Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 18:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad81641efd6057cbb3117f2bcb0a457789444f4313a17aa1a1b371405cf4b8a5.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
ad81641efd6057cbb3117f2bcb0a457789444f4313a17aa1a1b371405cf4b8a5.exe
-
Size
453KB
-
MD5
c8c7c21816054c0c009066b168c4c969
-
SHA1
40fa896b2235fdb5121ddf8ea6772c6ef4bea805
-
SHA256
ad81641efd6057cbb3117f2bcb0a457789444f4313a17aa1a1b371405cf4b8a5
-
SHA512
9af638a8b359cfd47296e19c490b5015909818425b988ca36f3a684c980051f31daeccf03373a52d7892622ad84fda8bba7bce47d94ad80f01c2ca29048413a1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1728-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/564-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/560-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/216-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1044-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-862-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-1304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-1632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4712 llfxllx.exe 4748 8264264.exe 440 88842.exe 4700 628204.exe 2720 1hhtbh.exe 4140 ntthtn.exe 3396 62086.exe 1840 thbnhb.exe 1404 e62648.exe 5052 u442042.exe 564 8604204.exe 1704 vjppj.exe 2728 44422.exe 2292 i242266.exe 2660 ffrxxrf.exe 3824 2282648.exe 4312 6248204.exe 4652 xfxlxlx.exe 1064 vvvpd.exe 1800 2886422.exe 1284 o408644.exe 1992 262648.exe 1068 42648.exe 1244 0248622.exe 2508 jvppp.exe 3936 2264260.exe 1908 06820.exe 216 2844488.exe 560 m2820.exe 3496 lfllxxr.exe 1020 284644.exe 1640 xlfrfxf.exe 5076 a6208.exe 1852 nbbnnb.exe 4236 6842200.exe 4228 tnhtht.exe 2100 5ddvp.exe 1228 frxrxlr.exe 1844 0008604.exe 5060 1rfrfrf.exe 1476 44048.exe 1692 0442064.exe 4008 lxxlfxl.exe 3432 btbbbt.exe 4772 2062862.exe 2716 xxxrfxr.exe 4200 2686206.exe 4756 024044.exe 2772 06642.exe 4380 jpvpd.exe 3572 dvpvd.exe 2844 xllrfxl.exe 532 42608.exe 3968 pppjj.exe 2608 xrlfrlf.exe 3336 1rfxrlf.exe 2720 vjjjd.exe 4532 046000.exe 3704 ffffrlx.exe 3952 02204.exe 984 4262666.exe 1840 bhnhtn.exe 1404 4044804.exe 3244 62860.exe -
resource yara_rule behavioral2/memory/1728-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/564-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/560-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1020-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-403-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1852-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-862-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-1304-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2686206.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6248664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2026606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flffxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4800000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6626426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1728 wrote to memory of 4712 1728 ad81641efd6057cbb3117f2bcb0a457789444f4313a17aa1a1b371405cf4b8a5.exe 83 PID 1728 wrote to memory of 4712 1728 ad81641efd6057cbb3117f2bcb0a457789444f4313a17aa1a1b371405cf4b8a5.exe 83 PID 1728 wrote to memory of 4712 1728 ad81641efd6057cbb3117f2bcb0a457789444f4313a17aa1a1b371405cf4b8a5.exe 83 PID 4712 wrote to memory of 4748 4712 llfxllx.exe 84 PID 4712 wrote to memory of 4748 4712 llfxllx.exe 84 PID 4712 wrote to memory of 4748 4712 llfxllx.exe 84 PID 4748 wrote to memory of 440 4748 8264264.exe 85 PID 4748 wrote to memory of 440 4748 8264264.exe 85 PID 4748 wrote to memory of 440 4748 8264264.exe 85 PID 440 wrote to memory of 4700 440 88842.exe 86 PID 440 wrote to memory of 4700 440 88842.exe 86 PID 440 wrote to memory of 4700 440 88842.exe 86 PID 4700 wrote to memory of 2720 4700 628204.exe 87 PID 4700 wrote to memory of 2720 4700 628204.exe 87 PID 4700 wrote to memory of 2720 4700 628204.exe 87 PID 2720 wrote to memory of 4140 2720 1hhtbh.exe 88 PID 2720 wrote to memory of 4140 2720 1hhtbh.exe 88 PID 2720 wrote to memory of 4140 2720 1hhtbh.exe 88 PID 4140 wrote to memory of 3396 4140 ntthtn.exe 89 PID 4140 wrote to memory of 3396 4140 ntthtn.exe 89 PID 4140 wrote to memory of 3396 4140 ntthtn.exe 89 PID 3396 wrote to memory of 1840 3396 62086.exe 90 PID 3396 wrote to memory of 1840 3396 62086.exe 90 PID 3396 wrote to memory of 1840 3396 62086.exe 90 PID 1840 wrote to memory of 1404 1840 thbnhb.exe 91 PID 1840 wrote to memory of 1404 1840 thbnhb.exe 91 PID 1840 wrote to memory of 1404 1840 thbnhb.exe 91 PID 1404 wrote to memory of 5052 1404 e62648.exe 92 PID 1404 wrote to memory of 5052 1404 e62648.exe 92 PID 1404 wrote to memory of 5052 1404 e62648.exe 92 PID 5052 wrote to memory of 564 5052 u442042.exe 93 PID 5052 wrote to memory of 564 5052 u442042.exe 93 PID 5052 wrote to memory of 564 5052 u442042.exe 93 PID 564 wrote to memory of 1704 564 8604204.exe 94 PID 564 wrote to memory of 
1704 564 8604204.exe 94 PID 564 wrote to memory of 1704 564 8604204.exe 94 PID 1704 wrote to memory of 2728 1704 vjppj.exe 95 PID 1704 wrote to memory of 2728 1704 vjppj.exe 95 PID 1704 wrote to memory of 2728 1704 vjppj.exe 95 PID 2728 wrote to memory of 2292 2728 44422.exe 96 PID 2728 wrote to memory of 2292 2728 44422.exe 96 PID 2728 wrote to memory of 2292 2728 44422.exe 96 PID 2292 wrote to memory of 2660 2292 i242266.exe 97 PID 2292 wrote to memory of 2660 2292 i242266.exe 97 PID 2292 wrote to memory of 2660 2292 i242266.exe 97 PID 2660 wrote to memory of 3824 2660 ffrxxrf.exe 98 PID 2660 wrote to memory of 3824 2660 ffrxxrf.exe 98 PID 2660 wrote to memory of 3824 2660 ffrxxrf.exe 98 PID 3824 wrote to memory of 4312 3824 2282648.exe 99 PID 3824 wrote to memory of 4312 3824 2282648.exe 99 PID 3824 wrote to memory of 4312 3824 2282648.exe 99 PID 4312 wrote to memory of 4652 4312 6248204.exe 100 PID 4312 wrote to memory of 4652 4312 6248204.exe 100 PID 4312 wrote to memory of 4652 4312 6248204.exe 100 PID 4652 wrote to memory of 1064 4652 xfxlxlx.exe 101 PID 4652 wrote to memory of 1064 4652 xfxlxlx.exe 101 PID 4652 wrote to memory of 1064 4652 xfxlxlx.exe 101 PID 1064 wrote to memory of 1800 1064 vvvpd.exe 102 PID 1064 wrote to memory of 1800 1064 vvvpd.exe 102 PID 1064 wrote to memory of 1800 1064 vvvpd.exe 102 PID 1800 wrote to memory of 1284 1800 2886422.exe 103 PID 1800 wrote to memory of 1284 1800 2886422.exe 103 PID 1800 wrote to memory of 1284 1800 2886422.exe 103 PID 1284 wrote to memory of 1992 1284 o408644.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad81641efd6057cbb3117f2bcb0a457789444f4313a17aa1a1b371405cf4b8a5.exe"C:\Users\Admin\AppData\Local\Temp\ad81641efd6057cbb3117f2bcb0a457789444f4313a17aa1a1b371405cf4b8a5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\llfxllx.exec:\llfxllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\8264264.exec:\8264264.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\88842.exec:\88842.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\628204.exec:\628204.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\1hhtbh.exec:\1hhtbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\ntthtn.exec:\ntthtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\62086.exec:\62086.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\thbnhb.exec:\thbnhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\e62648.exec:\e62648.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\u442042.exec:\u442042.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\8604204.exec:\8604204.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:564 -
\??\c:\vjppj.exec:\vjppj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\44422.exec:\44422.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\i242266.exec:\i242266.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\ffrxxrf.exec:\ffrxxrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\2282648.exec:\2282648.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\6248204.exec:\6248204.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\xfxlxlx.exec:\xfxlxlx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\vvvpd.exec:\vvvpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\2886422.exec:\2886422.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\o408644.exec:\o408644.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\262648.exec:\262648.exe23⤵
- Executes dropped EXE
PID:1992 -
\??\c:\42648.exec:\42648.exe24⤵
- Executes dropped EXE
PID:1068 -
\??\c:\0248622.exec:\0248622.exe25⤵
- Executes dropped EXE
PID:1244 -
\??\c:\jvppp.exec:\jvppp.exe26⤵
- Executes dropped EXE
PID:2508 -
\??\c:\2264260.exec:\2264260.exe27⤵
- Executes dropped EXE
PID:3936 -
\??\c:\06820.exec:\06820.exe28⤵
- Executes dropped EXE
PID:1908 -
\??\c:\2844488.exec:\2844488.exe29⤵
- Executes dropped EXE
PID:216 -
\??\c:\m2820.exec:\m2820.exe30⤵
- Executes dropped EXE
PID:560 -
\??\c:\lfllxxr.exec:\lfllxxr.exe31⤵
- Executes dropped EXE
PID:3496 -
\??\c:\284644.exec:\284644.exe32⤵
- Executes dropped EXE
PID:1020 -
\??\c:\xlfrfxf.exec:\xlfrfxf.exe33⤵
- Executes dropped EXE
PID:1640 -
\??\c:\a6208.exec:\a6208.exe34⤵
- Executes dropped EXE
PID:5076 -
\??\c:\nbbnnb.exec:\nbbnnb.exe35⤵
- Executes dropped EXE
PID:1852 -
\??\c:\6842200.exec:\6842200.exe36⤵
- Executes dropped EXE
PID:4236 -
\??\c:\tnhtht.exec:\tnhtht.exe37⤵
- Executes dropped EXE
PID:4228 -
\??\c:\5ddvp.exec:\5ddvp.exe38⤵
- Executes dropped EXE
PID:2100 -
\??\c:\frxrxlr.exec:\frxrxlr.exe39⤵
- Executes dropped EXE
PID:1228 -
\??\c:\0008604.exec:\0008604.exe40⤵
- Executes dropped EXE
PID:1844 -
\??\c:\1rfrfrf.exec:\1rfrfrf.exe41⤵
- Executes dropped EXE
PID:5060 -
\??\c:\44048.exec:\44048.exe42⤵
- Executes dropped EXE
PID:1476 -
\??\c:\0442064.exec:\0442064.exe43⤵
- Executes dropped EXE
PID:1692 -
\??\c:\lxxlfxl.exec:\lxxlfxl.exe44⤵
- Executes dropped EXE
PID:4008 -
\??\c:\btbbbt.exec:\btbbbt.exe45⤵
- Executes dropped EXE
PID:3432 -
\??\c:\2062862.exec:\2062862.exe46⤵
- Executes dropped EXE
PID:4772 -
\??\c:\xxxrfxr.exec:\xxxrfxr.exe47⤵
- Executes dropped EXE
PID:2716 -
\??\c:\2686206.exec:\2686206.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4200 -
\??\c:\024044.exec:\024044.exe49⤵
- Executes dropped EXE
PID:4756 -
\??\c:\06642.exec:\06642.exe50⤵
- Executes dropped EXE
PID:2772 -
\??\c:\jpvpd.exec:\jpvpd.exe51⤵
- Executes dropped EXE
PID:4380 -
\??\c:\dvpvd.exec:\dvpvd.exe52⤵
- Executes dropped EXE
PID:3572 -
\??\c:\xllrfxl.exec:\xllrfxl.exe53⤵
- Executes dropped EXE
PID:2844 -
\??\c:\42608.exec:\42608.exe54⤵
- Executes dropped EXE
PID:532 -
\??\c:\pppjj.exec:\pppjj.exe55⤵
- Executes dropped EXE
PID:3968 -
\??\c:\xrlfrlf.exec:\xrlfrlf.exe56⤵
- Executes dropped EXE
PID:2608 -
\??\c:\1rfxrlf.exec:\1rfxrlf.exe57⤵
- Executes dropped EXE
PID:3336 -
\??\c:\vjjjd.exec:\vjjjd.exe58⤵
- Executes dropped EXE
PID:2720 -
\??\c:\046000.exec:\046000.exe59⤵
- Executes dropped EXE
PID:4532 -
\??\c:\ffffrlx.exec:\ffffrlx.exe60⤵
- Executes dropped EXE
PID:3704 -
\??\c:\02204.exec:\02204.exe61⤵
- Executes dropped EXE
PID:3952 -
\??\c:\4262666.exec:\4262666.exe62⤵
- Executes dropped EXE
PID:984 -
\??\c:\bhnhtn.exec:\bhnhtn.exe63⤵
- Executes dropped EXE
PID:1840 -
\??\c:\4044804.exec:\4044804.exe64⤵
- Executes dropped EXE
PID:1404 -
\??\c:\62860.exec:\62860.exe65⤵
- Executes dropped EXE
PID:3244 -
\??\c:\u686660.exec:\u686660.exe66⤵PID:2164
-
\??\c:\bhthnt.exec:\bhthnt.exe67⤵PID:756
-
\??\c:\ttnbnh.exec:\ttnbnh.exe68⤵PID:1380
-
\??\c:\806828.exec:\806828.exe69⤵PID:2640
-
\??\c:\k68644.exec:\k68644.exe70⤵PID:1416
-
\??\c:\2626448.exec:\2626448.exe71⤵PID:2292
-
\??\c:\vddpd.exec:\vddpd.exe72⤵PID:2704
-
\??\c:\e84488.exec:\e84488.exe73⤵PID:2068
-
\??\c:\jdvjj.exec:\jdvjj.exe74⤵PID:4100
-
\??\c:\8404226.exec:\8404226.exe75⤵PID:2788
-
\??\c:\244426.exec:\244426.exe76⤵PID:456
-
\??\c:\8460444.exec:\8460444.exe77⤵PID:4184
-
\??\c:\tbttbt.exec:\tbttbt.exe78⤵PID:1064
-
\??\c:\64486.exec:\64486.exe79⤵PID:2516
-
\??\c:\xrfrfrf.exec:\xrfrfrf.exe80⤵PID:2052
-
\??\c:\vdvpv.exec:\vdvpv.exe81⤵PID:220
-
\??\c:\pdjdj.exec:\pdjdj.exe82⤵PID:1252
-
\??\c:\7nbthb.exec:\7nbthb.exe83⤵PID:1044
-
\??\c:\1hnhtt.exec:\1hnhtt.exe84⤵PID:3312
-
\??\c:\40660.exec:\40660.exe85⤵PID:4376
-
\??\c:\vjpjv.exec:\vjpjv.exe86⤵PID:3720
-
\??\c:\llfxrrf.exec:\llfxrrf.exe87⤵PID:4972
-
\??\c:\rflxrrr.exec:\rflxrrr.exe88⤵PID:2084
-
\??\c:\44262.exec:\44262.exe89⤵PID:4572
-
\??\c:\4404226.exec:\4404226.exe90⤵PID:2676
-
\??\c:\28482.exec:\28482.exe91⤵PID:2988
-
\??\c:\pvddv.exec:\pvddv.exe92⤵PID:3088
-
\??\c:\dvjdd.exec:\dvjdd.exe93⤵PID:2324
-
\??\c:\402204.exec:\402204.exe94⤵PID:1020
-
\??\c:\bhtnnh.exec:\bhtnnh.exe95⤵PID:1640
-
\??\c:\frlfxxx.exec:\frlfxxx.exe96⤵PID:3656
-
\??\c:\nhhnhh.exec:\nhhnhh.exe97⤵PID:2360
-
\??\c:\4460044.exec:\4460044.exe98⤵PID:1852
-
\??\c:\rlfxxxx.exec:\rlfxxxx.exe99⤵PID:4804
-
\??\c:\0282284.exec:\0282284.exe100⤵PID:2976
-
\??\c:\9nbbnn.exec:\9nbbnn.exe101⤵PID:3424
-
\??\c:\224822.exec:\224822.exe102⤵PID:652
-
\??\c:\vdpvd.exec:\vdpvd.exe103⤵PID:3632
-
\??\c:\60660.exec:\60660.exe104⤵PID:5060
-
\??\c:\xlrrfff.exec:\xlrrfff.exe105⤵PID:780
-
\??\c:\26486.exec:\26486.exe106⤵PID:2312
-
\??\c:\hbhnhh.exec:\hbhnhh.exe107⤵PID:4424
-
\??\c:\xrlffff.exec:\xrlffff.exe108⤵PID:1912
-
\??\c:\40666.exec:\40666.exe109⤵PID:5068
-
\??\c:\6066666.exec:\6066666.exe110⤵PID:1184
-
\??\c:\2648268.exec:\2648268.exe111⤵PID:4796
-
\??\c:\vjjvj.exec:\vjjvj.exe112⤵PID:4280
-
\??\c:\htnnhh.exec:\htnnhh.exe113⤵PID:4308
-
\??\c:\vjppj.exec:\vjppj.exe114⤵PID:1728
-
\??\c:\26244.exec:\26244.exe115⤵PID:4712
-
\??\c:\lxlllfx.exec:\lxlllfx.exe116⤵PID:4852
-
\??\c:\006048.exec:\006048.exe117⤵PID:1848
-
\??\c:\6622600.exec:\6622600.exe118⤵PID:1196
-
\??\c:\jvjdp.exec:\jvjdp.exe119⤵
- System Location Discovery: System Language Discovery
PID:3968 -
\??\c:\3vpdv.exec:\3vpdv.exe120⤵PID:3932
-
\??\c:\840488.exec:\840488.exe121⤵PID:2196
-
\??\c:\jvpvp.exec:\jvpvp.exe122⤵PID:1488