Analysis
-
max time kernel
150s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 03:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b19a14cca8d36284aa035b2ab144505e0396668c6c223629e652fb1ccbdc5770.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
b19a14cca8d36284aa035b2ab144505e0396668c6c223629e652fb1ccbdc5770.exe
-
Size
454KB
-
MD5
e409f64b40d8054be4aafa5bc50b97b6
-
SHA1
8116ef681dda046b5cdd9338d56af1a52019e877
-
SHA256
b19a14cca8d36284aa035b2ab144505e0396668c6c223629e652fb1ccbdc5770
-
SHA512
465c0fbac16c0a014c0eede015bd55baac62ce6159bb075851e4ba936598836d329491901b8a839286883ccb2e9266140d6881e0afd82e3ccb463257ccb6a6bb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1156-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3476-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4444-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-809-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-1096-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-1106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-1324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4528-1484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1952 a0262.exe 2900 0826462.exe 4464 s4402.exe 3548 httbbb.exe 3628 lrfllxl.exe 3676 08204.exe 2896 646644.exe 832 g2862.exe 228 a8864.exe 3964 82264.exe 3476 rxrlfxl.exe 3060 22820.exe 3688 24826.exe 620 3ffrlfx.exe 5060 pvdpj.exe 3224 e68064.exe 4616 44048.exe 4936 06482.exe 5100 9httbh.exe 4512 646048.exe 4528 82048.exe 3348 420826.exe 4480 068266.exe 2516 rlllffx.exe 1036 lxlxffx.exe 860 m4004.exe 2800 4022262.exe 3764 466004.exe 3088 7djjj.exe 3256 bnhbnn.exe 3716 9lxrrrl.exe 468 dvddj.exe 4920 vpvpv.exe 2144 vpjjd.exe 2208 686806.exe 4584 46660.exe 3160 i060482.exe 2876 88482.exe 1712 g6860.exe 2756 pjjdd.exe 4432 w82042.exe 788 vpdjp.exe 4288 80086.exe 4356 6220482.exe 3588 s8600.exe 408 5bttnn.exe 1436 bntnbt.exe 1320 djdpd.exe 4856 28660.exe 4924 5jdvj.exe 4752 6826042.exe 832 288468.exe 2248 rffxfxr.exe 2708 6220042.exe 3640 6882266.exe 4872 26620.exe 344 s0608.exe 3476 3nbtbb.exe 4092 044860.exe 1252 u820820.exe 964 lfxfxlf.exe 4612 86822.exe 4180 nbbtht.exe 2188 hnttbh.exe -
resource yara_rule behavioral2/memory/1156-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-249-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3640-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-396-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/852-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-721-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4082600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0404888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w06088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2400004.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 888208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0662660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 662600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1156 wrote to memory of 1952 1156 b19a14cca8d36284aa035b2ab144505e0396668c6c223629e652fb1ccbdc5770.exe 83 PID 1156 wrote to memory of 1952 1156 b19a14cca8d36284aa035b2ab144505e0396668c6c223629e652fb1ccbdc5770.exe 83 PID 1156 wrote to memory of 1952 1156 b19a14cca8d36284aa035b2ab144505e0396668c6c223629e652fb1ccbdc5770.exe 83 PID 1952 wrote to memory of 2900 1952 a0262.exe 84 PID 1952 wrote to memory of 2900 1952 a0262.exe 84 PID 1952 wrote to memory of 2900 1952 a0262.exe 84 PID 2900 wrote to memory of 4464 2900 0826462.exe 85 PID 2900 wrote to memory of 4464 2900 0826462.exe 85 PID 2900 wrote to memory of 4464 2900 0826462.exe 85 PID 4464 wrote to memory of 3548 4464 s4402.exe 86 PID 4464 wrote to memory of 3548 4464 s4402.exe 86 PID 4464 wrote to memory of 3548 4464 s4402.exe 86 PID 3548 wrote to memory of 3628 3548 httbbb.exe 87 PID 3548 wrote to memory of 3628 3548 httbbb.exe 87 PID 3548 wrote to memory of 3628 3548 httbbb.exe 87 PID 3628 wrote to memory of 3676 3628 lrfllxl.exe 88 PID 3628 wrote to memory of 3676 3628 lrfllxl.exe 88 PID 3628 wrote to memory of 3676 3628 lrfllxl.exe 88 PID 3676 wrote to memory of 2896 3676 08204.exe 89 PID 3676 wrote to memory of 2896 3676 08204.exe 89 PID 3676 wrote to memory of 2896 3676 08204.exe 89 PID 2896 wrote to memory of 832 2896 646644.exe 90 PID 2896 wrote to memory of 832 2896 646644.exe 90 PID 2896 wrote to memory of 832 2896 646644.exe 90 PID 832 wrote to memory of 228 832 g2862.exe 91 PID 832 wrote to memory of 228 832 g2862.exe 91 PID 832 wrote to memory of 228 832 g2862.exe 91 PID 228 wrote to memory of 3964 228 a8864.exe 92 PID 228 wrote to memory of 3964 228 a8864.exe 92 PID 228 wrote to memory of 3964 228 a8864.exe 92 PID 3964 wrote to memory of 3476 3964 82264.exe 140 PID 3964 wrote to memory of 3476 3964 82264.exe 140 PID 3964 wrote to memory of 3476 3964 82264.exe 140 PID 3476 wrote to memory of 3060 3476 rxrlfxl.exe 94 PID 3476 wrote to memory of 3060 3476 
rxrlfxl.exe 94 PID 3476 wrote to memory of 3060 3476 rxrlfxl.exe 94 PID 3060 wrote to memory of 3688 3060 22820.exe 95 PID 3060 wrote to memory of 3688 3060 22820.exe 95 PID 3060 wrote to memory of 3688 3060 22820.exe 95 PID 3688 wrote to memory of 620 3688 24826.exe 96 PID 3688 wrote to memory of 620 3688 24826.exe 96 PID 3688 wrote to memory of 620 3688 24826.exe 96 PID 620 wrote to memory of 5060 620 3ffrlfx.exe 97 PID 620 wrote to memory of 5060 620 3ffrlfx.exe 97 PID 620 wrote to memory of 5060 620 3ffrlfx.exe 97 PID 5060 wrote to memory of 3224 5060 pvdpj.exe 98 PID 5060 wrote to memory of 3224 5060 pvdpj.exe 98 PID 5060 wrote to memory of 3224 5060 pvdpj.exe 98 PID 3224 wrote to memory of 4616 3224 e68064.exe 99 PID 3224 wrote to memory of 4616 3224 e68064.exe 99 PID 3224 wrote to memory of 4616 3224 e68064.exe 99 PID 4616 wrote to memory of 4936 4616 44048.exe 100 PID 4616 wrote to memory of 4936 4616 44048.exe 100 PID 4616 wrote to memory of 4936 4616 44048.exe 100 PID 4936 wrote to memory of 5100 4936 06482.exe 101 PID 4936 wrote to memory of 5100 4936 06482.exe 101 PID 4936 wrote to memory of 5100 4936 06482.exe 101 PID 5100 wrote to memory of 4512 5100 9httbh.exe 102 PID 5100 wrote to memory of 4512 5100 9httbh.exe 102 PID 5100 wrote to memory of 4512 5100 9httbh.exe 102 PID 4512 wrote to memory of 4528 4512 646048.exe 103 PID 4512 wrote to memory of 4528 4512 646048.exe 103 PID 4512 wrote to memory of 4528 4512 646048.exe 103 PID 4528 wrote to memory of 3348 4528 82048.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b19a14cca8d36284aa035b2ab144505e0396668c6c223629e652fb1ccbdc5770.exe"C:\Users\Admin\AppData\Local\Temp\b19a14cca8d36284aa035b2ab144505e0396668c6c223629e652fb1ccbdc5770.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\a0262.exec:\a0262.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\0826462.exec:\0826462.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\s4402.exec:\s4402.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\httbbb.exec:\httbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\lrfllxl.exec:\lrfllxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\08204.exec:\08204.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\646644.exec:\646644.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\g2862.exec:\g2862.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\a8864.exec:\a8864.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\82264.exec:\82264.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\rxrlfxl.exec:\rxrlfxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\22820.exec:\22820.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\24826.exec:\24826.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\3ffrlfx.exec:\3ffrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\pvdpj.exec:\pvdpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\e68064.exec:\e68064.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\44048.exec:\44048.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\06482.exec:\06482.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\9httbh.exec:\9httbh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\646048.exec:\646048.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\82048.exec:\82048.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\420826.exec:\420826.exe23⤵
- Executes dropped EXE
PID:3348 -
\??\c:\068266.exec:\068266.exe24⤵
- Executes dropped EXE
PID:4480 -
\??\c:\rlllffx.exec:\rlllffx.exe25⤵
- Executes dropped EXE
PID:2516 -
\??\c:\lxlxffx.exec:\lxlxffx.exe26⤵
- Executes dropped EXE
PID:1036 -
\??\c:\m4004.exec:\m4004.exe27⤵
- Executes dropped EXE
PID:860 -
\??\c:\4022262.exec:\4022262.exe28⤵
- Executes dropped EXE
PID:2800 -
\??\c:\466004.exec:\466004.exe29⤵
- Executes dropped EXE
PID:3764 -
\??\c:\7djjj.exec:\7djjj.exe30⤵
- Executes dropped EXE
PID:3088 -
\??\c:\bnhbnn.exec:\bnhbnn.exe31⤵
- Executes dropped EXE
PID:3256 -
\??\c:\9lxrrrl.exec:\9lxrrrl.exe32⤵
- Executes dropped EXE
PID:3716 -
\??\c:\dvddj.exec:\dvddj.exe33⤵
- Executes dropped EXE
PID:468 -
\??\c:\vpvpv.exec:\vpvpv.exe34⤵
- Executes dropped EXE
PID:4920 -
\??\c:\vpjjd.exec:\vpjjd.exe35⤵
- Executes dropped EXE
PID:2144 -
\??\c:\686806.exec:\686806.exe36⤵
- Executes dropped EXE
PID:2208 -
\??\c:\46660.exec:\46660.exe37⤵
- Executes dropped EXE
PID:4584 -
\??\c:\i060482.exec:\i060482.exe38⤵
- Executes dropped EXE
PID:3160 -
\??\c:\88482.exec:\88482.exe39⤵
- Executes dropped EXE
PID:2876 -
\??\c:\g6860.exec:\g6860.exe40⤵
- Executes dropped EXE
PID:1712 -
\??\c:\pjjdd.exec:\pjjdd.exe41⤵
- Executes dropped EXE
PID:2756 -
\??\c:\w82042.exec:\w82042.exe42⤵
- Executes dropped EXE
PID:4432 -
\??\c:\vpdjp.exec:\vpdjp.exe43⤵
- Executes dropped EXE
PID:788 -
\??\c:\80086.exec:\80086.exe44⤵
- Executes dropped EXE
PID:4288 -
\??\c:\6220482.exec:\6220482.exe45⤵
- Executes dropped EXE
PID:4356 -
\??\c:\s8600.exec:\s8600.exe46⤵
- Executes dropped EXE
PID:3588 -
\??\c:\5bttnn.exec:\5bttnn.exe47⤵
- Executes dropped EXE
PID:408 -
\??\c:\bntnbt.exec:\bntnbt.exe48⤵
- Executes dropped EXE
PID:1436 -
\??\c:\djdpd.exec:\djdpd.exe49⤵
- Executes dropped EXE
PID:1320 -
\??\c:\28660.exec:\28660.exe50⤵
- Executes dropped EXE
PID:4856 -
\??\c:\5jdvj.exec:\5jdvj.exe51⤵
- Executes dropped EXE
PID:4924 -
\??\c:\6826042.exec:\6826042.exe52⤵
- Executes dropped EXE
PID:4752 -
\??\c:\288468.exec:\288468.exe53⤵
- Executes dropped EXE
PID:832 -
\??\c:\rffxfxr.exec:\rffxfxr.exe54⤵
- Executes dropped EXE
PID:2248 -
\??\c:\6220042.exec:\6220042.exe55⤵
- Executes dropped EXE
PID:2708 -
\??\c:\6882266.exec:\6882266.exe56⤵
- Executes dropped EXE
PID:3640 -
\??\c:\26620.exec:\26620.exe57⤵
- Executes dropped EXE
PID:4872 -
\??\c:\s0608.exec:\s0608.exe58⤵
- Executes dropped EXE
PID:344 -
\??\c:\3nbtbb.exec:\3nbtbb.exe59⤵
- Executes dropped EXE
PID:3476 -
\??\c:\044860.exec:\044860.exe60⤵
- Executes dropped EXE
PID:4092 -
\??\c:\u820820.exec:\u820820.exe61⤵
- Executes dropped EXE
PID:1252 -
\??\c:\lfxfxlf.exec:\lfxfxlf.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:964 -
\??\c:\86822.exec:\86822.exe63⤵
- Executes dropped EXE
PID:4612 -
\??\c:\nbbtht.exec:\nbbtht.exe64⤵
- Executes dropped EXE
PID:4180 -
\??\c:\hnttbh.exec:\hnttbh.exe65⤵
- Executes dropped EXE
PID:2188 -
\??\c:\64260.exec:\64260.exe66⤵PID:1080
-
\??\c:\3flfrxx.exec:\3flfrxx.exe67⤵PID:5044
-
\??\c:\44864.exec:\44864.exe68⤵PID:1892
-
\??\c:\3llxrrf.exec:\3llxrrf.exe69⤵PID:2632
-
\??\c:\7llxrlf.exec:\7llxrlf.exe70⤵PID:2288
-
\??\c:\vjvjv.exec:\vjvjv.exe71⤵PID:1684
-
\??\c:\vpjvj.exec:\vpjvj.exe72⤵PID:2020
-
\??\c:\o848048.exec:\o848048.exe73⤵PID:1148
-
\??\c:\bttbnt.exec:\bttbnt.exe74⤵PID:4480
-
\??\c:\rffrfxl.exec:\rffrfxl.exe75⤵PID:4520
-
\??\c:\fxxrxxl.exec:\fxxrxxl.exe76⤵PID:1640
-
\??\c:\pjvjv.exec:\pjvjv.exe77⤵PID:1036
-
\??\c:\882648.exec:\882648.exe78⤵PID:940
-
\??\c:\288608.exec:\288608.exe79⤵PID:1656
-
\??\c:\bhnnhn.exec:\bhnnhn.exe80⤵PID:2968
-
\??\c:\i264260.exec:\i264260.exe81⤵PID:1524
-
\??\c:\ppvjv.exec:\ppvjv.exe82⤵PID:4496
-
\??\c:\2688604.exec:\2688604.exe83⤵PID:3256
-
\??\c:\9lxlxlx.exec:\9lxlxlx.exe84⤵PID:3284
-
\??\c:\4408826.exec:\4408826.exe85⤵PID:4960
-
\??\c:\4028220.exec:\4028220.exe86⤵PID:920
-
\??\c:\2864264.exec:\2864264.exe87⤵PID:2452
-
\??\c:\9jpdv.exec:\9jpdv.exe88⤵PID:724
-
\??\c:\066464.exec:\066464.exe89⤵PID:3268
-
\??\c:\vpdpd.exec:\vpdpd.exe90⤵PID:448
-
\??\c:\bhhhhn.exec:\bhhhhn.exe91⤵PID:3116
-
\??\c:\e04422.exec:\e04422.exe92⤵PID:2628
-
\??\c:\208284.exec:\208284.exe93⤵PID:4816
-
\??\c:\9dddv.exec:\9dddv.exe94⤵PID:4044
-
\??\c:\8288260.exec:\8288260.exe95⤵PID:1476
-
\??\c:\ntthth.exec:\ntthth.exe96⤵PID:4444
-
\??\c:\nttnth.exec:\nttnth.exe97⤵PID:852
-
\??\c:\9rrlxrf.exec:\9rrlxrf.exe98⤵PID:1832
-
\??\c:\pjpjv.exec:\pjpjv.exe99⤵PID:4804
-
\??\c:\c620808.exec:\c620808.exe100⤵PID:2928
-
\??\c:\s8846.exec:\s8846.exe101⤵PID:4348
-
\??\c:\bnk066.exec:\bnk066.exe102⤵PID:2376
-
\??\c:\jddvd.exec:\jddvd.exe103⤵PID:4452
-
\??\c:\620420.exec:\620420.exe104⤵PID:1828
-
\??\c:\3hnhbt.exec:\3hnhbt.exe105⤵PID:3344
-
\??\c:\2444204.exec:\2444204.exe106⤵PID:1740
-
\??\c:\ttbtnh.exec:\ttbtnh.exe107⤵PID:2896
-
\??\c:\8266288.exec:\8266288.exe108⤵PID:4276
-
\??\c:\646260.exec:\646260.exe109⤵PID:1672
-
\??\c:\dvdvd.exec:\dvdvd.exe110⤵PID:1952
-
\??\c:\208862.exec:\208862.exe111⤵PID:2220
-
\??\c:\o264444.exec:\o264444.exe112⤵PID:3640
-
\??\c:\q26626.exec:\q26626.exe113⤵PID:4872
-
\??\c:\a6800.exec:\a6800.exe114⤵PID:2476
-
\??\c:\60646.exec:\60646.exe115⤵
- System Location Discovery: System Language Discovery
PID:3684 -
\??\c:\6200046.exec:\6200046.exe116⤵PID:540
-
\??\c:\44404.exec:\44404.exe117⤵PID:3964
-
\??\c:\1ffrxrl.exec:\1ffrxrl.exe118⤵PID:3704
-
\??\c:\260204.exec:\260204.exe119⤵PID:620
-
\??\c:\nhhbtt.exec:\nhhbtt.exe120⤵PID:3848
-
\??\c:\i282008.exec:\i282008.exe121⤵PID:1484
-
\??\c:\xlxlfxl.exec:\xlxlfxl.exe122⤵PID:4740