Analysis
-
max time kernel
120s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
871b46dc11fc586a27d689ffe5f9bbfd047c3a3bee746b9088ea0bca07bdfd0e.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
871b46dc11fc586a27d689ffe5f9bbfd047c3a3bee746b9088ea0bca07bdfd0e.exe
-
Size
455KB
-
MD5
b588ee8f189011ca5c9fe309622263f8
-
SHA1
ad0a1bfae640136a30661b680b631de3ef577883
-
SHA256
871b46dc11fc586a27d689ffe5f9bbfd047c3a3bee746b9088ea0bca07bdfd0e
-
SHA512
7d2bf34afc3538ac3c80fda4162858e85a62e0c50e68413189bac612904dc3983a4e903293620629b28f213ac6700feedb465bb38120823b384d906562fc2a50
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6U:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3692-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/548-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/628-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-877-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-881-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-1015-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-1161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2488-1369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4848 frrrlll.exe 4932 28048.exe 1240 44004.exe 4504 846088.exe 832 xflfxxr.exe 2624 20844.exe 2428 4880600.exe 4692 dvpjd.exe 1216 ddjdj.exe 4992 0084888.exe 5016 o482260.exe 2200 8622600.exe 2388 9lfxrlx.exe 3756 pppdd.exe 2188 xxxlxfr.exe 4944 pdpjd.exe 1176 pddjj.exe 2320 86826.exe 5080 vpjdp.exe 1856 m6244.exe 3120 xlxxllr.exe 4476 2048604.exe 3332 1vpjv.exe 5028 hthtnb.exe 352 tnhthb.exe 548 60206.exe 3764 hthbbb.exe 2412 5vpdv.exe 4976 llxllrr.exe 1820 frxrxrx.exe 3960 ddjvd.exe 3000 m2426.exe 3276 frlfrfr.exe 2208 68420.exe 1824 xrrlxxl.exe 2880 0482264.exe 3580 02642.exe 400 448648.exe 4748 864860.exe 3324 rlfxxxl.exe 1212 bnnbtn.exe 5116 9vvdj.exe 1732 040866.exe 5012 llrlfxr.exe 3448 42204.exe 2652 bhnbnh.exe 1368 664226.exe 4652 djdpd.exe 4364 406082.exe 4316 w60886.exe 2912 822026.exe 4948 3xlxrlx.exe 2336 jppdv.exe 2896 nhbttt.exe 4740 22264.exe 2028 402648.exe 1592 hnbtbt.exe 3504 246682.exe 2608 262082.exe 4288 lfllxxl.exe 1048 84066.exe 1860 flrrlxr.exe 4420 222648.exe 4280 282642.exe -
resource yara_rule behavioral2/memory/3692-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-146-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/548-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2980-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-881-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8668266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2004260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c482082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4626482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k28882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0404060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4842008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w22042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3692 wrote to memory of 4848 3692 871b46dc11fc586a27d689ffe5f9bbfd047c3a3bee746b9088ea0bca07bdfd0e.exe 83 PID 3692 wrote to memory of 4848 3692 871b46dc11fc586a27d689ffe5f9bbfd047c3a3bee746b9088ea0bca07bdfd0e.exe 83 PID 3692 wrote to memory of 4848 3692 871b46dc11fc586a27d689ffe5f9bbfd047c3a3bee746b9088ea0bca07bdfd0e.exe 83 PID 4848 wrote to memory of 4932 4848 frrrlll.exe 84 PID 4848 wrote to memory of 4932 4848 frrrlll.exe 84 PID 4848 wrote to memory of 4932 4848 frrrlll.exe 84 PID 4932 wrote to memory of 1240 4932 28048.exe 85 PID 4932 wrote to memory of 1240 4932 28048.exe 85 PID 4932 wrote to memory of 1240 4932 28048.exe 85 PID 1240 wrote to memory of 4504 1240 44004.exe 86 PID 1240 wrote to memory of 4504 1240 44004.exe 86 PID 1240 wrote to memory of 4504 1240 44004.exe 86 PID 4504 wrote to memory of 832 4504 846088.exe 87 PID 4504 wrote to memory of 832 4504 846088.exe 87 PID 4504 wrote to memory of 832 4504 846088.exe 87 PID 832 wrote to memory of 2624 832 xflfxxr.exe 88 PID 832 wrote to memory of 2624 832 xflfxxr.exe 88 PID 832 wrote to memory of 2624 832 xflfxxr.exe 88 PID 2624 wrote to memory of 2428 2624 20844.exe 89 PID 2624 wrote to memory of 2428 2624 20844.exe 89 PID 2624 wrote to memory of 2428 2624 20844.exe 89 PID 2428 wrote to memory of 4692 2428 4880600.exe 90 PID 2428 wrote to memory of 4692 2428 4880600.exe 90 PID 2428 wrote to memory of 4692 2428 4880600.exe 90 PID 4692 wrote to memory of 1216 4692 dvpjd.exe 91 PID 4692 wrote to memory of 1216 4692 dvpjd.exe 91 PID 4692 wrote to memory of 1216 4692 dvpjd.exe 91 PID 1216 wrote to memory of 4992 1216 ddjdj.exe 92 PID 1216 wrote to memory of 4992 1216 ddjdj.exe 92 PID 1216 wrote to memory of 4992 1216 ddjdj.exe 92 PID 4992 wrote to memory of 5016 4992 0084888.exe 93 PID 4992 wrote to memory of 5016 4992 0084888.exe 93 PID 4992 wrote to memory of 5016 4992 0084888.exe 93 PID 5016 wrote to memory of 2200 5016 o482260.exe 94 PID 5016 wrote to memory of 
2200 5016 o482260.exe 94 PID 5016 wrote to memory of 2200 5016 o482260.exe 94 PID 2200 wrote to memory of 2388 2200 8622600.exe 95 PID 2200 wrote to memory of 2388 2200 8622600.exe 95 PID 2200 wrote to memory of 2388 2200 8622600.exe 95 PID 2388 wrote to memory of 3756 2388 9lfxrlx.exe 96 PID 2388 wrote to memory of 3756 2388 9lfxrlx.exe 96 PID 2388 wrote to memory of 3756 2388 9lfxrlx.exe 96 PID 3756 wrote to memory of 2188 3756 pppdd.exe 97 PID 3756 wrote to memory of 2188 3756 pppdd.exe 97 PID 3756 wrote to memory of 2188 3756 pppdd.exe 97 PID 2188 wrote to memory of 4944 2188 xxxlxfr.exe 98 PID 2188 wrote to memory of 4944 2188 xxxlxfr.exe 98 PID 2188 wrote to memory of 4944 2188 xxxlxfr.exe 98 PID 4944 wrote to memory of 1176 4944 pdpjd.exe 99 PID 4944 wrote to memory of 1176 4944 pdpjd.exe 99 PID 4944 wrote to memory of 1176 4944 pdpjd.exe 99 PID 1176 wrote to memory of 2320 1176 pddjj.exe 100 PID 1176 wrote to memory of 2320 1176 pddjj.exe 100 PID 1176 wrote to memory of 2320 1176 pddjj.exe 100 PID 2320 wrote to memory of 5080 2320 86826.exe 101 PID 2320 wrote to memory of 5080 2320 86826.exe 101 PID 2320 wrote to memory of 5080 2320 86826.exe 101 PID 5080 wrote to memory of 1856 5080 vpjdp.exe 102 PID 5080 wrote to memory of 1856 5080 vpjdp.exe 102 PID 5080 wrote to memory of 1856 5080 vpjdp.exe 102 PID 1856 wrote to memory of 3120 1856 m6244.exe 103 PID 1856 wrote to memory of 3120 1856 m6244.exe 103 PID 1856 wrote to memory of 3120 1856 m6244.exe 103 PID 3120 wrote to memory of 4476 3120 xlxxllr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\871b46dc11fc586a27d689ffe5f9bbfd047c3a3bee746b9088ea0bca07bdfd0e.exe"C:\Users\Admin\AppData\Local\Temp\871b46dc11fc586a27d689ffe5f9bbfd047c3a3bee746b9088ea0bca07bdfd0e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\frrrlll.exec:\frrrlll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\28048.exec:\28048.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\44004.exec:\44004.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\846088.exec:\846088.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\xflfxxr.exec:\xflfxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\20844.exec:\20844.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\4880600.exec:\4880600.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\dvpjd.exec:\dvpjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\ddjdj.exec:\ddjdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\0084888.exec:\0084888.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\o482260.exec:\o482260.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\8622600.exec:\8622600.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\9lfxrlx.exec:\9lfxrlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\pppdd.exec:\pppdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\xxxlxfr.exec:\xxxlxfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\pdpjd.exec:\pdpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\pddjj.exec:\pddjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\86826.exec:\86826.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\vpjdp.exec:\vpjdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\m6244.exec:\m6244.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\xlxxllr.exec:\xlxxllr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\2048604.exec:\2048604.exe23⤵
- Executes dropped EXE
PID:4476 -
\??\c:\1vpjv.exec:\1vpjv.exe24⤵
- Executes dropped EXE
PID:3332 -
\??\c:\hthtnb.exec:\hthtnb.exe25⤵
- Executes dropped EXE
PID:5028 -
\??\c:\tnhthb.exec:\tnhthb.exe26⤵
- Executes dropped EXE
PID:352 -
\??\c:\60206.exec:\60206.exe27⤵
- Executes dropped EXE
PID:548 -
\??\c:\hthbbb.exec:\hthbbb.exe28⤵
- Executes dropped EXE
PID:3764 -
\??\c:\5vpdv.exec:\5vpdv.exe29⤵
- Executes dropped EXE
PID:2412 -
\??\c:\llxllrr.exec:\llxllrr.exe30⤵
- Executes dropped EXE
PID:4976 -
\??\c:\frxrxrx.exec:\frxrxrx.exe31⤵
- Executes dropped EXE
PID:1820 -
\??\c:\ddjvd.exec:\ddjvd.exe32⤵
- Executes dropped EXE
PID:3960 -
\??\c:\m2426.exec:\m2426.exe33⤵
- Executes dropped EXE
PID:3000 -
\??\c:\frlfrfr.exec:\frlfrfr.exe34⤵
- Executes dropped EXE
PID:3276 -
\??\c:\68420.exec:\68420.exe35⤵
- Executes dropped EXE
PID:2208 -
\??\c:\xrrlxxl.exec:\xrrlxxl.exe36⤵
- Executes dropped EXE
PID:1824 -
\??\c:\0482264.exec:\0482264.exe37⤵
- Executes dropped EXE
PID:2880 -
\??\c:\02642.exec:\02642.exe38⤵
- Executes dropped EXE
PID:3580 -
\??\c:\448648.exec:\448648.exe39⤵
- Executes dropped EXE
PID:400 -
\??\c:\864860.exec:\864860.exe40⤵
- Executes dropped EXE
PID:4748 -
\??\c:\rlfxxxl.exec:\rlfxxxl.exe41⤵
- Executes dropped EXE
PID:3324 -
\??\c:\bnnbtn.exec:\bnnbtn.exe42⤵
- Executes dropped EXE
PID:1212 -
\??\c:\9vvdj.exec:\9vvdj.exe43⤵
- Executes dropped EXE
PID:5116 -
\??\c:\040866.exec:\040866.exe44⤵
- Executes dropped EXE
PID:1732 -
\??\c:\llrlfxr.exec:\llrlfxr.exe45⤵
- Executes dropped EXE
PID:5012 -
\??\c:\42204.exec:\42204.exe46⤵
- Executes dropped EXE
PID:3448 -
\??\c:\bhnbnh.exec:\bhnbnh.exe47⤵
- Executes dropped EXE
PID:2652 -
\??\c:\664226.exec:\664226.exe48⤵
- Executes dropped EXE
PID:1368 -
\??\c:\djdpd.exec:\djdpd.exe49⤵
- Executes dropped EXE
PID:4652 -
\??\c:\406082.exec:\406082.exe50⤵
- Executes dropped EXE
PID:4364 -
\??\c:\w60886.exec:\w60886.exe51⤵
- Executes dropped EXE
PID:4316 -
\??\c:\822026.exec:\822026.exe52⤵
- Executes dropped EXE
PID:2912 -
\??\c:\3xlxrlx.exec:\3xlxrlx.exe53⤵
- Executes dropped EXE
PID:4948 -
\??\c:\jppdv.exec:\jppdv.exe54⤵
- Executes dropped EXE
PID:2336 -
\??\c:\nhbttt.exec:\nhbttt.exe55⤵
- Executes dropped EXE
PID:2896 -
\??\c:\22264.exec:\22264.exe56⤵
- Executes dropped EXE
PID:4740 -
\??\c:\402648.exec:\402648.exe57⤵
- Executes dropped EXE
PID:2028 -
\??\c:\hnbtbt.exec:\hnbtbt.exe58⤵
- Executes dropped EXE
PID:1592 -
\??\c:\246682.exec:\246682.exe59⤵
- Executes dropped EXE
PID:3504 -
\??\c:\262082.exec:\262082.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2608 -
\??\c:\lfllxxl.exec:\lfllxxl.exe61⤵
- Executes dropped EXE
PID:4288 -
\??\c:\84066.exec:\84066.exe62⤵
- Executes dropped EXE
PID:1048 -
\??\c:\flrrlxr.exec:\flrrlxr.exe63⤵
- Executes dropped EXE
PID:1860 -
\??\c:\222648.exec:\222648.exe64⤵
- Executes dropped EXE
PID:4420 -
\??\c:\282642.exec:\282642.exe65⤵
- Executes dropped EXE
PID:4280 -
\??\c:\bbnbnn.exec:\bbnbnn.exe66⤵PID:1348
-
\??\c:\8620482.exec:\8620482.exe67⤵PID:628
-
\??\c:\86882.exec:\86882.exe68⤵PID:4804
-
\??\c:\lxxlxlx.exec:\lxxlxlx.exe69⤵PID:4892
-
\??\c:\8882042.exec:\8882042.exe70⤵PID:4520
-
\??\c:\fxfxffl.exec:\fxfxffl.exe71⤵PID:3132
-
\??\c:\rxffrrr.exec:\rxffrrr.exe72⤵
- System Location Discovery: System Language Discovery
PID:3376 -
\??\c:\88486.exec:\88486.exe73⤵PID:2756
-
\??\c:\bbbnbb.exec:\bbbnbb.exe74⤵PID:1948
-
\??\c:\7nhbbb.exec:\7nhbbb.exe75⤵PID:3700
-
\??\c:\80260.exec:\80260.exe76⤵PID:1484
-
\??\c:\6420820.exec:\6420820.exe77⤵PID:2920
-
\??\c:\5xfxrrl.exec:\5xfxrrl.exe78⤵PID:3152
-
\??\c:\fffrfxr.exec:\fffrfxr.exe79⤵PID:2980
-
\??\c:\jjdpd.exec:\jjdpd.exe80⤵PID:4696
-
\??\c:\622266.exec:\622266.exe81⤵PID:1848
-
\??\c:\vpjdv.exec:\vpjdv.exe82⤵PID:688
-
\??\c:\xlfrfxx.exec:\xlfrfxx.exe83⤵PID:2216
-
\??\c:\422086.exec:\422086.exe84⤵PID:1976
-
\??\c:\04682.exec:\04682.exe85⤵PID:324
-
\??\c:\00426.exec:\00426.exe86⤵PID:1468
-
\??\c:\1hhbth.exec:\1hhbth.exe87⤵PID:3896
-
\??\c:\60044.exec:\60044.exe88⤵PID:1308
-
\??\c:\htnnbb.exec:\htnnbb.exe89⤵PID:4664
-
\??\c:\82260.exec:\82260.exe90⤵PID:2072
-
\??\c:\9lrlrrx.exec:\9lrlrrx.exe91⤵PID:1996
-
\??\c:\6226008.exec:\6226008.exe92⤵PID:2036
-
\??\c:\jddvp.exec:\jddvp.exe93⤵PID:4256
-
\??\c:\thnbtn.exec:\thnbtn.exe94⤵PID:2084
-
\??\c:\jvvpp.exec:\jvvpp.exe95⤵PID:3184
-
\??\c:\dpjdp.exec:\dpjdp.exe96⤵PID:2648
-
\??\c:\c442048.exec:\c442048.exe97⤵PID:4140
-
\??\c:\606008.exec:\606008.exe98⤵PID:4584
-
\??\c:\2060040.exec:\2060040.exe99⤵PID:2560
-
\??\c:\3ffxrrl.exec:\3ffxrrl.exe100⤵PID:2124
-
\??\c:\7pdpj.exec:\7pdpj.exe101⤵PID:4828
-
\??\c:\lflfrrl.exec:\lflfrrl.exe102⤵PID:3804
-
\??\c:\22040.exec:\22040.exe103⤵PID:1840
-
\??\c:\frrlfxx.exec:\frrlfxx.exe104⤵PID:3064
-
\??\c:\jvpdp.exec:\jvpdp.exe105⤵PID:2440
-
\??\c:\0646284.exec:\0646284.exe106⤵PID:1028
-
\??\c:\4442086.exec:\4442086.exe107⤵PID:4024
-
\??\c:\426082.exec:\426082.exe108⤵PID:2748
-
\??\c:\866422.exec:\866422.exe109⤵PID:2820
-
\??\c:\4220426.exec:\4220426.exe110⤵PID:1812
-
\??\c:\220008.exec:\220008.exe111⤵PID:2392
-
\??\c:\hnnbnh.exec:\hnnbnh.exe112⤵PID:3232
-
\??\c:\u604608.exec:\u604608.exe113⤵PID:4832
-
\??\c:\thtnbn.exec:\thtnbn.exe114⤵PID:3728
-
\??\c:\0406006.exec:\0406006.exe115⤵PID:736
-
\??\c:\pvpjv.exec:\pvpjv.exe116⤵PID:3928
-
\??\c:\4008208.exec:\4008208.exe117⤵PID:4868
-
\??\c:\0448660.exec:\0448660.exe118⤵PID:3364
-
\??\c:\8464828.exec:\8464828.exe119⤵PID:3704
-
\??\c:\m4048.exec:\m4048.exe120⤵PID:4576
-
\??\c:\nnnbbt.exec:\nnnbbt.exe121⤵PID:4436
-
\??\c:\hbntnn.exec:\hbntnn.exe122⤵PID:4960