Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 23:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8d677f84c71cbf1839acb4e52cf6b61d3b507d83df7868b190be3be96f8f5e6f.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
8d677f84c71cbf1839acb4e52cf6b61d3b507d83df7868b190be3be96f8f5e6f.exe
-
Size
456KB
-
MD5
80dc06011ccb2447decac408b3b2188b
-
SHA1
333a757200d292c88a4ef7c679717d8839f5b8e0
-
SHA256
8d677f84c71cbf1839acb4e52cf6b61d3b507d83df7868b190be3be96f8f5e6f
-
SHA512
3b615edf9e2fdd6a24912bbdb808d1d699734cbe500fed4e664dd7de29d5d4bfafc7ae2c5ae9cd491889b09581b893c59ad9a356ae4a712724648b2bc8ac7c3d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR1:q7Tc2NYHUrAwfMp3CDR1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2544-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/316-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4956-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-871-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-881-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1156 64482.exe 2396 6400826.exe 2856 dvpjd.exe 3632 86800.exe 368 208604.exe 5068 044866.exe 3712 606426.exe 1404 66260.exe 4624 04262.exe 508 m8426.exe 2176 622422.exe 4028 llrlxrl.exe 2916 640422.exe 2516 vddvj.exe 4680 6228200.exe 220 9tthbb.exe 5116 4288604.exe 3536 frfxlfx.exe 400 844260.exe 384 thhhht.exe 1124 646444.exe 432 djjdd.exe 3568 2022688.exe 2932 xrfxrxr.exe 316 600202.exe 4844 62048.exe 2328 hnnttn.exe 3732 lxlflfl.exe 904 3fxxrrx.exe 2504 btttnn.exe 3116 402604.exe 1316 28082.exe 1128 3vjjd.exe 3504 040668.exe 5092 5vdpv.exe 228 624826.exe 4080 pjpvp.exe 2792 4060440.exe 4392 xlrlxlr.exe 4876 dpvpj.exe 2544 440860.exe 1724 9hhbnn.exe 4596 hhbnhh.exe 3884 642086.exe 1084 jjjdv.exe 1568 dvvvp.exe 1408 pjdvd.exe 3800 2060606.exe 3416 880886.exe 2040 xrrfffr.exe 3652 pvvpd.exe 2860 88426.exe 3488 2664204.exe 2668 e24880.exe 3452 022204.exe 1328 jvdpj.exe 2068 m2826.exe 4624 4848826.exe 2664 440866.exe 4252 9rrfrxr.exe 4264 thbthb.exe 1700 lxrfxxr.exe 996 84048.exe 1212 fxfrlll.exe -
resource yara_rule behavioral2/memory/2544-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/508-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2328-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-388-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3672-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-795-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2804220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4444648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0842404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0842660.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2544 wrote to memory of 1156 2544 8d677f84c71cbf1839acb4e52cf6b61d3b507d83df7868b190be3be96f8f5e6f.exe 83 PID 2544 wrote to memory of 1156 2544 8d677f84c71cbf1839acb4e52cf6b61d3b507d83df7868b190be3be96f8f5e6f.exe 83 PID 2544 wrote to memory of 1156 2544 8d677f84c71cbf1839acb4e52cf6b61d3b507d83df7868b190be3be96f8f5e6f.exe 83 PID 1156 wrote to memory of 2396 1156 64482.exe 84 PID 1156 wrote to memory of 2396 1156 64482.exe 84 PID 1156 wrote to memory of 2396 1156 64482.exe 84 PID 2396 wrote to memory of 2856 2396 6400826.exe 85 PID 2396 wrote to memory of 2856 2396 6400826.exe 85 PID 2396 wrote to memory of 2856 2396 6400826.exe 85 PID 2856 wrote to memory of 3632 2856 dvpjd.exe 86 PID 2856 wrote to memory of 3632 2856 dvpjd.exe 86 PID 2856 wrote to memory of 3632 2856 dvpjd.exe 86 PID 3632 wrote to memory of 368 3632 86800.exe 87 PID 3632 wrote to memory of 368 3632 86800.exe 87 PID 3632 wrote to memory of 368 3632 86800.exe 87 PID 368 wrote to memory of 5068 368 208604.exe 88 PID 368 wrote to memory of 5068 368 208604.exe 88 PID 368 wrote to memory of 5068 368 208604.exe 88 PID 5068 wrote to memory of 3712 5068 044866.exe 89 PID 5068 wrote to memory of 3712 5068 044866.exe 89 PID 5068 wrote to memory of 3712 5068 044866.exe 89 PID 3712 wrote to memory of 1404 3712 606426.exe 90 PID 3712 wrote to memory of 1404 3712 606426.exe 90 PID 3712 wrote to memory of 1404 3712 606426.exe 90 PID 1404 wrote to memory of 4624 1404 66260.exe 91 PID 1404 wrote to memory of 4624 1404 66260.exe 91 PID 1404 wrote to memory of 4624 1404 66260.exe 91 PID 4624 wrote to memory of 508 4624 04262.exe 92 PID 4624 wrote to memory of 508 4624 04262.exe 92 PID 4624 wrote to memory of 508 4624 04262.exe 92 PID 508 wrote to memory of 2176 508 m8426.exe 93 PID 508 wrote to memory of 2176 508 m8426.exe 93 PID 508 wrote to memory of 2176 508 m8426.exe 93 PID 2176 wrote to memory of 4028 2176 622422.exe 94 PID 2176 wrote to memory of 4028 2176 622422.exe 94 
PID 2176 wrote to memory of 4028 2176 622422.exe 94 PID 4028 wrote to memory of 2916 4028 llrlxrl.exe 95 PID 4028 wrote to memory of 2916 4028 llrlxrl.exe 95 PID 4028 wrote to memory of 2916 4028 llrlxrl.exe 95 PID 2916 wrote to memory of 2516 2916 640422.exe 96 PID 2916 wrote to memory of 2516 2916 640422.exe 96 PID 2916 wrote to memory of 2516 2916 640422.exe 96 PID 2516 wrote to memory of 4680 2516 vddvj.exe 97 PID 2516 wrote to memory of 4680 2516 vddvj.exe 97 PID 2516 wrote to memory of 4680 2516 vddvj.exe 97 PID 4680 wrote to memory of 220 4680 6228200.exe 98 PID 4680 wrote to memory of 220 4680 6228200.exe 98 PID 4680 wrote to memory of 220 4680 6228200.exe 98 PID 220 wrote to memory of 5116 220 9tthbb.exe 99 PID 220 wrote to memory of 5116 220 9tthbb.exe 99 PID 220 wrote to memory of 5116 220 9tthbb.exe 99 PID 5116 wrote to memory of 3536 5116 4288604.exe 100 PID 5116 wrote to memory of 3536 5116 4288604.exe 100 PID 5116 wrote to memory of 3536 5116 4288604.exe 100 PID 3536 wrote to memory of 400 3536 frfxlfx.exe 101 PID 3536 wrote to memory of 400 3536 frfxlfx.exe 101 PID 3536 wrote to memory of 400 3536 frfxlfx.exe 101 PID 400 wrote to memory of 384 400 844260.exe 102 PID 400 wrote to memory of 384 400 844260.exe 102 PID 400 wrote to memory of 384 400 844260.exe 102 PID 384 wrote to memory of 1124 384 thhhht.exe 103 PID 384 wrote to memory of 1124 384 thhhht.exe 103 PID 384 wrote to memory of 1124 384 thhhht.exe 103 PID 1124 wrote to memory of 432 1124 646444.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d677f84c71cbf1839acb4e52cf6b61d3b507d83df7868b190be3be96f8f5e6f.exe"C:\Users\Admin\AppData\Local\Temp\8d677f84c71cbf1839acb4e52cf6b61d3b507d83df7868b190be3be96f8f5e6f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\64482.exec:\64482.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\6400826.exec:\6400826.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\dvpjd.exec:\dvpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\86800.exec:\86800.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\208604.exec:\208604.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\044866.exec:\044866.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\606426.exec:\606426.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\66260.exec:\66260.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\04262.exec:\04262.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\m8426.exec:\m8426.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:508 -
\??\c:\622422.exec:\622422.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\llrlxrl.exec:\llrlxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\640422.exec:\640422.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\vddvj.exec:\vddvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\6228200.exec:\6228200.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\9tthbb.exec:\9tthbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\4288604.exec:\4288604.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\frfxlfx.exec:\frfxlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\844260.exec:\844260.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\thhhht.exec:\thhhht.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\646444.exec:\646444.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\djjdd.exec:\djjdd.exe23⤵
- Executes dropped EXE
PID:432 -
\??\c:\2022688.exec:\2022688.exe24⤵
- Executes dropped EXE
PID:3568 -
\??\c:\xrfxrxr.exec:\xrfxrxr.exe25⤵
- Executes dropped EXE
PID:2932 -
\??\c:\600202.exec:\600202.exe26⤵
- Executes dropped EXE
PID:316 -
\??\c:\62048.exec:\62048.exe27⤵
- Executes dropped EXE
PID:4844 -
\??\c:\hnnttn.exec:\hnnttn.exe28⤵
- Executes dropped EXE
PID:2328 -
\??\c:\lxlflfl.exec:\lxlflfl.exe29⤵
- Executes dropped EXE
PID:3732 -
\??\c:\3fxxrrx.exec:\3fxxrrx.exe30⤵
- Executes dropped EXE
PID:904 -
\??\c:\btttnn.exec:\btttnn.exe31⤵
- Executes dropped EXE
PID:2504 -
\??\c:\402604.exec:\402604.exe32⤵
- Executes dropped EXE
PID:3116 -
\??\c:\28082.exec:\28082.exe33⤵
- Executes dropped EXE
PID:1316 -
\??\c:\3vjjd.exec:\3vjjd.exe34⤵
- Executes dropped EXE
PID:1128 -
\??\c:\040668.exec:\040668.exe35⤵
- Executes dropped EXE
PID:3504 -
\??\c:\5vdpv.exec:\5vdpv.exe36⤵
- Executes dropped EXE
PID:5092 -
\??\c:\624826.exec:\624826.exe37⤵
- Executes dropped EXE
PID:228 -
\??\c:\pjpvp.exec:\pjpvp.exe38⤵
- Executes dropped EXE
PID:4080 -
\??\c:\4060440.exec:\4060440.exe39⤵
- Executes dropped EXE
PID:2792 -
\??\c:\xlrlxlr.exec:\xlrlxlr.exe40⤵
- Executes dropped EXE
PID:4392 -
\??\c:\dpvpj.exec:\dpvpj.exe41⤵
- Executes dropped EXE
PID:4876 -
\??\c:\440860.exec:\440860.exe42⤵
- Executes dropped EXE
PID:2544 -
\??\c:\9hhbnn.exec:\9hhbnn.exe43⤵
- Executes dropped EXE
PID:1724 -
\??\c:\hhbnhh.exec:\hhbnhh.exe44⤵
- Executes dropped EXE
PID:4596 -
\??\c:\642086.exec:\642086.exe45⤵
- Executes dropped EXE
PID:3884 -
\??\c:\jjjdv.exec:\jjjdv.exe46⤵
- Executes dropped EXE
PID:1084 -
\??\c:\dvvvp.exec:\dvvvp.exe47⤵
- Executes dropped EXE
PID:1568 -
\??\c:\pjdvd.exec:\pjdvd.exe48⤵
- Executes dropped EXE
PID:1408 -
\??\c:\2060606.exec:\2060606.exe49⤵
- Executes dropped EXE
PID:3800 -
\??\c:\880886.exec:\880886.exe50⤵
- Executes dropped EXE
PID:3416 -
\??\c:\xrrfffr.exec:\xrrfffr.exe51⤵
- Executes dropped EXE
PID:2040 -
\??\c:\pvvpd.exec:\pvvpd.exe52⤵
- Executes dropped EXE
PID:3652 -
\??\c:\88426.exec:\88426.exe53⤵
- Executes dropped EXE
PID:2860 -
\??\c:\2664204.exec:\2664204.exe54⤵
- Executes dropped EXE
PID:3488 -
\??\c:\e24880.exec:\e24880.exe55⤵
- Executes dropped EXE
PID:2668 -
\??\c:\022204.exec:\022204.exe56⤵
- Executes dropped EXE
PID:3452 -
\??\c:\jvdpj.exec:\jvdpj.exe57⤵
- Executes dropped EXE
PID:1328 -
\??\c:\m2826.exec:\m2826.exe58⤵
- Executes dropped EXE
PID:2068 -
\??\c:\4848826.exec:\4848826.exe59⤵
- Executes dropped EXE
PID:4624 -
\??\c:\440866.exec:\440866.exe60⤵
- Executes dropped EXE
PID:2664 -
\??\c:\9rrfrxr.exec:\9rrfrxr.exe61⤵
- Executes dropped EXE
PID:4252 -
\??\c:\thbthb.exec:\thbthb.exe62⤵
- Executes dropped EXE
PID:4264 -
\??\c:\lxrfxxr.exec:\lxrfxxr.exe63⤵
- Executes dropped EXE
PID:1700 -
\??\c:\84048.exec:\84048.exe64⤵
- Executes dropped EXE
PID:996 -
\??\c:\fxfrlll.exec:\fxfrlll.exe65⤵
- Executes dropped EXE
PID:1212 -
\??\c:\3lrxrrl.exec:\3lrxrrl.exe66⤵PID:2416
-
\??\c:\dpdpj.exec:\dpdpj.exe67⤵PID:1184
-
\??\c:\62868.exec:\62868.exe68⤵PID:1116
-
\??\c:\2466086.exec:\2466086.exe69⤵PID:2824
-
\??\c:\42886.exec:\42886.exe70⤵PID:3516
-
\??\c:\0842404.exec:\0842404.exe71⤵
- System Location Discovery: System Language Discovery
PID:3120 -
\??\c:\ntbtnh.exec:\ntbtnh.exe72⤵PID:2384
-
\??\c:\dpjdv.exec:\dpjdv.exe73⤵PID:2768
-
\??\c:\044844.exec:\044844.exe74⤵PID:2624
-
\??\c:\dpdpd.exec:\dpdpd.exe75⤵PID:2532
-
\??\c:\1tbtnt.exec:\1tbtnt.exe76⤵PID:2928
-
\??\c:\8468222.exec:\8468222.exe77⤵PID:2884
-
\??\c:\tthbtt.exec:\tthbtt.exe78⤵PID:2640
-
\??\c:\628082.exec:\628082.exe79⤵PID:1608
-
\??\c:\4826486.exec:\4826486.exe80⤵PID:3404
-
\??\c:\rxxxflr.exec:\rxxxflr.exe81⤵PID:4848
-
\??\c:\xllrfxx.exec:\xllrfxx.exe82⤵PID:3908
-
\??\c:\rffrxrl.exec:\rffrxrl.exe83⤵PID:3568
-
\??\c:\i464224.exec:\i464224.exe84⤵PID:1652
-
\??\c:\9ntbnb.exec:\9ntbnb.exe85⤵PID:4956
-
\??\c:\vdjvj.exec:\vdjvj.exe86⤵PID:316
-
\??\c:\jpvjp.exec:\jpvjp.exe87⤵PID:4464
-
\??\c:\llrrffx.exec:\llrrffx.exe88⤵PID:2300
-
\??\c:\c666482.exec:\c666482.exe89⤵PID:3580
-
\??\c:\426048.exec:\426048.exe90⤵PID:824
-
\??\c:\04426.exec:\04426.exe91⤵PID:4296
-
\??\c:\9jjvj.exec:\9jjvj.exe92⤵PID:3052
-
\??\c:\9pjdv.exec:\9pjdv.exe93⤵PID:3796
-
\??\c:\nhnhtb.exec:\nhnhtb.exe94⤵PID:964
-
\??\c:\644648.exec:\644648.exe95⤵PID:1424
-
\??\c:\482008.exec:\482008.exe96⤵PID:3672
-
\??\c:\vjjjv.exec:\vjjjv.exe97⤵PID:1076
-
\??\c:\fxfrfxr.exec:\fxfrfxr.exe98⤵PID:1956
-
\??\c:\3vjvj.exec:\3vjvj.exe99⤵PID:636
-
\??\c:\e44820.exec:\e44820.exe100⤵PID:1008
-
\??\c:\rxfxxfl.exec:\rxfxxfl.exe101⤵PID:2820
-
\??\c:\flrlfxr.exec:\flrlfxr.exe102⤵PID:908
-
\??\c:\lllxlxf.exec:\lllxlxf.exe103⤵PID:4696
-
\??\c:\xrxlffr.exec:\xrxlffr.exe104⤵PID:1620
-
\??\c:\246600.exec:\246600.exe105⤵PID:2092
-
\??\c:\28060.exec:\28060.exe106⤵PID:2212
-
\??\c:\xlllflf.exec:\xlllflf.exe107⤵PID:1156
-
\??\c:\266004.exec:\266004.exe108⤵PID:3996
-
\??\c:\xrfxffl.exec:\xrfxffl.exe109⤵PID:2344
-
\??\c:\2464226.exec:\2464226.exe110⤵PID:3968
-
\??\c:\3htbth.exec:\3htbth.exe111⤵PID:2488
-
\??\c:\26260.exec:\26260.exe112⤵PID:5032
-
\??\c:\884266.exec:\884266.exe113⤵PID:1176
-
\??\c:\lffxllf.exec:\lffxllf.exe114⤵PID:5080
-
\??\c:\8406448.exec:\8406448.exe115⤵PID:2040
-
\??\c:\k24262.exec:\k24262.exe116⤵PID:3160
-
\??\c:\pvdvp.exec:\pvdvp.exe117⤵PID:2860
-
\??\c:\jvdvp.exec:\jvdvp.exe118⤵PID:3488
-
\??\c:\42882.exec:\42882.exe119⤵PID:916
-
\??\c:\jppdv.exec:\jppdv.exe120⤵PID:4560
-
\??\c:\htnttt.exec:\htnttt.exe121⤵
- System Location Discovery: System Language Discovery
PID:3148 -
\??\c:\i060044.exec:\i060044.exe122⤵PID:3972