Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 00:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe
-
Size
453KB
-
MD5
e86944fd01d67e75db3dc8bcb51a3eef
-
SHA1
47fa15207d2d7d54fa3a120a17ffe0b6da1547ba
-
SHA256
0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3
-
SHA512
ed421fcb45bc77dd35d6c69aedeeada7a31ddd6a80642ce692914bcca4c0572f7203340c089b0f70334b1224539598173a1ce4fb533187989be854d55c21e809
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4328-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1528-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2460-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-804-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-815-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-837-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-1348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2080-1482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4544 26266.exe 3104 k08260.exe 3960 frrxrrl.exe 4652 xflfxfx.exe 5032 802000.exe 116 4844440.exe 2024 o804004.exe 3476 o622662.exe 4860 rrxxxlf.exe 2420 662600.exe 4228 008084.exe 412 0622266.exe 3880 e22828.exe 2812 fflflff.exe 4176 xrfxxxr.exe 3268 2004826.exe 3092 jjppp.exe 212 tnbtbb.exe 2064 xxxrlfx.exe 972 068228.exe 1052 5nnhtt.exe 644 nbhtbt.exe 1528 flxrrrl.exe 3024 7hhnnb.exe 4060 i886486.exe 3012 g4424.exe 3552 jjppv.exe 3068 ppvvv.exe 1136 g2426.exe 4580 0082000.exe 4656 w28266.exe 3524 jjvdd.exe 800 08486.exe 1972 020848.exe 336 hbnhnh.exe 3532 s2486.exe 3640 268222.exe 4676 dddvp.exe 4592 bthbbb.exe 672 680426.exe 4444 bhhttn.exe 2132 djpjd.exe 4500 3ffrfxx.exe 4608 648648.exe 3432 dvvpp.exe 888 fxrllfl.exe 2948 vjdjv.exe 1564 88202.exe 3764 84420.exe 4440 jddpd.exe 4028 jdjdd.exe 3636 8448048.exe 3744 86642.exe 3572 84480.exe 348 488604.exe 4224 fxflxrf.exe 2284 5ffrrxl.exe 3596 242082.exe 4488 lrrlxxl.exe 3796 a8842.exe 3692 lfxlxrl.exe 2556 6440442.exe 4908 4608260.exe 5112 dpdvj.exe -
resource yara_rule behavioral2/memory/4328-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3552-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4988-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-808-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-815-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-837-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i006626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i626004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0804040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6406004.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8448804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2248.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4328 wrote to memory of 4544 4328 0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe 83 PID 4328 wrote to memory of 4544 4328 0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe 83 PID 4328 wrote to memory of 4544 4328 0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe 83 PID 4544 wrote to memory of 3104 4544 26266.exe 84 PID 4544 wrote to memory of 3104 4544 26266.exe 84 PID 4544 wrote to memory of 3104 4544 26266.exe 84 PID 3104 wrote to memory of 3960 3104 k08260.exe 85 PID 3104 wrote to memory of 3960 3104 k08260.exe 85 PID 3104 wrote to memory of 3960 3104 k08260.exe 85 PID 3960 wrote to memory of 4652 3960 frrxrrl.exe 86 PID 3960 wrote to memory of 4652 3960 frrxrrl.exe 86 PID 3960 wrote to memory of 4652 3960 frrxrrl.exe 86 PID 4652 wrote to memory of 5032 4652 xflfxfx.exe 87 PID 4652 wrote to memory of 5032 4652 xflfxfx.exe 87 PID 4652 wrote to memory of 5032 4652 xflfxfx.exe 87 PID 5032 wrote to memory of 116 5032 802000.exe 88 PID 5032 wrote to memory of 116 5032 802000.exe 88 PID 5032 wrote to memory of 116 5032 802000.exe 88 PID 116 wrote to memory of 2024 116 4844440.exe 89 PID 116 wrote to memory of 2024 116 4844440.exe 89 PID 116 wrote to memory of 2024 116 4844440.exe 89 PID 2024 wrote to memory of 3476 2024 o804004.exe 90 PID 2024 wrote to memory of 3476 2024 o804004.exe 90 PID 2024 wrote to memory of 3476 2024 o804004.exe 90 PID 3476 wrote to memory of 4860 3476 o622662.exe 91 PID 3476 wrote to memory of 4860 3476 o622662.exe 91 PID 3476 wrote to memory of 4860 3476 o622662.exe 91 PID 4860 wrote to memory of 2420 4860 rrxxxlf.exe 92 PID 4860 wrote to memory of 2420 4860 rrxxxlf.exe 92 PID 4860 wrote to memory of 2420 4860 rrxxxlf.exe 92 PID 2420 wrote to memory of 4228 2420 662600.exe 93 PID 2420 wrote to memory of 4228 2420 662600.exe 93 PID 2420 wrote to memory of 4228 2420 662600.exe 93 PID 4228 wrote to memory of 412 4228 008084.exe 94 PID 4228 wrote 
to memory of 412 4228 008084.exe 94 PID 4228 wrote to memory of 412 4228 008084.exe 94 PID 412 wrote to memory of 3880 412 0622266.exe 95 PID 412 wrote to memory of 3880 412 0622266.exe 95 PID 412 wrote to memory of 3880 412 0622266.exe 95 PID 3880 wrote to memory of 2812 3880 e22828.exe 96 PID 3880 wrote to memory of 2812 3880 e22828.exe 96 PID 3880 wrote to memory of 2812 3880 e22828.exe 96 PID 2812 wrote to memory of 4176 2812 fflflff.exe 97 PID 2812 wrote to memory of 4176 2812 fflflff.exe 97 PID 2812 wrote to memory of 4176 2812 fflflff.exe 97 PID 4176 wrote to memory of 3268 4176 xrfxxxr.exe 98 PID 4176 wrote to memory of 3268 4176 xrfxxxr.exe 98 PID 4176 wrote to memory of 3268 4176 xrfxxxr.exe 98 PID 3268 wrote to memory of 3092 3268 2004826.exe 99 PID 3268 wrote to memory of 3092 3268 2004826.exe 99 PID 3268 wrote to memory of 3092 3268 2004826.exe 99 PID 3092 wrote to memory of 212 3092 jjppp.exe 100 PID 3092 wrote to memory of 212 3092 jjppp.exe 100 PID 3092 wrote to memory of 212 3092 jjppp.exe 100 PID 212 wrote to memory of 2064 212 tnbtbb.exe 101 PID 212 wrote to memory of 2064 212 tnbtbb.exe 101 PID 212 wrote to memory of 2064 212 tnbtbb.exe 101 PID 2064 wrote to memory of 972 2064 xxxrlfx.exe 102 PID 2064 wrote to memory of 972 2064 xxxrlfx.exe 102 PID 2064 wrote to memory of 972 2064 xxxrlfx.exe 102 PID 972 wrote to memory of 1052 972 068228.exe 103 PID 972 wrote to memory of 1052 972 068228.exe 103 PID 972 wrote to memory of 1052 972 068228.exe 103 PID 1052 wrote to memory of 644 1052 5nnhtt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe"C:\Users\Admin\AppData\Local\Temp\0a7c384b4cb1757672c034a508d1545abe06b56b75caf3e4571d8883f6e355d3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\26266.exec:\26266.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\k08260.exec:\k08260.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\frrxrrl.exec:\frrxrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\xflfxfx.exec:\xflfxfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\802000.exec:\802000.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\4844440.exec:\4844440.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\o804004.exec:\o804004.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\o622662.exec:\o622662.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\rrxxxlf.exec:\rrxxxlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\662600.exec:\662600.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\008084.exec:\008084.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\0622266.exec:\0622266.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\e22828.exec:\e22828.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\fflflff.exec:\fflflff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\xrfxxxr.exec:\xrfxxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\2004826.exec:\2004826.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\jjppp.exec:\jjppp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\tnbtbb.exec:\tnbtbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\068228.exec:\068228.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\5nnhtt.exec:\5nnhtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\nbhtbt.exec:\nbhtbt.exe23⤵
- Executes dropped EXE
PID:644 -
\??\c:\flxrrrl.exec:\flxrrrl.exe24⤵
- Executes dropped EXE
PID:1528 -
\??\c:\7hhnnb.exec:\7hhnnb.exe25⤵
- Executes dropped EXE
PID:3024 -
\??\c:\i886486.exec:\i886486.exe26⤵
- Executes dropped EXE
PID:4060 -
\??\c:\g4424.exec:\g4424.exe27⤵
- Executes dropped EXE
PID:3012 -
\??\c:\jjppv.exec:\jjppv.exe28⤵
- Executes dropped EXE
PID:3552 -
\??\c:\ppvvv.exec:\ppvvv.exe29⤵
- Executes dropped EXE
PID:3068 -
\??\c:\g2426.exec:\g2426.exe30⤵
- Executes dropped EXE
PID:1136 -
\??\c:\0082000.exec:\0082000.exe31⤵
- Executes dropped EXE
PID:4580 -
\??\c:\w28266.exec:\w28266.exe32⤵
- Executes dropped EXE
PID:4656 -
\??\c:\jjvdd.exec:\jjvdd.exe33⤵
- Executes dropped EXE
PID:3524 -
\??\c:\08486.exec:\08486.exe34⤵
- Executes dropped EXE
PID:800 -
\??\c:\020848.exec:\020848.exe35⤵
- Executes dropped EXE
PID:1972 -
\??\c:\hbnhnh.exec:\hbnhnh.exe36⤵
- Executes dropped EXE
PID:336 -
\??\c:\s2486.exec:\s2486.exe37⤵
- Executes dropped EXE
PID:3532 -
\??\c:\268222.exec:\268222.exe38⤵
- Executes dropped EXE
PID:3640 -
\??\c:\dddvp.exec:\dddvp.exe39⤵
- Executes dropped EXE
PID:4676 -
\??\c:\bthbbb.exec:\bthbbb.exe40⤵
- Executes dropped EXE
PID:4592 -
\??\c:\680426.exec:\680426.exe41⤵
- Executes dropped EXE
PID:672 -
\??\c:\bhhttn.exec:\bhhttn.exe42⤵
- Executes dropped EXE
PID:4444 -
\??\c:\djpjd.exec:\djpjd.exe43⤵
- Executes dropped EXE
PID:2132 -
\??\c:\3ffrfxx.exec:\3ffrfxx.exe44⤵
- Executes dropped EXE
PID:4500 -
\??\c:\648648.exec:\648648.exe45⤵
- Executes dropped EXE
PID:4608 -
\??\c:\dvvpp.exec:\dvvpp.exe46⤵
- Executes dropped EXE
PID:3432 -
\??\c:\w62004.exec:\w62004.exe47⤵PID:3856
-
\??\c:\fxrllfl.exec:\fxrllfl.exe48⤵
- Executes dropped EXE
PID:888 -
\??\c:\vjdjv.exec:\vjdjv.exe49⤵
- Executes dropped EXE
PID:2948 -
\??\c:\88202.exec:\88202.exe50⤵
- Executes dropped EXE
PID:1564 -
\??\c:\84420.exec:\84420.exe51⤵
- Executes dropped EXE
PID:3764 -
\??\c:\jddpd.exec:\jddpd.exe52⤵
- Executes dropped EXE
PID:4440 -
\??\c:\jdjdd.exec:\jdjdd.exe53⤵
- Executes dropped EXE
PID:4028 -
\??\c:\8448048.exec:\8448048.exe54⤵
- Executes dropped EXE
PID:3636 -
\??\c:\86642.exec:\86642.exe55⤵
- Executes dropped EXE
PID:3744 -
\??\c:\84480.exec:\84480.exe56⤵
- Executes dropped EXE
PID:3572 -
\??\c:\488604.exec:\488604.exe57⤵
- Executes dropped EXE
PID:348 -
\??\c:\fxflxrf.exec:\fxflxrf.exe58⤵
- Executes dropped EXE
PID:4224 -
\??\c:\5ffrrxl.exec:\5ffrrxl.exe59⤵
- Executes dropped EXE
PID:2284 -
\??\c:\242082.exec:\242082.exe60⤵
- Executes dropped EXE
PID:3596 -
\??\c:\lrrlxxl.exec:\lrrlxxl.exe61⤵
- Executes dropped EXE
PID:4488 -
\??\c:\a8842.exec:\a8842.exe62⤵
- Executes dropped EXE
PID:3796 -
\??\c:\lfxlxrl.exec:\lfxlxrl.exe63⤵
- Executes dropped EXE
PID:3692 -
\??\c:\6440442.exec:\6440442.exe64⤵
- Executes dropped EXE
PID:2556 -
\??\c:\4608260.exec:\4608260.exe65⤵
- Executes dropped EXE
PID:4908 -
\??\c:\dpdvj.exec:\dpdvj.exe66⤵
- Executes dropped EXE
PID:5112 -
\??\c:\46248.exec:\46248.exe67⤵PID:1404
-
\??\c:\806082.exec:\806082.exe68⤵PID:2868
-
\??\c:\jjjvd.exec:\jjjvd.exe69⤵PID:4176
-
\??\c:\jpjjv.exec:\jpjjv.exe70⤵PID:5080
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe71⤵
- System Location Discovery: System Language Discovery
PID:2784 -
\??\c:\22086.exec:\22086.exe72⤵PID:4104
-
\??\c:\vvpjv.exec:\vvpjv.exe73⤵PID:2460
-
\??\c:\hbhthb.exec:\hbhthb.exe74⤵PID:2260
-
\??\c:\tbhhbh.exec:\tbhhbh.exe75⤵PID:2000
-
\??\c:\i248826.exec:\i248826.exe76⤵PID:3548
-
\??\c:\86086.exec:\86086.exe77⤵PID:1904
-
\??\c:\7jvpp.exec:\7jvpp.exe78⤵PID:3568
-
\??\c:\444860.exec:\444860.exe79⤵PID:4648
-
\??\c:\lrrlrxr.exec:\lrrlrxr.exe80⤵PID:3024
-
\??\c:\dpjvj.exec:\dpjvj.exe81⤵PID:2272
-
\??\c:\3tnntt.exec:\3tnntt.exe82⤵PID:5016
-
\??\c:\1xlxfxl.exec:\1xlxfxl.exe83⤵PID:1364
-
\??\c:\5djdj.exec:\5djdj.exe84⤵PID:64
-
\??\c:\vdjdv.exec:\vdjdv.exe85⤵PID:3068
-
\??\c:\c888228.exec:\c888228.exe86⤵PID:4384
-
\??\c:\26688.exec:\26688.exe87⤵PID:496
-
\??\c:\624204.exec:\624204.exe88⤵PID:5056
-
\??\c:\g4004.exec:\g4004.exe89⤵PID:4988
-
\??\c:\6004264.exec:\6004264.exe90⤵PID:2200
-
\??\c:\040424.exec:\040424.exe91⤵PID:4832
-
\??\c:\222082.exec:\222082.exe92⤵PID:828
-
\??\c:\i622660.exec:\i622660.exe93⤵PID:5060
-
\??\c:\8622604.exec:\8622604.exe94⤵PID:3640
-
\??\c:\42826.exec:\42826.exe95⤵PID:2380
-
\??\c:\vdjdp.exec:\vdjdp.exe96⤵PID:2488
-
\??\c:\28042.exec:\28042.exe97⤵PID:4536
-
\??\c:\68482.exec:\68482.exe98⤵PID:4468
-
\??\c:\djpjd.exec:\djpjd.exe99⤵PID:2772
-
\??\c:\djjjd.exec:\djjjd.exe100⤵PID:1952
-
\??\c:\262622.exec:\262622.exe101⤵PID:1056
-
\??\c:\frxlflf.exec:\frxlflf.exe102⤵PID:4608
-
\??\c:\86286.exec:\86286.exe103⤵PID:4428
-
\??\c:\fxrlrlx.exec:\fxrlrlx.exe104⤵PID:4328
-
\??\c:\24604.exec:\24604.exe105⤵PID:1556
-
\??\c:\dpjjj.exec:\dpjjj.exe106⤵PID:3104
-
\??\c:\rlflrlx.exec:\rlflrlx.exe107⤵PID:488
-
\??\c:\4622660.exec:\4622660.exe108⤵PID:3496
-
\??\c:\1btnbn.exec:\1btnbn.exe109⤵PID:3264
-
\??\c:\btttnt.exec:\btttnt.exe110⤵PID:4512
-
\??\c:\1ffxllr.exec:\1ffxllr.exe111⤵PID:2008
-
\??\c:\s8864.exec:\s8864.exe112⤵PID:3744
-
\??\c:\w04866.exec:\w04866.exe113⤵PID:1120
-
\??\c:\vppdp.exec:\vppdp.exe114⤵PID:2032
-
\??\c:\2622082.exec:\2622082.exe115⤵PID:348
-
\??\c:\42604.exec:\42604.exe116⤵PID:5068
-
\??\c:\ttnbtn.exec:\ttnbtn.exe117⤵PID:936
-
\??\c:\a8202.exec:\a8202.exe118⤵PID:4848
-
\??\c:\rflfrrf.exec:\rflfrrf.exe119⤵PID:4488
-
\??\c:\thbnbn.exec:\thbnbn.exe120⤵PID:3796
-
\??\c:\bththb.exec:\bththb.exe121⤵PID:2912
-
\??\c:\fxxlfxl.exec:\fxxlfxl.exe122⤵PID:3588
-