Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe
-
Size
453KB
-
MD5
84c842440c7a4c2d36db43bc1d018005
-
SHA1
f81db179b3401747130914396e96966fd3235fdd
-
SHA256
a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2
-
SHA512
8e7e999fcb24497c17eab0f1ad808121aebb76fe770deba48599df81b15de91e0741ebe8ddafcd32ca28ea52e6c06e1694e27cef73a0dde2d818246b44dfd2c4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4704-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1128-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/408-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-1240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-1253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-1639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4724 6622288.exe 3064 hbthbt.exe 2132 m4826.exe 2416 9lllxxx.exe 184 jdvpp.exe 4388 688226.exe 4512 flxffrl.exe 1384 xxxrrrx.exe 852 rllxxll.exe 2020 2044444.exe 2928 408862.exe 4876 ttbttb.exe 1948 djjjj.exe 2980 vdjdd.exe 652 86408.exe 1548 448880.exe 4292 fffflll.exe 2264 fffrrxx.exe 3008 640640.exe 584 jdpjp.exe 1952 4240088.exe 3988 rfrrxxx.exe 4784 2244006.exe 856 6004466.exe 4380 ttbtth.exe 5020 lflllrl.exe 4288 7pvvp.exe 464 2668800.exe 1128 lrxxxxx.exe 3384 0622220.exe 1600 1fxrrrx.exe 2844 864024.exe 816 rlllllr.exe 4420 26440.exe 4680 648608.exe 5004 fxrxlll.exe 3120 246222.exe 3928 vdddp.exe 456 vjddd.exe 3132 bttnnn.exe 4304 jpdvp.exe 3572 vvvpp.exe 3356 4066660.exe 1792 48800.exe 1352 6622666.exe 436 nhbbhh.exe 1032 s2044.exe 4952 606000.exe 3868 64882.exe 4344 46422.exe 3720 88042.exe 5048 82440.exe 2144 frxrfrl.exe 5060 tttnhb.exe 2132 g4482.exe 2856 28482.exe 4460 884444.exe 184 7btnbb.exe 992 828866.exe 548 i048860.exe 3124 q28222.exe 2940 jdjjv.exe 1168 llrllll.exe 4936 rllffxr.exe -
resource yara_rule behavioral2/memory/4704-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1600-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-416-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/924-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-879-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
tnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8604826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0448882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4704 wrote to memory of 4724 4704 a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe 83 PID 4704 wrote to memory of 4724 4704 a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe 83 PID 4704 wrote to memory of 4724 4704 a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe 83 PID 4724 wrote to memory of 3064 4724 6622288.exe 84 PID 4724 wrote to memory of 3064 4724 6622288.exe 84 PID 4724 wrote to memory of 3064 4724 6622288.exe 84 PID 3064 wrote to memory of 2132 3064 hbthbt.exe 85 PID 3064 wrote to memory of 2132 3064 hbthbt.exe 85 PID 3064 wrote to memory of 2132 3064 hbthbt.exe 85 PID 2132 wrote to memory of 2416 2132 m4826.exe 86 PID 2132 wrote to memory of 2416 2132 m4826.exe 86 PID 2132 wrote to memory of 2416 2132 m4826.exe 86 PID 2416 wrote to memory of 184 2416 9lllxxx.exe 87 PID 2416 wrote to memory of 184 2416 9lllxxx.exe 87 PID 2416 wrote to memory of 184 2416 9lllxxx.exe 87 PID 184 wrote to memory of 4388 184 jdvpp.exe 88 PID 184 wrote to memory of 4388 184 jdvpp.exe 88 PID 184 wrote to memory of 4388 184 jdvpp.exe 88 PID 4388 wrote to memory of 4512 4388 688226.exe 89 PID 4388 wrote to memory of 4512 4388 688226.exe 89 PID 4388 wrote to memory of 4512 4388 688226.exe 89 PID 4512 wrote to memory of 1384 4512 flxffrl.exe 90 PID 4512 wrote to memory of 1384 4512 flxffrl.exe 90 PID 4512 wrote to memory of 1384 4512 flxffrl.exe 90 PID 1384 wrote to memory of 852 1384 xxxrrrx.exe 91 PID 1384 wrote to memory of 852 1384 xxxrrrx.exe 91 PID 1384 wrote to memory of 852 1384 xxxrrrx.exe 91 PID 852 wrote to memory of 2020 852 rllxxll.exe 92 PID 852 wrote to memory of 2020 852 rllxxll.exe 92 PID 852 wrote to memory of 2020 852 rllxxll.exe 92 PID 2020 wrote to memory of 2928 2020 2044444.exe 93 PID 2020 wrote to memory of 2928 2020 2044444.exe 93 PID 2020 wrote to memory of 2928 2020 2044444.exe 93 PID 2928 wrote to memory of 4876 2928 408862.exe 94 PID 2928 wrote to memory 
of 4876 2928 408862.exe 94 PID 2928 wrote to memory of 4876 2928 408862.exe 94 PID 4876 wrote to memory of 1948 4876 ttbttb.exe 95 PID 4876 wrote to memory of 1948 4876 ttbttb.exe 95 PID 4876 wrote to memory of 1948 4876 ttbttb.exe 95 PID 1948 wrote to memory of 2980 1948 djjjj.exe 96 PID 1948 wrote to memory of 2980 1948 djjjj.exe 96 PID 1948 wrote to memory of 2980 1948 djjjj.exe 96 PID 2980 wrote to memory of 652 2980 vdjdd.exe 97 PID 2980 wrote to memory of 652 2980 vdjdd.exe 97 PID 2980 wrote to memory of 652 2980 vdjdd.exe 97 PID 652 wrote to memory of 1548 652 86408.exe 98 PID 652 wrote to memory of 1548 652 86408.exe 98 PID 652 wrote to memory of 1548 652 86408.exe 98 PID 1548 wrote to memory of 4292 1548 448880.exe 99 PID 1548 wrote to memory of 4292 1548 448880.exe 99 PID 1548 wrote to memory of 4292 1548 448880.exe 99 PID 4292 wrote to memory of 2264 4292 fffflll.exe 100 PID 4292 wrote to memory of 2264 4292 fffflll.exe 100 PID 4292 wrote to memory of 2264 4292 fffflll.exe 100 PID 2264 wrote to memory of 3008 2264 fffrrxx.exe 101 PID 2264 wrote to memory of 3008 2264 fffrrxx.exe 101 PID 2264 wrote to memory of 3008 2264 fffrrxx.exe 101 PID 3008 wrote to memory of 584 3008 640640.exe 102 PID 3008 wrote to memory of 584 3008 640640.exe 102 PID 3008 wrote to memory of 584 3008 640640.exe 102 PID 584 wrote to memory of 1952 584 jdpjp.exe 103 PID 584 wrote to memory of 1952 584 jdpjp.exe 103 PID 584 wrote to memory of 1952 584 jdpjp.exe 103 PID 1952 wrote to memory of 3988 1952 4240088.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe"C:\Users\Admin\AppData\Local\Temp\a7224fb2f175128346d36be98edaf2bec8a866f863126223155a1dfc3f1fe6c2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\6622288.exec:\6622288.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\hbthbt.exec:\hbthbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\m4826.exec:\m4826.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\9lllxxx.exec:\9lllxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\jdvpp.exec:\jdvpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\688226.exec:\688226.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\flxffrl.exec:\flxffrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\xxxrrrx.exec:\xxxrrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\rllxxll.exec:\rllxxll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\2044444.exec:\2044444.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\408862.exec:\408862.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\ttbttb.exec:\ttbttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\djjjj.exec:\djjjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\vdjdd.exec:\vdjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\86408.exec:\86408.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\448880.exec:\448880.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\fffflll.exec:\fffflll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\fffrrxx.exec:\fffrrxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\640640.exec:\640640.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\jdpjp.exec:\jdpjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\4240088.exec:\4240088.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\rfrrxxx.exec:\rfrrxxx.exe23⤵
- Executes dropped EXE
PID:3988 -
\??\c:\2244006.exec:\2244006.exe24⤵
- Executes dropped EXE
PID:4784 -
\??\c:\6004466.exec:\6004466.exe25⤵
- Executes dropped EXE
PID:856 -
\??\c:\ttbtth.exec:\ttbtth.exe26⤵
- Executes dropped EXE
PID:4380 -
\??\c:\lflllrl.exec:\lflllrl.exe27⤵
- Executes dropped EXE
PID:5020 -
\??\c:\7pvvp.exec:\7pvvp.exe28⤵
- Executes dropped EXE
PID:4288 -
\??\c:\2668800.exec:\2668800.exe29⤵
- Executes dropped EXE
PID:464 -
\??\c:\lrxxxxx.exec:\lrxxxxx.exe30⤵
- Executes dropped EXE
PID:1128 -
\??\c:\0622220.exec:\0622220.exe31⤵
- Executes dropped EXE
PID:3384 -
\??\c:\1fxrrrx.exec:\1fxrrrx.exe32⤵
- Executes dropped EXE
PID:1600 -
\??\c:\864024.exec:\864024.exe33⤵
- Executes dropped EXE
PID:2844 -
\??\c:\rlllllr.exec:\rlllllr.exe34⤵
- Executes dropped EXE
PID:816 -
\??\c:\26440.exec:\26440.exe35⤵
- Executes dropped EXE
PID:4420 -
\??\c:\648608.exec:\648608.exe36⤵
- Executes dropped EXE
PID:4680 -
\??\c:\fxrxlll.exec:\fxrxlll.exe37⤵
- Executes dropped EXE
PID:5004 -
\??\c:\246222.exec:\246222.exe38⤵
- Executes dropped EXE
PID:3120 -
\??\c:\vdddp.exec:\vdddp.exe39⤵
- Executes dropped EXE
PID:3928 -
\??\c:\vjddd.exec:\vjddd.exe40⤵
- Executes dropped EXE
PID:456 -
\??\c:\bttnnn.exec:\bttnnn.exe41⤵
- Executes dropped EXE
PID:3132 -
\??\c:\jpdvp.exec:\jpdvp.exe42⤵
- Executes dropped EXE
PID:4304 -
\??\c:\vvvpp.exec:\vvvpp.exe43⤵
- Executes dropped EXE
PID:3572 -
\??\c:\4066660.exec:\4066660.exe44⤵
- Executes dropped EXE
PID:3356 -
\??\c:\48800.exec:\48800.exe45⤵
- Executes dropped EXE
PID:1792 -
\??\c:\6622666.exec:\6622666.exe46⤵
- Executes dropped EXE
PID:1352 -
\??\c:\nhbbhh.exec:\nhbbhh.exe47⤵
- Executes dropped EXE
PID:436 -
\??\c:\s2044.exec:\s2044.exe48⤵
- Executes dropped EXE
PID:1032 -
\??\c:\606000.exec:\606000.exe49⤵
- Executes dropped EXE
PID:4952 -
\??\c:\64882.exec:\64882.exe50⤵
- Executes dropped EXE
PID:3868 -
\??\c:\46422.exec:\46422.exe51⤵
- Executes dropped EXE
PID:4344 -
\??\c:\88042.exec:\88042.exe52⤵
- Executes dropped EXE
PID:3720 -
\??\c:\82440.exec:\82440.exe53⤵
- Executes dropped EXE
PID:5048 -
\??\c:\frxrfrl.exec:\frxrfrl.exe54⤵
- Executes dropped EXE
PID:2144 -
\??\c:\tttnhb.exec:\tttnhb.exe55⤵
- Executes dropped EXE
PID:5060 -
\??\c:\g4482.exec:\g4482.exe56⤵
- Executes dropped EXE
PID:2132 -
\??\c:\28482.exec:\28482.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856 -
\??\c:\884444.exec:\884444.exe58⤵
- Executes dropped EXE
PID:4460 -
\??\c:\7btnbb.exec:\7btnbb.exe59⤵
- Executes dropped EXE
PID:184 -
\??\c:\828866.exec:\828866.exe60⤵
- Executes dropped EXE
PID:992 -
\??\c:\i048860.exec:\i048860.exe61⤵
- Executes dropped EXE
PID:548 -
\??\c:\q28222.exec:\q28222.exe62⤵
- Executes dropped EXE
PID:3124 -
\??\c:\jdjjv.exec:\jdjjv.exe63⤵
- Executes dropped EXE
PID:2940 -
\??\c:\llrllll.exec:\llrllll.exe64⤵
- Executes dropped EXE
PID:1168 -
\??\c:\rllffxr.exec:\rllffxr.exe65⤵
- Executes dropped EXE
PID:4936 -
\??\c:\2682226.exec:\2682226.exe66⤵PID:4896
-
\??\c:\e84882.exec:\e84882.exe67⤵PID:232
-
\??\c:\3bhttt.exec:\3bhttt.exe68⤵PID:4540
-
\??\c:\28482.exec:\28482.exe69⤵PID:4392
-
\??\c:\880802.exec:\880802.exe70⤵PID:1392
-
\??\c:\ppjvp.exec:\ppjvp.exe71⤵PID:5108
-
\??\c:\rrffrrr.exec:\rrffrrr.exe72⤵PID:4012
-
\??\c:\024260.exec:\024260.exe73⤵PID:4892
-
\??\c:\60228.exec:\60228.exe74⤵PID:3468
-
\??\c:\888260.exec:\888260.exe75⤵PID:3168
-
\??\c:\2466066.exec:\2466066.exe76⤵PID:1356
-
\??\c:\thnhbb.exec:\thnhbb.exe77⤵PID:4888
-
\??\c:\k80208.exec:\k80208.exe78⤵PID:4968
-
\??\c:\0626442.exec:\0626442.exe79⤵PID:5076
-
\??\c:\g6004.exec:\g6004.exe80⤵PID:1656
-
\??\c:\vjjdv.exec:\vjjdv.exe81⤵PID:2840
-
\??\c:\jvdpj.exec:\jvdpj.exe82⤵PID:736
-
\??\c:\nbnnnn.exec:\nbnnnn.exe83⤵PID:4784
-
\??\c:\w62604.exec:\w62604.exe84⤵PID:4800
-
\??\c:\vjppp.exec:\vjppp.exe85⤵PID:4000
-
\??\c:\04480.exec:\04480.exe86⤵PID:3528
-
\??\c:\6220482.exec:\6220482.exe87⤵PID:408
-
\??\c:\7hhbtt.exec:\7hhbtt.exe88⤵PID:536
-
\??\c:\k02626.exec:\k02626.exe89⤵PID:1396
-
\??\c:\80642.exec:\80642.exe90⤵PID:956
-
\??\c:\02888.exec:\02888.exe91⤵PID:920
-
\??\c:\882888.exec:\882888.exe92⤵PID:4624
-
\??\c:\rlllfff.exec:\rlllfff.exe93⤵PID:2568
-
\??\c:\2628282.exec:\2628282.exe94⤵PID:5084
-
\??\c:\lrxrllf.exec:\lrxrllf.exe95⤵PID:1180
-
\??\c:\468222.exec:\468222.exe96⤵PID:816
-
\??\c:\vjjdv.exec:\vjjdv.exe97⤵PID:3764
-
\??\c:\jvdpd.exec:\jvdpd.exe98⤵PID:4680
-
\??\c:\vjppv.exec:\vjppv.exe99⤵PID:3732
-
\??\c:\httnhb.exec:\httnhb.exe100⤵PID:3308
-
\??\c:\flffrrl.exec:\flffrrl.exe101⤵PID:1164
-
\??\c:\4884866.exec:\4884866.exe102⤵PID:2412
-
\??\c:\402608.exec:\402608.exe103⤵PID:944
-
\??\c:\i282660.exec:\i282660.exe104⤵PID:1828
-
\??\c:\0000880.exec:\0000880.exe105⤵PID:2764
-
\??\c:\c066660.exec:\c066660.exe106⤵PID:2904
-
\??\c:\600488.exec:\600488.exe107⤵PID:3388
-
\??\c:\40228.exec:\40228.exe108⤵PID:2768
-
\??\c:\0844822.exec:\0844822.exe109⤵PID:924
-
\??\c:\862222.exec:\862222.exe110⤵PID:2188
-
\??\c:\dvvvv.exec:\dvvvv.exe111⤵PID:2712
-
\??\c:\fxlfrlr.exec:\fxlfrlr.exe112⤵PID:4284
-
\??\c:\rlrrrxl.exec:\rlrrrxl.exe113⤵PID:3924
-
\??\c:\8202864.exec:\8202864.exe114⤵PID:3560
-
\??\c:\8000484.exec:\8000484.exe115⤵PID:4760
-
\??\c:\rflfxfx.exec:\rflfxfx.exe116⤵PID:264
-
\??\c:\dvjvd.exec:\dvjvd.exe117⤵PID:2340
-
\??\c:\648266.exec:\648266.exe118⤵PID:1008
-
\??\c:\2660882.exec:\2660882.exe119⤵PID:1144
-
\??\c:\a4262.exec:\a4262.exe120⤵PID:2132
-
\??\c:\lrrfllf.exec:\lrrfllf.exe121⤵PID:2856
-
\??\c:\m6488.exec:\m6488.exe122⤵PID:4460