Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 15:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe
-
Size
452KB
-
MD5
d4b1b44d56dd69e24e55635c0a5094a9
-
SHA1
3c8fc3f42c8ebdea7e6c452a191e2b9eb5f864a9
-
SHA256
90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34
-
SHA512
3f6057f28e128189ef72d84c7e72a76a4ab58ca1c0bafe1a86efd57735d109c34c4a6bb522459d45cae9f0fd7c17daa15826a8db9be94bdcd8701de7d30b4a25
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1436-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/472-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/572-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2808-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4484-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-962-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-1203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-1576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 472 flxlxxr.exe 1436 m2842.exe 1268 4406208.exe 224 u608608.exe 4408 pvpdp.exe 1140 6608042.exe 3792 6286482.exe 2140 w82642.exe 3948 jjvpd.exe 648 w22640.exe 3960 xxlfxxr.exe 3608 ppjdv.exe 2328 m6826.exe 2244 fxlrxxf.exe 2188 u286648.exe 1076 5xlffff.exe 4120 068822.exe 3844 088882.exe 5092 7lxrffx.exe 4200 thbbbb.exe 3176 xflfxrr.exe 572 0022884.exe 2896 400444.exe 1756 400482.exe 2808 260860.exe 3624 dvdvp.exe 3060 3vdpv.exe 1464 nhbbnh.exe 2300 fxllrlr.exe 4588 w88682.exe 4884 tbhttn.exe 2664 nhhthh.exe 2116 04826.exe 1688 thbttt.exe 4440 vdjvp.exe 1136 bnhbtt.exe 1532 5dvjv.exe 1616 246206.exe 1620 xffrfxl.exe 3172 rlrfrfr.exe 4792 64088.exe 4800 bbhtbb.exe 2204 5pdvp.exe 4272 e62082.exe 4468 848264.exe 4144 7ntnnn.exe 472 pdvdp.exe 4932 26268.exe 1436 ffrfrfr.exe 1268 m2604.exe 1928 lllfrxr.exe 4984 028848.exe 3504 e22682.exe 4348 022462.exe 700 6026200.exe 3712 bhnhbt.exe 4008 1lfxfxr.exe 1460 q84804.exe 3796 00222.exe 3008 pvvpd.exe 3056 hhnbnn.exe 1560 0604260.exe 4604 202042.exe 4044 000866.exe -
resource yara_rule behavioral2/memory/1436-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/472-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/572-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-143-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2808-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-344-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2892-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-781-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfffxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6282226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 402688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnhtt.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 446200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6082828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2600 wrote to memory of 472 2600 90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe 85 PID 2600 wrote to memory of 472 2600 90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe 85 PID 2600 wrote to memory of 472 2600 90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe 85 PID 472 wrote to memory of 1436 472 flxlxxr.exe 86 PID 472 wrote to memory of 1436 472 flxlxxr.exe 86 PID 472 wrote to memory of 1436 472 flxlxxr.exe 86 PID 1436 wrote to memory of 1268 1436 m2842.exe 87 PID 1436 wrote to memory of 1268 1436 m2842.exe 87 PID 1436 wrote to memory of 1268 1436 m2842.exe 87 PID 1268 wrote to memory of 224 1268 4406208.exe 88 PID 1268 wrote to memory of 224 1268 4406208.exe 88 PID 1268 wrote to memory of 224 1268 4406208.exe 88 PID 224 wrote to memory of 4408 224 u608608.exe 89 PID 224 wrote to memory of 4408 224 u608608.exe 89 PID 224 wrote to memory of 4408 224 u608608.exe 89 PID 4408 wrote to memory of 1140 4408 pvpdp.exe 90 PID 4408 wrote to memory of 1140 4408 pvpdp.exe 90 PID 4408 wrote to memory of 1140 4408 pvpdp.exe 90 PID 1140 wrote to memory of 3792 1140 6608042.exe 91 PID 1140 wrote to memory of 3792 1140 6608042.exe 91 PID 1140 wrote to memory of 3792 1140 6608042.exe 91 PID 3792 wrote to memory of 2140 3792 6286482.exe 92 PID 3792 wrote to memory of 2140 3792 6286482.exe 92 PID 3792 wrote to memory of 2140 3792 6286482.exe 92 PID 2140 wrote to memory of 3948 2140 w82642.exe 93 PID 2140 wrote to memory of 3948 2140 w82642.exe 93 PID 2140 wrote to memory of 3948 2140 w82642.exe 93 PID 3948 wrote to memory of 648 3948 jjvpd.exe 94 PID 3948 wrote to memory of 648 3948 jjvpd.exe 94 PID 3948 wrote to memory of 648 3948 jjvpd.exe 94 PID 648 wrote to memory of 3960 648 w22640.exe 95 PID 648 wrote to memory of 3960 648 w22640.exe 95 PID 648 wrote to memory of 3960 648 w22640.exe 95 PID 3960 wrote to memory of 3608 3960 xxlfxxr.exe 96 PID 3960 wrote to memory of 3608 3960 
xxlfxxr.exe 96 PID 3960 wrote to memory of 3608 3960 xxlfxxr.exe 96 PID 3608 wrote to memory of 2328 3608 ppjdv.exe 97 PID 3608 wrote to memory of 2328 3608 ppjdv.exe 97 PID 3608 wrote to memory of 2328 3608 ppjdv.exe 97 PID 2328 wrote to memory of 2244 2328 m6826.exe 98 PID 2328 wrote to memory of 2244 2328 m6826.exe 98 PID 2328 wrote to memory of 2244 2328 m6826.exe 98 PID 2244 wrote to memory of 2188 2244 fxlrxxf.exe 99 PID 2244 wrote to memory of 2188 2244 fxlrxxf.exe 99 PID 2244 wrote to memory of 2188 2244 fxlrxxf.exe 99 PID 2188 wrote to memory of 1076 2188 u286648.exe 100 PID 2188 wrote to memory of 1076 2188 u286648.exe 100 PID 2188 wrote to memory of 1076 2188 u286648.exe 100 PID 1076 wrote to memory of 4120 1076 5xlffff.exe 101 PID 1076 wrote to memory of 4120 1076 5xlffff.exe 101 PID 1076 wrote to memory of 4120 1076 5xlffff.exe 101 PID 4120 wrote to memory of 3844 4120 068822.exe 102 PID 4120 wrote to memory of 3844 4120 068822.exe 102 PID 4120 wrote to memory of 3844 4120 068822.exe 102 PID 3844 wrote to memory of 5092 3844 088882.exe 103 PID 3844 wrote to memory of 5092 3844 088882.exe 103 PID 3844 wrote to memory of 5092 3844 088882.exe 103 PID 5092 wrote to memory of 4200 5092 7lxrffx.exe 104 PID 5092 wrote to memory of 4200 5092 7lxrffx.exe 104 PID 5092 wrote to memory of 4200 5092 7lxrffx.exe 104 PID 4200 wrote to memory of 3176 4200 thbbbb.exe 105 PID 4200 wrote to memory of 3176 4200 thbbbb.exe 105 PID 4200 wrote to memory of 3176 4200 thbbbb.exe 105 PID 3176 wrote to memory of 572 3176 xflfxrr.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe"C:\Users\Admin\AppData\Local\Temp\90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\flxlxxr.exec:\flxlxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:472 -
\??\c:\m2842.exec:\m2842.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\4406208.exec:\4406208.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\u608608.exec:\u608608.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\pvpdp.exec:\pvpdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\6608042.exec:\6608042.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\6286482.exec:\6286482.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\w82642.exec:\w82642.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\jjvpd.exec:\jjvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\w22640.exec:\w22640.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\xxlfxxr.exec:\xxlfxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\ppjdv.exec:\ppjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\m6826.exec:\m6826.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\fxlrxxf.exec:\fxlrxxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\u286648.exec:\u286648.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\5xlffff.exec:\5xlffff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\068822.exec:\068822.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\088882.exec:\088882.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\7lxrffx.exec:\7lxrffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\thbbbb.exec:\thbbbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\xflfxrr.exec:\xflfxrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\0022884.exec:\0022884.exe23⤵
- Executes dropped EXE
PID:572 -
\??\c:\400444.exec:\400444.exe24⤵
- Executes dropped EXE
PID:2896 -
\??\c:\400482.exec:\400482.exe25⤵
- Executes dropped EXE
PID:1756 -
\??\c:\260860.exec:\260860.exe26⤵
- Executes dropped EXE
PID:2808 -
\??\c:\dvdvp.exec:\dvdvp.exe27⤵
- Executes dropped EXE
PID:3624 -
\??\c:\3vdpv.exec:\3vdpv.exe28⤵
- Executes dropped EXE
PID:3060 -
\??\c:\nhbbnh.exec:\nhbbnh.exe29⤵
- Executes dropped EXE
PID:1464 -
\??\c:\fxllrlr.exec:\fxllrlr.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2300 -
\??\c:\w88682.exec:\w88682.exe31⤵
- Executes dropped EXE
PID:4588 -
\??\c:\tbhttn.exec:\tbhttn.exe32⤵
- Executes dropped EXE
PID:4884 -
\??\c:\nhhthh.exec:\nhhthh.exe33⤵
- Executes dropped EXE
PID:2664 -
\??\c:\04826.exec:\04826.exe34⤵
- Executes dropped EXE
PID:2116 -
\??\c:\thbttt.exec:\thbttt.exe35⤵
- Executes dropped EXE
PID:1688 -
\??\c:\vdjvp.exec:\vdjvp.exe36⤵
- Executes dropped EXE
PID:4440 -
\??\c:\bnhbtt.exec:\bnhbtt.exe37⤵
- Executes dropped EXE
PID:1136 -
\??\c:\5dvjv.exec:\5dvjv.exe38⤵
- Executes dropped EXE
PID:1532 -
\??\c:\246206.exec:\246206.exe39⤵
- Executes dropped EXE
PID:1616 -
\??\c:\xffrfxl.exec:\xffrfxl.exe40⤵
- Executes dropped EXE
PID:1620 -
\??\c:\rlrfrfr.exec:\rlrfrfr.exe41⤵
- Executes dropped EXE
PID:3172 -
\??\c:\64088.exec:\64088.exe42⤵
- Executes dropped EXE
PID:4792 -
\??\c:\bbhtbb.exec:\bbhtbb.exe43⤵
- Executes dropped EXE
PID:4800 -
\??\c:\5pdvp.exec:\5pdvp.exe44⤵
- Executes dropped EXE
PID:2204 -
\??\c:\e62082.exec:\e62082.exe45⤵
- Executes dropped EXE
PID:4272 -
\??\c:\848264.exec:\848264.exe46⤵
- Executes dropped EXE
PID:4468 -
\??\c:\7ntnnn.exec:\7ntnnn.exe47⤵
- Executes dropped EXE
PID:4144 -
\??\c:\pdvdp.exec:\pdvdp.exe48⤵
- Executes dropped EXE
PID:472 -
\??\c:\26268.exec:\26268.exe49⤵
- Executes dropped EXE
PID:4932 -
\??\c:\ffrfrfr.exec:\ffrfrfr.exe50⤵
- Executes dropped EXE
PID:1436 -
\??\c:\m2604.exec:\m2604.exe51⤵
- Executes dropped EXE
PID:1268 -
\??\c:\lllfrxr.exec:\lllfrxr.exe52⤵
- Executes dropped EXE
PID:1928 -
\??\c:\028848.exec:\028848.exe53⤵
- Executes dropped EXE
PID:4984 -
\??\c:\e22682.exec:\e22682.exe54⤵
- Executes dropped EXE
PID:3504 -
\??\c:\022462.exec:\022462.exe55⤵
- Executes dropped EXE
PID:4348 -
\??\c:\6026200.exec:\6026200.exe56⤵
- Executes dropped EXE
PID:700 -
\??\c:\bhnhbt.exec:\bhnhbt.exe57⤵
- Executes dropped EXE
PID:3712 -
\??\c:\1lfxfxr.exec:\1lfxfxr.exe58⤵
- Executes dropped EXE
PID:4008 -
\??\c:\q84804.exec:\q84804.exe59⤵
- Executes dropped EXE
PID:1460 -
\??\c:\00222.exec:\00222.exe60⤵
- Executes dropped EXE
PID:3796 -
\??\c:\pvvpd.exec:\pvvpd.exe61⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hhnbnn.exec:\hhnbnn.exe62⤵
- Executes dropped EXE
PID:3056 -
\??\c:\0604260.exec:\0604260.exe63⤵
- Executes dropped EXE
PID:1560 -
\??\c:\202042.exec:\202042.exe64⤵
- Executes dropped EXE
PID:4604 -
\??\c:\000866.exec:\000866.exe65⤵
- Executes dropped EXE
PID:4044 -
\??\c:\1jpdp.exec:\1jpdp.exe66⤵PID:1144
-
\??\c:\2260426.exec:\2260426.exe67⤵PID:4084
-
\??\c:\862026.exec:\862026.exe68⤵PID:1760
-
\??\c:\2020060.exec:\2020060.exe69⤵PID:4280
-
\??\c:\42202.exec:\42202.exe70⤵PID:4268
-
\??\c:\4482082.exec:\4482082.exe71⤵PID:3940
-
\??\c:\7ttnhb.exec:\7ttnhb.exe72⤵PID:740
-
\??\c:\nbtbnh.exec:\nbtbnh.exe73⤵PID:4120
-
\??\c:\604204.exec:\604204.exe74⤵PID:2780
-
\??\c:\fflxlfx.exec:\fflxlfx.exe75⤵PID:4196
-
\??\c:\1hthhb.exec:\1hthhb.exe76⤵PID:4484
-
\??\c:\444204.exec:\444204.exe77⤵PID:2356
-
\??\c:\hbbnbb.exec:\hbbnbb.exe78⤵PID:1484
-
\??\c:\lrlxlxl.exec:\lrlxlxl.exe79⤵PID:3176
-
\??\c:\0404228.exec:\0404228.exe80⤵PID:2360
-
\??\c:\7bttht.exec:\7bttht.exe81⤵PID:4524
-
\??\c:\lxxxlfx.exec:\lxxxlfx.exe82⤵PID:4948
-
\??\c:\nhhbnh.exec:\nhhbnh.exe83⤵PID:4000
-
\??\c:\20600.exec:\20600.exe84⤵PID:2892
-
\??\c:\jppdp.exec:\jppdp.exe85⤵PID:3156
-
\??\c:\u220820.exec:\u220820.exe86⤵PID:2548
-
\??\c:\606442.exec:\606442.exe87⤵PID:3060
-
\??\c:\lrxlxlf.exec:\lrxlxlf.exe88⤵PID:424
-
\??\c:\864428.exec:\864428.exe89⤵PID:3308
-
\??\c:\thbbnh.exec:\thbbnh.exe90⤵PID:3188
-
\??\c:\48208.exec:\48208.exe91⤵PID:4588
-
\??\c:\ddjvj.exec:\ddjvj.exe92⤵PID:1576
-
\??\c:\682682.exec:\682682.exe93⤵PID:1284
-
\??\c:\nbhbnh.exec:\nbhbnh.exe94⤵PID:2540
-
\??\c:\7ddpv.exec:\7ddpv.exe95⤵PID:3036
-
\??\c:\s6208.exec:\s6208.exe96⤵PID:1104
-
\??\c:\jjpdp.exec:\jjpdp.exe97⤵PID:4600
-
\??\c:\0886082.exec:\0886082.exe98⤵PID:2900
-
\??\c:\5bbnhh.exec:\5bbnhh.exe99⤵PID:3216
-
\??\c:\262682.exec:\262682.exe100⤵PID:3868
-
\??\c:\vjdvv.exec:\vjdvv.exe101⤵PID:1620
-
\??\c:\m8488.exec:\m8488.exe102⤵PID:4464
-
\??\c:\m2464.exec:\m2464.exe103⤵PID:4792
-
\??\c:\466022.exec:\466022.exe104⤵PID:4800
-
\??\c:\tntthn.exec:\tntthn.exe105⤵PID:2204
-
\??\c:\rfxrfxr.exec:\rfxrfxr.exe106⤵PID:4412
-
\??\c:\jvpdv.exec:\jvpdv.exe107⤵PID:2408
-
\??\c:\0626820.exec:\0626820.exe108⤵PID:1168
-
\??\c:\3nnttn.exec:\3nnttn.exe109⤵PID:3604
-
\??\c:\xfrxlxl.exec:\xfrxlxl.exe110⤵PID:5012
-
\??\c:\206048.exec:\206048.exe111⤵
- System Location Discovery: System Language Discovery
PID:860 -
\??\c:\htnhtt.exec:\htnhtt.exe112⤵PID:224
-
\??\c:\xflfllr.exec:\xflfllr.exe113⤵PID:3904
-
\??\c:\868806.exec:\868806.exe114⤵PID:4772
-
\??\c:\fxxrfff.exec:\fxxrfff.exe115⤵
- System Location Discovery: System Language Discovery
PID:2804 -
\??\c:\vjjdv.exec:\vjjdv.exe116⤵PID:4860
-
\??\c:\8620448.exec:\8620448.exe117⤵PID:3792
-
\??\c:\dddpd.exec:\dddpd.exe118⤵PID:2144
-
\??\c:\xlrflxx.exec:\xlrflxx.exe119⤵PID:2024
-
\??\c:\82448.exec:\82448.exe120⤵PID:3708
-
\??\c:\64048.exec:\64048.exe121⤵PID:4704
-
\??\c:\xlrflfr.exec:\xlrflfr.exe122⤵PID:1852