Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
27/01/2025, 14:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c96ffff06d7cf6cc2ed55bd1bc986901bed816ca30d59df7c7b1168262a3bc5dN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
c96ffff06d7cf6cc2ed55bd1bc986901bed816ca30d59df7c7b1168262a3bc5dN.exe
-
Size
454KB
-
MD5
b3f0595ea78694aa53a7a9c4f9329dc0
-
SHA1
c2350c0a196d6afeb33bdab026e9035d9500fa0b
-
SHA256
c96ffff06d7cf6cc2ed55bd1bc986901bed816ca30d59df7c7b1168262a3bc5d
-
SHA512
563b66abd8b97a786905aecb2a6cbcef8bf677df548df886fbb1c51c1774b253f3d1d4d09aad240adc8bcc5c98fed139bd875db67720f3e0ca4c6f3366873dd5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2060-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/852-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1004-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3940 thhtnh.exe 2912 08060.exe 4848 xllxllf.exe 3680 u404488.exe 1788 3xxxxxl.exe 2068 hhhbbn.exe 1848 q84484.exe 1728 8800088.exe 4228 828222.exe 3328 lrrxrlx.exe 4728 tntnhh.exe 2896 6026228.exe 1380 486266.exe 752 nntnnh.exe 5068 vvvpp.exe 1700 224606.exe 1636 dvvpd.exe 3084 dppdd.exe 64 5xrrlll.exe 2012 9tttnt.exe 2564 flfrfxx.exe 3636 dvdvv.exe 60 vpppj.exe 372 208288.exe 844 82444.exe 3508 m4660.exe 2652 tnttnn.exe 1444 422660.exe 4548 46600.exe 852 9jddv.exe 4356 dvvdv.exe 1004 044866.exe 4412 rrxrrlx.exe 2128 a2264.exe 1296 0482604.exe 1676 8282660.exe 4596 o848004.exe 1724 46828.exe 2532 46666.exe 3688 048222.exe 1740 8288888.exe 1988 lflfxxr.exe 4556 9vdvd.exe 3188 06826.exe 2832 2644482.exe 4124 5xfxfxr.exe 464 228882.exe 3612 ddppj.exe 4428 nhnhhh.exe 1600 s8442.exe 3576 nhbbtt.exe 3940 264866.exe 4916 q22424.exe 1576 7ttnbb.exe 4572 9ntnnn.exe 3260 dpvpj.exe 3008 4666004.exe 1432 pvjdd.exe 2068 u404488.exe 3704 tthnnt.exe 4288 ttbbtt.exe 4600 w68282.exe 220 22608.exe 2276 fffxrlf.exe -
resource yara_rule behavioral2/memory/3940-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-155-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4548-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-392-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2928-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-622-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The evidence here is each process opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language; note that this key is also read routinely by legitimate runtimes during locale initialisation, so on its own it is a low-confidence indicator and should be weighed together with the Blackmoon/UPX memory matches and the long self-replicating process chain above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2028686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0248882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 622048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4406626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e80482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2008664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k64060.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2060 wrote to memory of 3940 2060 c96ffff06d7cf6cc2ed55bd1bc986901bed816ca30d59df7c7b1168262a3bc5dN.exe 83 PID 2060 wrote to memory of 3940 2060 c96ffff06d7cf6cc2ed55bd1bc986901bed816ca30d59df7c7b1168262a3bc5dN.exe 83 PID 2060 wrote to memory of 3940 2060 c96ffff06d7cf6cc2ed55bd1bc986901bed816ca30d59df7c7b1168262a3bc5dN.exe 83 PID 3940 wrote to memory of 2912 3940 thhtnh.exe 84 PID 3940 wrote to memory of 2912 3940 thhtnh.exe 84 PID 3940 wrote to memory of 2912 3940 thhtnh.exe 84 PID 2912 wrote to memory of 4848 2912 08060.exe 85 PID 2912 wrote to memory of 4848 2912 08060.exe 85 PID 2912 wrote to memory of 4848 2912 08060.exe 85 PID 4848 wrote to memory of 3680 4848 xllxllf.exe 86 PID 4848 wrote to memory of 3680 4848 xllxllf.exe 86 PID 4848 wrote to memory of 3680 4848 xllxllf.exe 86 PID 3680 wrote to memory of 1788 3680 u404488.exe 87 PID 3680 wrote to memory of 1788 3680 u404488.exe 87 PID 3680 wrote to memory of 1788 3680 u404488.exe 87 PID 1788 wrote to memory of 2068 1788 3xxxxxl.exe 88 PID 1788 wrote to memory of 2068 1788 3xxxxxl.exe 88 PID 1788 wrote to memory of 2068 1788 3xxxxxl.exe 88 PID 2068 wrote to memory of 1848 2068 hhhbbn.exe 89 PID 2068 wrote to memory of 1848 2068 hhhbbn.exe 89 PID 2068 wrote to memory of 1848 2068 hhhbbn.exe 89 PID 1848 wrote to memory of 1728 1848 q84484.exe 90 PID 1848 wrote to memory of 1728 1848 q84484.exe 90 PID 1848 wrote to memory of 1728 1848 q84484.exe 90 PID 1728 wrote to memory of 4228 1728 8800088.exe 91 PID 1728 wrote to memory of 4228 1728 8800088.exe 91 PID 1728 wrote to memory of 4228 1728 8800088.exe 91 PID 4228 wrote to memory of 3328 4228 828222.exe 92 PID 4228 wrote to memory of 3328 4228 828222.exe 92 PID 4228 wrote to memory of 3328 4228 828222.exe 92 PID 3328 wrote to memory of 4728 3328 lrrxrlx.exe 93 PID 3328 wrote to memory of 4728 3328 lrrxrlx.exe 93 PID 3328 wrote to memory of 4728 3328 lrrxrlx.exe 93 PID 4728 wrote to memory of 2896 4728 tntnhh.exe 94 PID 
4728 wrote to memory of 2896 4728 tntnhh.exe 94 PID 4728 wrote to memory of 2896 4728 tntnhh.exe 94 PID 2896 wrote to memory of 1380 2896 6026228.exe 95 PID 2896 wrote to memory of 1380 2896 6026228.exe 95 PID 2896 wrote to memory of 1380 2896 6026228.exe 95 PID 1380 wrote to memory of 752 1380 486266.exe 96 PID 1380 wrote to memory of 752 1380 486266.exe 96 PID 1380 wrote to memory of 752 1380 486266.exe 96 PID 752 wrote to memory of 5068 752 nntnnh.exe 97 PID 752 wrote to memory of 5068 752 nntnnh.exe 97 PID 752 wrote to memory of 5068 752 nntnnh.exe 97 PID 5068 wrote to memory of 1700 5068 vvvpp.exe 98 PID 5068 wrote to memory of 1700 5068 vvvpp.exe 98 PID 5068 wrote to memory of 1700 5068 vvvpp.exe 98 PID 1700 wrote to memory of 1636 1700 224606.exe 99 PID 1700 wrote to memory of 1636 1700 224606.exe 99 PID 1700 wrote to memory of 1636 1700 224606.exe 99 PID 1636 wrote to memory of 3084 1636 dvvpd.exe 100 PID 1636 wrote to memory of 3084 1636 dvvpd.exe 100 PID 1636 wrote to memory of 3084 1636 dvvpd.exe 100 PID 3084 wrote to memory of 64 3084 dppdd.exe 101 PID 3084 wrote to memory of 64 3084 dppdd.exe 101 PID 3084 wrote to memory of 64 3084 dppdd.exe 101 PID 64 wrote to memory of 2012 64 5xrrlll.exe 102 PID 64 wrote to memory of 2012 64 5xrrlll.exe 102 PID 64 wrote to memory of 2012 64 5xrrlll.exe 102 PID 2012 wrote to memory of 2564 2012 9tttnt.exe 103 PID 2012 wrote to memory of 2564 2012 9tttnt.exe 103 PID 2012 wrote to memory of 2564 2012 9tttnt.exe 103 PID 2564 wrote to memory of 3636 2564 flfrfxx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c96ffff06d7cf6cc2ed55bd1bc986901bed816ca30d59df7c7b1168262a3bc5dN.exe"C:\Users\Admin\AppData\Local\Temp\c96ffff06d7cf6cc2ed55bd1bc986901bed816ca30d59df7c7b1168262a3bc5dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\thhtnh.exec:\thhtnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\08060.exec:\08060.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\xllxllf.exec:\xllxllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\u404488.exec:\u404488.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\3xxxxxl.exec:\3xxxxxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\hhhbbn.exec:\hhhbbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\q84484.exec:\q84484.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\8800088.exec:\8800088.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\828222.exec:\828222.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\lrrxrlx.exec:\lrrxrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\tntnhh.exec:\tntnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\6026228.exec:\6026228.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\486266.exec:\486266.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\nntnnh.exec:\nntnnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\vvvpp.exec:\vvvpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\224606.exec:\224606.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\dvvpd.exec:\dvvpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\dppdd.exec:\dppdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\5xrrlll.exec:\5xrrlll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\9tttnt.exec:\9tttnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\flfrfxx.exec:\flfrfxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\dvdvv.exec:\dvdvv.exe23⤵
- Executes dropped EXE
PID:3636 -
\??\c:\vpppj.exec:\vpppj.exe24⤵
- Executes dropped EXE
PID:60 -
\??\c:\208288.exec:\208288.exe25⤵
- Executes dropped EXE
PID:372 -
\??\c:\82444.exec:\82444.exe26⤵
- Executes dropped EXE
PID:844 -
\??\c:\m4660.exec:\m4660.exe27⤵
- Executes dropped EXE
PID:3508 -
\??\c:\tnttnn.exec:\tnttnn.exe28⤵
- Executes dropped EXE
PID:2652 -
\??\c:\422660.exec:\422660.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1444 -
\??\c:\46600.exec:\46600.exe30⤵
- Executes dropped EXE
PID:4548 -
\??\c:\9jddv.exec:\9jddv.exe31⤵
- Executes dropped EXE
PID:852 -
\??\c:\dvvdv.exec:\dvvdv.exe32⤵
- Executes dropped EXE
PID:4356 -
\??\c:\044866.exec:\044866.exe33⤵
- Executes dropped EXE
PID:1004 -
\??\c:\rrxrrlx.exec:\rrxrrlx.exe34⤵
- Executes dropped EXE
PID:4412 -
\??\c:\a2264.exec:\a2264.exe35⤵
- Executes dropped EXE
PID:2128 -
\??\c:\0482604.exec:\0482604.exe36⤵
- Executes dropped EXE
PID:1296 -
\??\c:\8282660.exec:\8282660.exe37⤵
- Executes dropped EXE
PID:1676 -
\??\c:\o848004.exec:\o848004.exe38⤵
- Executes dropped EXE
PID:4596 -
\??\c:\46828.exec:\46828.exe39⤵
- Executes dropped EXE
PID:1724 -
\??\c:\46666.exec:\46666.exe40⤵
- Executes dropped EXE
PID:2532 -
\??\c:\048222.exec:\048222.exe41⤵
- Executes dropped EXE
PID:3688 -
\??\c:\8288888.exec:\8288888.exe42⤵
- Executes dropped EXE
PID:1740 -
\??\c:\lflfxxr.exec:\lflfxxr.exe43⤵
- Executes dropped EXE
PID:1988 -
\??\c:\9vdvd.exec:\9vdvd.exe44⤵
- Executes dropped EXE
PID:4556 -
\??\c:\06826.exec:\06826.exe45⤵
- Executes dropped EXE
PID:3188 -
\??\c:\2644482.exec:\2644482.exe46⤵
- Executes dropped EXE
PID:2832 -
\??\c:\5xfxfxr.exec:\5xfxfxr.exe47⤵
- Executes dropped EXE
PID:4124 -
\??\c:\228882.exec:\228882.exe48⤵
- Executes dropped EXE
PID:464 -
\??\c:\ddppj.exec:\ddppj.exe49⤵
- Executes dropped EXE
PID:3612 -
\??\c:\nhnhhh.exec:\nhnhhh.exe50⤵
- Executes dropped EXE
PID:4428 -
\??\c:\s8442.exec:\s8442.exe51⤵
- Executes dropped EXE
PID:1600 -
\??\c:\nhbbtt.exec:\nhbbtt.exe52⤵
- Executes dropped EXE
PID:3576 -
\??\c:\264866.exec:\264866.exe53⤵
- Executes dropped EXE
PID:3940 -
\??\c:\q22424.exec:\q22424.exe54⤵
- Executes dropped EXE
PID:4916 -
\??\c:\7ttnbb.exec:\7ttnbb.exe55⤵
- Executes dropped EXE
PID:1576 -
\??\c:\9ntnnn.exec:\9ntnnn.exe56⤵
- Executes dropped EXE
PID:4572 -
\??\c:\dpvpj.exec:\dpvpj.exe57⤵
- Executes dropped EXE
PID:3260 -
\??\c:\4666004.exec:\4666004.exe58⤵
- Executes dropped EXE
PID:3008 -
\??\c:\pvjdd.exec:\pvjdd.exe59⤵
- Executes dropped EXE
PID:1432 -
\??\c:\u404488.exec:\u404488.exe60⤵
- Executes dropped EXE
PID:2068 -
\??\c:\tthnnt.exec:\tthnnt.exe61⤵
- Executes dropped EXE
PID:3704 -
\??\c:\ttbbtt.exec:\ttbbtt.exe62⤵
- Executes dropped EXE
PID:4288 -
\??\c:\w68282.exec:\w68282.exe63⤵
- Executes dropped EXE
PID:4600 -
\??\c:\22608.exec:\22608.exe64⤵
- Executes dropped EXE
PID:220 -
\??\c:\fffxrlf.exec:\fffxrlf.exe65⤵
- Executes dropped EXE
PID:2276 -
\??\c:\c404848.exec:\c404848.exe66⤵PID:4680
-
\??\c:\2804848.exec:\2804848.exe67⤵PID:3256
-
\??\c:\hbbbhh.exec:\hbbbhh.exe68⤵PID:216
-
\??\c:\42482.exec:\42482.exe69⤵PID:740
-
\??\c:\dpvpj.exec:\dpvpj.exe70⤵PID:2100
-
\??\c:\5hnbtn.exec:\5hnbtn.exe71⤵PID:2320
-
\??\c:\0426222.exec:\0426222.exe72⤵PID:384
-
\??\c:\46468.exec:\46468.exe73⤵PID:3128
-
\??\c:\2882666.exec:\2882666.exe74⤵PID:1692
-
\??\c:\2848882.exec:\2848882.exe75⤵PID:4000
-
\??\c:\rlrlxxr.exec:\rlrlxxr.exe76⤵PID:2044
-
\??\c:\q66082.exec:\q66082.exe77⤵PID:64
-
\??\c:\dpvpd.exec:\dpvpd.exe78⤵PID:3756
-
\??\c:\rlxrlff.exec:\rlxrlff.exe79⤵PID:2248
-
\??\c:\thnhbb.exec:\thnhbb.exe80⤵PID:1108
-
\??\c:\86260.exec:\86260.exe81⤵PID:2636
-
\??\c:\6644222.exec:\6644222.exe82⤵PID:4296
-
\??\c:\c466044.exec:\c466044.exe83⤵PID:4496
-
\??\c:\c628864.exec:\c628864.exe84⤵PID:2776
-
\??\c:\u404804.exec:\u404804.exe85⤵PID:1812
-
\??\c:\k84826.exec:\k84826.exe86⤵PID:4516
-
\??\c:\06822.exec:\06822.exe87⤵PID:1176
-
\??\c:\0400888.exec:\0400888.exe88⤵PID:4460
-
\??\c:\rrlfrlf.exec:\rrlfrlf.exe89⤵PID:3304
-
\??\c:\frxrfxx.exec:\frxrfxx.exe90⤵PID:1588
-
\??\c:\a2826.exec:\a2826.exe91⤵PID:3628
-
\??\c:\m8226.exec:\m8226.exe92⤵PID:4352
-
\??\c:\frlffxr.exec:\frlffxr.exe93⤵PID:4972
-
\??\c:\4020820.exec:\4020820.exe94⤵PID:1004
-
\??\c:\lrrlffx.exec:\lrrlffx.exe95⤵PID:1616
-
\??\c:\622666.exec:\622666.exe96⤵PID:3664
-
\??\c:\nbbthh.exec:\nbbthh.exe97⤵PID:2928
-
\??\c:\c664226.exec:\c664226.exe98⤵PID:4540
-
\??\c:\268266.exec:\268266.exe99⤵PID:5040
-
\??\c:\jvdpj.exec:\jvdpj.exe100⤵PID:4844
-
\??\c:\nnnhhh.exec:\nnnhhh.exe101⤵PID:2104
-
\??\c:\btntbh.exec:\btntbh.exe102⤵PID:2236
-
\??\c:\8866022.exec:\8866022.exe103⤵PID:2964
-
\??\c:\60466.exec:\60466.exe104⤵PID:1740
-
\??\c:\0248000.exec:\0248000.exe105⤵PID:1988
-
\??\c:\bnbnhb.exec:\bnbnhb.exe106⤵PID:4556
-
\??\c:\a6866.exec:\a6866.exe107⤵PID:4984
-
\??\c:\nnntnb.exec:\nnntnb.exe108⤵PID:3904
-
\??\c:\vvvpp.exec:\vvvpp.exe109⤵PID:4124
-
\??\c:\dvdvp.exec:\dvdvp.exe110⤵PID:2460
-
\??\c:\jjvvv.exec:\jjvvv.exe111⤵PID:3612
-
\??\c:\jvdpj.exec:\jvdpj.exe112⤵PID:2500
-
\??\c:\tthttt.exec:\tthttt.exe113⤵PID:2696
-
\??\c:\644204.exec:\644204.exe114⤵PID:2176
-
\??\c:\4448608.exec:\4448608.exe115⤵PID:692
-
\??\c:\862084.exec:\862084.exe116⤵PID:4264
-
\??\c:\ppppp.exec:\ppppp.exe117⤵PID:648
-
\??\c:\g4886.exec:\g4886.exe118⤵PID:952
-
\??\c:\444204.exec:\444204.exe119⤵PID:4552
-
\??\c:\66602.exec:\66602.exe120⤵PID:3672
-
\??\c:\8282628.exec:\8282628.exe121⤵PID:2612
-
\??\c:\228604.exec:\228604.exe122⤵PID:4952
-