Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 02:58
Behavioral task
behavioral1
Sample
a2fc275d335e5ec9de13b543500fa370e97d1269147be07220779d678b266420.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
a2fc275d335e5ec9de13b543500fa370e97d1269147be07220779d678b266420.exe
-
Size
331KB
-
MD5
958137e15ddb683bdab8ef037d82db90
-
SHA1
0ae6dd802f6b7e43f069b94c3d3894f5f5d3896b
-
SHA256
a2fc275d335e5ec9de13b543500fa370e97d1269147be07220779d678b266420
-
SHA512
938fe091f9a99a6429b75a3dbab82d71a37cd38fe83c0985ec1fb8b09629c11652ac5be42c964197ba76e2f63cbe53f9d90b3ed45840135121656d7bf39468bf
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tB:94wFHoStJdSjylh2b77BoTMA9gX59sT5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3972-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4780-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1180-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2512-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1524-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1816-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2704-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2592-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3804-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3756-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1252-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1064-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2148-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/396-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1128-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3480-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2492-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2912-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3156-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3768-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2392-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1200-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1472-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/988-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2960-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1552-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1740-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3068-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3408-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1968-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1888-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3492-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1012-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1156-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4576-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2980-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1244-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-496-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3296-521-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-634-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1668-1013-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4440 c062260.exe 4932 u620488.exe 1968 jjddj.exe 4780 3pppj.exe 3408 1frlfff.exe 4712 w84222.exe 3068 a0604.exe 4952 xflffxr.exe 1740 9llfxxl.exe 1616 4626226.exe 1552 7pppj.exe 2960 m2822.exe 3692 lffxrlf.exe 988 1tnnhn.exe 2940 g4664.exe 1432 3bbthn.exe 1472 4860826.exe 1200 rlrfxrl.exe 2392 0688222.exe 4004 k68226.exe 3768 pjjvj.exe 208 1vvpj.exe 2244 rllffxr.exe 3156 llffxxr.exe 4028 frxrlrl.exe 3924 88848.exe 3324 a8040.exe 4480 djppj.exe 2912 2066000.exe 4964 hhbhbb.exe 2492 nhbtnh.exe 5040 q68888.exe 224 tttnhb.exe 2040 nbnhnn.exe 1280 fxfxfxf.exe 4364 0848228.exe 3380 pvdpj.exe 4784 w02204.exe 3480 80260.exe 3144 8288222.exe 1128 2806004.exe 396 rxffxxr.exe 4916 866488.exe 4416 lfxrlfx.exe 3244 4426262.exe 2400 6004822.exe 3560 5bhbbb.exe 3028 jdddj.exe 1064 rlrrrll.exe 3520 0282660.exe 3364 468822.exe 3276 ntbbtt.exe 796 60220.exe 1656 9thnhh.exe 2908 lflfffx.exe 4820 c404888.exe 1252 m8822.exe 4228 q06664.exe 3516 2604260.exe 1924 2688484.exe 4716 1ppjv.exe 2864 3rlflfx.exe 4424 40260.exe 5052 c404826.exe -
resource yara_rule behavioral2/memory/3972-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023c28-3.dat upx behavioral2/memory/3972-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c8b-9.dat upx behavioral2/memory/4440-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-11.dat upx behavioral2/memory/1968-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-24.dat upx behavioral2/memory/4780-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-29.dat upx behavioral2/files/0x0007000000023c9e-36.dat upx behavioral2/files/0x0007000000023ca3-61.dat upx behavioral2/files/0x0007000000023ca5-70.dat upx behavioral2/files/0x0007000000023caa-95.dat upx behavioral2/files/0x0007000000023cad-110.dat upx behavioral2/memory/4028-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-147.dat upx behavioral2/memory/2864-230-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1180-276-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2512-286-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1524-301-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1816-279-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3248-273-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2704-266-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2592-253-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3804-250-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3756-239-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1924-225-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1252-218-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4820-215-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1064-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2148-306-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3244-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4416-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/396-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1128-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3480-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2040-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/224-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-156.dat upx behavioral2/memory/2492-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-151.dat upx behavioral2/memory/2912-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-142.dat upx behavioral2/memory/4480-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-137.dat upx behavioral2/files/0x0007000000023cb2-133.dat upx behavioral2/files/0x0007000000023cb1-129.dat upx behavioral2/files/0x0007000000023cb0-124.dat upx behavioral2/memory/3156-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-119.dat upx behavioral2/files/0x0007000000023cae-115.dat upx behavioral2/memory/208-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3768-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-105.dat upx behavioral2/memory/4004-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-100.dat upx behavioral2/memory/2392-97-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1200-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-90.dat upx behavioral2/memory/1472-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-85.dat upx behavioral2/memory/1432-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-80.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2400488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q84040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u620488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o400604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxlxrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3972 wrote to memory of 4440 3972 a2fc275d335e5ec9de13b543500fa370e97d1269147be07220779d678b266420.exe 82 PID 3972 wrote to memory of 4440 3972 a2fc275d335e5ec9de13b543500fa370e97d1269147be07220779d678b266420.exe 82 PID 3972 wrote to memory of 4440 3972 a2fc275d335e5ec9de13b543500fa370e97d1269147be07220779d678b266420.exe 82 PID 4440 wrote to memory of 4932 4440 c062260.exe 83 PID 4440 wrote to memory of 4932 4440 c062260.exe 83 PID 4440 wrote to memory of 4932 4440 c062260.exe 83 PID 4932 wrote to memory of 1968 4932 u620488.exe 84 PID 4932 wrote to memory of 1968 4932 u620488.exe 84 PID 4932 wrote to memory of 1968 4932 u620488.exe 84 PID 1968 wrote to memory of 4780 1968 jjddj.exe 85 PID 1968 wrote to memory of 4780 1968 jjddj.exe 85 PID 1968 wrote to memory of 4780 1968 jjddj.exe 85 PID 4780 wrote to memory of 3408 4780 3pppj.exe 86 PID 4780 wrote to memory of 3408 4780 3pppj.exe 86 PID 4780 wrote to memory of 3408 4780 3pppj.exe 86 PID 3408 wrote to memory of 4712 3408 1frlfff.exe 165 PID 3408 wrote to memory of 4712 3408 1frlfff.exe 165 PID 3408 wrote to memory of 4712 3408 1frlfff.exe 165 PID 4712 wrote to memory of 3068 4712 w84222.exe 88 PID 4712 wrote to memory of 3068 4712 w84222.exe 88 PID 4712 wrote to memory of 3068 4712 w84222.exe 88 PID 3068 wrote to memory of 4952 3068 a0604.exe 89 PID 3068 wrote to memory of 4952 3068 a0604.exe 89 PID 3068 wrote to memory of 4952 3068 a0604.exe 89 PID 4952 wrote to memory of 1740 4952 xflffxr.exe 90 PID 4952 wrote to memory of 1740 4952 xflffxr.exe 90 PID 4952 wrote to memory of 1740 4952 xflffxr.exe 90 PID 1740 wrote to memory of 1616 1740 9llfxxl.exe 91 PID 1740 wrote to memory of 1616 1740 9llfxxl.exe 91 PID 1740 wrote to memory of 1616 1740 9llfxxl.exe 91 PID 1616 wrote to memory of 1552 1616 4626226.exe 171 PID 1616 wrote to memory of 1552 1616 4626226.exe 171 PID 1616 wrote to memory of 1552 1616 4626226.exe 171 PID 1552 wrote to memory of 2960 1552 7pppj.exe 93 PID 
1552 wrote to memory of 2960 1552 7pppj.exe 93 PID 1552 wrote to memory of 2960 1552 7pppj.exe 93 PID 2960 wrote to memory of 3692 2960 m2822.exe 173 PID 2960 wrote to memory of 3692 2960 m2822.exe 173 PID 2960 wrote to memory of 3692 2960 m2822.exe 173 PID 3692 wrote to memory of 988 3692 lffxrlf.exe 95 PID 3692 wrote to memory of 988 3692 lffxrlf.exe 95 PID 3692 wrote to memory of 988 3692 lffxrlf.exe 95 PID 988 wrote to memory of 2940 988 1tnnhn.exe 96 PID 988 wrote to memory of 2940 988 1tnnhn.exe 96 PID 988 wrote to memory of 2940 988 1tnnhn.exe 96 PID 2940 wrote to memory of 1432 2940 g4664.exe 97 PID 2940 wrote to memory of 1432 2940 g4664.exe 97 PID 2940 wrote to memory of 1432 2940 g4664.exe 97 PID 1432 wrote to memory of 1472 1432 3bbthn.exe 98 PID 1432 wrote to memory of 1472 1432 3bbthn.exe 98 PID 1432 wrote to memory of 1472 1432 3bbthn.exe 98 PID 1472 wrote to memory of 1200 1472 4860826.exe 99 PID 1472 wrote to memory of 1200 1472 4860826.exe 99 PID 1472 wrote to memory of 1200 1472 4860826.exe 99 PID 1200 wrote to memory of 2392 1200 rlrfxrl.exe 100 PID 1200 wrote to memory of 2392 1200 rlrfxrl.exe 100 PID 1200 wrote to memory of 2392 1200 rlrfxrl.exe 100 PID 2392 wrote to memory of 4004 2392 0688222.exe 101 PID 2392 wrote to memory of 4004 2392 0688222.exe 101 PID 2392 wrote to memory of 4004 2392 0688222.exe 101 PID 4004 wrote to memory of 3768 4004 k68226.exe 102 PID 4004 wrote to memory of 3768 4004 k68226.exe 102 PID 4004 wrote to memory of 3768 4004 k68226.exe 102 PID 3768 wrote to memory of 208 3768 pjjvj.exe 180
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2fc275d335e5ec9de13b543500fa370e97d1269147be07220779d678b266420.exe"C:\Users\Admin\AppData\Local\Temp\a2fc275d335e5ec9de13b543500fa370e97d1269147be07220779d678b266420.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\c062260.exec:\c062260.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\u620488.exec:\u620488.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\jjddj.exec:\jjddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\3pppj.exec:\3pppj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\1frlfff.exec:\1frlfff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\w84222.exec:\w84222.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\a0604.exec:\a0604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\xflffxr.exec:\xflffxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\9llfxxl.exec:\9llfxxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\4626226.exec:\4626226.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\7pppj.exec:\7pppj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\m2822.exec:\m2822.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\lffxrlf.exec:\lffxrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\1tnnhn.exec:\1tnnhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
\??\c:\g4664.exec:\g4664.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\3bbthn.exec:\3bbthn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\4860826.exec:\4860826.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\rlrfxrl.exec:\rlrfxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\0688222.exec:\0688222.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\k68226.exec:\k68226.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\pjjvj.exec:\pjjvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\1vvpj.exec:\1vvpj.exe23⤵
- Executes dropped EXE
PID:208 -
\??\c:\rllffxr.exec:\rllffxr.exe24⤵
- Executes dropped EXE
PID:2244 -
\??\c:\llffxxr.exec:\llffxxr.exe25⤵
- Executes dropped EXE
PID:3156 -
\??\c:\frxrlrl.exec:\frxrlrl.exe26⤵
- Executes dropped EXE
PID:4028 -
\??\c:\88848.exec:\88848.exe27⤵
- Executes dropped EXE
PID:3924 -
\??\c:\a8040.exec:\a8040.exe28⤵
- Executes dropped EXE
PID:3324 -
\??\c:\djppj.exec:\djppj.exe29⤵
- Executes dropped EXE
PID:4480 -
\??\c:\2066000.exec:\2066000.exe30⤵
- Executes dropped EXE
PID:2912 -
\??\c:\hhbhbb.exec:\hhbhbb.exe31⤵
- Executes dropped EXE
PID:4964 -
\??\c:\nhbtnh.exec:\nhbtnh.exe32⤵
- Executes dropped EXE
PID:2492 -
\??\c:\q68888.exec:\q68888.exe33⤵
- Executes dropped EXE
PID:5040 -
\??\c:\tttnhb.exec:\tttnhb.exe34⤵
- Executes dropped EXE
PID:224 -
\??\c:\nbnhnn.exec:\nbnhnn.exe35⤵
- Executes dropped EXE
PID:2040 -
\??\c:\fxfxfxf.exec:\fxfxfxf.exe36⤵
- Executes dropped EXE
PID:1280 -
\??\c:\0848228.exec:\0848228.exe37⤵
- Executes dropped EXE
PID:4364 -
\??\c:\pvdpj.exec:\pvdpj.exe38⤵
- Executes dropped EXE
PID:3380 -
\??\c:\w02204.exec:\w02204.exe39⤵
- Executes dropped EXE
PID:4784 -
\??\c:\80260.exec:\80260.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3480 -
\??\c:\8288222.exec:\8288222.exe41⤵
- Executes dropped EXE
PID:3144 -
\??\c:\2806004.exec:\2806004.exe42⤵
- Executes dropped EXE
PID:1128 -
\??\c:\rxffxxr.exec:\rxffxxr.exe43⤵
- Executes dropped EXE
PID:396 -
\??\c:\866488.exec:\866488.exe44⤵
- Executes dropped EXE
PID:4916 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe45⤵
- Executes dropped EXE
PID:4416 -
\??\c:\4426262.exec:\4426262.exe46⤵
- Executes dropped EXE
PID:3244 -
\??\c:\6004822.exec:\6004822.exe47⤵
- Executes dropped EXE
PID:2400 -
\??\c:\5bhbbb.exec:\5bhbbb.exe48⤵
- Executes dropped EXE
PID:3560 -
\??\c:\jdddj.exec:\jdddj.exe49⤵
- Executes dropped EXE
PID:3028 -
\??\c:\rlrrrll.exec:\rlrrrll.exe50⤵
- Executes dropped EXE
PID:1064 -
\??\c:\0282660.exec:\0282660.exe51⤵
- Executes dropped EXE
PID:3520 -
\??\c:\468822.exec:\468822.exe52⤵
- Executes dropped EXE
PID:3364 -
\??\c:\ntbbtt.exec:\ntbbtt.exe53⤵
- Executes dropped EXE
PID:3276 -
\??\c:\60220.exec:\60220.exe54⤵
- Executes dropped EXE
PID:796 -
\??\c:\9thnhh.exec:\9thnhh.exe55⤵
- Executes dropped EXE
PID:1656 -
\??\c:\lflfffx.exec:\lflfffx.exe56⤵
- Executes dropped EXE
PID:2908 -
\??\c:\c404888.exec:\c404888.exe57⤵
- Executes dropped EXE
PID:4820 -
\??\c:\m8822.exec:\m8822.exe58⤵
- Executes dropped EXE
PID:1252 -
\??\c:\q06664.exec:\q06664.exe59⤵
- Executes dropped EXE
PID:4228 -
\??\c:\2604260.exec:\2604260.exe60⤵
- Executes dropped EXE
PID:3516 -
\??\c:\2688484.exec:\2688484.exe61⤵
- Executes dropped EXE
PID:1924 -
\??\c:\1ppjv.exec:\1ppjv.exe62⤵
- Executes dropped EXE
PID:4716 -
\??\c:\3rlflfx.exec:\3rlflfx.exe63⤵
- Executes dropped EXE
PID:2864 -
\??\c:\40260.exec:\40260.exe64⤵
- Executes dropped EXE
PID:4424 -
\??\c:\c404826.exec:\c404826.exe65⤵
- Executes dropped EXE
PID:5052 -
\??\c:\xllfrlf.exec:\xllfrlf.exe66⤵PID:4236
-
\??\c:\o804828.exec:\o804828.exe67⤵PID:3756
-
\??\c:\jvvpj.exec:\jvvpj.exe68⤵PID:3320
-
\??\c:\ffllxxr.exec:\ffllxxr.exe69⤵PID:860
-
\??\c:\bnnnhh.exec:\bnnnhh.exe70⤵PID:3724
-
\??\c:\tnbttn.exec:\tnbttn.exe71⤵PID:3900
-
\??\c:\662880.exec:\662880.exe72⤵PID:3804
-
\??\c:\6826000.exec:\6826000.exe73⤵PID:2592
-
\??\c:\24600.exec:\24600.exe74⤵PID:4312
-
\??\c:\1tbtbb.exec:\1tbtbb.exe75⤵PID:4176
-
\??\c:\88486.exec:\88486.exe76⤵PID:3512
-
\??\c:\2666048.exec:\2666048.exe77⤵PID:5020
-
\??\c:\64220.exec:\64220.exe78⤵PID:1244
-
\??\c:\w04640.exec:\w04640.exe79⤵PID:2704
-
\??\c:\pdjdp.exec:\pdjdp.exe80⤵PID:4976
-
\??\c:\k66048.exec:\k66048.exe81⤵PID:3928
-
\??\c:\426082.exec:\426082.exe82⤵PID:3248
-
\??\c:\rrrfxxl.exec:\rrrfxxl.exe83⤵PID:1180
-
\??\c:\202088.exec:\202088.exe84⤵PID:1816
-
\??\c:\q46022.exec:\q46022.exe85⤵PID:4712
-
\??\c:\2624820.exec:\2624820.exe86⤵PID:4084
-
\??\c:\0486204.exec:\0486204.exe87⤵PID:2512
-
\??\c:\tbhhhb.exec:\tbhhhb.exe88⤵PID:3348
-
\??\c:\8604884.exec:\8604884.exe89⤵PID:3188
-
\??\c:\8020048.exec:\8020048.exe90⤵PID:3440
-
\??\c:\k06600.exec:\k06600.exe91⤵PID:1552
-
\??\c:\6066246.exec:\6066246.exe92⤵PID:4188
-
\??\c:\pvdpj.exec:\pvdpj.exe93⤵PID:3692
-
\??\c:\5xxfxff.exec:\5xxfxff.exe94⤵PID:1524
-
\??\c:\7ppjd.exec:\7ppjd.exe95⤵PID:1684
-
\??\c:\7fffxxx.exec:\7fffxxx.exe96⤵PID:2148
-
\??\c:\28882.exec:\28882.exe97⤵PID:2392
-
\??\c:\400482.exec:\400482.exe98⤵PID:4984
-
\??\c:\nhhttb.exec:\nhhttb.exe99⤵PID:2180
-
\??\c:\e62600.exec:\e62600.exe100⤵PID:208
-
\??\c:\62482.exec:\62482.exe101⤵PID:3156
-
\??\c:\640262.exec:\640262.exe102⤵PID:3992
-
\??\c:\dddvv.exec:\dddvv.exe103⤵PID:3324
-
\??\c:\c408488.exec:\c408488.exe104⤵PID:4528
-
\??\c:\rrxxrxx.exec:\rrxxrxx.exe105⤵PID:3004
-
\??\c:\xxffffl.exec:\xxffffl.exe106⤵PID:2492
-
\??\c:\9bbtnn.exec:\9bbtnn.exe107⤵PID:5004
-
\??\c:\1lrxxxr.exec:\1lrxxxr.exe108⤵PID:2692
-
\??\c:\040842.exec:\040842.exe109⤵PID:768
-
\??\c:\g2824.exec:\g2824.exe110⤵PID:1280
-
\??\c:\8226660.exec:\8226660.exe111⤵PID:1096
-
\??\c:\nhhnnb.exec:\nhhnnb.exe112⤵PID:4784
-
\??\c:\4882660.exec:\4882660.exe113⤵PID:1888
-
\??\c:\602224.exec:\602224.exe114⤵PID:3492
-
\??\c:\3ffxfff.exec:\3ffxfff.exe115⤵PID:396
-
\??\c:\lffxllf.exec:\lffxllf.exe116⤵PID:2824
-
\??\c:\0886444.exec:\0886444.exe117⤵PID:4848
-
\??\c:\0666048.exec:\0666048.exe118⤵PID:3836
-
\??\c:\bbhbbb.exec:\bbhbbb.exe119⤵PID:2068
-
\??\c:\a2228.exec:\a2228.exe120⤵PID:1028
-
\??\c:\8426444.exec:\8426444.exe121⤵PID:1012
-
\??\c:\ffrlrrl.exec:\ffrlrrl.exe122⤵PID:1460