Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 21:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe
-
Size
454KB
-
MD5
be7921a406d588b299bd44790020616f
-
SHA1
be50e71289be2158afe8e30795722c0e7b43a477
-
SHA256
2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39
-
SHA512
4afabc0c7ec2102b9eb67401f326adc2394d341a102bedaa4304da208983b4719dfb48394a70372bf78c676584a6266a51323c6698ce66b1f7c99f628eecc248
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeVV:q7Tc2NYHUrAwfMp3CDVV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2624-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2796-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2704-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-768-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2444 4066066.exe 5032 1xlfffx.exe 1044 86088.exe 3624 rlfflll.exe 1772 xlrrrrx.exe 1488 426048.exe 3100 pdjjp.exe 996 w00044.exe 1368 dvjvp.exe 1796 86260.exe 1412 8480444.exe 4892 djvvp.exe 1516 thhhhh.exe 3268 808266.exe 4948 6844840.exe 4400 e66042.exe 4280 pvjvj.exe 1720 9ppdv.exe 4124 66260.exe 5116 xxlfxxr.exe 4896 48604.exe 1612 82426.exe 1736 7hhbtt.exe 1684 402448.exe 2648 68082.exe 2592 hhhhhb.exe 616 008886.exe 2900 2666004.exe 5080 djppj.exe 344 frrxrxr.exe 3696 lxllllr.exe 700 0060000.exe 4416 6004804.exe 2588 20088.exe 804 0660004.exe 3112 862088.exe 2164 xflxrll.exe 4256 4208460.exe 740 thnhbt.exe 3288 e28604.exe 1724 jpdpj.exe 2796 664886.exe 4392 lrxrllf.exe 2840 4246004.exe 1508 m4484.exe 2996 606860.exe 2012 80860.exe 4368 3jjdp.exe 1280 024482.exe 3320 084200.exe 4644 ddvvp.exe 4964 g8864.exe 828 lffffxr.exe 2288 dpvjv.exe 1636 8688822.exe 3296 c080628.exe 1556 tbhtnn.exe 2728 40006.exe 5040 thhthb.exe 1932 8842206.exe 4504 hhbtnn.exe 1968 2666044.exe 1772 bhntnn.exe 2100 hbntnt.exe -
resource yara_rule behavioral2/memory/2624-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-255-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2796-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-390-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1808-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-665-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 808266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxxff.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2666660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 022060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2666044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4024824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2624 wrote to memory of 2444 2624 2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe 83 PID 2624 wrote to memory of 2444 2624 2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe 83 PID 2624 wrote to memory of 2444 2624 2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe 83 PID 2444 wrote to memory of 5032 2444 4066066.exe 84 PID 2444 wrote to memory of 5032 2444 4066066.exe 84 PID 2444 wrote to memory of 5032 2444 4066066.exe 84 PID 5032 wrote to memory of 1044 5032 1xlfffx.exe 85 PID 5032 wrote to memory of 1044 5032 1xlfffx.exe 85 PID 5032 wrote to memory of 1044 5032 1xlfffx.exe 85 PID 1044 wrote to memory of 3624 1044 86088.exe 86 PID 1044 wrote to memory of 3624 1044 86088.exe 86 PID 1044 wrote to memory of 3624 1044 86088.exe 86 PID 3624 wrote to memory of 1772 3624 rlfflll.exe 87 PID 3624 wrote to memory of 1772 3624 rlfflll.exe 87 PID 3624 wrote to memory of 1772 3624 rlfflll.exe 87 PID 1772 wrote to memory of 1488 1772 xlrrrrx.exe 88 PID 1772 wrote to memory of 1488 1772 xlrrrrx.exe 88 PID 1772 wrote to memory of 1488 1772 xlrrrrx.exe 88 PID 1488 wrote to memory of 3100 1488 426048.exe 89 PID 1488 wrote to memory of 3100 1488 426048.exe 89 PID 1488 wrote to memory of 3100 1488 426048.exe 89 PID 3100 wrote to memory of 996 3100 pdjjp.exe 90 PID 3100 wrote to memory of 996 3100 pdjjp.exe 90 PID 3100 wrote to memory of 996 3100 pdjjp.exe 90 PID 996 wrote to memory of 1368 996 w00044.exe 91 PID 996 wrote to memory of 1368 996 w00044.exe 91 PID 996 wrote to memory of 1368 996 w00044.exe 91 PID 1368 wrote to memory of 1796 1368 dvjvp.exe 92 PID 1368 wrote to memory of 1796 1368 dvjvp.exe 92 PID 1368 wrote to memory of 1796 1368 dvjvp.exe 92 PID 1796 wrote to memory of 1412 1796 86260.exe 93 PID 1796 wrote to memory of 1412 1796 86260.exe 93 PID 1796 wrote to memory of 1412 1796 86260.exe 93 PID 1412 wrote to memory of 4892 1412 8480444.exe 94 PID 1412 wrote to memory of 
4892 1412 8480444.exe 94 PID 1412 wrote to memory of 4892 1412 8480444.exe 94 PID 4892 wrote to memory of 1516 4892 djvvp.exe 95 PID 4892 wrote to memory of 1516 4892 djvvp.exe 95 PID 4892 wrote to memory of 1516 4892 djvvp.exe 95 PID 1516 wrote to memory of 3268 1516 thhhhh.exe 96 PID 1516 wrote to memory of 3268 1516 thhhhh.exe 96 PID 1516 wrote to memory of 3268 1516 thhhhh.exe 96 PID 3268 wrote to memory of 4948 3268 808266.exe 97 PID 3268 wrote to memory of 4948 3268 808266.exe 97 PID 3268 wrote to memory of 4948 3268 808266.exe 97 PID 4948 wrote to memory of 4400 4948 6844840.exe 98 PID 4948 wrote to memory of 4400 4948 6844840.exe 98 PID 4948 wrote to memory of 4400 4948 6844840.exe 98 PID 4400 wrote to memory of 4280 4400 e66042.exe 99 PID 4400 wrote to memory of 4280 4400 e66042.exe 99 PID 4400 wrote to memory of 4280 4400 e66042.exe 99 PID 4280 wrote to memory of 1720 4280 pvjvj.exe 100 PID 4280 wrote to memory of 1720 4280 pvjvj.exe 100 PID 4280 wrote to memory of 1720 4280 pvjvj.exe 100 PID 1720 wrote to memory of 4124 1720 9ppdv.exe 101 PID 1720 wrote to memory of 4124 1720 9ppdv.exe 101 PID 1720 wrote to memory of 4124 1720 9ppdv.exe 101 PID 4124 wrote to memory of 5116 4124 66260.exe 102 PID 4124 wrote to memory of 5116 4124 66260.exe 102 PID 4124 wrote to memory of 5116 4124 66260.exe 102 PID 5116 wrote to memory of 4896 5116 xxlfxxr.exe 103 PID 5116 wrote to memory of 4896 5116 xxlfxxr.exe 103 PID 5116 wrote to memory of 4896 5116 xxlfxxr.exe 103 PID 4896 wrote to memory of 1612 4896 48604.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe"C:\Users\Admin\AppData\Local\Temp\2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\4066066.exec:\4066066.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\1xlfffx.exec:\1xlfffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\86088.exec:\86088.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\rlfflll.exec:\rlfflll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\xlrrrrx.exec:\xlrrrrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\426048.exec:\426048.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\pdjjp.exec:\pdjjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\w00044.exec:\w00044.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\dvjvp.exec:\dvjvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\86260.exec:\86260.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\8480444.exec:\8480444.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\djvvp.exec:\djvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\thhhhh.exec:\thhhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\808266.exec:\808266.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\6844840.exec:\6844840.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\e66042.exec:\e66042.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\pvjvj.exec:\pvjvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\9ppdv.exec:\9ppdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\66260.exec:\66260.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\xxlfxxr.exec:\xxlfxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\48604.exec:\48604.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\82426.exec:\82426.exe23⤵
- Executes dropped EXE
PID:1612 -
\??\c:\7hhbtt.exec:\7hhbtt.exe24⤵
- Executes dropped EXE
PID:1736 -
\??\c:\402448.exec:\402448.exe25⤵
- Executes dropped EXE
PID:1684 -
\??\c:\68082.exec:\68082.exe26⤵
- Executes dropped EXE
PID:2648 -
\??\c:\hhhhhb.exec:\hhhhhb.exe27⤵
- Executes dropped EXE
PID:2592 -
\??\c:\008886.exec:\008886.exe28⤵
- Executes dropped EXE
PID:616 -
\??\c:\2666004.exec:\2666004.exe29⤵
- Executes dropped EXE
PID:2900 -
\??\c:\djppj.exec:\djppj.exe30⤵
- Executes dropped EXE
PID:5080 -
\??\c:\frrxrxr.exec:\frrxrxr.exe31⤵
- Executes dropped EXE
PID:344 -
\??\c:\lxllllr.exec:\lxllllr.exe32⤵
- Executes dropped EXE
PID:3696 -
\??\c:\0060000.exec:\0060000.exe33⤵
- Executes dropped EXE
PID:700 -
\??\c:\6004804.exec:\6004804.exe34⤵
- Executes dropped EXE
PID:4416 -
\??\c:\20088.exec:\20088.exe35⤵
- Executes dropped EXE
PID:2588 -
\??\c:\0660004.exec:\0660004.exe36⤵
- Executes dropped EXE
PID:804 -
\??\c:\862088.exec:\862088.exe37⤵
- Executes dropped EXE
PID:3112 -
\??\c:\xflxrll.exec:\xflxrll.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
\??\c:\4208460.exec:\4208460.exe39⤵
- Executes dropped EXE
PID:4256 -
\??\c:\thnhbt.exec:\thnhbt.exe40⤵
- Executes dropped EXE
PID:740 -
\??\c:\e28604.exec:\e28604.exe41⤵
- Executes dropped EXE
PID:3288 -
\??\c:\jpdpj.exec:\jpdpj.exe42⤵
- Executes dropped EXE
PID:1724 -
\??\c:\664886.exec:\664886.exe43⤵
- Executes dropped EXE
PID:2796 -
\??\c:\lrxrllf.exec:\lrxrllf.exe44⤵
- Executes dropped EXE
PID:4392 -
\??\c:\4246004.exec:\4246004.exe45⤵
- Executes dropped EXE
PID:2840 -
\??\c:\m4484.exec:\m4484.exe46⤵
- Executes dropped EXE
PID:1508 -
\??\c:\606860.exec:\606860.exe47⤵
- Executes dropped EXE
PID:2996 -
\??\c:\80860.exec:\80860.exe48⤵
- Executes dropped EXE
PID:2012 -
\??\c:\3jjdp.exec:\3jjdp.exe49⤵
- Executes dropped EXE
PID:4368 -
\??\c:\024482.exec:\024482.exe50⤵
- Executes dropped EXE
PID:1280 -
\??\c:\084200.exec:\084200.exe51⤵
- Executes dropped EXE
PID:3320 -
\??\c:\ddvvp.exec:\ddvvp.exe52⤵
- Executes dropped EXE
PID:4644 -
\??\c:\g8864.exec:\g8864.exe53⤵
- Executes dropped EXE
PID:4964 -
\??\c:\lffffxr.exec:\lffffxr.exe54⤵
- Executes dropped EXE
PID:828 -
\??\c:\dpvjv.exec:\dpvjv.exe55⤵
- Executes dropped EXE
PID:2288 -
\??\c:\lrlfxrr.exec:\lrlfxrr.exe56⤵PID:4060
-
\??\c:\8688822.exec:\8688822.exe57⤵
- Executes dropped EXE
PID:1636 -
\??\c:\c080628.exec:\c080628.exe58⤵
- Executes dropped EXE
PID:3296 -
\??\c:\tbhtnn.exec:\tbhtnn.exe59⤵
- Executes dropped EXE
PID:1556 -
\??\c:\40006.exec:\40006.exe60⤵
- Executes dropped EXE
PID:2728 -
\??\c:\thhthb.exec:\thhthb.exe61⤵
- Executes dropped EXE
PID:5040 -
\??\c:\8842206.exec:\8842206.exe62⤵
- Executes dropped EXE
PID:1932 -
\??\c:\hhbtnn.exec:\hhbtnn.exe63⤵
- Executes dropped EXE
PID:4504 -
\??\c:\2666044.exec:\2666044.exe64⤵
- Executes dropped EXE
PID:1968 -
\??\c:\bhntnn.exec:\bhntnn.exe65⤵
- Executes dropped EXE
PID:1772 -
\??\c:\hbntnt.exec:\hbntnt.exe66⤵
- Executes dropped EXE
PID:2100 -
\??\c:\3tbtnn.exec:\3tbtnn.exe67⤵PID:976
-
\??\c:\64048.exec:\64048.exe68⤵PID:2328
-
\??\c:\042622.exec:\042622.exe69⤵PID:4404
-
\??\c:\26226.exec:\26226.exe70⤵PID:5020
-
\??\c:\pjdvp.exec:\pjdvp.exe71⤵PID:4532
-
\??\c:\jpvvv.exec:\jpvvv.exe72⤵PID:2572
-
\??\c:\64482.exec:\64482.exe73⤵PID:1412
-
\??\c:\tnntht.exec:\tnntht.exe74⤵PID:3636
-
\??\c:\60626.exec:\60626.exe75⤵PID:2704
-
\??\c:\jdppv.exec:\jdppv.exe76⤵PID:1516
-
\??\c:\djpjd.exec:\djpjd.exe77⤵PID:3396
-
\??\c:\nhnhnn.exec:\nhnhnn.exe78⤵PID:1152
-
\??\c:\26604.exec:\26604.exe79⤵PID:3860
-
\??\c:\024822.exec:\024822.exe80⤵PID:1404
-
\??\c:\220666.exec:\220666.exe81⤵PID:4144
-
\??\c:\60408.exec:\60408.exe82⤵PID:2976
-
\??\c:\6848882.exec:\6848882.exe83⤵PID:1304
-
\??\c:\ntttnn.exec:\ntttnn.exe84⤵PID:1736
-
\??\c:\tnhbhb.exec:\tnhbhb.exe85⤵PID:4156
-
\??\c:\llxxrxx.exec:\llxxrxx.exe86⤵PID:3324
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe87⤵PID:444
-
\??\c:\840066.exec:\840066.exe88⤵PID:1268
-
\??\c:\c404826.exec:\c404826.exe89⤵PID:5080
-
\??\c:\flrrrrf.exec:\flrrrrf.exe90⤵PID:1680
-
\??\c:\btbbtt.exec:\btbbtt.exe91⤵PID:4272
-
\??\c:\vdjvp.exec:\vdjvp.exe92⤵PID:836
-
\??\c:\9rxfxxr.exec:\9rxfxxr.exe93⤵PID:2364
-
\??\c:\1llfxff.exec:\1llfxff.exe94⤵PID:3632
-
\??\c:\u286004.exec:\u286004.exe95⤵PID:1524
-
\??\c:\e20822.exec:\e20822.exe96⤵PID:1624
-
\??\c:\40226.exec:\40226.exe97⤵PID:2968
-
\??\c:\g0604.exec:\g0604.exe98⤵PID:2000
-
\??\c:\6882266.exec:\6882266.exe99⤵PID:1808
-
\??\c:\pjpjj.exec:\pjpjj.exe100⤵PID:2796
-
\??\c:\bhtnnn.exec:\bhtnnn.exe101⤵PID:3836
-
\??\c:\88804.exec:\88804.exe102⤵PID:4564
-
\??\c:\428644.exec:\428644.exe103⤵PID:2224
-
\??\c:\bntnhh.exec:\bntnhh.exe104⤵PID:3700
-
\??\c:\fxlfxxx.exec:\fxlfxxx.exe105⤵PID:2012
-
\??\c:\0282622.exec:\0282622.exe106⤵PID:3464
-
\??\c:\pdjpj.exec:\pdjpj.exe107⤵PID:3320
-
\??\c:\3htnhn.exec:\3htnhn.exe108⤵PID:4644
-
\??\c:\44000.exec:\44000.exe109⤵PID:5012
-
\??\c:\04260.exec:\04260.exe110⤵PID:5028
-
\??\c:\bnnnhh.exec:\bnnnhh.exe111⤵PID:644
-
\??\c:\20604.exec:\20604.exe112⤵PID:1636
-
\??\c:\c822660.exec:\c822660.exe113⤵PID:4648
-
\??\c:\484882.exec:\484882.exe114⤵PID:2624
-
\??\c:\2806600.exec:\2806600.exe115⤵PID:2444
-
\??\c:\20260.exec:\20260.exe116⤵PID:1872
-
\??\c:\2222004.exec:\2222004.exe117⤵PID:772
-
\??\c:\dpvpj.exec:\dpvpj.exe118⤵PID:4104
-
\??\c:\jpdpj.exec:\jpdpj.exe119⤵PID:1448
-
\??\c:\1nhbtt.exec:\1nhbtt.exe120⤵
- System Location Discovery: System Language Discovery
PID:1944 -
\??\c:\k62648.exec:\k62648.exe121⤵PID:2020
-
\??\c:\002044.exec:\002044.exe122⤵PID:3136