Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7bc1aeb94b1d8de06240d0efbc1f8115e5a2a7eca12be740de879385d574c1ee.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
7bc1aeb94b1d8de06240d0efbc1f8115e5a2a7eca12be740de879385d574c1ee.exe
-
Size
454KB
-
MD5
bc3a3ff9eb2723ce1444598f6407afea
-
SHA1
beaa3d6574f6ba744483abef7a3cfc0234770e33
-
SHA256
7bc1aeb94b1d8de06240d0efbc1f8115e5a2a7eca12be740de879385d574c1ee
-
SHA512
e68ccfa1ee5d5a488af3aae73410c8b4367963a2c37e833fd1d343beb1d644fbfc97f831f08c7804e1c435252495c41f69c6c4d85b6652d97b9935e0f166b0b6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3284-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/472-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4080-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1636-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-1170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-1451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-2272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2696 6626082.exe 2420 642828.exe 3972 7fxlfxl.exe 1912 xlxlxlx.exe 3832 m2086.exe 4224 1jjvp.exe 4472 4688226.exe 472 xxxrfrl.exe 2832 frllffl.exe 2240 80040.exe 1472 6844040.exe 2816 468648.exe 404 1llrlfx.exe 4992 lfrrffx.exe 3332 9ttbnn.exe 3316 htbtbt.exe 740 nnhnbt.exe 3964 5frlxlf.exe 3436 bnhbhh.exe 980 frlfllx.exe 4960 jvdjv.exe 4080 e40204.exe 2488 648604.exe 3740 xlrffxx.exe 2356 6044062.exe 1328 e06004.exe 2212 8028040.exe 1340 jjdvd.exe 4576 a2282.exe 2384 ddvdp.exe 2224 llxrllx.exe 1676 pvvpd.exe 1236 286048.exe 4808 vjpjp.exe 3496 thtnnn.exe 4104 9jvvv.exe 3644 a2264.exe 3488 648448.exe 844 rxrfxrf.exe 4716 dpdvd.exe 5084 428484.exe 3700 dpjjd.exe 4672 4466484.exe 3924 420482.exe 3252 8684444.exe 3544 8888826.exe 380 2060826.exe 5076 bhnhbh.exe 4504 u668264.exe 3480 vvvjd.exe 1080 400402.exe 3352 xxrxxlr.exe 2420 jvpdv.exe 3788 084606.exe 4600 422200.exe 4088 7dpvj.exe 2136 xrxrlll.exe 848 240488.exe 4660 00406.exe 3880 242004.exe 4664 5dvjd.exe 1636 tttnbt.exe 1872 m4042.exe 232 k02288.exe -
resource yara_rule behavioral2/memory/3284-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/472-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3740-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-315-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3260-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-1007-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8888826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c800044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4282222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 088260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4466048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
044606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 282020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8028040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 244826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3284 wrote to memory of 2696 3284 7bc1aeb94b1d8de06240d0efbc1f8115e5a2a7eca12be740de879385d574c1ee.exe 83 PID 3284 wrote to memory of 2696 3284 7bc1aeb94b1d8de06240d0efbc1f8115e5a2a7eca12be740de879385d574c1ee.exe 83 PID 3284 wrote to memory of 2696 3284 7bc1aeb94b1d8de06240d0efbc1f8115e5a2a7eca12be740de879385d574c1ee.exe 83 PID 2696 wrote to memory of 2420 2696 6626082.exe 84 PID 2696 wrote to memory of 2420 2696 6626082.exe 84 PID 2696 wrote to memory of 2420 2696 6626082.exe 84 PID 2420 wrote to memory of 3972 2420 642828.exe 85 PID 2420 wrote to memory of 3972 2420 642828.exe 85 PID 2420 wrote to memory of 3972 2420 642828.exe 85 PID 3972 wrote to memory of 1912 3972 7fxlfxl.exe 86 PID 3972 wrote to memory of 1912 3972 7fxlfxl.exe 86 PID 3972 wrote to memory of 1912 3972 7fxlfxl.exe 86 PID 1912 wrote to memory of 3832 1912 xlxlxlx.exe 87 PID 1912 wrote to memory of 3832 1912 xlxlxlx.exe 87 PID 1912 wrote to memory of 3832 1912 xlxlxlx.exe 87 PID 3832 wrote to memory of 4224 3832 m2086.exe 88 PID 3832 wrote to memory of 4224 3832 m2086.exe 88 PID 3832 wrote to memory of 4224 3832 m2086.exe 88 PID 4224 wrote to memory of 4472 4224 1jjvp.exe 89 PID 4224 wrote to memory of 4472 4224 1jjvp.exe 89 PID 4224 wrote to memory of 4472 4224 1jjvp.exe 89 PID 4472 wrote to memory of 472 4472 4688226.exe 90 PID 4472 wrote to memory of 472 4472 4688226.exe 90 PID 4472 wrote to memory of 472 4472 4688226.exe 90 PID 472 wrote to memory of 2832 472 xxxrfrl.exe 91 PID 472 wrote to memory of 2832 472 xxxrfrl.exe 91 PID 472 wrote to memory of 2832 472 xxxrfrl.exe 91 PID 2832 wrote to memory of 2240 2832 frllffl.exe 92 PID 2832 wrote to memory of 2240 2832 frllffl.exe 92 PID 2832 wrote to memory of 2240 2832 frllffl.exe 92 PID 2240 wrote to memory of 1472 2240 80040.exe 93 PID 2240 wrote to memory of 1472 2240 80040.exe 93 PID 2240 wrote to memory of 1472 2240 80040.exe 93 PID 1472 wrote to memory of 2816 1472 6844040.exe 94 PID 1472 wrote to 
memory of 2816 1472 6844040.exe 94 PID 1472 wrote to memory of 2816 1472 6844040.exe 94 PID 2816 wrote to memory of 404 2816 468648.exe 95 PID 2816 wrote to memory of 404 2816 468648.exe 95 PID 2816 wrote to memory of 404 2816 468648.exe 95 PID 404 wrote to memory of 4992 404 1llrlfx.exe 96 PID 404 wrote to memory of 4992 404 1llrlfx.exe 96 PID 404 wrote to memory of 4992 404 1llrlfx.exe 96 PID 4992 wrote to memory of 3332 4992 lfrrffx.exe 97 PID 4992 wrote to memory of 3332 4992 lfrrffx.exe 97 PID 4992 wrote to memory of 3332 4992 lfrrffx.exe 97 PID 3332 wrote to memory of 3316 3332 9ttbnn.exe 98 PID 3332 wrote to memory of 3316 3332 9ttbnn.exe 98 PID 3332 wrote to memory of 3316 3332 9ttbnn.exe 98 PID 3316 wrote to memory of 740 3316 htbtbt.exe 99 PID 3316 wrote to memory of 740 3316 htbtbt.exe 99 PID 3316 wrote to memory of 740 3316 htbtbt.exe 99 PID 740 wrote to memory of 3964 740 nnhnbt.exe 100 PID 740 wrote to memory of 3964 740 nnhnbt.exe 100 PID 740 wrote to memory of 3964 740 nnhnbt.exe 100 PID 3964 wrote to memory of 3436 3964 5frlxlf.exe 101 PID 3964 wrote to memory of 3436 3964 5frlxlf.exe 101 PID 3964 wrote to memory of 3436 3964 5frlxlf.exe 101 PID 3436 wrote to memory of 980 3436 bnhbhh.exe 102 PID 3436 wrote to memory of 980 3436 bnhbhh.exe 102 PID 3436 wrote to memory of 980 3436 bnhbhh.exe 102 PID 980 wrote to memory of 4960 980 frlfllx.exe 103 PID 980 wrote to memory of 4960 980 frlfllx.exe 103 PID 980 wrote to memory of 4960 980 frlfllx.exe 103 PID 4960 wrote to memory of 4080 4960 jvdjv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7bc1aeb94b1d8de06240d0efbc1f8115e5a2a7eca12be740de879385d574c1ee.exe"C:\Users\Admin\AppData\Local\Temp\7bc1aeb94b1d8de06240d0efbc1f8115e5a2a7eca12be740de879385d574c1ee.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\6626082.exec:\6626082.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\642828.exec:\642828.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\7fxlfxl.exec:\7fxlfxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\xlxlxlx.exec:\xlxlxlx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\m2086.exec:\m2086.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\1jjvp.exec:\1jjvp.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\4688226.exec:\4688226.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\xxxrfrl.exec:\xxxrfrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:472 -
\??\c:\frllffl.exec:\frllffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\80040.exec:\80040.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\6844040.exec:\6844040.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\468648.exec:\468648.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\1llrlfx.exec:\1llrlfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\lfrrffx.exec:\lfrrffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\9ttbnn.exec:\9ttbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\htbtbt.exec:\htbtbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\nnhnbt.exec:\nnhnbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\5frlxlf.exec:\5frlxlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\bnhbhh.exec:\bnhbhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\frlfllx.exec:\frlfllx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\jvdjv.exec:\jvdjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\e40204.exec:\e40204.exe23⤵
- Executes dropped EXE
PID:4080 -
\??\c:\648604.exec:\648604.exe24⤵
- Executes dropped EXE
PID:2488 -
\??\c:\xlrffxx.exec:\xlrffxx.exe25⤵
- Executes dropped EXE
PID:3740 -
\??\c:\6044062.exec:\6044062.exe26⤵
- Executes dropped EXE
PID:2356 -
\??\c:\e06004.exec:\e06004.exe27⤵
- Executes dropped EXE
PID:1328 -
\??\c:\8028040.exec:\8028040.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2212 -
\??\c:\jjdvd.exec:\jjdvd.exe29⤵
- Executes dropped EXE
PID:1340 -
\??\c:\a2282.exec:\a2282.exe30⤵
- Executes dropped EXE
PID:4576 -
\??\c:\ddvdp.exec:\ddvdp.exe31⤵
- Executes dropped EXE
PID:2384 -
\??\c:\llxrllx.exec:\llxrllx.exe32⤵
- Executes dropped EXE
PID:2224 -
\??\c:\pvvpd.exec:\pvvpd.exe33⤵
- Executes dropped EXE
PID:1676 -
\??\c:\286048.exec:\286048.exe34⤵
- Executes dropped EXE
PID:1236 -
\??\c:\vjpjp.exec:\vjpjp.exe35⤵
- Executes dropped EXE
PID:4808 -
\??\c:\thtnnn.exec:\thtnnn.exe36⤵
- Executes dropped EXE
PID:3496 -
\??\c:\9jvvv.exec:\9jvvv.exe37⤵
- Executes dropped EXE
PID:4104 -
\??\c:\a2264.exec:\a2264.exe38⤵
- Executes dropped EXE
PID:3644 -
\??\c:\648448.exec:\648448.exe39⤵
- Executes dropped EXE
PID:3488 -
\??\c:\rxrfxrf.exec:\rxrfxrf.exe40⤵
- Executes dropped EXE
PID:844 -
\??\c:\dpdvd.exec:\dpdvd.exe41⤵
- Executes dropped EXE
PID:4716 -
\??\c:\428484.exec:\428484.exe42⤵
- Executes dropped EXE
PID:5084 -
\??\c:\dpjjd.exec:\dpjjd.exe43⤵
- Executes dropped EXE
PID:3700 -
\??\c:\4466484.exec:\4466484.exe44⤵
- Executes dropped EXE
PID:4672 -
\??\c:\420482.exec:\420482.exe45⤵
- Executes dropped EXE
PID:3924 -
\??\c:\8684444.exec:\8684444.exe46⤵
- Executes dropped EXE
PID:3252 -
\??\c:\8888826.exec:\8888826.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3544 -
\??\c:\2060826.exec:\2060826.exe48⤵
- Executes dropped EXE
PID:380 -
\??\c:\bhnhbh.exec:\bhnhbh.exe49⤵
- Executes dropped EXE
PID:5076 -
\??\c:\u668264.exec:\u668264.exe50⤵
- Executes dropped EXE
PID:4504 -
\??\c:\vvvjd.exec:\vvvjd.exe51⤵
- Executes dropped EXE
PID:3480 -
\??\c:\400402.exec:\400402.exe52⤵
- Executes dropped EXE
PID:1080 -
\??\c:\xxrxxlr.exec:\xxrxxlr.exe53⤵
- Executes dropped EXE
PID:3352 -
\??\c:\jvpdv.exec:\jvpdv.exe54⤵
- Executes dropped EXE
PID:2420 -
\??\c:\084606.exec:\084606.exe55⤵
- Executes dropped EXE
PID:3788 -
\??\c:\422200.exec:\422200.exe56⤵
- Executes dropped EXE
PID:4600 -
\??\c:\7dpvj.exec:\7dpvj.exe57⤵
- Executes dropped EXE
PID:4088 -
\??\c:\xrxrlll.exec:\xrxrlll.exe58⤵
- Executes dropped EXE
PID:2136 -
\??\c:\240488.exec:\240488.exe59⤵
- Executes dropped EXE
PID:848 -
\??\c:\00406.exec:\00406.exe60⤵
- Executes dropped EXE
PID:4660 -
\??\c:\242004.exec:\242004.exe61⤵
- Executes dropped EXE
PID:3880 -
\??\c:\5dvjd.exec:\5dvjd.exe62⤵
- Executes dropped EXE
PID:4664 -
\??\c:\tttnbt.exec:\tttnbt.exe63⤵
- Executes dropped EXE
PID:1636 -
\??\c:\m4042.exec:\m4042.exe64⤵
- Executes dropped EXE
PID:1872 -
\??\c:\k02288.exec:\k02288.exe65⤵
- Executes dropped EXE
PID:232 -
\??\c:\xrxrrxx.exec:\xrxrrxx.exe66⤵PID:4444
-
\??\c:\42826.exec:\42826.exe67⤵PID:3188
-
\??\c:\vjpvv.exec:\vjpvv.exe68⤵PID:3092
-
\??\c:\020280.exec:\020280.exe69⤵PID:3260
-
\??\c:\nbhhbt.exec:\nbhhbt.exe70⤵PID:4924
-
\??\c:\rlflflx.exec:\rlflflx.exe71⤵PID:2164
-
\??\c:\7bttnn.exec:\7bttnn.exe72⤵PID:4548
-
\??\c:\c026004.exec:\c026004.exe73⤵PID:1940
-
\??\c:\6404848.exec:\6404848.exe74⤵PID:1984
-
\??\c:\002202.exec:\002202.exe75⤵PID:2868
-
\??\c:\6666464.exec:\6666464.exe76⤵PID:4272
-
\??\c:\9hbttn.exec:\9hbttn.exe77⤵PID:4908
-
\??\c:\btttnh.exec:\btttnh.exe78⤵PID:4140
-
\??\c:\rlxxrfx.exec:\rlxxrfx.exe79⤵PID:4748
-
\??\c:\vvddj.exec:\vvddj.exe80⤵PID:2728
-
\??\c:\8026000.exec:\8026000.exe81⤵PID:1928
-
\??\c:\62482.exec:\62482.exe82⤵PID:3244
-
\??\c:\nhbnhb.exec:\nhbnhb.exe83⤵PID:1012
-
\??\c:\rfxlffx.exec:\rfxlffx.exe84⤵PID:3552
-
\??\c:\8060882.exec:\8060882.exe85⤵PID:5096
-
\??\c:\hbhbtt.exec:\hbhbtt.exe86⤵PID:3472
-
\??\c:\6060404.exec:\6060404.exe87⤵PID:1408
-
\??\c:\lxffxxr.exec:\lxffxxr.exe88⤵PID:3028
-
\??\c:\nnnhbb.exec:\nnnhbb.exe89⤵PID:3176
-
\??\c:\02860.exec:\02860.exe90⤵PID:4972
-
\??\c:\o444844.exec:\o444844.exe91⤵PID:1180
-
\??\c:\0626004.exec:\0626004.exe92⤵PID:2328
-
\??\c:\ffxrlxr.exec:\ffxrlxr.exe93⤵PID:4576
-
\??\c:\bnhntn.exec:\bnhntn.exe94⤵
- System Location Discovery: System Language Discovery
PID:2432 -
\??\c:\pdjvp.exec:\pdjvp.exe95⤵PID:884
-
\??\c:\608604.exec:\608604.exe96⤵PID:1016
-
\??\c:\24048.exec:\24048.exe97⤵PID:3172
-
\??\c:\840482.exec:\840482.exe98⤵PID:2408
-
\??\c:\bbnhnn.exec:\bbnhnn.exe99⤵PID:1564
-
\??\c:\dppjd.exec:\dppjd.exe100⤵PID:2400
-
\??\c:\2808660.exec:\2808660.exe101⤵PID:2028
-
\??\c:\vvjvp.exec:\vvjvp.exe102⤵PID:4056
-
\??\c:\28600.exec:\28600.exe103⤵PID:4004
-
\??\c:\26460.exec:\26460.exe104⤵PID:3256
-
\??\c:\ddvpj.exec:\ddvpj.exe105⤵PID:2236
-
\??\c:\5hhbtn.exec:\5hhbtn.exe106⤵PID:2912
-
\??\c:\u242082.exec:\u242082.exe107⤵PID:3528
-
\??\c:\hntnnh.exec:\hntnnh.exe108⤵PID:3736
-
\??\c:\9hbnhb.exec:\9hbnhb.exe109⤵PID:3904
-
\??\c:\1nbbtt.exec:\1nbbtt.exe110⤵PID:456
-
\??\c:\6286004.exec:\6286004.exe111⤵PID:2436
-
\??\c:\6082228.exec:\6082228.exe112⤵PID:3908
-
\??\c:\q08666.exec:\q08666.exe113⤵PID:3752
-
\??\c:\484226.exec:\484226.exe114⤵PID:4500
-
\??\c:\86262.exec:\86262.exe115⤵PID:2984
-
\??\c:\fffxrrr.exec:\fffxrrr.exe116⤵PID:672
-
\??\c:\22826.exec:\22826.exe117⤵PID:8
-
\??\c:\ntbtbb.exec:\ntbtbb.exe118⤵PID:3352
-
\??\c:\3jdpj.exec:\3jdpj.exe119⤵PID:1076
-
\??\c:\ttnhnn.exec:\ttnhnn.exe120⤵PID:4540
-
\??\c:\4084024.exec:\4084024.exe121⤵PID:1600
-
\??\c:\htbtnh.exec:\htbtnh.exe122⤵PID:2928