Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
24-12-2024 19:39
Behavioral task
behavioral1
Sample
105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
(Note: this task card describes the Windows 7 run, whereas the Analysis header above names the windows10-2004_x64 image and every signature hit below is tagged behavioral2; the evidence on this page therefore appears to come from the Windows 10 run, not from behavioral1.)
General
-
Target
105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe
-
Size
332KB
-
MD5
718282396c93a1b834a49a61ec1caeac
-
SHA1
6c5a47a597ecf7d48d3244e2fe5a22387231fe21
-
SHA256
105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87
-
SHA512
6b76f7361a43683237ea7d052a45266ab2c6dc246246db230563b4dc9d9e2560a245b99c137a222909291042512d33fa844b68c05963e7d2fc846535d4aee91d
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbel:R4wFHoSHYHUrAwfMp3CDl
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs (every hit is an in-memory match on the same 0x00400000-0x00427000 image range in a different spawned process, so this appears to be one payload re-executed down the process chain rather than 62 distinct payloads)
resource yara_rule behavioral2/memory/3052-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3972-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4852-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1976-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5088-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1712-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2560-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1812-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4344-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3728-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3680-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1892-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3740-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4464-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3388-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3316-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3584-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/336-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2180-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4752-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1980-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/912-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2708-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/644-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2088-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1096-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2056-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2600-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4848-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1568-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1892-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2696-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2400-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3188-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2596-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3000-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/960-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3680-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/728-466-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-533-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-538-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3784-637-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-734-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1624-983-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing appears capped at 64 entries; the process tree below shows the chain of dropped executables continuing well beyond that)
pid Process 3972 42266.exe 3616 2622604.exe 4852 1hhbnh.exe 5088 64048.exe 1976 6408824.exe 464 pvdvj.exe 1712 864206.exe 2560 48604.exe 2932 4400422.exe 1812 xffllrf.exe 4344 dvdvj.exe 4532 202206.exe 1808 84666.exe 3728 6264644.exe 3680 fffrlxr.exe 1568 420422.exe 3740 dpjdp.exe 1892 428404.exe 4464 488468.exe 4184 648820.exe 3388 668246.exe 3316 fllxlfr.exe 5048 24640.exe 4456 hhnbtn.exe 3584 2660688.exe 228 frrfrrf.exe 2248 62642.exe 4712 hthbth.exe 4528 vjdpj.exe 1612 0842044.exe 336 nnnhtn.exe 2180 xlfxlfr.exe 4772 0886486.exe 4752 xrlfxrl.exe 1980 022642.exe 2008 rlfrrxl.exe 912 lfrlxrl.exe 2708 c488626.exe 644 248660.exe 4260 488828.exe 2972 2664822.exe 3188 lrxrrrx.exe 2176 e40826.exe 3664 662828.exe 3232 2084888.exe 3548 pppvj.exe 2088 bthhtt.exe 3708 jjvpj.exe 784 fflfllf.exe 4840 i004482.exe 1364 btbthh.exe 3692 202082.exe 1096 bnhnbb.exe 3684 jvvpd.exe 4000 2204444.exe 2056 frfflfl.exe 2320 rllrllf.exe 4852 22448.exe 2956 440484.exe 1160 xlrlffx.exe 1660 rllxfxx.exe 1384 flrlffx.exe 2100 0844804.exe 1712 djpjd.exe -
resource yara_rule behavioral2/memory/3052-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c35-3.dat upx behavioral2/memory/3052-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c93-8.dat upx behavioral2/memory/3972-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-11.dat upx behavioral2/memory/3616-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-18.dat upx behavioral2/memory/4852-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-23.dat upx behavioral2/memory/1976-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5088-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-30.dat upx behavioral2/files/0x0007000000023ca1-34.dat upx behavioral2/memory/1712-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-38.dat upx behavioral2/files/0x0007000000023ca3-42.dat upx behavioral2/memory/2560-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-47.dat upx behavioral2/files/0x0007000000023ca5-51.dat upx behavioral2/memory/1812-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-56.dat upx behavioral2/memory/4344-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c95-61.dat upx behavioral2/memory/1808-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4532-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-67.dat upx behavioral2/files/0x0007000000023ca9-72.dat upx behavioral2/memory/3680-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3728-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-78.dat upx 
behavioral2/memory/3680-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-82.dat upx behavioral2/memory/3740-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-87.dat upx behavioral2/memory/1892-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3740-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-94.dat upx behavioral2/memory/4464-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-98.dat upx behavioral2/files/0x0007000000023caf-102.dat upx behavioral2/memory/4184-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3388-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-107.dat upx behavioral2/memory/3316-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-112.dat upx behavioral2/files/0x0007000000023cb2-117.dat upx behavioral2/memory/5048-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-122.dat upx behavioral2/memory/4456-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-127.dat upx behavioral2/memory/3584-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-133.dat upx behavioral2/memory/2248-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-137.dat upx behavioral2/files/0x0007000000023cb7-140.dat upx behavioral2/memory/4712-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-145.dat upx behavioral2/files/0x0007000000023cb9-150.dat upx behavioral2/files/0x0007000000023cba-154.dat upx behavioral2/memory/336-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2180-159-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4772-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4752-165-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). The evidence here is opens of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; entries attributed to "Process not Found" are opens the sandbox could not map back to a tracked process (for example one that had already exited), so only the named processes can be tied to this behaviour with confidence. Reading this key is also common in benign software, so on its own it is a weak indicator.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4000048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8200448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 066648.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xlfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 440822.exe -
Suspicious use of WriteProcessMemory 64 IoCs (the listing appears capped at 64 entries; each parent writes into the child it has just spawned, matching the linear process chain shown below)
description pid Process procid_target PID 3052 wrote to memory of 3972 3052 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 84 PID 3052 wrote to memory of 3972 3052 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 84 PID 3052 wrote to memory of 3972 3052 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 84 PID 3972 wrote to memory of 3616 3972 42266.exe 85 PID 3972 wrote to memory of 3616 3972 42266.exe 85 PID 3972 wrote to memory of 3616 3972 42266.exe 85 PID 3616 wrote to memory of 4852 3616 2622604.exe 86 PID 3616 wrote to memory of 4852 3616 2622604.exe 86 PID 3616 wrote to memory of 4852 3616 2622604.exe 86 PID 4852 wrote to memory of 5088 4852 1hhbnh.exe 87 PID 4852 wrote to memory of 5088 4852 1hhbnh.exe 87 PID 4852 wrote to memory of 5088 4852 1hhbnh.exe 87 PID 5088 wrote to memory of 1976 5088 64048.exe 88 PID 5088 wrote to memory of 1976 5088 64048.exe 88 PID 5088 wrote to memory of 1976 5088 64048.exe 88 PID 1976 wrote to memory of 464 1976 6408824.exe 89 PID 1976 wrote to memory of 464 1976 6408824.exe 89 PID 1976 wrote to memory of 464 1976 6408824.exe 89 PID 464 wrote to memory of 1712 464 pvdvj.exe 90 PID 464 wrote to memory of 1712 464 pvdvj.exe 90 PID 464 wrote to memory of 1712 464 pvdvj.exe 90 PID 1712 wrote to memory of 2560 1712 864206.exe 91 PID 1712 wrote to memory of 2560 1712 864206.exe 91 PID 1712 wrote to memory of 2560 1712 864206.exe 91 PID 2560 wrote to memory of 2932 2560 48604.exe 92 PID 2560 wrote to memory of 2932 2560 48604.exe 92 PID 2560 wrote to memory of 2932 2560 48604.exe 92 PID 2932 wrote to memory of 1812 2932 4400422.exe 93 PID 2932 wrote to memory of 1812 2932 4400422.exe 93 PID 2932 wrote to memory of 1812 2932 4400422.exe 93 PID 1812 wrote to memory of 4344 1812 xffllrf.exe 94 PID 1812 wrote to memory of 4344 1812 xffllrf.exe 94 PID 1812 wrote to memory of 4344 1812 xffllrf.exe 94 PID 4344 wrote to memory of 4532 4344 dvdvj.exe 95 PID 4344 wrote to memory of 
4532 4344 dvdvj.exe 95 PID 4344 wrote to memory of 4532 4344 dvdvj.exe 95 PID 4532 wrote to memory of 1808 4532 202206.exe 96 PID 4532 wrote to memory of 1808 4532 202206.exe 96 PID 4532 wrote to memory of 1808 4532 202206.exe 96 PID 1808 wrote to memory of 3728 1808 84666.exe 97 PID 1808 wrote to memory of 3728 1808 84666.exe 97 PID 1808 wrote to memory of 3728 1808 84666.exe 97 PID 3728 wrote to memory of 3680 3728 6264644.exe 98 PID 3728 wrote to memory of 3680 3728 6264644.exe 98 PID 3728 wrote to memory of 3680 3728 6264644.exe 98 PID 3680 wrote to memory of 1568 3680 fffrlxr.exe 99 PID 3680 wrote to memory of 1568 3680 fffrlxr.exe 99 PID 3680 wrote to memory of 1568 3680 fffrlxr.exe 99 PID 1568 wrote to memory of 3740 1568 420422.exe 100 PID 1568 wrote to memory of 3740 1568 420422.exe 100 PID 1568 wrote to memory of 3740 1568 420422.exe 100 PID 3740 wrote to memory of 1892 3740 dpjdp.exe 101 PID 3740 wrote to memory of 1892 3740 dpjdp.exe 101 PID 3740 wrote to memory of 1892 3740 dpjdp.exe 101 PID 1892 wrote to memory of 4464 1892 428404.exe 102 PID 1892 wrote to memory of 4464 1892 428404.exe 102 PID 1892 wrote to memory of 4464 1892 428404.exe 102 PID 4464 wrote to memory of 4184 4464 488468.exe 103 PID 4464 wrote to memory of 4184 4464 488468.exe 103 PID 4464 wrote to memory of 4184 4464 488468.exe 103 PID 4184 wrote to memory of 3388 4184 648820.exe 104 PID 4184 wrote to memory of 3388 4184 648820.exe 104 PID 4184 wrote to memory of 3388 4184 648820.exe 104 PID 3388 wrote to memory of 3316 3388 668246.exe 105
Processes (each entry shows the image path, the command line and the tree depth; the sample runs from the user's Temp directory and every child is dropped to the drive root c:\ and spawned by its predecessor, forming a single linear chain)
-
C:\Users\Admin\AppData\Local\Temp\105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe"C:\Users\Admin\AppData\Local\Temp\105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\42266.exec:\42266.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\2622604.exec:\2622604.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\1hhbnh.exec:\1hhbnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\64048.exec:\64048.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\6408824.exec:\6408824.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\pvdvj.exec:\pvdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\864206.exec:\864206.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\48604.exec:\48604.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\4400422.exec:\4400422.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\xffllrf.exec:\xffllrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\dvdvj.exec:\dvdvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\202206.exec:\202206.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\84666.exec:\84666.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\6264644.exec:\6264644.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\fffrlxr.exec:\fffrlxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\420422.exec:\420422.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\dpjdp.exec:\dpjdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\428404.exec:\428404.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\488468.exec:\488468.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\648820.exec:\648820.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\668246.exec:\668246.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\fllxlfr.exec:\fllxlfr.exe23⤵
- Executes dropped EXE
PID:3316 -
\??\c:\24640.exec:\24640.exe24⤵
- Executes dropped EXE
PID:5048 -
\??\c:\hhnbtn.exec:\hhnbtn.exe25⤵
- Executes dropped EXE
PID:4456 -
\??\c:\2660688.exec:\2660688.exe26⤵
- Executes dropped EXE
PID:3584 -
\??\c:\frrfrrf.exec:\frrfrrf.exe27⤵
- Executes dropped EXE
PID:228 -
\??\c:\62642.exec:\62642.exe28⤵
- Executes dropped EXE
PID:2248 -
\??\c:\hthbth.exec:\hthbth.exe29⤵
- Executes dropped EXE
PID:4712 -
\??\c:\vjdpj.exec:\vjdpj.exe30⤵
- Executes dropped EXE
PID:4528 -
\??\c:\0842044.exec:\0842044.exe31⤵
- Executes dropped EXE
PID:1612 -
\??\c:\nnnhtn.exec:\nnnhtn.exe32⤵
- Executes dropped EXE
PID:336 -
\??\c:\xlfxlfr.exec:\xlfxlfr.exe33⤵
- Executes dropped EXE
PID:2180 -
\??\c:\0886486.exec:\0886486.exe34⤵
- Executes dropped EXE
PID:4772 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe35⤵
- Executes dropped EXE
PID:4752 -
\??\c:\022642.exec:\022642.exe36⤵
- Executes dropped EXE
PID:1980 -
\??\c:\rlfrrxl.exec:\rlfrrxl.exe37⤵
- Executes dropped EXE
PID:2008 -
\??\c:\lfrlxrl.exec:\lfrlxrl.exe38⤵
- Executes dropped EXE
PID:912 -
\??\c:\c488626.exec:\c488626.exe39⤵
- Executes dropped EXE
PID:2708 -
\??\c:\248660.exec:\248660.exe40⤵
- Executes dropped EXE
PID:644 -
\??\c:\488828.exec:\488828.exe41⤵
- Executes dropped EXE
PID:4260 -
\??\c:\2664822.exec:\2664822.exe42⤵
- Executes dropped EXE
PID:2972 -
\??\c:\lrxrrrx.exec:\lrxrrrx.exe43⤵
- Executes dropped EXE
PID:3188 -
\??\c:\e40826.exec:\e40826.exe44⤵
- Executes dropped EXE
PID:2176 -
\??\c:\662828.exec:\662828.exe45⤵
- Executes dropped EXE
PID:3664 -
\??\c:\2084888.exec:\2084888.exe46⤵
- Executes dropped EXE
PID:3232 -
\??\c:\pppvj.exec:\pppvj.exe47⤵
- Executes dropped EXE
PID:3548 -
\??\c:\bthhtt.exec:\bthhtt.exe48⤵
- Executes dropped EXE
PID:2088 -
\??\c:\jjvpj.exec:\jjvpj.exe49⤵
- Executes dropped EXE
PID:3708 -
\??\c:\fflfllf.exec:\fflfllf.exe50⤵
- Executes dropped EXE
PID:784 -
\??\c:\i004482.exec:\i004482.exe51⤵
- Executes dropped EXE
PID:4840 -
\??\c:\btbthh.exec:\btbthh.exe52⤵
- Executes dropped EXE
PID:1364 -
\??\c:\202082.exec:\202082.exe53⤵
- Executes dropped EXE
PID:3692 -
\??\c:\bnhnbb.exec:\bnhnbb.exe54⤵
- Executes dropped EXE
PID:1096 -
\??\c:\24082.exec:\24082.exe55⤵PID:4916
-
\??\c:\jvvpd.exec:\jvvpd.exe56⤵
- Executes dropped EXE
PID:3684 -
\??\c:\2204444.exec:\2204444.exe57⤵
- Executes dropped EXE
PID:4000 -
\??\c:\frfflfl.exec:\frfflfl.exe58⤵
- Executes dropped EXE
PID:2056 -
\??\c:\rllrllf.exec:\rllrllf.exe59⤵
- Executes dropped EXE
PID:2320 -
\??\c:\22448.exec:\22448.exe60⤵
- Executes dropped EXE
PID:4852 -
\??\c:\440484.exec:\440484.exe61⤵
- Executes dropped EXE
PID:2956 -
\??\c:\xlrlffx.exec:\xlrlffx.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1160 -
\??\c:\rllxfxx.exec:\rllxfxx.exe63⤵
- Executes dropped EXE
PID:1660 -
\??\c:\flrlffx.exec:\flrlffx.exe64⤵
- Executes dropped EXE
PID:1384 -
\??\c:\0844804.exec:\0844804.exe65⤵
- Executes dropped EXE
PID:2100 -
\??\c:\djpjd.exec:\djpjd.exe66⤵
- Executes dropped EXE
PID:1712 -
\??\c:\8444226.exec:\8444226.exe67⤵PID:4032
-
\??\c:\xlfxxrr.exec:\xlfxxrr.exe68⤵
- System Location Discovery: System Language Discovery
PID:4540 -
\??\c:\nhhnht.exec:\nhhnht.exe69⤵PID:2988
-
\??\c:\040026.exec:\040026.exe70⤵PID:2964
-
\??\c:\0248666.exec:\0248666.exe71⤵PID:744
-
\??\c:\xfrllfx.exec:\xfrllfx.exe72⤵
- System Location Discovery: System Language Discovery
PID:4324 -
\??\c:\djvjj.exec:\djvjj.exe73⤵PID:1888
-
\??\c:\vjpdv.exec:\vjpdv.exe74⤵PID:3524
-
\??\c:\tbbntn.exec:\tbbntn.exe75⤵PID:2600
-
\??\c:\088086.exec:\088086.exe76⤵PID:4848
-
\??\c:\26642.exec:\26642.exe77⤵PID:3924
-
\??\c:\6248660.exec:\6248660.exe78⤵PID:2228
-
\??\c:\bnbttt.exec:\bnbttt.exe79⤵PID:5012
-
\??\c:\hbtnhb.exec:\hbtnhb.exe80⤵PID:1388
-
\??\c:\hbnnnn.exec:\hbnnnn.exe81⤵PID:1568
-
\??\c:\1nhhbb.exec:\1nhhbb.exe82⤵PID:2516
-
\??\c:\jdvdv.exec:\jdvdv.exe83⤵PID:1892
-
\??\c:\8400882.exec:\8400882.exe84⤵PID:2760
-
\??\c:\jvjdj.exec:\jvjdj.exe85⤵PID:4464
-
\??\c:\8802864.exec:\8802864.exe86⤵PID:2220
-
\??\c:\664688.exec:\664688.exe87⤵PID:4312
-
\??\c:\406026.exec:\406026.exe88⤵PID:452
-
\??\c:\vppdj.exec:\vppdj.exe89⤵PID:3404
-
\??\c:\06886.exec:\06886.exe90⤵PID:3944
-
\??\c:\pvdvp.exec:\pvdvp.exe91⤵PID:4416
-
\??\c:\hbbthh.exec:\hbbthh.exe92⤵PID:2336
-
\??\c:\402266.exec:\402266.exe93⤵PID:4824
-
\??\c:\rrfxffl.exec:\rrfxffl.exe94⤵PID:212
-
\??\c:\0620046.exec:\0620046.exe95⤵PID:928
-
\??\c:\jddvj.exec:\jddvj.exe96⤵PID:1864
-
\??\c:\ppvvj.exec:\ppvvj.exe97⤵PID:5040
-
\??\c:\o882604.exec:\o882604.exe98⤵PID:372
-
\??\c:\9ddpd.exec:\9ddpd.exe99⤵PID:5056
-
\??\c:\bthbbb.exec:\bthbbb.exe100⤵PID:4104
-
\??\c:\w66086.exec:\w66086.exe101⤵PID:4320
-
\??\c:\c220264.exec:\c220264.exe102⤵PID:3312
-
\??\c:\482086.exec:\482086.exe103⤵PID:3012
-
\??\c:\48604.exec:\48604.exe104⤵PID:2180
-
\??\c:\262204.exec:\262204.exe105⤵PID:4772
-
\??\c:\ntttnh.exec:\ntttnh.exe106⤵PID:4012
-
\??\c:\flllxfx.exec:\flllxfx.exe107⤵PID:4476
-
\??\c:\hbbhbh.exec:\hbbhbh.exe108⤵PID:2696
-
\??\c:\ddjdd.exec:\ddjdd.exe109⤵PID:5072
-
\??\c:\xlflxrf.exec:\xlflxrf.exe110⤵PID:3936
-
\??\c:\224822.exec:\224822.exe111⤵PID:3984
-
\??\c:\vpjdp.exec:\vpjdp.exe112⤵PID:3432
-
\??\c:\vvpdj.exec:\vvpdj.exe113⤵PID:4164
-
\??\c:\dpppj.exec:\dpppj.exe114⤵PID:2400
-
\??\c:\606604.exec:\606604.exe115⤵PID:3188
-
\??\c:\btnhth.exec:\btnhth.exe116⤵PID:2596
-
\??\c:\1fffxxx.exec:\1fffxxx.exe117⤵PID:4264
-
\??\c:\rllfxxr.exec:\rllfxxr.exe118⤵PID:4216
-
\??\c:\hbhbtn.exec:\hbhbtn.exe119⤵PID:2236
-
\??\c:\002826.exec:\002826.exe120⤵PID:3000
-
\??\c:\0844040.exec:\0844040.exe121⤵PID:4796
-
\??\c:\o806226.exec:\o806226.exe122⤵PID:3472