memory of 2704 2720 4848226.exe 95 PID 2720 wrote to memory of 2704 2720 4848226.exe 95 PID 2720 wrote to memory of 2704 2720 4848226.exe 95 PID 2704 wrote to memory of 856 2704 884488.exe 96 PID 2704 wrote to memory of 856 2704 884488.exe 96 PID 2704 wrote to memory of 856 2704 884488.exe 96 PID 856 wrote to memory of 5092 856 7ttnbb.exe 97 PID 856 wrote to memory of 5092 856 7ttnbb.exe 97 PID 856 wrote to memory of 5092 856 7ttnbb.exe 97 PID 5092 wrote to memory of 3092 5092 2844888.exe 98 PID 5092 wrote to memory of 3092 5092 2844888.exe 98 PID 5092 wrote to memory of 3092 5092 2844888.exe 98 PID 3092 wrote to memory of 3748 3092 dvvvj.exe 99 PID 3092 wrote to memory of 3748 3092 dvvvj.exe 99 PID 3092 wrote to memory of 3748 3092 dvvvj.exe 99 PID 3748 wrote to memory of 1764 3748 066644.exe 100 PID 3748 wrote to memory of 1764 3748 066644.exe 100 PID 3748 wrote to memory of 1764 3748 066644.exe 100 PID 1764 wrote to memory of 2784 1764 llrlfll.exe 101 PID 1764 wrote to memory of 2784 1764 llrlfll.exe 101 PID 1764 wrote to memory of 2784 1764 llrlfll.exe 101 PID 2784 wrote to memory of 1160 2784 628888.exe 102 PID 2784 wrote to memory of 1160 2784 628888.exe 102 PID 2784 wrote to memory of 1160 2784 628888.exe 102 PID 1160 wrote to memory of 2140 1160 84044.exe 103 PID 1160 wrote to memory of 2140 1160 84044.exe 103 PID 1160 wrote to memory of 2140 1160 84044.exe 103 PID 2140 wrote to memory of 552 2140 266660.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\baa3df1efad2f7144d96533fbf6981db04264fb53ff97a26f878171a3956a89f.exe"C:\Users\Admin\AppData\Local\Temp\baa3df1efad2f7144d96533fbf6981db04264fb53ff97a26f878171a3956a89f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\64060.exec:\64060.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\lflfxrr.exec:\lflfxrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\llrlxrl.exec:\llrlxrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\e24222.exec:\e24222.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\nhthnn.exec:\nhthnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\1htntb.exec:\1htntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\hhhbbt.exec:\hhhbbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\4028666.exec:\4028666.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\ppdvp.exec:\ppdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\40266.exec:\40266.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\pdjjv.exec:\pdjjv.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\4848226.exec:\4848226.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\884488.exec:\884488.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\7ttnbb.exec:\7ttnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\2844888.exec:\2844888.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\dvvvj.exec:\dvvvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\066644.exec:\066644.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\llrlfll.exec:\llrlfll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\628888.exec:\628888.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\84044.exec:\84044.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\266660.exec:\266660.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\86404.exec:\86404.exe23⤵
- Executes dropped EXE
PID:552 -
\??\c:\7fflrff.exec:\7fflrff.exe24⤵
- Executes dropped EXE
PID:4528 -
\??\c:\3bbttb.exec:\3bbttb.exe25⤵
- Executes dropped EXE
PID:3512 -
\??\c:\fflxxxx.exec:\fflxxxx.exe26⤵
- Executes dropped EXE
PID:3980 -
\??\c:\bbthbt.exec:\bbthbt.exe27⤵
- Executes dropped EXE
PID:2988 -
\??\c:\lxfffff.exec:\lxfffff.exe28⤵
- Executes dropped EXE
PID:2628 -
\??\c:\rxfffff.exec:\rxfffff.exe29⤵
- Executes dropped EXE
PID:3852 -
\??\c:\ttbttn.exec:\ttbttn.exe30⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vpvpp.exec:\vpvpp.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5036 -
\??\c:\002222.exec:\002222.exe32⤵
- Executes dropped EXE
PID:4088 -
\??\c:\pppdv.exec:\pppdv.exe33⤵
- Executes dropped EXE
PID:2104 -
\??\c:\880022.exec:\880022.exe34⤵
- Executes dropped EXE
PID:4324 -
\??\c:\1rllfff.exec:\1rllfff.exe35⤵
- Executes dropped EXE
PID:2328 -
\??\c:\rfxrlll.exec:\rfxrlll.exe36⤵
- Executes dropped EXE
PID:1028 -
\??\c:\7pvpp.exec:\7pvpp.exe37⤵
- Executes dropped EXE
PID:1860 -
\??\c:\9ppvj.exec:\9ppvj.exe38⤵
- Executes dropped EXE
PID:4568 -
\??\c:\lfrlllr.exec:\lfrlllr.exe39⤵
- Executes dropped EXE
PID:4716 -
\??\c:\rxffxrr.exec:\rxffxrr.exe40⤵
- Executes dropped EXE
PID:3824 -
\??\c:\0066440.exec:\0066440.exe41⤵
- Executes dropped EXE
PID:2096 -
\??\c:\m8040.exec:\m8040.exe42⤵
- Executes dropped EXE
PID:2240 -
\??\c:\hntnhh.exec:\hntnhh.exe43⤵
- Executes dropped EXE
PID:756 -
\??\c:\jdvpp.exec:\jdvpp.exe44⤵
- Executes dropped EXE
PID:4372 -
\??\c:\o026004.exec:\o026004.exe45⤵
- Executes dropped EXE
PID:4100 -
\??\c:\vddjd.exec:\vddjd.exe46⤵
- Executes dropped EXE
PID:1244 -
\??\c:\200482.exec:\200482.exe47⤵
- Executes dropped EXE
PID:3256 -
\??\c:\u804040.exec:\u804040.exe48⤵
- Executes dropped EXE
PID:3652 -
\??\c:\3btthn.exec:\3btthn.exe49⤵
- Executes dropped EXE
PID:2740 -
\??\c:\404204.exec:\404204.exe50⤵
- Executes dropped EXE
PID:4364 -
\??\c:\rlfxlfx.exec:\rlfxlfx.exe51⤵
- Executes dropped EXE
PID:4576 -
\??\c:\884864.exec:\884864.exe52⤵
- Executes dropped EXE
PID:3032 -
\??\c:\o408664.exec:\o408664.exe53⤵
- Executes dropped EXE
PID:3724 -
\??\c:\dpjdp.exec:\dpjdp.exe54⤵
- Executes dropped EXE
PID:4492 -
\??\c:\200866.exec:\200866.exe55⤵
- Executes dropped EXE
PID:3656 -
\??\c:\06886.exec:\06886.exe56⤵
- Executes dropped EXE
PID:2632 -
\??\c:\q28860.exec:\q28860.exe57⤵
- Executes dropped EXE
PID:2088 -
\??\c:\48200.exec:\48200.exe58⤵
- Executes dropped EXE
PID:2924 -
\??\c:\dvjdd.exec:\dvjdd.exe59⤵
- Executes dropped EXE
PID:1864 -
\??\c:\3dvvp.exec:\3dvvp.exe60⤵
- Executes dropped EXE
PID:4704 -
\??\c:\i006004.exec:\i006004.exe61⤵
- Executes dropped EXE
PID:4320 -
\??\c:\ttbbtb.exec:\ttbbtb.exe62⤵
- Executes dropped EXE
PID:4160 -
\??\c:\c266660.exec:\c266660.exe63⤵
- Executes dropped EXE
PID:1668 -
\??\c:\q06004.exec:\q06004.exe64⤵
- Executes dropped EXE
PID:3764 -
\??\c:\i666666.exec:\i666666.exe65⤵
- Executes dropped EXE
PID:3744 -
\??\c:\466600.exec:\466600.exe66⤵PID:4832
-
\??\c:\djpdv.exec:\djpdv.exe67⤵PID:4760
-
\??\c:\hbbbbt.exec:\hbbbbt.exe68⤵PID:1560
-
\??\c:\dvvpj.exec:\dvvpj.exe69⤵PID:1248
-
\??\c:\jdppp.exec:\jdppp.exe70⤵PID:5096
-
\??\c:\3pjdd.exec:\3pjdd.exe71⤵PID:1900
-
\??\c:\266840.exec:\266840.exe72⤵PID:1396
-
\??\c:\dpvpp.exec:\dpvpp.exe73⤵PID:1348
-
\??\c:\ppdjj.exec:\ppdjj.exe74⤵PID:3092
-
\??\c:\s6264.exec:\s6264.exe75⤵PID:4732
-
\??\c:\flxrffx.exec:\flxrffx.exe76⤵PID:3364
-
\??\c:\s2046.exec:\s2046.exe77⤵PID:1764
-
\??\c:\bbbthh.exec:\bbbthh.exe78⤵PID:2524
-
\??\c:\682044.exec:\682044.exe79⤵PID:3232
-
\??\c:\jjppd.exec:\jjppd.exe80⤵PID:2032
-
\??\c:\600488.exec:\600488.exe81⤵PID:4872
-
\??\c:\5rrffll.exec:\5rrffll.exe82⤵PID:844
-
\??\c:\dvddp.exec:\dvddp.exe83⤵PID:4248
-
\??\c:\lffxrrl.exec:\lffxrrl.exe84⤵PID:1704
-
\??\c:\48488.exec:\48488.exe85⤵PID:2760
-
\??\c:\jjppp.exec:\jjppp.exe86⤵PID:4516
-
\??\c:\dpdvp.exec:\dpdvp.exe87⤵PID:2988
-
\??\c:\80862.exec:\80862.exe88⤵PID:2284
-
\??\c:\jjpjj.exec:\jjpjj.exe89⤵PID:4508
-
\??\c:\628266.exec:\628266.exe90⤵PID:4008
-
\??\c:\vvvpv.exec:\vvvpv.exe91⤵PID:2940
-
\??\c:\tnnnbh.exec:\tnnnbh.exe92⤵PID:1136
-
\??\c:\htbtnt.exec:\htbtnt.exe93⤵PID:2028
-
\??\c:\lfrfxxr.exec:\lfrfxxr.exe94⤵PID:4088
-
\??\c:\xxlfflr.exec:\xxlfflr.exe95⤵PID:4600
-
\??\c:\8864086.exec:\8864086.exe96⤵PID:1708
-
\??\c:\48280.exec:\48280.exe97⤵PID:2328
-
\??\c:\40666.exec:\40666.exe98⤵PID:1288
-
\??\c:\a4004.exec:\a4004.exe99⤵PID:2356
-
\??\c:\2060004.exec:\2060004.exe100⤵PID:1052
-
\??\c:\nthntb.exec:\nthntb.exe101⤵PID:4776
-
\??\c:\pjpjp.exec:\pjpjp.exe102⤵PID:4972
-
\??\c:\g8048.exec:\g8048.exe103⤵PID:3336
-
\??\c:\tthbtt.exec:\tthbtt.exe104⤵PID:2072
-
\??\c:\84004.exec:\84004.exe105⤵PID:4004
-
\??\c:\6860404.exec:\6860404.exe106⤵PID:2520
-
\??\c:\llllffx.exec:\llllffx.exe107⤵PID:2560
-
\??\c:\80666.exec:\80666.exe108⤵PID:760
-
\??\c:\vjddp.exec:\vjddp.exe109⤵PID:1628
-
\??\c:\bbhnhh.exec:\bbhnhh.exe110⤵PID:3256
-
\??\c:\pjvdj.exec:\pjvdj.exe111⤵PID:5040
-
\??\c:\6804800.exec:\6804800.exe112⤵PID:4376
-
\??\c:\dddpj.exec:\dddpj.exe113⤵PID:2016
-
\??\c:\ffrxxfx.exec:\ffrxxfx.exe114⤵PID:2000
-
\??\c:\i028222.exec:\i028222.exe115⤵PID:3704
-
\??\c:\pvdjv.exec:\pvdjv.exe116⤵PID:3740
-
\??\c:\xxflffl.exec:\xxflffl.exe117⤵PID:3108
-
\??\c:\lfffxrf.exec:\lfffxrf.exe118⤵PID:3792
-
\??\c:\c688264.exec:\c688264.exe119⤵PID:3064
-
\??\c:\24260.exec:\24260.exe120⤵PID:4300
-
\??\c:\rrrlxrl.exec:\rrrlxrl.exe121⤵PID:2052
-
\??\c:\rfxlfxr.exec:\rfxlfxr.exe122⤵PID:116