Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-11-2024 00:23
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe
Resource
win7-20240903-en
7 signatures
150 seconds
(Note: the task list above is truncated. The signatures, IoCs and process tree on this page come from the Windows 10 run — every memory IoC below is tagged behavioral2 and the header resource is win10v2004-20241007-en — not from the behavioral1 task on win7-20240903-en listed here.)
General
-
Target
7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe
-
Size
454KB
-
MD5
d399fec59036c3243272d5111689a68a
-
SHA1
719026f8e5441555cd2f2979c4618a79dde49350
-
SHA256
7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2
-
SHA512
7c4859c5b44146c74c431451f1a2c4fe66290bb9271437e534f33ead8e933af2cc007b2b7f263a7386684fda9ce37908b157c3aaa8a1b28b6b84dba184604000
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeK:q7Tc2NYHUrAwfMp3CDK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
(Note: all 62 hits are memory-only matches on the same 0x00400000–0x0042A000 image region of the spawned processes, and the same regions also match the UPX rule further down, so the family rule is firing on the unpacked image in memory; do not assume the packed on-disk file matches the same rule statically.)
resource yara_rule behavioral2/memory/3832-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2852-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/760-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-892-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-935-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-1436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4584 26226.exe 1748 806000.exe 1456 rlflxrf.exe 3580 rxflrxf.exe 2916 fxffxrx.exe 1112 42262.exe 3264 8200606.exe 2396 httnhh.exe 3456 680048.exe 760 s4606.exe 2196 q40044.exe 396 4622662.exe 316 246000.exe 2892 8800004.exe 4404 8822828.exe 1996 5ttnnn.exe 5020 dvjdd.exe 436 08240.exe 3344 6082440.exe 2860 3vdvp.exe 1340 6282660.exe 2700 266264.exe 5004 220240.exe 1500 280044.exe 1204 02222.exe 3908 nbbhht.exe 1312 vpjjd.exe 4464 jvdvj.exe 4824 frrlflx.exe 1896 jpppj.exe 1360 9ntnhh.exe 1388 8662288.exe 4912 04048.exe 4316 s0484.exe 4128 062648.exe 2852 42082.exe 4536 g4488.exe 2920 thnnhh.exe 228 822600.exe 980 s0266.exe 3692 thnttt.exe 3248 nhnhbb.exe 3376 rfllfff.exe 668 e26684.exe 1392 bbbttt.exe 2792 482660.exe 2320 pdjjj.exe 3532 dvddj.exe 4420 ttbtnt.exe 3960 vjpjd.exe 344 nhnnnn.exe 4880 pjvpp.exe 2140 4844004.exe 4724 840044.exe 4372 88442.exe 4416 8282228.exe 4928 0226046.exe 1184 024482.exe 4356 4004482.exe 4408 xxllrrl.exe 824 ppvvv.exe 560 086604.exe 776 4688226.exe 1272 7xxrrrl.exe -
resource yara_rule behavioral2/memory/3832-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-198-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1360-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-21-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1456-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-869-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-882-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-892-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). Caveat: the only IoC behind this signature is an open of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, a key that is also read during ordinary locale initialisation, so on its own it is a weak indicator. The "Process not Found" entries below are events whose PID the sandbox could not map back to a tracked process (most likely because that process had already exited), so they cannot be attributed to a specific dropped file.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 628264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6846866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8460004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0026604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u000048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0282266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
(Note: every write recorded below goes from a process to the child it has just spawned — the pid/target pairs follow the process tree exactly, three writes per pair — which is consistent with process creation itself rather than injection into an unrelated process; treat this signature as corroborating the spawn chain, not as evidence of code injection. PIDs are also recycled during the 150 s run — 4584 and 1748 belong first to 26226.exe/806000.exe and later to 9hbbhh.exe/5fxxrrr.exe — which is why the first two entries carry procid_target 146/147 while the rest start at 84; attribution keyed on PID alone is ambiguous.)
description pid Process procid_target PID 3832 wrote to memory of 4584 3832 7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe 146 PID 3832 wrote to memory of 4584 3832 7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe 146 PID 3832 wrote to memory of 4584 3832 7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe 146 PID 4584 wrote to memory of 1748 4584 26226.exe 147 PID 4584 wrote to memory of 1748 4584 26226.exe 147 PID 4584 wrote to memory of 1748 4584 26226.exe 147 PID 1748 wrote to memory of 1456 1748 806000.exe 84 PID 1748 wrote to memory of 1456 1748 806000.exe 84 PID 1748 wrote to memory of 1456 1748 806000.exe 84 PID 1456 wrote to memory of 3580 1456 rlflxrf.exe 85 PID 1456 wrote to memory of 3580 1456 rlflxrf.exe 85 PID 1456 wrote to memory of 3580 1456 rlflxrf.exe 85 PID 3580 wrote to memory of 2916 3580 rxflrxf.exe 86 PID 3580 wrote to memory of 2916 3580 rxflrxf.exe 86 PID 3580 wrote to memory of 2916 3580 rxflrxf.exe 86 PID 2916 wrote to memory of 1112 2916 fxffxrx.exe 87 PID 2916 wrote to memory of 1112 2916 fxffxrx.exe 87 PID 2916 wrote to memory of 1112 2916 fxffxrx.exe 87 PID 1112 wrote to memory of 3264 1112 42262.exe 88 PID 1112 wrote to memory of 3264 1112 42262.exe 88 PID 1112 wrote to memory of 3264 1112 42262.exe 88 PID 3264 wrote to memory of 2396 3264 8200606.exe 89 PID 3264 wrote to memory of 2396 3264 8200606.exe 89 PID 3264 wrote to memory of 2396 3264 8200606.exe 89 PID 2396 wrote to memory of 3456 2396 httnhh.exe 90 PID 2396 wrote to memory of 3456 2396 httnhh.exe 90 PID 2396 wrote to memory of 3456 2396 httnhh.exe 90 PID 3456 wrote to memory of 760 3456 680048.exe 91 PID 3456 wrote to memory of 760 3456 680048.exe 91 PID 3456 wrote to memory of 760 3456 680048.exe 91 PID 760 wrote to memory of 2196 760 s4606.exe 92 PID 760 wrote to memory of 2196 760 s4606.exe 92 PID 760 wrote to memory of 2196 760 s4606.exe 92 PID 2196 wrote to memory of 396 2196 q40044.exe 93 PID 2196 wrote to 
memory of 396 2196 q40044.exe 93 PID 2196 wrote to memory of 396 2196 q40044.exe 93 PID 396 wrote to memory of 316 396 4622662.exe 94 PID 396 wrote to memory of 316 396 4622662.exe 94 PID 396 wrote to memory of 316 396 4622662.exe 94 PID 316 wrote to memory of 2892 316 246000.exe 95 PID 316 wrote to memory of 2892 316 246000.exe 95 PID 316 wrote to memory of 2892 316 246000.exe 95 PID 2892 wrote to memory of 4404 2892 8800004.exe 96 PID 2892 wrote to memory of 4404 2892 8800004.exe 96 PID 2892 wrote to memory of 4404 2892 8800004.exe 96 PID 4404 wrote to memory of 1996 4404 8822828.exe 97 PID 4404 wrote to memory of 1996 4404 8822828.exe 97 PID 4404 wrote to memory of 1996 4404 8822828.exe 97 PID 1996 wrote to memory of 5020 1996 5ttnnn.exe 98 PID 1996 wrote to memory of 5020 1996 5ttnnn.exe 98 PID 1996 wrote to memory of 5020 1996 5ttnnn.exe 98 PID 5020 wrote to memory of 436 5020 dvjdd.exe 99 PID 5020 wrote to memory of 436 5020 dvjdd.exe 99 PID 5020 wrote to memory of 436 5020 dvjdd.exe 99 PID 436 wrote to memory of 3344 436 08240.exe 100 PID 436 wrote to memory of 3344 436 08240.exe 100 PID 436 wrote to memory of 3344 436 08240.exe 100 PID 3344 wrote to memory of 2860 3344 6082440.exe 101 PID 3344 wrote to memory of 2860 3344 6082440.exe 101 PID 3344 wrote to memory of 2860 3344 6082440.exe 101 PID 2860 wrote to memory of 1340 2860 3vdvp.exe 102 PID 2860 wrote to memory of 1340 2860 3vdvp.exe 102 PID 2860 wrote to memory of 1340 2860 3vdvp.exe 102 PID 1340 wrote to memory of 2700 1340 6282660.exe 103
Processes
(Note: the tree below is a single linear chain 122 levels deep — each dropped executable spawns exactly one child, and every child is written to and run from the root of the system volume (\??\c:\<name>.exe), which is itself a useful detection hook: executables created and executed at the drive root. PIDs are reused within the run (e.g. PID 4584, 1748, 316, 2892, 2700, 1500, 4536, 228, 3248, 2140, 560 and 776 each appear twice), so do not key on PID alone when correlating with the IoC lists above.)
-
C:\Users\Admin\AppData\Local\Temp\7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe"C:\Users\Admin\AppData\Local\Temp\7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\26226.exec:\26226.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\806000.exec:\806000.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\rlflxrf.exec:\rlflxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\rxflrxf.exec:\rxflrxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\fxffxrx.exec:\fxffxrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\42262.exec:\42262.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\8200606.exec:\8200606.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\httnhh.exec:\httnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\680048.exec:\680048.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\s4606.exec:\s4606.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\q40044.exec:\q40044.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\4622662.exec:\4622662.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\246000.exec:\246000.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\8800004.exec:\8800004.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\8822828.exec:\8822828.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\5ttnnn.exec:\5ttnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\dvjdd.exec:\dvjdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\08240.exec:\08240.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\6082440.exec:\6082440.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\3vdvp.exec:\3vdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\6282660.exec:\6282660.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\266264.exec:\266264.exe23⤵
- Executes dropped EXE
PID:2700 -
\??\c:\220240.exec:\220240.exe24⤵
- Executes dropped EXE
PID:5004 -
\??\c:\280044.exec:\280044.exe25⤵
- Executes dropped EXE
PID:1500 -
\??\c:\02222.exec:\02222.exe26⤵
- Executes dropped EXE
PID:1204 -
\??\c:\nbbhht.exec:\nbbhht.exe27⤵
- Executes dropped EXE
PID:3908 -
\??\c:\vpjjd.exec:\vpjjd.exe28⤵
- Executes dropped EXE
PID:1312 -
\??\c:\jvdvj.exec:\jvdvj.exe29⤵
- Executes dropped EXE
PID:4464 -
\??\c:\frrlflx.exec:\frrlflx.exe30⤵
- Executes dropped EXE
PID:4824 -
\??\c:\jpppj.exec:\jpppj.exe31⤵
- Executes dropped EXE
PID:1896 -
\??\c:\9ntnhh.exec:\9ntnhh.exe32⤵
- Executes dropped EXE
PID:1360 -
\??\c:\8662288.exec:\8662288.exe33⤵
- Executes dropped EXE
PID:1388 -
\??\c:\04048.exec:\04048.exe34⤵
- Executes dropped EXE
PID:4912 -
\??\c:\s0484.exec:\s0484.exe35⤵
- Executes dropped EXE
PID:4316 -
\??\c:\062648.exec:\062648.exe36⤵
- Executes dropped EXE
PID:4128 -
\??\c:\42082.exec:\42082.exe37⤵
- Executes dropped EXE
PID:2852 -
\??\c:\g4488.exec:\g4488.exe38⤵
- Executes dropped EXE
PID:4536 -
\??\c:\thnnhh.exec:\thnnhh.exe39⤵
- Executes dropped EXE
PID:2920 -
\??\c:\822600.exec:\822600.exe40⤵
- Executes dropped EXE
PID:228 -
\??\c:\s0266.exec:\s0266.exe41⤵
- Executes dropped EXE
PID:980 -
\??\c:\thnttt.exec:\thnttt.exe42⤵
- Executes dropped EXE
PID:3692 -
\??\c:\nhnhbb.exec:\nhnhbb.exe43⤵
- Executes dropped EXE
PID:3248 -
\??\c:\rfllfff.exec:\rfllfff.exe44⤵
- Executes dropped EXE
PID:3376 -
\??\c:\e26684.exec:\e26684.exe45⤵
- Executes dropped EXE
PID:668 -
\??\c:\bbbttt.exec:\bbbttt.exe46⤵
- Executes dropped EXE
PID:1392 -
\??\c:\482660.exec:\482660.exe47⤵
- Executes dropped EXE
PID:2792 -
\??\c:\pdjjj.exec:\pdjjj.exe48⤵
- Executes dropped EXE
PID:2320 -
\??\c:\dvddj.exec:\dvddj.exe49⤵
- Executes dropped EXE
PID:3532 -
\??\c:\ttbtnt.exec:\ttbtnt.exe50⤵
- Executes dropped EXE
PID:4420 -
\??\c:\vjpjd.exec:\vjpjd.exe51⤵
- Executes dropped EXE
PID:3960 -
\??\c:\nhnnnn.exec:\nhnnnn.exe52⤵
- Executes dropped EXE
PID:344 -
\??\c:\pjvpp.exec:\pjvpp.exe53⤵
- Executes dropped EXE
PID:4880 -
\??\c:\4844004.exec:\4844004.exe54⤵
- Executes dropped EXE
PID:2140 -
\??\c:\840044.exec:\840044.exe55⤵
- Executes dropped EXE
PID:4724 -
\??\c:\88442.exec:\88442.exe56⤵
- Executes dropped EXE
PID:4372 -
\??\c:\8282228.exec:\8282228.exe57⤵
- Executes dropped EXE
PID:4416 -
\??\c:\0226046.exec:\0226046.exe58⤵
- Executes dropped EXE
PID:4928 -
\??\c:\024482.exec:\024482.exe59⤵
- Executes dropped EXE
PID:1184 -
\??\c:\4004482.exec:\4004482.exe60⤵
- Executes dropped EXE
PID:4356 -
\??\c:\xxllrrl.exec:\xxllrrl.exe61⤵
- Executes dropped EXE
PID:4408 -
\??\c:\ppvvv.exec:\ppvvv.exe62⤵
- Executes dropped EXE
PID:824 -
\??\c:\086604.exec:\086604.exe63⤵
- Executes dropped EXE
PID:560 -
\??\c:\4688226.exec:\4688226.exe64⤵
- Executes dropped EXE
PID:776 -
\??\c:\7xxrrrl.exec:\7xxrrrl.exe65⤵
- Executes dropped EXE
PID:1272 -
\??\c:\9hbbhh.exec:\9hbbhh.exe66⤵PID:4584
-
\??\c:\5fxxrrr.exec:\5fxxrrr.exe67⤵PID:1748
-
\??\c:\464484.exec:\464484.exe68⤵PID:4748
-
\??\c:\lllxxrl.exec:\lllxxrl.exe69⤵PID:4700
-
\??\c:\4022662.exec:\4022662.exe70⤵PID:2208
-
\??\c:\480044.exec:\480044.exe71⤵PID:2160
-
\??\c:\w02266.exec:\w02266.exe72⤵PID:5028
-
\??\c:\vpdvp.exec:\vpdvp.exe73⤵PID:5100
-
\??\c:\g2440.exec:\g2440.exe74⤵PID:3888
-
\??\c:\1hhbtt.exec:\1hhbtt.exe75⤵PID:4860
-
\??\c:\lllffxr.exec:\lllffxr.exe76⤵PID:3348
-
\??\c:\48822.exec:\48822.exe77⤵PID:316
-
\??\c:\hhnbhb.exec:\hhnbhb.exe78⤵PID:2892
-
\??\c:\888226.exec:\888226.exe79⤵PID:2452
-
\??\c:\282824.exec:\282824.exe80⤵PID:1016
-
\??\c:\486044.exec:\486044.exe81⤵PID:3524
-
\??\c:\8460044.exec:\8460044.exe82⤵PID:3764
-
\??\c:\5jppp.exec:\5jppp.exe83⤵PID:4332
-
\??\c:\80660.exec:\80660.exe84⤵PID:1716
-
\??\c:\9xflfrx.exec:\9xflfrx.exe85⤵PID:900
-
\??\c:\g4600.exec:\g4600.exe86⤵PID:2700
-
\??\c:\fxlfrlr.exec:\fxlfrlr.exe87⤵PID:1500
-
\??\c:\5lxxrrr.exec:\5lxxrrr.exe88⤵PID:464
-
\??\c:\httnhh.exec:\httnhh.exe89⤵PID:4796
-
\??\c:\nhbttt.exec:\nhbttt.exe90⤵PID:652
-
\??\c:\8248002.exec:\8248002.exe91⤵PID:1636
-
\??\c:\2844888.exec:\2844888.exe92⤵PID:1976
-
\??\c:\846000.exec:\846000.exe93⤵PID:5092
-
\??\c:\vvpdp.exec:\vvpdp.exe94⤵PID:100
-
\??\c:\6420044.exec:\6420044.exe95⤵PID:224
-
\??\c:\8244006.exec:\8244006.exe96⤵PID:4316
-
\??\c:\868448.exec:\868448.exe97⤵PID:1728
-
\??\c:\862662.exec:\862662.exe98⤵PID:3180
-
\??\c:\40226.exec:\40226.exe99⤵PID:4536
-
\??\c:\pjvpv.exec:\pjvpv.exe100⤵PID:228
-
\??\c:\hhhbtb.exec:\hhhbtb.exe101⤵PID:3152
-
\??\c:\rxfrllf.exec:\rxfrllf.exe102⤵PID:2036
-
\??\c:\vjddd.exec:\vjddd.exe103⤵PID:3248
-
\??\c:\46604.exec:\46604.exe104⤵PID:3000
-
\??\c:\600662.exec:\600662.exe105⤵PID:1640
-
\??\c:\5xxrllf.exec:\5xxrllf.exe106⤵PID:2600
-
\??\c:\nhtthh.exec:\nhtthh.exe107⤵PID:2820
-
\??\c:\640488.exec:\640488.exe108⤵PID:3964
-
\??\c:\ffxxrrl.exec:\ffxxrrl.exe109⤵PID:1096
-
\??\c:\nhnhbt.exec:\nhnhbt.exe110⤵PID:1296
-
\??\c:\fffffff.exec:\fffffff.exe111⤵PID:2436
-
\??\c:\hbhbbb.exec:\hbhbbb.exe112⤵PID:2140
-
\??\c:\rrxrllf.exec:\rrxrllf.exe113⤵PID:4996
-
\??\c:\hhbbhn.exec:\hhbbhn.exe114⤵PID:2392
-
\??\c:\htntbb.exec:\htntbb.exe115⤵PID:4184
-
\??\c:\hbbhhh.exec:\hbbhhh.exe116⤵PID:3328
-
\??\c:\68266.exec:\68266.exe117⤵PID:1656
-
\??\c:\664484.exec:\664484.exe118⤵PID:1464
-
\??\c:\xfxfxll.exec:\xfxfxll.exe119⤵PID:4636
-
\??\c:\httntt.exec:\httntt.exe120⤵PID:560
-
\??\c:\fxlxxxf.exec:\fxlxxxf.exe121⤵PID:776
-
\??\c:\64602.exec:\64602.exe122⤵PID:2340