Analysis
-
max time kernel
150s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 23:29
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
878ffa1f58d1fb860a6fb3070569e229c684c430555c2c41679926737a7090b6.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
878ffa1f58d1fb860a6fb3070569e229c684c430555c2c41679926737a7090b6.exe
-
Size
455KB
-
MD5
283c9364bbff0bd00d26d2f288e1542e
-
SHA1
68e823a497f4682b40a4ab50ff23d7653c7d5783
-
SHA256
878ffa1f58d1fb860a6fb3070569e229c684c430555c2c41679926737a7090b6
-
SHA512
1cdae995124ae1bbfbdc2b4610ed0032c2f98e96d3410d3917484190337d0b6945facf5b6c10304dc272758b9caa6675e351f181d2385d444532279dedaac56c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1360-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4740-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4324-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-1526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1344 04024.exe 816 rfxrlfx.exe 3148 8688480.exe 3660 020864.exe 2008 48604.exe 1848 826486.exe 1168 jvdjp.exe 728 g8008.exe 2276 40626.exe 2924 6040460.exe 3644 200206.exe 4184 ffrlxrl.exe 5044 1hbtnn.exe 3044 7dvpv.exe 1208 xfflrlx.exe 556 82080.exe 1988 ddjjp.exe 2448 8260022.exe 2172 40608.exe 4848 802222.exe 1512 44446.exe 628 420448.exe 452 ppppj.exe 4368 nhhttt.exe 4740 ddvdj.exe 4884 tbhbtn.exe 116 o484800.exe 2056 266088.exe 2956 ffflrrf.exe 1924 86682.exe 3060 86806.exe 2868 828866.exe 4472 hbbtnn.exe 1736 xrrlxxr.exe 2100 0004448.exe 836 tttnbt.exe 4416 66204.exe 3416 6468848.exe 3144 0082840.exe 2588 80048.exe 1944 6262006.exe 3656 xrfxrfx.exe 3532 htnhbb.exe 3792 5rxrxxx.exe 4504 6226842.exe 1760 484888.exe 2020 xrrrllx.exe 5040 lxfrrfr.exe 920 bhnhbh.exe 4444 bnhbtn.exe 4876 826826.exe 4340 0882888.exe 2288 684266.exe 4488 fllfxxl.exe 4800 rrxxrxr.exe 436 vpjdp.exe 2220 826022.exe 2856 o644488.exe 4324 280048.exe 1660 08646.exe 4700 lffxfll.exe 2280 fxxxxxr.exe 1564 rfxrlxr.exe 4932 llfxxff.exe -
resource yara_rule behavioral2/memory/1360-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2056-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-298-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4932-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-692-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k24686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q40206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4804606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4488406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0204888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2682264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c862200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1360 wrote to memory of 1344 1360 878ffa1f58d1fb860a6fb3070569e229c684c430555c2c41679926737a7090b6.exe 83 PID 1360 wrote to memory of 1344 1360 878ffa1f58d1fb860a6fb3070569e229c684c430555c2c41679926737a7090b6.exe 83 PID 1360 wrote to memory of 1344 1360 878ffa1f58d1fb860a6fb3070569e229c684c430555c2c41679926737a7090b6.exe 83 PID 1344 wrote to memory of 816 1344 04024.exe 84 PID 1344 wrote to memory of 816 1344 04024.exe 84 PID 1344 wrote to memory of 816 1344 04024.exe 84 PID 816 wrote to memory of 3148 816 rfxrlfx.exe 85 PID 816 wrote to memory of 3148 816 rfxrlfx.exe 85 PID 816 wrote to memory of 3148 816 rfxrlfx.exe 85 PID 3148 wrote to memory of 3660 3148 8688480.exe 86 PID 3148 wrote to memory of 3660 3148 8688480.exe 86 PID 3148 wrote to memory of 3660 3148 8688480.exe 86 PID 3660 wrote to memory of 2008 3660 020864.exe 87 PID 3660 wrote to memory of 2008 3660 020864.exe 87 PID 3660 wrote to memory of 2008 3660 020864.exe 87 PID 2008 wrote to memory of 1848 2008 48604.exe 88 PID 2008 wrote to memory of 1848 2008 48604.exe 88 PID 2008 wrote to memory of 1848 2008 48604.exe 88 PID 1848 wrote to memory of 1168 1848 826486.exe 89 PID 1848 wrote to memory of 1168 1848 826486.exe 89 PID 1848 wrote to memory of 1168 1848 826486.exe 89 PID 1168 wrote to memory of 728 1168 jvdjp.exe 90 PID 1168 wrote to memory of 728 1168 jvdjp.exe 90 PID 1168 wrote to memory of 728 1168 jvdjp.exe 90 PID 728 wrote to memory of 2276 728 g8008.exe 91 PID 728 wrote to memory of 2276 728 g8008.exe 91 PID 728 wrote to memory of 2276 728 g8008.exe 91 PID 2276 wrote to memory of 2924 2276 40626.exe 92 PID 2276 wrote to memory of 2924 2276 40626.exe 92 PID 2276 wrote to memory of 2924 2276 40626.exe 92 PID 2924 wrote to memory of 3644 2924 6040460.exe 93 PID 2924 wrote to memory of 3644 2924 6040460.exe 93 PID 2924 wrote to memory of 3644 2924 6040460.exe 93 PID 3644 wrote to memory of 4184 3644 200206.exe 94 PID 3644 wrote to memory of 4184 3644 
200206.exe 94 PID 3644 wrote to memory of 4184 3644 200206.exe 94 PID 4184 wrote to memory of 5044 4184 ffrlxrl.exe 95 PID 4184 wrote to memory of 5044 4184 ffrlxrl.exe 95 PID 4184 wrote to memory of 5044 4184 ffrlxrl.exe 95 PID 5044 wrote to memory of 3044 5044 1hbtnn.exe 96 PID 5044 wrote to memory of 3044 5044 1hbtnn.exe 96 PID 5044 wrote to memory of 3044 5044 1hbtnn.exe 96 PID 3044 wrote to memory of 1208 3044 7dvpv.exe 97 PID 3044 wrote to memory of 1208 3044 7dvpv.exe 97 PID 3044 wrote to memory of 1208 3044 7dvpv.exe 97 PID 1208 wrote to memory of 556 1208 xfflrlx.exe 98 PID 1208 wrote to memory of 556 1208 xfflrlx.exe 98 PID 1208 wrote to memory of 556 1208 xfflrlx.exe 98 PID 556 wrote to memory of 1988 556 82080.exe 99 PID 556 wrote to memory of 1988 556 82080.exe 99 PID 556 wrote to memory of 1988 556 82080.exe 99 PID 1988 wrote to memory of 2448 1988 ddjjp.exe 100 PID 1988 wrote to memory of 2448 1988 ddjjp.exe 100 PID 1988 wrote to memory of 2448 1988 ddjjp.exe 100 PID 2448 wrote to memory of 2172 2448 8260022.exe 101 PID 2448 wrote to memory of 2172 2448 8260022.exe 101 PID 2448 wrote to memory of 2172 2448 8260022.exe 101 PID 2172 wrote to memory of 4848 2172 40608.exe 102 PID 2172 wrote to memory of 4848 2172 40608.exe 102 PID 2172 wrote to memory of 4848 2172 40608.exe 102 PID 4848 wrote to memory of 1512 4848 802222.exe 103 PID 4848 wrote to memory of 1512 4848 802222.exe 103 PID 4848 wrote to memory of 1512 4848 802222.exe 103 PID 1512 wrote to memory of 628 1512 44446.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\878ffa1f58d1fb860a6fb3070569e229c684c430555c2c41679926737a7090b6.exe"C:\Users\Admin\AppData\Local\Temp\878ffa1f58d1fb860a6fb3070569e229c684c430555c2c41679926737a7090b6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\04024.exec:\04024.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\8688480.exec:\8688480.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\020864.exec:\020864.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\48604.exec:\48604.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\826486.exec:\826486.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\jvdjp.exec:\jvdjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\g8008.exec:\g8008.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728 -
\??\c:\40626.exec:\40626.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\6040460.exec:\6040460.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\200206.exec:\200206.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\ffrlxrl.exec:\ffrlxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\1hbtnn.exec:\1hbtnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\7dvpv.exec:\7dvpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\xfflrlx.exec:\xfflrlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\82080.exec:\82080.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\ddjjp.exec:\ddjjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\8260022.exec:\8260022.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\40608.exec:\40608.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\802222.exec:\802222.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\44446.exec:\44446.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\420448.exec:\420448.exe23⤵
- Executes dropped EXE
PID:628 -
\??\c:\ppppj.exec:\ppppj.exe24⤵
- Executes dropped EXE
PID:452 -
\??\c:\nhhttt.exec:\nhhttt.exe25⤵
- Executes dropped EXE
PID:4368 -
\??\c:\ddvdj.exec:\ddvdj.exe26⤵
- Executes dropped EXE
PID:4740 -
\??\c:\tbhbtn.exec:\tbhbtn.exe27⤵
- Executes dropped EXE
PID:4884 -
\??\c:\o484800.exec:\o484800.exe28⤵
- Executes dropped EXE
PID:116 -
\??\c:\266088.exec:\266088.exe29⤵
- Executes dropped EXE
PID:2056 -
\??\c:\ffflrrf.exec:\ffflrrf.exe30⤵
- Executes dropped EXE
PID:2956 -
\??\c:\86682.exec:\86682.exe31⤵
- Executes dropped EXE
PID:1924 -
\??\c:\86806.exec:\86806.exe32⤵
- Executes dropped EXE
PID:3060 -
\??\c:\828866.exec:\828866.exe33⤵
- Executes dropped EXE
PID:2868 -
\??\c:\hbbtnn.exec:\hbbtnn.exe34⤵
- Executes dropped EXE
PID:4472 -
\??\c:\xrrlxxr.exec:\xrrlxxr.exe35⤵
- Executes dropped EXE
PID:1736 -
\??\c:\0004448.exec:\0004448.exe36⤵
- Executes dropped EXE
PID:2100 -
\??\c:\tttnbt.exec:\tttnbt.exe37⤵
- Executes dropped EXE
PID:836 -
\??\c:\66204.exec:\66204.exe38⤵
- Executes dropped EXE
PID:4416 -
\??\c:\6468848.exec:\6468848.exe39⤵
- Executes dropped EXE
PID:3416 -
\??\c:\0082840.exec:\0082840.exe40⤵
- Executes dropped EXE
PID:3144 -
\??\c:\80048.exec:\80048.exe41⤵
- Executes dropped EXE
PID:2588 -
\??\c:\6262006.exec:\6262006.exe42⤵
- Executes dropped EXE
PID:1944 -
\??\c:\xrfxrfx.exec:\xrfxrfx.exe43⤵
- Executes dropped EXE
PID:3656 -
\??\c:\htnhbb.exec:\htnhbb.exe44⤵
- Executes dropped EXE
PID:3532 -
\??\c:\5rxrxxx.exec:\5rxrxxx.exe45⤵
- Executes dropped EXE
PID:3792 -
\??\c:\6226842.exec:\6226842.exe46⤵
- Executes dropped EXE
PID:4504 -
\??\c:\484888.exec:\484888.exe47⤵
- Executes dropped EXE
PID:1760 -
\??\c:\xrrrllx.exec:\xrrrllx.exe48⤵
- Executes dropped EXE
PID:2020 -
\??\c:\lxfrrfr.exec:\lxfrrfr.exe49⤵
- Executes dropped EXE
PID:5040 -
\??\c:\bhnhbh.exec:\bhnhbh.exe50⤵
- Executes dropped EXE
PID:920 -
\??\c:\48046.exec:\48046.exe51⤵PID:2028
-
\??\c:\bnhbtn.exec:\bnhbtn.exe52⤵
- Executes dropped EXE
PID:4444 -
\??\c:\826826.exec:\826826.exe53⤵
- Executes dropped EXE
PID:4876 -
\??\c:\0882888.exec:\0882888.exe54⤵
- Executes dropped EXE
PID:4340 -
\??\c:\684266.exec:\684266.exe55⤵
- Executes dropped EXE
PID:2288 -
\??\c:\fllfxxl.exec:\fllfxxl.exe56⤵
- Executes dropped EXE
PID:4488 -
\??\c:\rrxxrxr.exec:\rrxxrxr.exe57⤵
- Executes dropped EXE
PID:4800 -
\??\c:\vpjdp.exec:\vpjdp.exe58⤵
- Executes dropped EXE
PID:436 -
\??\c:\826022.exec:\826022.exe59⤵
- Executes dropped EXE
PID:2220 -
\??\c:\o644488.exec:\o644488.exe60⤵
- Executes dropped EXE
PID:2856 -
\??\c:\280048.exec:\280048.exe61⤵
- Executes dropped EXE
PID:4324 -
\??\c:\08646.exec:\08646.exe62⤵
- Executes dropped EXE
PID:1660 -
\??\c:\lffxfll.exec:\lffxfll.exe63⤵
- Executes dropped EXE
PID:4700 -
\??\c:\fxxxxxr.exec:\fxxxxxr.exe64⤵
- Executes dropped EXE
PID:2280 -
\??\c:\rfxrlxr.exec:\rfxrlxr.exe65⤵
- Executes dropped EXE
PID:1564 -
\??\c:\llfxxff.exec:\llfxxff.exe66⤵
- Executes dropped EXE
PID:4932 -
\??\c:\g2448.exec:\g2448.exe67⤵PID:840
-
\??\c:\ddpjv.exec:\ddpjv.exe68⤵PID:1048
-
\??\c:\llxxfrl.exec:\llxxfrl.exe69⤵PID:3624
-
\??\c:\4624844.exec:\4624844.exe70⤵PID:2496
-
\??\c:\lxfxxff.exec:\lxfxxff.exe71⤵PID:2936
-
\??\c:\xrlffff.exec:\xrlffff.exe72⤵
- System Location Discovery: System Language Discovery
PID:4552 -
\??\c:\bhnhhb.exec:\bhnhhb.exe73⤵PID:4616
-
\??\c:\666606.exec:\666606.exe74⤵PID:2660
-
\??\c:\4062026.exec:\4062026.exe75⤵PID:1244
-
\??\c:\s6226.exec:\s6226.exe76⤵PID:1844
-
\??\c:\804642.exec:\804642.exe77⤵PID:4540
-
\??\c:\028266.exec:\028266.exe78⤵PID:2172
-
\??\c:\624448.exec:\624448.exe79⤵PID:1976
-
\??\c:\0844884.exec:\0844884.exe80⤵PID:1836
-
\??\c:\lxffxxx.exec:\lxffxxx.exe81⤵PID:3116
-
\??\c:\frrfffl.exec:\frrfffl.exe82⤵PID:392
-
\??\c:\rrllxff.exec:\rrllxff.exe83⤵PID:2012
-
\??\c:\88882.exec:\88882.exe84⤵PID:452
-
\??\c:\44826.exec:\44826.exe85⤵PID:3380
-
\??\c:\26828.exec:\26828.exe86⤵PID:5092
-
\??\c:\620444.exec:\620444.exe87⤵PID:4380
-
\??\c:\3rfxxxf.exec:\3rfxxxf.exe88⤵PID:4384
-
\??\c:\nnttnt.exec:\nnttnt.exe89⤵PID:3064
-
\??\c:\4888226.exec:\4888226.exe90⤵PID:812
-
\??\c:\7hntnn.exec:\7hntnn.exe91⤵PID:516
-
\??\c:\htbbbt.exec:\htbbbt.exe92⤵PID:3304
-
\??\c:\664000.exec:\664000.exe93⤵PID:3636
-
\??\c:\602222.exec:\602222.exe94⤵PID:3388
-
\??\c:\vjjjj.exec:\vjjjj.exe95⤵PID:1940
-
\??\c:\ddvvv.exec:\ddvvv.exe96⤵PID:2452
-
\??\c:\dpddd.exec:\dpddd.exe97⤵PID:3376
-
\??\c:\hbtntt.exec:\hbtntt.exe98⤵
- System Location Discovery: System Language Discovery
PID:736 -
\??\c:\bthbbb.exec:\bthbbb.exe99⤵
- System Location Discovery: System Language Discovery
PID:3988 -
\??\c:\24884.exec:\24884.exe100⤵PID:4952
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe101⤵PID:5032
-
\??\c:\flrrrxf.exec:\flrrrxf.exe102⤵PID:2700
-
\??\c:\6464642.exec:\6464642.exe103⤵PID:4604
-
\??\c:\24888.exec:\24888.exe104⤵PID:4300
-
\??\c:\hbhbtb.exec:\hbhbtb.exe105⤵PID:2588
-
\??\c:\llllxfx.exec:\llllxfx.exe106⤵PID:2300
-
\??\c:\hbnbth.exec:\hbnbth.exe107⤵PID:3656
-
\??\c:\dpdvp.exec:\dpdvp.exe108⤵PID:3532
-
\??\c:\bbbttt.exec:\bbbttt.exe109⤵PID:544
-
\??\c:\bttnnh.exec:\bttnnh.exe110⤵PID:1352
-
\??\c:\q84482.exec:\q84482.exe111⤵PID:2712
-
\??\c:\jjvpp.exec:\jjvpp.exe112⤵PID:2744
-
\??\c:\rrxxxxx.exec:\rrxxxxx.exe113⤵PID:3952
-
\??\c:\28666.exec:\28666.exe114⤵PID:3576
-
\??\c:\08408.exec:\08408.exe115⤵PID:780
-
\??\c:\c288222.exec:\c288222.exe116⤵PID:5112
-
\??\c:\06002.exec:\06002.exe117⤵PID:5024
-
\??\c:\4422828.exec:\4422828.exe118⤵PID:1824
-
\??\c:\4006644.exec:\4006644.exe119⤵PID:5008
-
\??\c:\nbhbtn.exec:\nbhbtn.exe120⤵PID:2304
-
\??\c:\668240.exec:\668240.exe121⤵PID:3660
-
\??\c:\u420464.exec:\u420464.exe122⤵PID:856