Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:44
Static task
static1
1 signature
Behavioral task
behavioral1 (note: the signature hits and process tree reproduced below are labelled behavioral2 and carry the Windows 10 2004 x64 platform from the Analysis header above, not this Windows 7 task)
Sample
8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe
-
Size
456KB
-
MD5
a6e086eeea2c5c8625757c4ec7f5b755
-
SHA1
8de4d498e1bd91331ce320c31821191dae114b8f
-
SHA256
8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea
-
SHA512
625313061f18eac70ccd0b4cef9e98e92a21740c3b3919f83e6df7215cb1c380a18ee40a70cff5a985ae0a35b8fb7560b38ad163411aacf1d11daa0c8d4a4aa0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR2:q7Tc2NYHUrAwfMp3CDR2
Malware Config (no extracted configuration is shown on this page)
Signatures
-
Blackmoon family
-
Detects Blackmoon payload — 62 IoCs (every hit is the same 0x00400000–0x0042A000 image region of a different spawned process; the rule is matching the in-memory image of each dropped copy, not a separately injected payload)
resource yara_rule behavioral2/memory/2928-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3804-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2064-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-938-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-990-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-995-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-1067-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-1074-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-1306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the listing appears capped at 64 entries; the process tree below continues well past that, to depth 122 and beyond)
pid Process 2928 xrxxlrf.exe 388 040426.exe 3688 288660.exe 3228 rlfrlfx.exe 2256 82822.exe 2412 vdjvj.exe 4392 408828.exe 4012 7nthth.exe 2216 400886.exe 4112 tnbthb.exe 428 66648.exe 3532 q62042.exe 1672 vjvjj.exe 1916 pjjvj.exe 4520 044882.exe 4000 o808600.exe 4668 vpjjd.exe 2404 08820.exe 2968 866060.exe 1468 htnthh.exe 4504 hnthbt.exe 392 202048.exe 3000 88826.exe 4168 jpdpp.exe 4648 66608.exe 3572 llrfrlf.exe 1976 q62266.exe 1316 pjdpj.exe 3804 rffxllf.exe 1744 q88282.exe 1180 644248.exe 2244 xrrllff.exe 3024 604826.exe 1616 4642666.exe 3168 m8600.exe 456 1rxrrrx.exe 1596 lrfxxxr.exe 1308 bnttnt.exe 1376 lrlllll.exe 2988 682600.exe 1036 jdvvv.exe 1956 628826.exe 1584 24604.exe 2852 xxxrlll.exe 1840 frxrlrl.exe 4492 82000.exe 3820 bhnbtt.exe 1056 c404800.exe 4396 04626.exe 1452 dpvpd.exe 4880 4000488.exe 1960 64482.exe 5088 9xxrrrl.exe 1164 rrxlllr.exe 4280 200222.exe 5004 vvjpv.exe 2596 02822.exe 3328 2288480.exe 2156 7rrlflf.exe 3232 86660.exe 4144 fllflrr.exe 4832 tnhhnn.exe 1108 202862.exe 4208 8028222.exe -
resource yara_rule behavioral2/memory/2928-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1976-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-378-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4980-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-835-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-938-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-990-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-995-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-1067-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is a weak indicator on its own (locale-aware runtime code commonly does this), and most entries below are attributed to "Process not Found", i.e. the originating process had already exited when the event was resolved.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2666062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6848484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i442042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k06420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c404800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4248822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w00848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdd.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (each parent writes three times to its own direct child, matching the process tree below; this looks like ordinary process-creation plumbing along a sequential chain of dropped executables rather than injection into an unrelated process — confirm against the full event log)
description pid Process procid_target PID 2916 wrote to memory of 2928 2916 8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe 85 PID 2916 wrote to memory of 2928 2916 8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe 85 PID 2916 wrote to memory of 2928 2916 8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe 85 PID 2928 wrote to memory of 388 2928 xrxxlrf.exe 86 PID 2928 wrote to memory of 388 2928 xrxxlrf.exe 86 PID 2928 wrote to memory of 388 2928 xrxxlrf.exe 86 PID 388 wrote to memory of 3688 388 040426.exe 87 PID 388 wrote to memory of 3688 388 040426.exe 87 PID 388 wrote to memory of 3688 388 040426.exe 87 PID 3688 wrote to memory of 3228 3688 288660.exe 88 PID 3688 wrote to memory of 3228 3688 288660.exe 88 PID 3688 wrote to memory of 3228 3688 288660.exe 88 PID 3228 wrote to memory of 2256 3228 rlfrlfx.exe 89 PID 3228 wrote to memory of 2256 3228 rlfrlfx.exe 89 PID 3228 wrote to memory of 2256 3228 rlfrlfx.exe 89 PID 2256 wrote to memory of 2412 2256 82822.exe 90 PID 2256 wrote to memory of 2412 2256 82822.exe 90 PID 2256 wrote to memory of 2412 2256 82822.exe 90 PID 2412 wrote to memory of 4392 2412 vdjvj.exe 91 PID 2412 wrote to memory of 4392 2412 vdjvj.exe 91 PID 2412 wrote to memory of 4392 2412 vdjvj.exe 91 PID 4392 wrote to memory of 4012 4392 408828.exe 92 PID 4392 wrote to memory of 4012 4392 408828.exe 92 PID 4392 wrote to memory of 4012 4392 408828.exe 92 PID 4012 wrote to memory of 2216 4012 7nthth.exe 93 PID 4012 wrote to memory of 2216 4012 7nthth.exe 93 PID 4012 wrote to memory of 2216 4012 7nthth.exe 93 PID 2216 wrote to memory of 4112 2216 400886.exe 94 PID 2216 wrote to memory of 4112 2216 400886.exe 94 PID 2216 wrote to memory of 4112 2216 400886.exe 94 PID 4112 wrote to memory of 428 4112 tnbthb.exe 95 PID 4112 wrote to memory of 428 4112 tnbthb.exe 95 PID 4112 wrote to memory of 428 4112 tnbthb.exe 95 PID 428 wrote to memory of 3532 428 66648.exe 96 PID 428 wrote to memory of 3532 
428 66648.exe 96 PID 428 wrote to memory of 3532 428 66648.exe 96 PID 3532 wrote to memory of 1672 3532 q62042.exe 97 PID 3532 wrote to memory of 1672 3532 q62042.exe 97 PID 3532 wrote to memory of 1672 3532 q62042.exe 97 PID 1672 wrote to memory of 1916 1672 vjvjj.exe 98 PID 1672 wrote to memory of 1916 1672 vjvjj.exe 98 PID 1672 wrote to memory of 1916 1672 vjvjj.exe 98 PID 1916 wrote to memory of 4520 1916 pjjvj.exe 99 PID 1916 wrote to memory of 4520 1916 pjjvj.exe 99 PID 1916 wrote to memory of 4520 1916 pjjvj.exe 99 PID 4520 wrote to memory of 4000 4520 044882.exe 100 PID 4520 wrote to memory of 4000 4520 044882.exe 100 PID 4520 wrote to memory of 4000 4520 044882.exe 100 PID 4000 wrote to memory of 4668 4000 o808600.exe 101 PID 4000 wrote to memory of 4668 4000 o808600.exe 101 PID 4000 wrote to memory of 4668 4000 o808600.exe 101 PID 4668 wrote to memory of 2404 4668 vpjjd.exe 102 PID 4668 wrote to memory of 2404 4668 vpjjd.exe 102 PID 4668 wrote to memory of 2404 4668 vpjjd.exe 102 PID 2404 wrote to memory of 2968 2404 08820.exe 103 PID 2404 wrote to memory of 2968 2404 08820.exe 103 PID 2404 wrote to memory of 2968 2404 08820.exe 103 PID 2968 wrote to memory of 1468 2968 866060.exe 104 PID 2968 wrote to memory of 1468 2968 866060.exe 104 PID 2968 wrote to memory of 1468 2968 866060.exe 104 PID 1468 wrote to memory of 4504 1468 htnthh.exe 105 PID 1468 wrote to memory of 4504 1468 htnthh.exe 105 PID 1468 wrote to memory of 4504 1468 htnthh.exe 105 PID 4504 wrote to memory of 392 4504 hnthbt.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe"C:\Users\Admin\AppData\Local\Temp\8d34f298beebc72b97198e4bde422aced4328d8d53442266dc5019ffce8948ea.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\xrxxlrf.exec:\xrxxlrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\040426.exec:\040426.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\288660.exec:\288660.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\rlfrlfx.exec:\rlfrlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\82822.exec:\82822.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\vdjvj.exec:\vdjvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\408828.exec:\408828.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\7nthth.exec:\7nthth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\400886.exec:\400886.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\tnbthb.exec:\tnbthb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\66648.exec:\66648.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\q62042.exec:\q62042.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\vjvjj.exec:\vjvjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\pjjvj.exec:\pjjvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\044882.exec:\044882.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\o808600.exec:\o808600.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\vpjjd.exec:\vpjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\08820.exec:\08820.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\866060.exec:\866060.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\htnthh.exec:\htnthh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\hnthbt.exec:\hnthbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\202048.exec:\202048.exe23⤵
- Executes dropped EXE
PID:392 -
\??\c:\88826.exec:\88826.exe24⤵
- Executes dropped EXE
PID:3000 -
\??\c:\jpdpp.exec:\jpdpp.exe25⤵
- Executes dropped EXE
PID:4168 -
\??\c:\66608.exec:\66608.exe26⤵
- Executes dropped EXE
PID:4648 -
\??\c:\llrfrlf.exec:\llrfrlf.exe27⤵
- Executes dropped EXE
PID:3572 -
\??\c:\q62266.exec:\q62266.exe28⤵
- Executes dropped EXE
PID:1976 -
\??\c:\pjdpj.exec:\pjdpj.exe29⤵
- Executes dropped EXE
PID:1316 -
\??\c:\rffxllf.exec:\rffxllf.exe30⤵
- Executes dropped EXE
PID:3804 -
\??\c:\q88282.exec:\q88282.exe31⤵
- Executes dropped EXE
PID:1744 -
\??\c:\644248.exec:\644248.exe32⤵
- Executes dropped EXE
PID:1180 -
\??\c:\xrrllff.exec:\xrrllff.exe33⤵
- Executes dropped EXE
PID:2244 -
\??\c:\604826.exec:\604826.exe34⤵
- Executes dropped EXE
PID:3024 -
\??\c:\4642666.exec:\4642666.exe35⤵
- Executes dropped EXE
PID:1616 -
\??\c:\m8600.exec:\m8600.exe36⤵
- Executes dropped EXE
PID:3168 -
\??\c:\1rxrrrx.exec:\1rxrrrx.exe37⤵
- Executes dropped EXE
PID:456 -
\??\c:\lrfxxxr.exec:\lrfxxxr.exe38⤵
- Executes dropped EXE
PID:1596 -
\??\c:\bnttnt.exec:\bnttnt.exe39⤵
- Executes dropped EXE
PID:1308 -
\??\c:\lrlllll.exec:\lrlllll.exe40⤵
- Executes dropped EXE
PID:1376 -
\??\c:\682600.exec:\682600.exe41⤵
- Executes dropped EXE
PID:2988 -
\??\c:\jdvvv.exec:\jdvvv.exe42⤵
- Executes dropped EXE
PID:1036 -
\??\c:\628826.exec:\628826.exe43⤵
- Executes dropped EXE
PID:1956 -
\??\c:\24604.exec:\24604.exe44⤵
- Executes dropped EXE
PID:1584 -
\??\c:\xxxrlll.exec:\xxxrlll.exe45⤵
- Executes dropped EXE
PID:2852 -
\??\c:\frxrlrl.exec:\frxrlrl.exe46⤵
- Executes dropped EXE
PID:1840 -
\??\c:\82000.exec:\82000.exe47⤵
- Executes dropped EXE
PID:4492 -
\??\c:\bhnbtt.exec:\bhnbtt.exe48⤵
- Executes dropped EXE
PID:3820 -
\??\c:\c404800.exec:\c404800.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1056 -
\??\c:\04626.exec:\04626.exe50⤵
- Executes dropped EXE
PID:4396 -
\??\c:\dpvpd.exec:\dpvpd.exe51⤵
- Executes dropped EXE
PID:1452 -
\??\c:\4000488.exec:\4000488.exe52⤵
- Executes dropped EXE
PID:4880 -
\??\c:\64482.exec:\64482.exe53⤵
- Executes dropped EXE
PID:1960 -
\??\c:\9xxrrrl.exec:\9xxrrrl.exe54⤵
- Executes dropped EXE
PID:5088 -
\??\c:\rrxlllr.exec:\rrxlllr.exe55⤵
- Executes dropped EXE
PID:1164 -
\??\c:\200222.exec:\200222.exe56⤵
- Executes dropped EXE
PID:4280 -
\??\c:\vvjpv.exec:\vvjpv.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5004 -
\??\c:\02822.exec:\02822.exe58⤵
- Executes dropped EXE
PID:2596 -
\??\c:\2288480.exec:\2288480.exe59⤵
- Executes dropped EXE
PID:3328 -
\??\c:\7rrlflf.exec:\7rrlflf.exe60⤵
- Executes dropped EXE
PID:2156 -
\??\c:\86660.exec:\86660.exe61⤵
- Executes dropped EXE
PID:3232 -
\??\c:\fllflrr.exec:\fllflrr.exe62⤵
- Executes dropped EXE
PID:4144 -
\??\c:\tnhhnn.exec:\tnhhnn.exe63⤵
- Executes dropped EXE
PID:4832 -
\??\c:\202862.exec:\202862.exe64⤵
- Executes dropped EXE
PID:1108 -
\??\c:\8028222.exec:\8028222.exe65⤵
- Executes dropped EXE
PID:4208 -
\??\c:\rflfxrr.exec:\rflfxrr.exe66⤵PID:4828
-
\??\c:\0608202.exec:\0608202.exe67⤵PID:4076
-
\??\c:\062266.exec:\062266.exe68⤵PID:1916
-
\??\c:\s6220.exec:\s6220.exe69⤵PID:3472
-
\??\c:\20080.exec:\20080.exe70⤵PID:3288
-
\??\c:\9nnbtt.exec:\9nnbtt.exe71⤵PID:2148
-
\??\c:\88864.exec:\88864.exe72⤵PID:4928
-
\??\c:\ddpdp.exec:\ddpdp.exe73⤵PID:4788
-
\??\c:\xxxlxlx.exec:\xxxlxlx.exe74⤵PID:380
-
\??\c:\1bhnbt.exec:\1bhnbt.exe75⤵PID:1144
-
\??\c:\rlrlffx.exec:\rlrlffx.exe76⤵PID:2352
-
\??\c:\8404222.exec:\8404222.exe77⤵PID:1528
-
\??\c:\9btnnn.exec:\9btnnn.exe78⤵PID:3196
-
\??\c:\40600.exec:\40600.exe79⤵PID:1496
-
\??\c:\6288222.exec:\6288222.exe80⤵PID:1312
-
\??\c:\rfrllff.exec:\rfrllff.exe81⤵PID:4464
-
\??\c:\88268.exec:\88268.exe82⤵PID:4168
-
\??\c:\48646.exec:\48646.exe83⤵PID:3460
-
\??\c:\hhtnbb.exec:\hhtnbb.exe84⤵PID:2744
-
\??\c:\8888260.exec:\8888260.exe85⤵PID:1444
-
\??\c:\k28260.exec:\k28260.exe86⤵PID:2064
-
\??\c:\80482.exec:\80482.exe87⤵PID:2800
-
\??\c:\080688.exec:\080688.exe88⤵PID:2112
-
\??\c:\64828.exec:\64828.exe89⤵PID:2252
-
\??\c:\tbbnhb.exec:\tbbnhb.exe90⤵PID:1744
-
\??\c:\nttnnb.exec:\nttnnb.exe91⤵PID:936
-
\??\c:\llrxxxx.exec:\llrxxxx.exe92⤵PID:4288
-
\??\c:\bnthbt.exec:\bnthbt.exe93⤵PID:2652
-
\??\c:\084242.exec:\084242.exe94⤵PID:1272
-
\??\c:\bbhhbn.exec:\bbhhbn.exe95⤵PID:1576
-
\??\c:\1jjdj.exec:\1jjdj.exe96⤵PID:4980
-
\??\c:\jpjjd.exec:\jpjjd.exe97⤵PID:2224
-
\??\c:\5vvpp.exec:\5vvpp.exe98⤵PID:3304
-
\??\c:\g6822.exec:\g6822.exe99⤵PID:3440
-
\??\c:\lffxlff.exec:\lffxlff.exe100⤵PID:4768
-
\??\c:\lflllff.exec:\lflllff.exe101⤵PID:4800
-
\??\c:\jvdjj.exec:\jvdjj.exe102⤵PID:4364
-
\??\c:\6448226.exec:\6448226.exe103⤵PID:3700
-
\??\c:\24082.exec:\24082.exe104⤵PID:4972
-
\??\c:\2460448.exec:\2460448.exe105⤵PID:4388
-
\??\c:\2666062.exec:\2666062.exe106⤵
- System Location Discovery: System Language Discovery
PID:4412 -
\??\c:\rllfffx.exec:\rllfffx.exe107⤵PID:2440
-
\??\c:\jvddp.exec:\jvddp.exe108⤵PID:964
-
\??\c:\1jdvv.exec:\1jdvv.exe109⤵
- System Location Discovery: System Language Discovery
PID:1056 -
\??\c:\82040.exec:\82040.exe110⤵PID:3340
-
\??\c:\dvjdv.exec:\dvjdv.exe111⤵PID:1452
-
\??\c:\48000.exec:\48000.exe112⤵PID:4880
-
\??\c:\86660.exec:\86660.exe113⤵PID:1960
-
\??\c:\8206628.exec:\8206628.exe114⤵PID:2824
-
\??\c:\rlxxffx.exec:\rlxxffx.exe115⤵PID:4084
-
\??\c:\86660.exec:\86660.exe116⤵PID:2256
-
\??\c:\flfxrfl.exec:\flfxrfl.exe117⤵PID:3628
-
\??\c:\604404.exec:\604404.exe118⤵PID:5104
-
\??\c:\xllfxxr.exec:\xllfxxr.exe119⤵PID:3280
-
\??\c:\o860662.exec:\o860662.exe120⤵PID:3328
-
\??\c:\868888.exec:\868888.exe121⤵PID:3568
-
\??\c:\jjvpv.exec:\jjvpv.exe122⤵PID:3232
-