Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-11-2024 03:56
Behavioral task
behavioral1
Sample
c8efa39c492a913d3df03d01edb71d4f6799aba7763262baf781a66bdc9057dd.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c8efa39c492a913d3df03d01edb71d4f6799aba7763262baf781a66bdc9057dd.exe
-
Size
106KB
-
MD5
9f2c5012bc2c4b0a238f7e2a81e13214
-
SHA1
8eceda9b7c13edbab2fda91ae9d88c7a628c1b3c
-
SHA256
c8efa39c492a913d3df03d01edb71d4f6799aba7763262baf781a66bdc9057dd
-
SHA512
fb0022b6665862615a6baed1feafebcd90d91fde5a86a6776fa21cca6fd43378901ab3fd4d7efdb31aa61c66431770e5629f652e850b884c50bbd8303227f6fb
-
SSDEEP
3072:khOmTsF93UYfwC6GIoutpYKkeu3gYNyANxhPDBz9:kcm4FmowdHoSprW3NHLJ9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2704-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3472-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4464-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2896-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3696-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2896-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3828-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1844-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3476-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5100-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2432-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2800-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/940-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3256-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5088-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3852-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2972-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1376-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/968-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3744-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/452-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3780-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2072-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3476-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1252-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2948-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5100-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3504-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4304-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3116-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3852-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1728-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4104-404-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2524-433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3276-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4988-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-501-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/428-514-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3764-530-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2972-561-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4148-622-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2940-632-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-642-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2288-661-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2752-665-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/832-795-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1768-1537-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2704 rxrffrr.exe 3668 hbtttt.exe 3472 7ffxrll.exe 4464 dvddj.exe 3548 4820404.exe 4452 5xfffxx.exe 3696 1djjd.exe 2896 60044.exe 3828 604488.exe 2248 00600.exe 1844 6240428.exe 3476 480664.exe 400 flrrlrx.exe 3688 040668.exe 964 600668.exe 5060 822822.exe 1708 86844.exe 4616 8628666.exe 4936 024000.exe 5100 8648626.exe 2432 00660.exe 2544 28008.exe 4176 c022666.exe 4800 44644.exe 2516 g6020.exe 428 26800.exe 2128 hnnnbb.exe 2800 48446.exe 940 jvpvd.exe 3088 pjjjd.exe 3256 pdvjp.exe 3900 jjddj.exe 5088 84000.exe 4960 llrrrxr.exe 3852 00244.exe 1128 062660.exe 412 4240486.exe 2972 nhhhbb.exe 1580 vddpd.exe 2408 ffllfrr.exe 1632 ddjjd.exe 4100 hnhhhh.exe 4432 xrrlllx.exe 1376 hhbhtb.exe 4984 1tbnhb.exe 3756 2804444.exe 3976 bnbtnh.exe 4348 220028.exe 968 624404.exe 4464 vdpjd.exe 3620 082880.exe 3744 0426004.exe 1828 u060444.exe 452 llrlffx.exe 2896 hbhhhh.exe 3484 dpvpp.exe 3780 846004.exe 2952 4888844.exe 2072 rrxxxxx.exe 3476 djppj.exe 3044 3lllllf.exe 1252 thtthn.exe 2948 8224800.exe 732 6622222.exe -
resource yara_rule behavioral2/memory/5108-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000021649-3.dat upx behavioral2/memory/2704-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5108-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b50-10.dat upx behavioral2/files/0x000a000000023b68-13.dat upx behavioral2/memory/3668-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b69-22.dat upx behavioral2/memory/3472-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4464-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6a-29.dat upx behavioral2/memory/4464-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6c-40.dat upx behavioral2/files/0x000a000000023b6b-36.dat upx behavioral2/memory/3548-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6d-45.dat upx behavioral2/memory/2896-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3696-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6f-52.dat upx behavioral2/memory/2896-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b70-58.dat upx behavioral2/memory/3828-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b71-63.dat upx behavioral2/memory/1844-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b72-70.dat upx behavioral2/memory/1844-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2248-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b73-76.dat upx behavioral2/memory/3476-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/400-85-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b74-84.dat upx behavioral2/files/0x000a000000023b75-88.dat upx behavioral2/memory/3688-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b76-94.dat upx behavioral2/files/0x000a000000023b77-99.dat upx behavioral2/files/0x000a000000023b78-104.dat upx behavioral2/files/0x000a000000023b79-109.dat upx behavioral2/memory/4616-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b63-115.dat upx behavioral2/files/0x000a000000023b7a-120.dat upx behavioral2/memory/5100-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-127.dat upx behavioral2/memory/2432-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7c-133.dat upx behavioral2/memory/2544-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-138.dat upx behavioral2/files/0x000a000000023b7e-142.dat upx behavioral2/memory/4800-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7f-150.dat upx behavioral2/memory/2516-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b80-154.dat upx behavioral2/memory/2128-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b81-161.dat upx behavioral2/files/0x000a000000023b83-167.dat upx behavioral2/memory/2800-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-171.dat upx behavioral2/files/0x000b000000023b85-177.dat upx behavioral2/memory/940-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b86-184.dat upx behavioral2/memory/3900-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3256-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5088-193-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3852-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2972-210-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2044444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q86666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
frxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0424846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 028822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64482.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5108 wrote to memory of 2704 5108 c8efa39c492a913d3df03d01edb71d4f6799aba7763262baf781a66bdc9057dd.exe 83 PID 5108 wrote to memory of 2704 5108 c8efa39c492a913d3df03d01edb71d4f6799aba7763262baf781a66bdc9057dd.exe 83 PID 5108 wrote to memory of 2704 5108 c8efa39c492a913d3df03d01edb71d4f6799aba7763262baf781a66bdc9057dd.exe 83 PID 2704 wrote to memory of 3668 2704 rxrffrr.exe 84 PID 2704 wrote to memory of 3668 2704 rxrffrr.exe 84 PID 2704 wrote to memory of 3668 2704 rxrffrr.exe 84 PID 3668 wrote to memory of 3472 3668 hbtttt.exe 85 PID 3668 wrote to memory of 3472 3668 hbtttt.exe 85 PID 3668 wrote to memory of 3472 3668 hbtttt.exe 85 PID 3472 wrote to memory of 4464 3472 7ffxrll.exe 86 PID 3472 wrote to memory of 4464 3472 7ffxrll.exe 86 PID 3472 wrote to memory of 4464 3472 7ffxrll.exe 86 PID 4464 wrote to memory of 3548 4464 dvddj.exe 87 PID 4464 wrote to memory of 3548 4464 dvddj.exe 87 PID 4464 wrote to memory of 3548 4464 dvddj.exe 87 PID 3548 wrote to memory of 4452 3548 4820404.exe 88 PID 3548 wrote to memory of 4452 3548 4820404.exe 88 PID 3548 wrote to memory of 4452 3548 4820404.exe 88 PID 4452 wrote to memory of 3696 4452 5xfffxx.exe 89 PID 4452 wrote to memory of 3696 4452 5xfffxx.exe 89 PID 4452 wrote to memory of 3696 4452 5xfffxx.exe 89 PID 3696 wrote to memory of 2896 3696 1djjd.exe 90 PID 3696 wrote to memory of 2896 3696 1djjd.exe 90 PID 3696 wrote to memory of 2896 3696 1djjd.exe 90 PID 2896 wrote to memory of 3828 2896 60044.exe 91 PID 2896 wrote to memory of 3828 2896 60044.exe 91 PID 2896 wrote to memory of 3828 2896 60044.exe 91 PID 3828 wrote to memory of 2248 3828 604488.exe 92 PID 3828 wrote to memory of 2248 3828 604488.exe 92 PID 3828 wrote to memory of 2248 3828 604488.exe 92 PID 2248 wrote to memory of 1844 2248 00600.exe 93 PID 2248 wrote to memory of 1844 2248 00600.exe 93 PID 2248 wrote to memory of 1844 2248 00600.exe 93 PID 1844 wrote to memory of 3476 1844 6240428.exe 94 PID 1844 wrote to 
memory of 3476 1844 6240428.exe 94 PID 1844 wrote to memory of 3476 1844 6240428.exe 94 PID 3476 wrote to memory of 400 3476 480664.exe 95 PID 3476 wrote to memory of 400 3476 480664.exe 95 PID 3476 wrote to memory of 400 3476 480664.exe 95 PID 400 wrote to memory of 3688 400 flrrlrx.exe 96 PID 400 wrote to memory of 3688 400 flrrlrx.exe 96 PID 400 wrote to memory of 3688 400 flrrlrx.exe 96 PID 3688 wrote to memory of 964 3688 040668.exe 97 PID 3688 wrote to memory of 964 3688 040668.exe 97 PID 3688 wrote to memory of 964 3688 040668.exe 97 PID 964 wrote to memory of 5060 964 600668.exe 98 PID 964 wrote to memory of 5060 964 600668.exe 98 PID 964 wrote to memory of 5060 964 600668.exe 98 PID 5060 wrote to memory of 1708 5060 822822.exe 99 PID 5060 wrote to memory of 1708 5060 822822.exe 99 PID 5060 wrote to memory of 1708 5060 822822.exe 99 PID 1708 wrote to memory of 4616 1708 86844.exe 100 PID 1708 wrote to memory of 4616 1708 86844.exe 100 PID 1708 wrote to memory of 4616 1708 86844.exe 100 PID 4616 wrote to memory of 4936 4616 8628666.exe 101 PID 4616 wrote to memory of 4936 4616 8628666.exe 101 PID 4616 wrote to memory of 4936 4616 8628666.exe 101 PID 4936 wrote to memory of 5100 4936 024000.exe 102 PID 4936 wrote to memory of 5100 4936 024000.exe 102 PID 4936 wrote to memory of 5100 4936 024000.exe 102 PID 5100 wrote to memory of 2432 5100 8648626.exe 103 PID 5100 wrote to memory of 2432 5100 8648626.exe 103 PID 5100 wrote to memory of 2432 5100 8648626.exe 103 PID 2432 wrote to memory of 2544 2432 00660.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8efa39c492a913d3df03d01edb71d4f6799aba7763262baf781a66bdc9057dd.exe"C:\Users\Admin\AppData\Local\Temp\c8efa39c492a913d3df03d01edb71d4f6799aba7763262baf781a66bdc9057dd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\rxrffrr.exec:\rxrffrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\hbtttt.exec:\hbtttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\7ffxrll.exec:\7ffxrll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\dvddj.exec:\dvddj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\4820404.exec:\4820404.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\5xfffxx.exec:\5xfffxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\1djjd.exec:\1djjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\60044.exec:\60044.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\604488.exec:\604488.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\00600.exec:\00600.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\6240428.exec:\6240428.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\480664.exec:\480664.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\flrrlrx.exec:\flrrlrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\040668.exec:\040668.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\600668.exec:\600668.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\822822.exec:\822822.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\86844.exec:\86844.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\8628666.exec:\8628666.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\024000.exec:\024000.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\8648626.exec:\8648626.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\00660.exec:\00660.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\28008.exec:\28008.exe23⤵
- Executes dropped EXE
PID:2544 -
\??\c:\c022666.exec:\c022666.exe24⤵
- Executes dropped EXE
PID:4176 -
\??\c:\44644.exec:\44644.exe25⤵
- Executes dropped EXE
PID:4800 -
\??\c:\g6020.exec:\g6020.exe26⤵
- Executes dropped EXE
PID:2516 -
\??\c:\26800.exec:\26800.exe27⤵
- Executes dropped EXE
PID:428 -
\??\c:\hnnnbb.exec:\hnnnbb.exe28⤵
- Executes dropped EXE
PID:2128 -
\??\c:\48446.exec:\48446.exe29⤵
- Executes dropped EXE
PID:2800 -
\??\c:\jvpvd.exec:\jvpvd.exe30⤵
- Executes dropped EXE
PID:940 -
\??\c:\pjjjd.exec:\pjjjd.exe31⤵
- Executes dropped EXE
PID:3088 -
\??\c:\pdvjp.exec:\pdvjp.exe32⤵
- Executes dropped EXE
PID:3256 -
\??\c:\jjddj.exec:\jjddj.exe33⤵
- Executes dropped EXE
PID:3900 -
\??\c:\84000.exec:\84000.exe34⤵
- Executes dropped EXE
PID:5088 -
\??\c:\llrrrxr.exec:\llrrrxr.exe35⤵
- Executes dropped EXE
PID:4960 -
\??\c:\00244.exec:\00244.exe36⤵
- Executes dropped EXE
PID:3852 -
\??\c:\062660.exec:\062660.exe37⤵
- Executes dropped EXE
PID:1128 -
\??\c:\4240486.exec:\4240486.exe38⤵
- Executes dropped EXE
PID:412 -
\??\c:\nhhhbb.exec:\nhhhbb.exe39⤵
- Executes dropped EXE
PID:2972 -
\??\c:\vddpd.exec:\vddpd.exe40⤵
- Executes dropped EXE
PID:1580 -
\??\c:\ffllfrr.exec:\ffllfrr.exe41⤵
- Executes dropped EXE
PID:2408 -
\??\c:\ddjjd.exec:\ddjjd.exe42⤵
- Executes dropped EXE
PID:1632 -
\??\c:\hnhhhh.exec:\hnhhhh.exe43⤵
- Executes dropped EXE
PID:4100 -
\??\c:\xrrlllx.exec:\xrrlllx.exe44⤵
- Executes dropped EXE
PID:4432 -
\??\c:\hhbhtb.exec:\hhbhtb.exe45⤵
- Executes dropped EXE
PID:1376 -
\??\c:\1tbnhb.exec:\1tbnhb.exe46⤵
- Executes dropped EXE
PID:4984 -
\??\c:\2804444.exec:\2804444.exe47⤵
- Executes dropped EXE
PID:3756 -
\??\c:\bnbtnh.exec:\bnbtnh.exe48⤵
- Executes dropped EXE
PID:3976 -
\??\c:\220028.exec:\220028.exe49⤵
- Executes dropped EXE
PID:4348 -
\??\c:\624404.exec:\624404.exe50⤵
- Executes dropped EXE
PID:968 -
\??\c:\vdpjd.exec:\vdpjd.exe51⤵
- Executes dropped EXE
PID:4464 -
\??\c:\082880.exec:\082880.exe52⤵
- Executes dropped EXE
PID:3620 -
\??\c:\0426004.exec:\0426004.exe53⤵
- Executes dropped EXE
PID:3744 -
\??\c:\u060444.exec:\u060444.exe54⤵
- Executes dropped EXE
PID:1828 -
\??\c:\llrlffx.exec:\llrlffx.exe55⤵
- Executes dropped EXE
PID:452 -
\??\c:\hbhhhh.exec:\hbhhhh.exe56⤵
- Executes dropped EXE
PID:2896 -
\??\c:\dpvpp.exec:\dpvpp.exe57⤵
- Executes dropped EXE
PID:3484 -
\??\c:\846004.exec:\846004.exe58⤵
- Executes dropped EXE
PID:3780 -
\??\c:\4888844.exec:\4888844.exe59⤵
- Executes dropped EXE
PID:2952 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe60⤵
- Executes dropped EXE
PID:2072 -
\??\c:\djppj.exec:\djppj.exe61⤵
- Executes dropped EXE
PID:3476 -
\??\c:\3lllllf.exec:\3lllllf.exe62⤵
- Executes dropped EXE
PID:3044 -
\??\c:\thtthn.exec:\thtthn.exe63⤵
- Executes dropped EXE
PID:1252 -
\??\c:\8224800.exec:\8224800.exe64⤵
- Executes dropped EXE
PID:2948 -
\??\c:\6622222.exec:\6622222.exe65⤵
- Executes dropped EXE
PID:732 -
\??\c:\ppdjp.exec:\ppdjp.exe66⤵PID:1540
-
\??\c:\4888800.exec:\4888800.exe67⤵PID:1660
-
\??\c:\fxrrlll.exec:\fxrrlll.exe68⤵PID:4552
-
\??\c:\xxrfrfr.exec:\xxrfrfr.exe69⤵PID:2288
-
\??\c:\vdvpj.exec:\vdvpj.exe70⤵PID:5100
-
\??\c:\046644.exec:\046644.exe71⤵PID:4972
-
\??\c:\thtnhn.exec:\thtnhn.exe72⤵PID:3348
-
\??\c:\80200.exec:\80200.exe73⤵PID:4112
-
\??\c:\6400820.exec:\6400820.exe74⤵PID:3504
-
\??\c:\nbbbtt.exec:\nbbbtt.exe75⤵PID:2764
-
\??\c:\rlfxxxr.exec:\rlfxxxr.exe76⤵PID:4140
-
\??\c:\w40666.exec:\w40666.exe77⤵PID:1036
-
\??\c:\9djdv.exec:\9djdv.exe78⤵PID:4204
-
\??\c:\26882.exec:\26882.exe79⤵PID:3424
-
\??\c:\66400.exec:\66400.exe80⤵
- System Location Discovery: System Language Discovery
PID:2748 -
\??\c:\vvpjp.exec:\vvpjp.exe81⤵PID:3764
-
\??\c:\20626.exec:\20626.exe82⤵PID:3148
-
\??\c:\xlrlllf.exec:\xlrlllf.exe83⤵PID:1132
-
\??\c:\g0660.exec:\g0660.exe84⤵PID:4304
-
\??\c:\4244446.exec:\4244446.exe85⤵PID:4196
-
\??\c:\824600.exec:\824600.exe86⤵PID:3116
-
\??\c:\ddvvp.exec:\ddvvp.exe87⤵PID:8
-
\??\c:\2206206.exec:\2206206.exe88⤵PID:4960
-
\??\c:\vpppv.exec:\vpppv.exe89⤵PID:3852
-
\??\c:\4866404.exec:\4866404.exe90⤵PID:5076
-
\??\c:\3xfxrrf.exec:\3xfxrrf.exe91⤵PID:412
-
\??\c:\ffrlflf.exec:\ffrlflf.exe92⤵PID:2292
-
\??\c:\vpjdv.exec:\vpjdv.exe93⤵PID:1728
-
\??\c:\g8024.exec:\g8024.exe94⤵PID:4472
-
\??\c:\k88644.exec:\k88644.exe95⤵PID:3264
-
\??\c:\84408.exec:\84408.exe96⤵PID:3164
-
\??\c:\622888.exec:\622888.exe97⤵PID:4104
-
\??\c:\1lxrrrx.exec:\1lxrrrx.exe98⤵PID:3572
-
\??\c:\jjpvd.exec:\jjpvd.exe99⤵PID:4912
-
\??\c:\64080.exec:\64080.exe100⤵PID:1560
-
\??\c:\42048.exec:\42048.exe101⤵PID:1740
-
\??\c:\xfxxllr.exec:\xfxxllr.exe102⤵PID:2084
-
\??\c:\088888.exec:\088888.exe103⤵PID:3940
-
\??\c:\rrffrrf.exec:\rrffrrf.exe104⤵PID:3828
-
\??\c:\8626060.exec:\8626060.exe105⤵PID:2524
-
\??\c:\nbbnhh.exec:\nbbnhh.exe106⤵PID:2184
-
\??\c:\jdpvp.exec:\jdpvp.exe107⤵PID:4072
-
\??\c:\rflffll.exec:\rflffll.exe108⤵PID:3108
-
\??\c:\00022.exec:\00022.exe109⤵PID:1096
-
\??\c:\42288.exec:\42288.exe110⤵PID:3476
-
\??\c:\bhhbbb.exec:\bhhbbb.exe111⤵PID:1668
-
\??\c:\068828.exec:\068828.exe112⤵PID:2940
-
\??\c:\662662.exec:\662662.exe113⤵PID:3276
-
\??\c:\2202822.exec:\2202822.exe114⤵PID:5048
-
\??\c:\00428.exec:\00428.exe115⤵PID:1860
-
\??\c:\0844062.exec:\0844062.exe116⤵PID:2400
-
\??\c:\s0822.exec:\s0822.exe117⤵PID:4032
-
\??\c:\262286.exec:\262286.exe118⤵PID:4988
-
\??\c:\6204222.exec:\6204222.exe119⤵PID:1012
-
\??\c:\8282288.exec:\8282288.exe120⤵PID:2352
-
\??\c:\24804.exec:\24804.exe121⤵PID:2752
-
\??\c:\vpvvp.exec:\vpvvp.exe122⤵PID:64