Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
19-12-2024 02:37
Behavioral task
behavioral1
Sample
b7465945db75ea959b66dc7340603f467bf453983faf154a6d0e7e0d8c783307.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
Note: this task card describes the Windows 7 x64 run (behavioral1). The platform line above names windows10-2004_x64 and every IoC path below is prefixed behavioral2/, so the signature and process-tree detail on this page appears to come from the second (Windows 10 2004 x64) task; the Windows 7 results are not shown here.
General
-
Target
b7465945db75ea959b66dc7340603f467bf453983faf154a6d0e7e0d8c783307.exe
-
Size
331KB
-
MD5
10303adc2ecec517d48b269f14db74e0
-
SHA1
9698a4c9e106847b3fc1af09b2392bed54030c7d
-
SHA256
b7465945db75ea959b66dc7340603f467bf453983faf154a6d0e7e0d8c783307
-
SHA512
31349210b0e5bf54111560b435c3a418b635737e3f791ea790631190af7d10db7e2f2235826af056c9e44dc8639e319adff4080cadc5331f7affc1e1000f10f0
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7t8:94wFHoStJdSjylh2b77BoTMA9gX59sT0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
All 62 hits are the family_blackmoon YARA rule matching memory dumps of the dropped processes, each at the same image range 0x00400000-0x00427000. The same ranges, plus the dropped files under behavioral2/files/*.dat, also match the upx rule in the unlabeled yara listing further down, so the family detection is on the payload as it sits unpacked in memory, not on the packed file on disk. A memory-only YARA match identifies the family but not its configuration: no C2 or other settings were extracted (the Malware Config section above is empty).
resource yara_rule behavioral2/memory/4180-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1128-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1956-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3536-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2392-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4684-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2116-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3748-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2324-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/388-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4628-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3616-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1052-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4948-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4784-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4968-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1168-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2476-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2560-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3820-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5052-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3292-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3208-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/624-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1388-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/748-394-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3460-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-467-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-474-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2456-483-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-524-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2764-575-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/808-590-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-595-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/924-799-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1260-862-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
This listing is capped at 64 entries; the process tree below continues to depth 122 within the 150 s run, each dropped executable launching the next. The drops are written to the drive root (\??\c:\<name>.exe) with short, apparently random names, which is a useful hunting artefact on its own. PIDs are recycled during the run (for example 4728 appears at depth 16 and again at depth 72, and 2552 at depths 3 and 114), so a PID alone is not a stable key when pivoting between this list, the memory-dump names and the tree; use the PID together with its depth or dump ordinal.
pid Process 1128 9lfxxxx.exe 2552 6080262.exe 1956 046826.exe 4484 808628.exe 3536 208822.exe 2392 04228.exe 4812 fxrrlrl.exe 4684 48060.exe 2116 0448604.exe 3020 jvvpj.exe 4292 xflfxrl.exe 4584 7vvpd.exe 224 2688882.exe 1960 dpvvv.exe 4728 48440.exe 3748 2062626.exe 748 jvdvj.exe 4972 llrlxrl.exe 5088 hnttnn.exe 4688 8448846.exe 2324 888482.exe 388 06264.exe 4628 lrxlfrf.exe 2428 nbtnbb.exe 4260 hhhthb.exe 440 jjjpp.exe 3616 9xxrxrf.exe 1444 s4082.exe 4824 rffrrlf.exe 4604 644268.exe 4860 vddvp.exe 4864 htbtnh.exe 4660 pvjdd.exe 1052 lflfxrl.exe 2340 628266.exe 1132 5fxrrrf.exe 4536 tbhbbn.exe 4400 rflxrfx.exe 4948 48026.exe 3308 vdjdp.exe 4608 vvjdv.exe 4784 q84204.exe 1636 nbhbnn.exe 396 rfxxfff.exe 4496 xrlrfxr.exe 2068 bbnhbb.exe 1396 a6424.exe 4968 bnhbtn.exe 4428 pjjdv.exe 5080 lrfxffx.exe 4464 000488.exe 3288 vpvvp.exe 1776 vppjj.exe 1572 200426.exe 1168 flrllfx.exe 2008 w02666.exe 2384 440482.exe 4264 4400000.exe 4308 6000044.exe 900 8288848.exe 4576 bnthbb.exe 2476 266868.exe 4348 5ppjj.exe 4212 068226.exe -
resource yara_rule behavioral2/memory/4180-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000f000000023a30-3.dat upx behavioral2/memory/4180-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2552-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1128-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023a69-12.dat upx behavioral2/memory/2552-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1956-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023a3a-9.dat upx behavioral2/files/0x000d000000023a6a-20.dat upx behavioral2/files/0x000f000000023aa7-24.dat upx behavioral2/memory/3536-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4484-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023aa9-30.dat upx behavioral2/memory/3536-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023ac9-35.dat upx behavioral2/memory/2392-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023acb-40.dat upx behavioral2/memory/4812-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023acd-45.dat upx behavioral2/memory/4684-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2116-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ace-52.dat upx behavioral2/files/0x0008000000023ad4-55.dat upx behavioral2/files/0x000e000000023a3b-59.dat upx behavioral2/memory/4292-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ad5-65.dat upx behavioral2/memory/4584-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b7b-69.dat upx behavioral2/memory/224-71-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b7c-74.dat upx behavioral2/files/0x000a000000023b7d-78.dat upx behavioral2/memory/4728-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3748-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-85.dat upx behavioral2/files/0x000a000000023b7f-89.dat upx behavioral2/memory/4972-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b80-93.dat upx behavioral2/files/0x000a000000023b81-97.dat upx behavioral2/files/0x000a000000023b82-101.dat upx behavioral2/memory/4688-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-106.dat upx behavioral2/memory/2324-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-111.dat upx behavioral2/memory/388-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-117.dat upx behavioral2/memory/4628-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-121.dat upx behavioral2/files/0x000a000000023b87-126.dat upx behavioral2/memory/4260-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-131.dat upx behavioral2/files/0x000a000000023b89-134.dat upx behavioral2/memory/3616-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-139.dat upx behavioral2/files/0x000a000000023b8c-149.dat upx behavioral2/files/0x000a000000023b8b-145.dat upx behavioral2/memory/4824-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-153.dat upx behavioral2/memory/4864-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4660-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1052-162-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4536-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4948-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4604-174-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Here the evidence is each dropped process opening the registry key HKLM\SYSTEM\ControlSet001\Control\NLS\Language (listed below). Many entries are attributed to "Process not Found", which most likely means the process had already exited by the time the sandbox attributed the event. Reading this key is common in legitimate software, so it is a weak indicator on its own and is meaningful only in combination with the rest of the chain.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2444888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fllfxr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6460048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6802026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Each parent writes to its child exactly three times, and every parent/child pair matches a spawn in the process tree (4180 -> 1128 -> 2552 -> ...). That pattern is consistent with the writes that accompany ordinary process creation rather than injection into an unrelated process, so treat this signature as corroborating the drop-and-execute chain, not as separate evidence of code injection. The list is capped at 64 entries and stops at the 2324 -> 388 spawn.
description pid Process procid_target PID 4180 wrote to memory of 1128 4180 b7465945db75ea959b66dc7340603f467bf453983faf154a6d0e7e0d8c783307.exe 84 PID 4180 wrote to memory of 1128 4180 b7465945db75ea959b66dc7340603f467bf453983faf154a6d0e7e0d8c783307.exe 84 PID 4180 wrote to memory of 1128 4180 b7465945db75ea959b66dc7340603f467bf453983faf154a6d0e7e0d8c783307.exe 84 PID 1128 wrote to memory of 2552 1128 9lfxxxx.exe 85 PID 1128 wrote to memory of 2552 1128 9lfxxxx.exe 85 PID 1128 wrote to memory of 2552 1128 9lfxxxx.exe 85 PID 2552 wrote to memory of 1956 2552 6080262.exe 86 PID 2552 wrote to memory of 1956 2552 6080262.exe 86 PID 2552 wrote to memory of 1956 2552 6080262.exe 86 PID 1956 wrote to memory of 4484 1956 046826.exe 87 PID 1956 wrote to memory of 4484 1956 046826.exe 87 PID 1956 wrote to memory of 4484 1956 046826.exe 87 PID 4484 wrote to memory of 3536 4484 808628.exe 88 PID 4484 wrote to memory of 3536 4484 808628.exe 88 PID 4484 wrote to memory of 3536 4484 808628.exe 88 PID 3536 wrote to memory of 2392 3536 208822.exe 89 PID 3536 wrote to memory of 2392 3536 208822.exe 89 PID 3536 wrote to memory of 2392 3536 208822.exe 89 PID 2392 wrote to memory of 4812 2392 04228.exe 90 PID 2392 wrote to memory of 4812 2392 04228.exe 90 PID 2392 wrote to memory of 4812 2392 04228.exe 90 PID 4812 wrote to memory of 4684 4812 fxrrlrl.exe 91 PID 4812 wrote to memory of 4684 4812 fxrrlrl.exe 91 PID 4812 wrote to memory of 4684 4812 fxrrlrl.exe 91 PID 4684 wrote to memory of 2116 4684 48060.exe 92 PID 4684 wrote to memory of 2116 4684 48060.exe 92 PID 4684 wrote to memory of 2116 4684 48060.exe 92 PID 2116 wrote to memory of 3020 2116 0448604.exe 93 PID 2116 wrote to memory of 3020 2116 0448604.exe 93 PID 2116 wrote to memory of 3020 2116 0448604.exe 93 PID 3020 wrote to memory of 4292 3020 jvvpj.exe 94 PID 3020 wrote to memory of 4292 3020 jvvpj.exe 94 PID 3020 wrote to memory of 4292 3020 jvvpj.exe 94 PID 4292 wrote to memory of 4584 4292 xflfxrl.exe 95 PID 4292 wrote 
to memory of 4584 4292 xflfxrl.exe 95 PID 4292 wrote to memory of 4584 4292 xflfxrl.exe 95 PID 4584 wrote to memory of 224 4584 7vvpd.exe 96 PID 4584 wrote to memory of 224 4584 7vvpd.exe 96 PID 4584 wrote to memory of 224 4584 7vvpd.exe 96 PID 224 wrote to memory of 1960 224 2688882.exe 97 PID 224 wrote to memory of 1960 224 2688882.exe 97 PID 224 wrote to memory of 1960 224 2688882.exe 97 PID 1960 wrote to memory of 4728 1960 dpvvv.exe 98 PID 1960 wrote to memory of 4728 1960 dpvvv.exe 98 PID 1960 wrote to memory of 4728 1960 dpvvv.exe 98 PID 4728 wrote to memory of 3748 4728 48440.exe 99 PID 4728 wrote to memory of 3748 4728 48440.exe 99 PID 4728 wrote to memory of 3748 4728 48440.exe 99 PID 3748 wrote to memory of 748 3748 2062626.exe 100 PID 3748 wrote to memory of 748 3748 2062626.exe 100 PID 3748 wrote to memory of 748 3748 2062626.exe 100 PID 748 wrote to memory of 4972 748 jvdvj.exe 101 PID 748 wrote to memory of 4972 748 jvdvj.exe 101 PID 748 wrote to memory of 4972 748 jvdvj.exe 101 PID 4972 wrote to memory of 5088 4972 llrlxrl.exe 102 PID 4972 wrote to memory of 5088 4972 llrlxrl.exe 102 PID 4972 wrote to memory of 5088 4972 llrlxrl.exe 102 PID 5088 wrote to memory of 4688 5088 hnttnn.exe 103 PID 5088 wrote to memory of 4688 5088 hnttnn.exe 103 PID 5088 wrote to memory of 4688 5088 hnttnn.exe 103 PID 4688 wrote to memory of 2324 4688 8448846.exe 104 PID 4688 wrote to memory of 2324 4688 8448846.exe 104 PID 4688 wrote to memory of 2324 4688 8448846.exe 104 PID 2324 wrote to memory of 388 2324 888482.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7465945db75ea959b66dc7340603f467bf453983faf154a6d0e7e0d8c783307.exe"C:\Users\Admin\AppData\Local\Temp\b7465945db75ea959b66dc7340603f467bf453983faf154a6d0e7e0d8c783307.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\9lfxxxx.exec:\9lfxxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\6080262.exec:\6080262.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\046826.exec:\046826.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\808628.exec:\808628.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\208822.exec:\208822.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\04228.exec:\04228.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\fxrrlrl.exec:\fxrrlrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\48060.exec:\48060.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\0448604.exec:\0448604.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\jvvpj.exec:\jvvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\xflfxrl.exec:\xflfxrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\7vvpd.exec:\7vvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\2688882.exec:\2688882.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\dpvvv.exec:\dpvvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\48440.exec:\48440.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\2062626.exec:\2062626.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\jvdvj.exec:\jvdvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\llrlxrl.exec:\llrlxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\hnttnn.exec:\hnttnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\8448846.exec:\8448846.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\888482.exec:\888482.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\06264.exec:\06264.exe23⤵
- Executes dropped EXE
PID:388 -
\??\c:\lrxlfrf.exec:\lrxlfrf.exe24⤵
- Executes dropped EXE
PID:4628 -
\??\c:\nbtnbb.exec:\nbtnbb.exe25⤵
- Executes dropped EXE
PID:2428 -
\??\c:\hhhthb.exec:\hhhthb.exe26⤵
- Executes dropped EXE
PID:4260 -
\??\c:\jjjpp.exec:\jjjpp.exe27⤵
- Executes dropped EXE
PID:440 -
\??\c:\9xxrxrf.exec:\9xxrxrf.exe28⤵
- Executes dropped EXE
PID:3616 -
\??\c:\s4082.exec:\s4082.exe29⤵
- Executes dropped EXE
PID:1444 -
\??\c:\rffrrlf.exec:\rffrrlf.exe30⤵
- Executes dropped EXE
PID:4824 -
\??\c:\644268.exec:\644268.exe31⤵
- Executes dropped EXE
PID:4604 -
\??\c:\vddvp.exec:\vddvp.exe32⤵
- Executes dropped EXE
PID:4860 -
\??\c:\htbtnh.exec:\htbtnh.exe33⤵
- Executes dropped EXE
PID:4864 -
\??\c:\pvjdd.exec:\pvjdd.exe34⤵
- Executes dropped EXE
PID:4660 -
\??\c:\lflfxrl.exec:\lflfxrl.exe35⤵
- Executes dropped EXE
PID:1052 -
\??\c:\628266.exec:\628266.exe36⤵
- Executes dropped EXE
PID:2340 -
\??\c:\5fxrrrf.exec:\5fxrrrf.exe37⤵
- Executes dropped EXE
PID:1132 -
\??\c:\tbhbbn.exec:\tbhbbn.exe38⤵
- Executes dropped EXE
PID:4536 -
\??\c:\rflxrfx.exec:\rflxrfx.exe39⤵
- Executes dropped EXE
PID:4400 -
\??\c:\48026.exec:\48026.exe40⤵
- Executes dropped EXE
PID:4948 -
\??\c:\vdjdp.exec:\vdjdp.exe41⤵
- Executes dropped EXE
PID:3308 -
\??\c:\vvjdv.exec:\vvjdv.exe42⤵
- Executes dropped EXE
PID:4608 -
\??\c:\q84204.exec:\q84204.exe43⤵
- Executes dropped EXE
PID:4784 -
\??\c:\nbhbnn.exec:\nbhbnn.exe44⤵
- Executes dropped EXE
PID:1636 -
\??\c:\rfxxfff.exec:\rfxxfff.exe45⤵
- Executes dropped EXE
PID:396 -
\??\c:\xrlrfxr.exec:\xrlrfxr.exe46⤵
- Executes dropped EXE
PID:4496 -
\??\c:\bbnhbb.exec:\bbnhbb.exe47⤵
- Executes dropped EXE
PID:2068 -
\??\c:\a6424.exec:\a6424.exe48⤵
- Executes dropped EXE
PID:1396 -
\??\c:\bnhbtn.exec:\bnhbtn.exe49⤵
- Executes dropped EXE
PID:4968 -
\??\c:\pjjdv.exec:\pjjdv.exe50⤵
- Executes dropped EXE
PID:4428 -
\??\c:\lrfxffx.exec:\lrfxffx.exe51⤵
- Executes dropped EXE
PID:5080 -
\??\c:\000488.exec:\000488.exe52⤵
- Executes dropped EXE
PID:4464 -
\??\c:\vpvvp.exec:\vpvvp.exe53⤵
- Executes dropped EXE
PID:3288 -
\??\c:\vppjj.exec:\vppjj.exe54⤵
- Executes dropped EXE
PID:1776 -
\??\c:\200426.exec:\200426.exe55⤵
- Executes dropped EXE
PID:1572 -
\??\c:\flrllfx.exec:\flrllfx.exe56⤵
- Executes dropped EXE
PID:1168 -
\??\c:\w02666.exec:\w02666.exe57⤵
- Executes dropped EXE
PID:2008 -
\??\c:\440482.exec:\440482.exe58⤵
- Executes dropped EXE
PID:2384 -
\??\c:\4400000.exec:\4400000.exe59⤵
- Executes dropped EXE
PID:4264 -
\??\c:\6000044.exec:\6000044.exe60⤵
- Executes dropped EXE
PID:4308 -
\??\c:\8288848.exec:\8288848.exe61⤵
- Executes dropped EXE
PID:900 -
\??\c:\bnthbb.exec:\bnthbb.exe62⤵
- Executes dropped EXE
PID:4576 -
\??\c:\266868.exec:\266868.exe63⤵
- Executes dropped EXE
PID:2476 -
\??\c:\5ppjj.exec:\5ppjj.exe64⤵
- Executes dropped EXE
PID:4348 -
\??\c:\068226.exec:\068226.exe65⤵
- Executes dropped EXE
PID:4212 -
\??\c:\frxfrrr.exec:\frxfrrr.exe66⤵PID:3868
-
\??\c:\btnhbt.exec:\btnhbt.exe67⤵PID:768
-
\??\c:\9flfxxl.exec:\9flfxxl.exe68⤵PID:2888
-
\??\c:\2404884.exec:\2404884.exe69⤵PID:2560
-
\??\c:\vddvp.exec:\vddvp.exe70⤵PID:2032
-
\??\c:\404664.exec:\404664.exe71⤵PID:1488
-
\??\c:\tnhbtt.exec:\tnhbtt.exe72⤵PID:4728
-
\??\c:\22848.exec:\22848.exe73⤵PID:3540
-
\??\c:\840822.exec:\840822.exe74⤵PID:1468
-
\??\c:\0804822.exec:\0804822.exe75⤵PID:2604
-
\??\c:\pddvv.exec:\pddvv.exe76⤵PID:4616
-
\??\c:\pjjdv.exec:\pjjdv.exe77⤵PID:2284
-
\??\c:\c488060.exec:\c488060.exe78⤵PID:4460
-
\??\c:\bntnbt.exec:\bntnbt.exe79⤵PID:5108
-
\??\c:\nnbtbb.exec:\nnbtbb.exe80⤵
- System Location Discovery: System Language Discovery
PID:3820 -
\??\c:\60226.exec:\60226.exe81⤵PID:1744
-
\??\c:\88826.exec:\88826.exe82⤵PID:5052
-
\??\c:\84482.exec:\84482.exe83⤵PID:4036
-
\??\c:\hhbnnh.exec:\hhbnnh.exe84⤵PID:3656
-
\??\c:\04262.exec:\04262.exe85⤵PID:3292
-
\??\c:\828204.exec:\828204.exe86⤵PID:2744
-
\??\c:\7rlfxlf.exec:\7rlfxlf.exe87⤵PID:1732
-
\??\c:\q46448.exec:\q46448.exe88⤵PID:4144
-
\??\c:\28066.exec:\28066.exe89⤵PID:1656
-
\??\c:\6460048.exec:\6460048.exe90⤵
- System Location Discovery: System Language Discovery
PID:3244 -
\??\c:\llrrffx.exec:\llrrffx.exe91⤵PID:2196
-
\??\c:\pdvpd.exec:\pdvpd.exe92⤵PID:4860
-
\??\c:\dpjvp.exec:\dpjvp.exe93⤵PID:2844
-
\??\c:\tnntnt.exec:\tnntnt.exe94⤵PID:4056
-
\??\c:\fxrlrlx.exec:\fxrlrlx.exe95⤵PID:4900
-
\??\c:\hhttht.exec:\hhttht.exe96⤵PID:5100
-
\??\c:\jjjdv.exec:\jjjdv.exe97⤵PID:2148
-
\??\c:\jvvpj.exec:\jvvpj.exe98⤵PID:4580
-
\??\c:\2688826.exec:\2688826.exe99⤵PID:3208
-
\??\c:\6622600.exec:\6622600.exe100⤵PID:5008
-
\??\c:\4040400.exec:\4040400.exe101⤵PID:1832
-
\??\c:\flxxrfl.exec:\flxxrfl.exe102⤵PID:4556
-
\??\c:\264006.exec:\264006.exe103⤵PID:1788
-
\??\c:\0620482.exec:\0620482.exe104⤵PID:2928
-
\??\c:\llrllll.exec:\llrllll.exe105⤵PID:2400
-
\??\c:\w02882.exec:\w02882.exe106⤵PID:4940
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe107⤵PID:2864
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe108⤵PID:1236
-
\??\c:\08820.exec:\08820.exe109⤵PID:3076
-
\??\c:\lfxrlfr.exec:\lfxrlfr.exe110⤵PID:1176
-
\??\c:\tbbbtn.exec:\tbbbtn.exe111⤵PID:4412
-
\??\c:\4844282.exec:\4844282.exe112⤵PID:2520
-
\??\c:\nhhbnh.exec:\nhhbnh.exe113⤵PID:3152
-
\??\c:\422200.exec:\422200.exe114⤵PID:2552
-
\??\c:\4284844.exec:\4284844.exe115⤵PID:3288
-
\??\c:\464420.exec:\464420.exe116⤵PID:548
-
\??\c:\2224882.exec:\2224882.exe117⤵PID:4484
-
\??\c:\rlxlrlr.exec:\rlxlrlr.exe118⤵PID:624
-
\??\c:\2844880.exec:\2844880.exe119⤵PID:2008
-
\??\c:\1tnbtn.exec:\1tnbtn.exe120⤵PID:2384
-
\??\c:\828422.exec:\828422.exe121⤵PID:4264
-
\??\c:\ttbtnh.exec:\ttbtnh.exe122⤵PID:3148