Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 13:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe
-
Size
452KB
-
MD5
8e8808c2d771557dc8659462242b2f51
-
SHA1
e71c1397686aea58de2bcac3a7a8751b417b5549
-
SHA256
79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9
-
SHA512
8f2a9b7fb69589d66c95e3b061bafcae0aa2391e8dcc188e17eead506e5b1c9ee28c4c92410975af16e37829bee0962bc59b03be5cd1474674fc0ce831ffb227
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2024-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3312-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3880-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-872-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-904-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-1143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-1195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1952-1886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2304 4226400.exe 3840 824400.exe 3500 xffxrrl.exe 1536 00604.exe 936 c826480.exe 3032 862664.exe 5108 0408824.exe 4868 lrxlxlf.exe 2956 vjppp.exe 4440 s4042.exe 2256 648260.exe 1260 0064820.exe 1184 246604.exe 640 088080.exe 380 3xrrffl.exe 3796 20660.exe 3880 480448.exe 1320 s0648.exe 1756 4066008.exe 2476 7jjdd.exe 3896 bbhthb.exe 5084 1frlffx.exe 4480 llxllfx.exe 4704 i660486.exe 4240 7rfxrlx.exe 4896 00882.exe 1700 484286.exe 1480 8620826.exe 2216 rlxxlfx.exe 1084 5rxlflf.exe 4784 xlrrrrf.exe 3952 9dvpj.exe 2032 5lfrfxl.exe 4100 8886048.exe 2596 bnnhtt.exe 2728 tnnnbt.exe 2376 htthtn.exe 428 dvppj.exe 3936 nhnhhh.exe 5052 bbbnnh.exe 4760 fflxffr.exe 768 w66048.exe 2184 nbnbtn.exe 4260 w22826.exe 2168 822022.exe 3484 0404000.exe 3124 dpjvp.exe 3384 s2804.exe 3924 bnnbtn.exe 3500 284204.exe 1352 64044.exe 4576 86822.exe 3312 200666.exe 4640 thtnhb.exe 2164 3fxlfxr.exe 1232 822608.exe 2884 9hnbnh.exe 1668 6222604.exe 1684 86204.exe 3792 vjjvp.exe 4364 thnhhb.exe 1328 pvvjd.exe 5060 86040.exe 5036 rflffxr.exe -
resource yara_rule behavioral2/memory/2024-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-263-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3500-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-329-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2300-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-835-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-872-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-891-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0080826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 662462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q22060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w66048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 800426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2064820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2024 wrote to memory of 2304 2024 79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe 83 PID 2024 wrote to memory of 2304 2024 79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe 83 PID 2024 wrote to memory of 2304 2024 79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe 83 PID 2304 wrote to memory of 3840 2304 4226400.exe 84 PID 2304 wrote to memory of 3840 2304 4226400.exe 84 PID 2304 wrote to memory of 3840 2304 4226400.exe 84 PID 3840 wrote to memory of 3500 3840 824400.exe 85 PID 3840 wrote to memory of 3500 3840 824400.exe 85 PID 3840 wrote to memory of 3500 3840 824400.exe 85 PID 3500 wrote to memory of 1536 3500 xffxrrl.exe 86 PID 3500 wrote to memory of 1536 3500 xffxrrl.exe 86 PID 3500 wrote to memory of 1536 3500 xffxrrl.exe 86 PID 1536 wrote to memory of 936 1536 00604.exe 87 PID 1536 wrote to memory of 936 1536 00604.exe 87 PID 1536 wrote to memory of 936 1536 00604.exe 87 PID 936 wrote to memory of 3032 936 c826480.exe 88 PID 936 wrote to memory of 3032 936 c826480.exe 88 PID 936 wrote to memory of 3032 936 c826480.exe 88 PID 3032 wrote to memory of 5108 3032 862664.exe 89 PID 3032 wrote to memory of 5108 3032 862664.exe 89 PID 3032 wrote to memory of 5108 3032 862664.exe 89 PID 5108 wrote to memory of 4868 5108 0408824.exe 90 PID 5108 wrote to memory of 4868 5108 0408824.exe 90 PID 5108 wrote to memory of 4868 5108 0408824.exe 90 PID 4868 wrote to memory of 2956 4868 lrxlxlf.exe 91 PID 4868 wrote to memory of 2956 4868 lrxlxlf.exe 91 PID 4868 wrote to memory of 2956 4868 lrxlxlf.exe 91 PID 2956 wrote to memory of 4440 2956 vjppp.exe 92 PID 2956 wrote to memory of 4440 2956 vjppp.exe 92 PID 2956 wrote to memory of 4440 2956 vjppp.exe 92 PID 4440 wrote to memory of 2256 4440 s4042.exe 93 PID 4440 wrote to memory of 2256 4440 s4042.exe 93 PID 4440 wrote to memory of 2256 4440 s4042.exe 93 PID 2256 wrote to memory of 1260 2256 648260.exe 94 PID 2256 wrote to 
memory of 1260 2256 648260.exe 94 PID 2256 wrote to memory of 1260 2256 648260.exe 94 PID 1260 wrote to memory of 1184 1260 0064820.exe 95 PID 1260 wrote to memory of 1184 1260 0064820.exe 95 PID 1260 wrote to memory of 1184 1260 0064820.exe 95 PID 1184 wrote to memory of 640 1184 246604.exe 96 PID 1184 wrote to memory of 640 1184 246604.exe 96 PID 1184 wrote to memory of 640 1184 246604.exe 96 PID 640 wrote to memory of 380 640 088080.exe 97 PID 640 wrote to memory of 380 640 088080.exe 97 PID 640 wrote to memory of 380 640 088080.exe 97 PID 380 wrote to memory of 3796 380 3xrrffl.exe 98 PID 380 wrote to memory of 3796 380 3xrrffl.exe 98 PID 380 wrote to memory of 3796 380 3xrrffl.exe 98 PID 3796 wrote to memory of 3880 3796 20660.exe 99 PID 3796 wrote to memory of 3880 3796 20660.exe 99 PID 3796 wrote to memory of 3880 3796 20660.exe 99 PID 3880 wrote to memory of 1320 3880 480448.exe 100 PID 3880 wrote to memory of 1320 3880 480448.exe 100 PID 3880 wrote to memory of 1320 3880 480448.exe 100 PID 1320 wrote to memory of 1756 1320 s0648.exe 101 PID 1320 wrote to memory of 1756 1320 s0648.exe 101 PID 1320 wrote to memory of 1756 1320 s0648.exe 101 PID 1756 wrote to memory of 2476 1756 4066008.exe 102 PID 1756 wrote to memory of 2476 1756 4066008.exe 102 PID 1756 wrote to memory of 2476 1756 4066008.exe 102 PID 2476 wrote to memory of 3896 2476 7jjdd.exe 103 PID 2476 wrote to memory of 3896 2476 7jjdd.exe 103 PID 2476 wrote to memory of 3896 2476 7jjdd.exe 103 PID 3896 wrote to memory of 5084 3896 bbhthb.exe 154
Processes
-
C:\Users\Admin\AppData\Local\Temp\79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe"C:\Users\Admin\AppData\Local\Temp\79c3da8d8c01febe465e0fe0d4da474b9d5e1516850f54ca6e9a03bfcbe77ed9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\4226400.exec:\4226400.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\824400.exec:\824400.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\xffxrrl.exec:\xffxrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\00604.exec:\00604.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\c826480.exec:\c826480.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\862664.exec:\862664.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\0408824.exec:\0408824.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\lrxlxlf.exec:\lrxlxlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\vjppp.exec:\vjppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\s4042.exec:\s4042.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\648260.exec:\648260.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\0064820.exec:\0064820.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\246604.exec:\246604.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\088080.exec:\088080.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\3xrrffl.exec:\3xrrffl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\20660.exec:\20660.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
\??\c:\480448.exec:\480448.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\s0648.exec:\s0648.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\4066008.exec:\4066008.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\7jjdd.exec:\7jjdd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\bbhthb.exec:\bbhthb.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\1frlffx.exec:\1frlffx.exe23⤵
- Executes dropped EXE
PID:5084 -
\??\c:\llxllfx.exec:\llxllfx.exe24⤵
- Executes dropped EXE
PID:4480 -
\??\c:\i660486.exec:\i660486.exe25⤵
- Executes dropped EXE
PID:4704 -
\??\c:\7rfxrlx.exec:\7rfxrlx.exe26⤵
- Executes dropped EXE
PID:4240 -
\??\c:\00882.exec:\00882.exe27⤵
- Executes dropped EXE
PID:4896 -
\??\c:\484286.exec:\484286.exe28⤵
- Executes dropped EXE
PID:1700 -
\??\c:\8620826.exec:\8620826.exe29⤵
- Executes dropped EXE
PID:1480 -
\??\c:\rlxxlfx.exec:\rlxxlfx.exe30⤵
- Executes dropped EXE
PID:2216 -
\??\c:\5rxlflf.exec:\5rxlflf.exe31⤵
- Executes dropped EXE
PID:1084 -
\??\c:\xlrrrrf.exec:\xlrrrrf.exe32⤵
- Executes dropped EXE
PID:4784 -
\??\c:\9dvpj.exec:\9dvpj.exe33⤵
- Executes dropped EXE
PID:3952 -
\??\c:\5lfrfxl.exec:\5lfrfxl.exe34⤵
- Executes dropped EXE
PID:2032 -
\??\c:\8886048.exec:\8886048.exe35⤵
- Executes dropped EXE
PID:4100 -
\??\c:\bnnhtt.exec:\bnnhtt.exe36⤵
- Executes dropped EXE
PID:2596 -
\??\c:\tnnnbt.exec:\tnnnbt.exe37⤵
- Executes dropped EXE
PID:2728 -
\??\c:\htthtn.exec:\htthtn.exe38⤵
- Executes dropped EXE
PID:2376 -
\??\c:\dvppj.exec:\dvppj.exe39⤵
- Executes dropped EXE
PID:428 -
\??\c:\nhnhhh.exec:\nhnhhh.exe40⤵
- Executes dropped EXE
PID:3936 -
\??\c:\bbbnnh.exec:\bbbnnh.exe41⤵
- Executes dropped EXE
PID:5052 -
\??\c:\fflxffr.exec:\fflxffr.exe42⤵
- Executes dropped EXE
PID:4760 -
\??\c:\w66048.exec:\w66048.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:768 -
\??\c:\nbnbtn.exec:\nbnbtn.exe44⤵
- Executes dropped EXE
PID:2184 -
\??\c:\w22826.exec:\w22826.exe45⤵
- Executes dropped EXE
PID:4260 -
\??\c:\822022.exec:\822022.exe46⤵
- Executes dropped EXE
PID:2168 -
\??\c:\0404000.exec:\0404000.exe47⤵
- Executes dropped EXE
PID:3484 -
\??\c:\dpjvp.exec:\dpjvp.exe48⤵
- Executes dropped EXE
PID:3124 -
\??\c:\s2804.exec:\s2804.exe49⤵
- Executes dropped EXE
PID:3384 -
\??\c:\bnnbtn.exec:\bnnbtn.exe50⤵
- Executes dropped EXE
PID:3924 -
\??\c:\284204.exec:\284204.exe51⤵
- Executes dropped EXE
PID:3500 -
\??\c:\64044.exec:\64044.exe52⤵
- Executes dropped EXE
PID:1352 -
\??\c:\86822.exec:\86822.exe53⤵
- Executes dropped EXE
PID:4576 -
\??\c:\200666.exec:\200666.exe54⤵
- Executes dropped EXE
PID:3312 -
\??\c:\thtnhb.exec:\thtnhb.exe55⤵
- Executes dropped EXE
PID:4640 -
\??\c:\3fxlfxr.exec:\3fxlfxr.exe56⤵
- Executes dropped EXE
PID:2164 -
\??\c:\822608.exec:\822608.exe57⤵
- Executes dropped EXE
PID:1232 -
\??\c:\9hnbnh.exec:\9hnbnh.exe58⤵
- Executes dropped EXE
PID:2884 -
\??\c:\6222604.exec:\6222604.exe59⤵
- Executes dropped EXE
PID:1668 -
\??\c:\86204.exec:\86204.exe60⤵
- Executes dropped EXE
PID:1684 -
\??\c:\vjjvp.exec:\vjjvp.exe61⤵
- Executes dropped EXE
PID:3792 -
\??\c:\thnhhb.exec:\thnhhb.exe62⤵
- Executes dropped EXE
PID:4364 -
\??\c:\pvvjd.exec:\pvvjd.exe63⤵
- Executes dropped EXE
PID:1328 -
\??\c:\86040.exec:\86040.exe64⤵
- Executes dropped EXE
PID:5060 -
\??\c:\rflffxr.exec:\rflffxr.exe65⤵
- Executes dropped EXE
PID:5036 -
\??\c:\6460440.exec:\6460440.exe66⤵PID:4056
-
\??\c:\42266.exec:\42266.exe67⤵PID:1936
-
\??\c:\rxxlxxl.exec:\rxxlxxl.exe68⤵PID:404
-
\??\c:\i408260.exec:\i408260.exe69⤵PID:1584
-
\??\c:\xffxrrf.exec:\xffxrrf.exe70⤵PID:1872
-
\??\c:\800486.exec:\800486.exe71⤵PID:3172
-
\??\c:\8442648.exec:\8442648.exe72⤵PID:3528
-
\??\c:\jpddj.exec:\jpddj.exe73⤵PID:5084
-
\??\c:\6226048.exec:\6226048.exe74⤵PID:4900
-
\??\c:\826604.exec:\826604.exe75⤵PID:1672
-
\??\c:\dpvpv.exec:\dpvpv.exe76⤵PID:2312
-
\??\c:\dvdpd.exec:\dvdpd.exe77⤵PID:3804
-
\??\c:\1ntnbt.exec:\1ntnbt.exe78⤵PID:532
-
\??\c:\ttbtnt.exec:\ttbtnt.exe79⤵PID:2064
-
\??\c:\flrlxff.exec:\flrlxff.exe80⤵PID:2300
-
\??\c:\6686044.exec:\6686044.exe81⤵PID:3140
-
\??\c:\g8448.exec:\g8448.exe82⤵PID:2032
-
\??\c:\e00860.exec:\e00860.exe83⤵PID:1712
-
\??\c:\hhbttn.exec:\hhbttn.exe84⤵PID:4204
-
\??\c:\rffrlxl.exec:\rffrlxl.exe85⤵PID:1448
-
\??\c:\062004.exec:\062004.exe86⤵PID:4396
-
\??\c:\3pjdv.exec:\3pjdv.exe87⤵PID:1000
-
\??\c:\tththb.exec:\tththb.exe88⤵PID:4332
-
\??\c:\00082.exec:\00082.exe89⤵PID:3944
-
\??\c:\0444204.exec:\0444204.exe90⤵PID:4988
-
\??\c:\bnnhbh.exec:\bnnhbh.exe91⤵PID:3740
-
\??\c:\pjdjp.exec:\pjdjp.exe92⤵PID:2020
-
\??\c:\c288260.exec:\c288260.exe93⤵PID:228
-
\??\c:\1pjdv.exec:\1pjdv.exe94⤵PID:232
-
\??\c:\2004484.exec:\2004484.exe95⤵PID:212
-
\??\c:\bbtnnh.exec:\bbtnnh.exe96⤵PID:2908
-
\??\c:\228600.exec:\228600.exe97⤵PID:4004
-
\??\c:\vjpdp.exec:\vjpdp.exe98⤵PID:2876
-
\??\c:\i684880.exec:\i684880.exe99⤵PID:1856
-
\??\c:\868626.exec:\868626.exe100⤵PID:1352
-
\??\c:\6626048.exec:\6626048.exe101⤵PID:2668
-
\??\c:\nbbbtn.exec:\nbbbtn.exe102⤵PID:3688
-
\??\c:\llrfrll.exec:\llrfrll.exe103⤵PID:3820
-
\??\c:\jjpjj.exec:\jjpjj.exe104⤵PID:3312
-
\??\c:\u620448.exec:\u620448.exe105⤵PID:4640
-
\??\c:\200482.exec:\200482.exe106⤵
- System Location Discovery: System Language Discovery
PID:4740 -
\??\c:\hnhhhn.exec:\hnhhhn.exe107⤵PID:4268
-
\??\c:\jdpjd.exec:\jdpjd.exe108⤵PID:2884
-
\??\c:\88420.exec:\88420.exe109⤵PID:4560
-
\??\c:\g8008.exec:\g8008.exe110⤵PID:3064
-
\??\c:\08422.exec:\08422.exe111⤵PID:1652
-
\??\c:\2064820.exec:\2064820.exe112⤵
- System Location Discovery: System Language Discovery
PID:1240 -
\??\c:\644264.exec:\644264.exe113⤵PID:2940
-
\??\c:\rxlfxfx.exec:\rxlfxfx.exe114⤵PID:4568
-
\??\c:\206464.exec:\206464.exe115⤵PID:4436
-
\??\c:\q22060.exec:\q22060.exe116⤵
- System Location Discovery: System Language Discovery
PID:4440 -
\??\c:\pdjvv.exec:\pdjvv.exe117⤵PID:2652
-
\??\c:\fflxlfx.exec:\fflxlfx.exe118⤵PID:4056
-
\??\c:\66820.exec:\66820.exe119⤵PID:4392
-
\??\c:\pdppd.exec:\pdppd.exe120⤵PID:1524
-
\??\c:\040048.exec:\040048.exe121⤵PID:3352
-
\??\c:\040444.exec:\040444.exe122⤵PID:4092