Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 00:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
77c24a7fd8754d0b8cf05feac2478ff1b4fc202303a856475424a0b5f548fad8.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
77c24a7fd8754d0b8cf05feac2478ff1b4fc202303a856475424a0b5f548fad8.exe
-
Size
456KB
-
MD5
ed74182686793d6838e9c386d1d7360a
-
SHA1
0c4356db67546e546e0646dc11cc15096fa99131
-
SHA256
77c24a7fd8754d0b8cf05feac2478ff1b4fc202303a856475424a0b5f548fad8
-
SHA512
70cc7d52081a40e8be76c11b342c10b6049559288beafd0ae14935c5cffb0b31da42600e7c08b521a00a235728ae899b6c2efeb85cbc64d77f584d233603734f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRB:q7Tc2NYHUrAwfMp3CDRB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3192-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1588-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2100-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-1219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-1400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-1651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-1745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3192 7dvpp.exe 3092 fxxlffx.exe 4204 88266.exe 4708 3rrfrll.exe 1940 lffxxlx.exe 4636 w84080.exe 856 60420.exe 3012 xxfrlxl.exe 1452 2806806.exe 3368 xrlxlfr.exe 2648 dvpjp.exe 2296 s0626.exe 2376 bttnbt.exe 4248 jjdvp.exe 364 vdjjd.exe 4288 jpvjd.exe 1632 q46404.exe 4468 8848260.exe 1292 600488.exe 932 824844.exe 3472 xxrxrxl.exe 3332 o282660.exe 2404 7hnhtn.exe 1704 bbtnhb.exe 2888 88006.exe 4696 46224.exe 5028 ppdpv.exe 1588 9pvjv.exe 640 64282.exe 3044 4848888.exe 1608 vdjdv.exe 4260 6082404.exe 2420 htbhnn.exe 3516 w24048.exe 428 4286882.exe 3140 200448.exe 4376 4060888.exe 2428 lxxxrxr.exe 852 flfxfrr.exe 4956 m6642.exe 4580 3hnhth.exe 4540 800860.exe 3192 06820.exe 3308 lrxlffx.exe 1248 28284.exe 2184 3ntnnn.exe 4396 nbbnht.exe 4384 8842082.exe 2848 22864.exe 780 42826.exe 3928 264486.exe 5008 bhnhnn.exe 2916 vvdvj.exe 3292 jjdpd.exe 1868 nbhtnn.exe 3692 rrrlfxr.exe 4548 m8608.exe 4432 s2282.exe 1624 nnnhbt.exe 1972 htnnhh.exe 3880 6448660.exe 2636 lfrrxxx.exe 4976 xxlfrlr.exe 5072 3pdvj.exe -
resource yara_rule behavioral2/memory/3192-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4260-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-410-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3380-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-816-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-1137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-1219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-1400-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o642648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbttl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i240886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w86862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0626004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u082004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8066004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3424 wrote to memory of 3192 3424 77c24a7fd8754d0b8cf05feac2478ff1b4fc202303a856475424a0b5f548fad8.exe 83 PID 3424 wrote to memory of 3192 3424 77c24a7fd8754d0b8cf05feac2478ff1b4fc202303a856475424a0b5f548fad8.exe 83 PID 3424 wrote to memory of 3192 3424 77c24a7fd8754d0b8cf05feac2478ff1b4fc202303a856475424a0b5f548fad8.exe 83 PID 3192 wrote to memory of 3092 3192 7dvpp.exe 84 PID 3192 wrote to memory of 3092 3192 7dvpp.exe 84 PID 3192 wrote to memory of 3092 3192 7dvpp.exe 84 PID 3092 wrote to memory of 4204 3092 fxxlffx.exe 85 PID 3092 wrote to memory of 4204 3092 fxxlffx.exe 85 PID 3092 wrote to memory of 4204 3092 fxxlffx.exe 85 PID 4204 wrote to memory of 4708 4204 88266.exe 86 PID 4204 wrote to memory of 4708 4204 88266.exe 86 PID 4204 wrote to memory of 4708 4204 88266.exe 86 PID 4708 wrote to memory of 1940 4708 3rrfrll.exe 87 PID 4708 wrote to memory of 1940 4708 3rrfrll.exe 87 PID 4708 wrote to memory of 1940 4708 3rrfrll.exe 87 PID 1940 wrote to memory of 4636 1940 lffxxlx.exe 88 PID 1940 wrote to memory of 4636 1940 lffxxlx.exe 88 PID 1940 wrote to memory of 4636 1940 lffxxlx.exe 88 PID 4636 wrote to memory of 856 4636 w84080.exe 89 PID 4636 wrote to memory of 856 4636 w84080.exe 89 PID 4636 wrote to memory of 856 4636 w84080.exe 89 PID 856 wrote to memory of 3012 856 60420.exe 90 PID 856 wrote to memory of 3012 856 60420.exe 90 PID 856 wrote to memory of 3012 856 60420.exe 90 PID 3012 wrote to memory of 1452 3012 xxfrlxl.exe 91 PID 3012 wrote to memory of 1452 3012 xxfrlxl.exe 91 PID 3012 wrote to memory of 1452 3012 xxfrlxl.exe 91 PID 1452 wrote to memory of 3368 1452 2806806.exe 92 PID 1452 wrote to memory of 3368 1452 2806806.exe 92 PID 1452 wrote to memory of 3368 1452 2806806.exe 92 PID 3368 wrote to memory of 2648 3368 xrlxlfr.exe 93 PID 3368 wrote to memory of 2648 3368 xrlxlfr.exe 93 PID 3368 wrote to memory of 2648 3368 xrlxlfr.exe 93 PID 2648 wrote to memory of 2296 2648 dvpjp.exe 94 PID 2648 wrote to 
memory of 2296 2648 dvpjp.exe 94 PID 2648 wrote to memory of 2296 2648 dvpjp.exe 94 PID 2296 wrote to memory of 2376 2296 s0626.exe 95 PID 2296 wrote to memory of 2376 2296 s0626.exe 95 PID 2296 wrote to memory of 2376 2296 s0626.exe 95 PID 2376 wrote to memory of 4248 2376 bttnbt.exe 96 PID 2376 wrote to memory of 4248 2376 bttnbt.exe 96 PID 2376 wrote to memory of 4248 2376 bttnbt.exe 96 PID 4248 wrote to memory of 364 4248 jjdvp.exe 97 PID 4248 wrote to memory of 364 4248 jjdvp.exe 97 PID 4248 wrote to memory of 364 4248 jjdvp.exe 97 PID 364 wrote to memory of 4288 364 vdjjd.exe 98 PID 364 wrote to memory of 4288 364 vdjjd.exe 98 PID 364 wrote to memory of 4288 364 vdjjd.exe 98 PID 4288 wrote to memory of 1632 4288 jpvjd.exe 99 PID 4288 wrote to memory of 1632 4288 jpvjd.exe 99 PID 4288 wrote to memory of 1632 4288 jpvjd.exe 99 PID 1632 wrote to memory of 4468 1632 q46404.exe 100 PID 1632 wrote to memory of 4468 1632 q46404.exe 100 PID 1632 wrote to memory of 4468 1632 q46404.exe 100 PID 4468 wrote to memory of 1292 4468 8848260.exe 101 PID 4468 wrote to memory of 1292 4468 8848260.exe 101 PID 4468 wrote to memory of 1292 4468 8848260.exe 101 PID 1292 wrote to memory of 932 1292 600488.exe 102 PID 1292 wrote to memory of 932 1292 600488.exe 102 PID 1292 wrote to memory of 932 1292 600488.exe 102 PID 932 wrote to memory of 3472 932 824844.exe 103 PID 932 wrote to memory of 3472 932 824844.exe 103 PID 932 wrote to memory of 3472 932 824844.exe 103 PID 3472 wrote to memory of 3332 3472 xxrxrxl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\77c24a7fd8754d0b8cf05feac2478ff1b4fc202303a856475424a0b5f548fad8.exe"C:\Users\Admin\AppData\Local\Temp\77c24a7fd8754d0b8cf05feac2478ff1b4fc202303a856475424a0b5f548fad8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\7dvpp.exec:\7dvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\fxxlffx.exec:\fxxlffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\88266.exec:\88266.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\3rrfrll.exec:\3rrfrll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\lffxxlx.exec:\lffxxlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\w84080.exec:\w84080.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\60420.exec:\60420.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\xxfrlxl.exec:\xxfrlxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\2806806.exec:\2806806.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\xrlxlfr.exec:\xrlxlfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\dvpjp.exec:\dvpjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\s0626.exec:\s0626.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\bttnbt.exec:\bttnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\jjdvp.exec:\jjdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\vdjjd.exec:\vdjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:364 -
\??\c:\jpvjd.exec:\jpvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\q46404.exec:\q46404.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\8848260.exec:\8848260.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\600488.exec:\600488.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\824844.exec:\824844.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\xxrxrxl.exec:\xxrxrxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\o282660.exec:\o282660.exe23⤵
- Executes dropped EXE
PID:3332 -
\??\c:\7hnhtn.exec:\7hnhtn.exe24⤵
- Executes dropped EXE
PID:2404 -
\??\c:\bbtnhb.exec:\bbtnhb.exe25⤵
- Executes dropped EXE
PID:1704 -
\??\c:\88006.exec:\88006.exe26⤵
- Executes dropped EXE
PID:2888 -
\??\c:\46224.exec:\46224.exe27⤵
- Executes dropped EXE
PID:4696 -
\??\c:\ppdpv.exec:\ppdpv.exe28⤵
- Executes dropped EXE
PID:5028 -
\??\c:\9pvjv.exec:\9pvjv.exe29⤵
- Executes dropped EXE
PID:1588 -
\??\c:\64282.exec:\64282.exe30⤵
- Executes dropped EXE
PID:640 -
\??\c:\4848888.exec:\4848888.exe31⤵
- Executes dropped EXE
PID:3044 -
\??\c:\vdjdv.exec:\vdjdv.exe32⤵
- Executes dropped EXE
PID:1608 -
\??\c:\6082404.exec:\6082404.exe33⤵
- Executes dropped EXE
PID:4260 -
\??\c:\htbhnn.exec:\htbhnn.exe34⤵
- Executes dropped EXE
PID:2420 -
\??\c:\w24048.exec:\w24048.exe35⤵
- Executes dropped EXE
PID:3516 -
\??\c:\4286882.exec:\4286882.exe36⤵
- Executes dropped EXE
PID:428 -
\??\c:\200448.exec:\200448.exe37⤵
- Executes dropped EXE
PID:3140 -
\??\c:\4060888.exec:\4060888.exe38⤵
- Executes dropped EXE
PID:4376 -
\??\c:\lxxxrxr.exec:\lxxxrxr.exe39⤵
- Executes dropped EXE
PID:2428 -
\??\c:\flfxfrr.exec:\flfxfrr.exe40⤵
- Executes dropped EXE
PID:852 -
\??\c:\m6642.exec:\m6642.exe41⤵
- Executes dropped EXE
PID:4956 -
\??\c:\3hnhth.exec:\3hnhth.exe42⤵
- Executes dropped EXE
PID:4580 -
\??\c:\800860.exec:\800860.exe43⤵
- Executes dropped EXE
PID:4540 -
\??\c:\06820.exec:\06820.exe44⤵
- Executes dropped EXE
PID:3192 -
\??\c:\lrxlffx.exec:\lrxlffx.exe45⤵
- Executes dropped EXE
PID:3308 -
\??\c:\28284.exec:\28284.exe46⤵
- Executes dropped EXE
PID:1248 -
\??\c:\3ntnnn.exec:\3ntnnn.exe47⤵
- Executes dropped EXE
PID:2184 -
\??\c:\nbbnht.exec:\nbbnht.exe48⤵
- Executes dropped EXE
PID:4396 -
\??\c:\8842082.exec:\8842082.exe49⤵
- Executes dropped EXE
PID:4384 -
\??\c:\22864.exec:\22864.exe50⤵
- Executes dropped EXE
PID:2848 -
\??\c:\42826.exec:\42826.exe51⤵
- Executes dropped EXE
PID:780 -
\??\c:\264486.exec:\264486.exe52⤵
- Executes dropped EXE
PID:3928 -
\??\c:\bhnhnn.exec:\bhnhnn.exe53⤵
- Executes dropped EXE
PID:5008 -
\??\c:\vvdvj.exec:\vvdvj.exe54⤵
- Executes dropped EXE
PID:2916 -
\??\c:\jjdpd.exec:\jjdpd.exe55⤵
- Executes dropped EXE
PID:3292 -
\??\c:\nbhtnn.exec:\nbhtnn.exe56⤵
- Executes dropped EXE
PID:1868 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe57⤵
- Executes dropped EXE
PID:3692 -
\??\c:\m8608.exec:\m8608.exe58⤵
- Executes dropped EXE
PID:4548 -
\??\c:\s2282.exec:\s2282.exe59⤵
- Executes dropped EXE
PID:4432 -
\??\c:\nnnhbt.exec:\nnnhbt.exe60⤵
- Executes dropped EXE
PID:1624 -
\??\c:\htnnhh.exec:\htnnhh.exe61⤵
- Executes dropped EXE
PID:1972 -
\??\c:\6448660.exec:\6448660.exe62⤵
- Executes dropped EXE
PID:3880 -
\??\c:\lfrrxxx.exec:\lfrrxxx.exe63⤵
- Executes dropped EXE
PID:2636 -
\??\c:\xxlfrlr.exec:\xxlfrlr.exe64⤵
- Executes dropped EXE
PID:4976 -
\??\c:\3pdvj.exec:\3pdvj.exe65⤵
- Executes dropped EXE
PID:5072 -
\??\c:\840826.exec:\840826.exe66⤵PID:4784
-
\??\c:\8666228.exec:\8666228.exe67⤵PID:5052
-
\??\c:\7bbthb.exec:\7bbthb.exe68⤵PID:2504
-
\??\c:\64420.exec:\64420.exe69⤵PID:3024
-
\??\c:\8264862.exec:\8264862.exe70⤵PID:1100
-
\??\c:\9vpvj.exec:\9vpvj.exe71⤵PID:2088
-
\??\c:\006622.exec:\006622.exe72⤵PID:3472
-
\??\c:\462004.exec:\462004.exe73⤵PID:208
-
\??\c:\pppdv.exec:\pppdv.exe74⤵PID:4568
-
\??\c:\864860.exec:\864860.exe75⤵PID:1708
-
\??\c:\1hnhbt.exec:\1hnhbt.exe76⤵PID:1772
-
\??\c:\0440206.exec:\0440206.exe77⤵PID:1488
-
\??\c:\w88264.exec:\w88264.exe78⤵PID:1468
-
\??\c:\26608.exec:\26608.exe79⤵PID:1916
-
\??\c:\htbtnh.exec:\htbtnh.exe80⤵PID:2384
-
\??\c:\i608642.exec:\i608642.exe81⤵PID:3600
-
\??\c:\6664864.exec:\6664864.exe82⤵PID:3696
-
\??\c:\xxfrfxx.exec:\xxfrfxx.exe83⤵
- System Location Discovery: System Language Discovery
PID:640 -
\??\c:\fllllll.exec:\fllllll.exe84⤵PID:944
-
\??\c:\4886608.exec:\4886608.exe85⤵PID:532
-
\??\c:\9jvpj.exec:\9jvpj.exe86⤵PID:2972
-
\??\c:\o620860.exec:\o620860.exe87⤵PID:2060
-
\??\c:\xffrlxl.exec:\xffrlxl.exe88⤵PID:2864
-
\??\c:\vpjdv.exec:\vpjdv.exe89⤵PID:5064
-
\??\c:\pjdvj.exec:\pjdvj.exe90⤵PID:2100
-
\??\c:\20448.exec:\20448.exe91⤵PID:3452
-
\??\c:\1hhttn.exec:\1hhttn.exe92⤵PID:2656
-
\??\c:\606084.exec:\606084.exe93⤵PID:3420
-
\??\c:\5xrfrlf.exec:\5xrfrlf.exe94⤵PID:4496
-
\??\c:\a0642.exec:\a0642.exe95⤵PID:4512
-
\??\c:\22486.exec:\22486.exe96⤵PID:896
-
\??\c:\vvdvp.exec:\vvdvp.exe97⤵PID:1368
-
\??\c:\lxrfrlf.exec:\lxrfrlf.exe98⤵PID:4540
-
\??\c:\w66422.exec:\w66422.exe99⤵PID:3688
-
\??\c:\lxfrfxr.exec:\lxfrfxr.exe100⤵PID:3504
-
\??\c:\8808208.exec:\8808208.exe101⤵PID:4044
-
\??\c:\k66482.exec:\k66482.exe102⤵PID:1068
-
\??\c:\dppdp.exec:\dppdp.exe103⤵PID:3976
-
\??\c:\0020826.exec:\0020826.exe104⤵PID:3380
-
\??\c:\6004866.exec:\6004866.exe105⤵PID:1524
-
\??\c:\86822.exec:\86822.exe106⤵PID:4632
-
\??\c:\i240886.exec:\i240886.exe107⤵
- System Location Discovery: System Language Discovery
PID:1940 -
\??\c:\xllxrlf.exec:\xllxrlf.exe108⤵PID:1784
-
\??\c:\nbhhbb.exec:\nbhhbb.exe109⤵
- System Location Discovery: System Language Discovery
PID:4636 -
\??\c:\04426.exec:\04426.exe110⤵PID:620
-
\??\c:\04600.exec:\04600.exe111⤵PID:1256
-
\??\c:\llfrlxr.exec:\llfrlxr.exe112⤵PID:3012
-
\??\c:\vdvjv.exec:\vdvjv.exe113⤵PID:3684
-
\??\c:\frrllll.exec:\frrllll.exe114⤵PID:512
-
\??\c:\htnhtn.exec:\htnhtn.exe115⤵PID:2256
-
\??\c:\864226.exec:\864226.exe116⤵PID:116
-
\??\c:\ffxfxrr.exec:\ffxfxrr.exe117⤵PID:3368
-
\??\c:\1pjvp.exec:\1pjvp.exe118⤵PID:3584
-
\??\c:\7bthtb.exec:\7bthtb.exe119⤵PID:1748
-
\??\c:\2842608.exec:\2842608.exe120⤵PID:4124
-
\??\c:\ppdvp.exec:\ppdvp.exe121⤵PID:1820
-
\??\c:\lrfxllx.exec:\lrfxllx.exe122⤵PID:5100