Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a9e70e52ae16cfafda4973fc762c16f143ad5057d94aedcfbfd31615e8f9f822.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
a9e70e52ae16cfafda4973fc762c16f143ad5057d94aedcfbfd31615e8f9f822.exe
-
Size
455KB
-
MD5
cea7f83c18ba553af131d7f9b25942b7
-
SHA1
8941504acd8cdc4f72a0cec54dc80cfdc160a1af
-
SHA256
a9e70e52ae16cfafda4973fc762c16f143ad5057d94aedcfbfd31615e8f9f822
-
SHA512
6a51961d20dba6eaabd9b43ea6b0592bb225b22d4a5d4df8b200ac09aafa0d4a59f2c363450e3cd361ceb4bc3ad67a2b45a52356c1f11f74dbbf49d7843feb89
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/5028-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3668-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1436-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-1288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-1355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5028 rxxrlll.exe 4360 462044.exe 1912 u422266.exe 3504 djpjd.exe 3364 lflflll.exe 4100 6686004.exe 3612 fxfxrff.exe 2308 rxlfrxr.exe 3608 k80448.exe 2796 5htnhh.exe 2220 nbbbtt.exe 1220 0622606.exe 2720 o242884.exe 2728 dddvv.exe 3872 6048226.exe 952 22060.exe 3824 2066004.exe 2108 rxxrfxr.exe 2348 bbtnhh.exe 2284 20048.exe 2576 00260.exe 1260 4426042.exe 2392 ffllfxx.exe 5068 u660048.exe 3852 1rfxffl.exe 3668 08604.exe 4912 lxrlllr.exe 3832 2660444.exe 4524 0680646.exe 5024 vpvpp.exe 872 btnnnh.exe 2572 xrlfxrl.exe 4092 k68822.exe 1976 u404444.exe 4448 6286826.exe 4568 8448648.exe 2104 422084.exe 3964 hnhtht.exe 1028 5nbntb.exe 2092 488648.exe 4180 dvdpd.exe 3960 9jvpd.exe 2012 4888604.exe 1644 vjdjv.exe 4428 84486.exe 2304 2288260.exe 2388 1nnbnh.exe 3396 m4088.exe 2952 fxlflff.exe 4444 0486042.exe 616 lrlxxlf.exe 4200 4208888.exe 3400 q62822.exe 932 jvvjv.exe 3364 bbntnb.exe 4480 pppjd.exe 4380 8282660.exe 2832 4482008.exe 4540 82608.exe 316 fxxxlrl.exe 4344 82882.exe 4576 20026.exe 624 u400444.exe 620 hbhbnn.exe -
resource yara_rule behavioral2/memory/5028-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3852-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1676-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-704-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2288260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 442604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8402268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 664604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2848826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 548 wrote to memory of 5028 548 a9e70e52ae16cfafda4973fc762c16f143ad5057d94aedcfbfd31615e8f9f822.exe 84 PID 548 wrote to memory of 5028 548 a9e70e52ae16cfafda4973fc762c16f143ad5057d94aedcfbfd31615e8f9f822.exe 84 PID 548 wrote to memory of 5028 548 a9e70e52ae16cfafda4973fc762c16f143ad5057d94aedcfbfd31615e8f9f822.exe 84 PID 5028 wrote to memory of 4360 5028 rxxrlll.exe 85 PID 5028 wrote to memory of 4360 5028 rxxrlll.exe 85 PID 5028 wrote to memory of 4360 5028 rxxrlll.exe 85 PID 4360 wrote to memory of 1912 4360 462044.exe 86 PID 4360 wrote to memory of 1912 4360 462044.exe 86 PID 4360 wrote to memory of 1912 4360 462044.exe 86 PID 1912 wrote to memory of 3504 1912 u422266.exe 87 PID 1912 wrote to memory of 3504 1912 u422266.exe 87 PID 1912 wrote to memory of 3504 1912 u422266.exe 87 PID 3504 wrote to memory of 3364 3504 djpjd.exe 88 PID 3504 wrote to memory of 3364 3504 djpjd.exe 88 PID 3504 wrote to memory of 3364 3504 djpjd.exe 88 PID 3364 wrote to memory of 4100 3364 lflflll.exe 89 PID 3364 wrote to memory of 4100 3364 lflflll.exe 89 PID 3364 wrote to memory of 4100 3364 lflflll.exe 89 PID 4100 wrote to memory of 3612 4100 6686004.exe 90 PID 4100 wrote to memory of 3612 4100 6686004.exe 90 PID 4100 wrote to memory of 3612 4100 6686004.exe 90 PID 3612 wrote to memory of 2308 3612 fxfxrff.exe 91 PID 3612 wrote to memory of 2308 3612 fxfxrff.exe 91 PID 3612 wrote to memory of 2308 3612 fxfxrff.exe 91 PID 2308 wrote to memory of 3608 2308 rxlfrxr.exe 92 PID 2308 wrote to memory of 3608 2308 rxlfrxr.exe 92 PID 2308 wrote to memory of 3608 2308 rxlfrxr.exe 92 PID 3608 wrote to memory of 2796 3608 k80448.exe 93 PID 3608 wrote to memory of 2796 3608 k80448.exe 93 PID 3608 wrote to memory of 2796 3608 k80448.exe 93 PID 2796 wrote to memory of 2220 2796 5htnhh.exe 94 PID 2796 wrote to memory of 2220 2796 5htnhh.exe 94 PID 2796 wrote to memory of 2220 2796 5htnhh.exe 94 PID 2220 wrote to memory of 1220 2220 nbbbtt.exe 95 PID 2220 
wrote to memory of 1220 2220 nbbbtt.exe 95 PID 2220 wrote to memory of 1220 2220 nbbbtt.exe 95 PID 1220 wrote to memory of 2720 1220 0622606.exe 96 PID 1220 wrote to memory of 2720 1220 0622606.exe 96 PID 1220 wrote to memory of 2720 1220 0622606.exe 96 PID 2720 wrote to memory of 2728 2720 o242884.exe 97 PID 2720 wrote to memory of 2728 2720 o242884.exe 97 PID 2720 wrote to memory of 2728 2720 o242884.exe 97 PID 2728 wrote to memory of 3872 2728 dddvv.exe 98 PID 2728 wrote to memory of 3872 2728 dddvv.exe 98 PID 2728 wrote to memory of 3872 2728 dddvv.exe 98 PID 3872 wrote to memory of 952 3872 6048226.exe 99 PID 3872 wrote to memory of 952 3872 6048226.exe 99 PID 3872 wrote to memory of 952 3872 6048226.exe 99 PID 952 wrote to memory of 3824 952 22060.exe 100 PID 952 wrote to memory of 3824 952 22060.exe 100 PID 952 wrote to memory of 3824 952 22060.exe 100 PID 3824 wrote to memory of 2108 3824 2066004.exe 101 PID 3824 wrote to memory of 2108 3824 2066004.exe 101 PID 3824 wrote to memory of 2108 3824 2066004.exe 101 PID 2108 wrote to memory of 2348 2108 rxxrfxr.exe 102 PID 2108 wrote to memory of 2348 2108 rxxrfxr.exe 102 PID 2108 wrote to memory of 2348 2108 rxxrfxr.exe 102 PID 2348 wrote to memory of 2284 2348 bbtnhh.exe 103 PID 2348 wrote to memory of 2284 2348 bbtnhh.exe 103 PID 2348 wrote to memory of 2284 2348 bbtnhh.exe 103 PID 2284 wrote to memory of 2576 2284 20048.exe 104 PID 2284 wrote to memory of 2576 2284 20048.exe 104 PID 2284 wrote to memory of 2576 2284 20048.exe 104 PID 2576 wrote to memory of 1260 2576 00260.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9e70e52ae16cfafda4973fc762c16f143ad5057d94aedcfbfd31615e8f9f822.exe"C:\Users\Admin\AppData\Local\Temp\a9e70e52ae16cfafda4973fc762c16f143ad5057d94aedcfbfd31615e8f9f822.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\rxxrlll.exec:\rxxrlll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\462044.exec:\462044.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\u422266.exec:\u422266.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\djpjd.exec:\djpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\lflflll.exec:\lflflll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
\??\c:\6686004.exec:\6686004.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\fxfxrff.exec:\fxfxrff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\rxlfrxr.exec:\rxlfrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\k80448.exec:\k80448.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\5htnhh.exec:\5htnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\nbbbtt.exec:\nbbbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\0622606.exec:\0622606.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\o242884.exec:\o242884.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\dddvv.exec:\dddvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\6048226.exec:\6048226.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\22060.exec:\22060.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\2066004.exec:\2066004.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\rxxrfxr.exec:\rxxrfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\bbtnhh.exec:\bbtnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\20048.exec:\20048.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\00260.exec:\00260.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\4426042.exec:\4426042.exe23⤵
- Executes dropped EXE
PID:1260 -
\??\c:\ffllfxx.exec:\ffllfxx.exe24⤵
- Executes dropped EXE
PID:2392 -
\??\c:\u660048.exec:\u660048.exe25⤵
- Executes dropped EXE
PID:5068 -
\??\c:\1rfxffl.exec:\1rfxffl.exe26⤵
- Executes dropped EXE
PID:3852 -
\??\c:\08604.exec:\08604.exe27⤵
- Executes dropped EXE
PID:3668 -
\??\c:\lxrlllr.exec:\lxrlllr.exe28⤵
- Executes dropped EXE
PID:4912 -
\??\c:\2660444.exec:\2660444.exe29⤵
- Executes dropped EXE
PID:3832 -
\??\c:\0680646.exec:\0680646.exe30⤵
- Executes dropped EXE
PID:4524 -
\??\c:\vpvpp.exec:\vpvpp.exe31⤵
- Executes dropped EXE
PID:5024 -
\??\c:\btnnnh.exec:\btnnnh.exe32⤵
- Executes dropped EXE
PID:872 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe33⤵
- Executes dropped EXE
PID:2572 -
\??\c:\k68822.exec:\k68822.exe34⤵
- Executes dropped EXE
PID:4092 -
\??\c:\u404444.exec:\u404444.exe35⤵
- Executes dropped EXE
PID:1976 -
\??\c:\6286826.exec:\6286826.exe36⤵
- Executes dropped EXE
PID:4448 -
\??\c:\8448648.exec:\8448648.exe37⤵
- Executes dropped EXE
PID:4568 -
\??\c:\422084.exec:\422084.exe38⤵
- Executes dropped EXE
PID:2104 -
\??\c:\hnhtht.exec:\hnhtht.exe39⤵
- Executes dropped EXE
PID:3964 -
\??\c:\5nbntb.exec:\5nbntb.exe40⤵
- Executes dropped EXE
PID:1028 -
\??\c:\488648.exec:\488648.exe41⤵
- Executes dropped EXE
PID:2092 -
\??\c:\dvdpd.exec:\dvdpd.exe42⤵
- Executes dropped EXE
PID:4180 -
\??\c:\9jvpd.exec:\9jvpd.exe43⤵
- Executes dropped EXE
PID:3960 -
\??\c:\4888604.exec:\4888604.exe44⤵
- Executes dropped EXE
PID:2012 -
\??\c:\vjdjv.exec:\vjdjv.exe45⤵
- Executes dropped EXE
PID:1644 -
\??\c:\84486.exec:\84486.exe46⤵
- Executes dropped EXE
PID:4428 -
\??\c:\2288260.exec:\2288260.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2304 -
\??\c:\1nnbnh.exec:\1nnbnh.exe48⤵
- Executes dropped EXE
PID:2388 -
\??\c:\m4088.exec:\m4088.exe49⤵
- Executes dropped EXE
PID:3396 -
\??\c:\fxlflff.exec:\fxlflff.exe50⤵
- Executes dropped EXE
PID:2952 -
\??\c:\0486042.exec:\0486042.exe51⤵
- Executes dropped EXE
PID:4444 -
\??\c:\lrlxxlf.exec:\lrlxxlf.exe52⤵
- Executes dropped EXE
PID:616 -
\??\c:\4208888.exec:\4208888.exe53⤵
- Executes dropped EXE
PID:4200 -
\??\c:\q62822.exec:\q62822.exe54⤵
- Executes dropped EXE
PID:3400 -
\??\c:\jvvjv.exec:\jvvjv.exe55⤵
- Executes dropped EXE
PID:932 -
\??\c:\bbntnb.exec:\bbntnb.exe56⤵
- Executes dropped EXE
PID:3364 -
\??\c:\pppjd.exec:\pppjd.exe57⤵
- Executes dropped EXE
PID:4480 -
\??\c:\8282660.exec:\8282660.exe58⤵
- Executes dropped EXE
PID:4380 -
\??\c:\4482008.exec:\4482008.exe59⤵
- Executes dropped EXE
PID:2832 -
\??\c:\82608.exec:\82608.exe60⤵
- Executes dropped EXE
PID:4540 -
\??\c:\fxxxlrl.exec:\fxxxlrl.exe61⤵
- Executes dropped EXE
PID:316 -
\??\c:\82882.exec:\82882.exe62⤵
- Executes dropped EXE
PID:4344 -
\??\c:\20026.exec:\20026.exe63⤵
- Executes dropped EXE
PID:4576 -
\??\c:\u400444.exec:\u400444.exe64⤵
- Executes dropped EXE
PID:624 -
\??\c:\hbhbnn.exec:\hbhbnn.exe65⤵
- Executes dropped EXE
PID:620 -
\??\c:\bttnbb.exec:\bttnbb.exe66⤵PID:3844
-
\??\c:\1pdpd.exec:\1pdpd.exe67⤵PID:2944
-
\??\c:\w24208.exec:\w24208.exe68⤵PID:1600
-
\??\c:\86004.exec:\86004.exe69⤵PID:2720
-
\??\c:\xrlrllr.exec:\xrlrllr.exe70⤵PID:3936
-
\??\c:\w84266.exec:\w84266.exe71⤵PID:2244
-
\??\c:\lllxlfr.exec:\lllxlfr.exe72⤵PID:3240
-
\??\c:\ddpdv.exec:\ddpdv.exe73⤵PID:3712
-
\??\c:\llfxflx.exec:\llfxflx.exe74⤵PID:4708
-
\??\c:\06604.exec:\06604.exe75⤵PID:4668
-
\??\c:\xxllrxf.exec:\xxllrxf.exe76⤵PID:4464
-
\??\c:\20262.exec:\20262.exe77⤵PID:2360
-
\??\c:\vpvjd.exec:\vpvjd.exe78⤵PID:2432
-
\??\c:\46488.exec:\46488.exe79⤵PID:2996
-
\??\c:\080426.exec:\080426.exe80⤵PID:1436
-
\??\c:\rllxxrl.exec:\rllxxrl.exe81⤵PID:2312
-
\??\c:\k06048.exec:\k06048.exe82⤵PID:1504
-
\??\c:\xlllxxf.exec:\xlllxxf.exe83⤵PID:3156
-
\??\c:\pjddv.exec:\pjddv.exe84⤵PID:3016
-
\??\c:\5hbtbb.exec:\5hbtbb.exe85⤵PID:1676
-
\??\c:\402200.exec:\402200.exe86⤵PID:3892
-
\??\c:\42284.exec:\42284.exe87⤵PID:5016
-
\??\c:\xxxlfrl.exec:\xxxlfrl.exe88⤵PID:2508
-
\??\c:\flrfrfr.exec:\flrfrfr.exe89⤵PID:3568
-
\??\c:\dvdvp.exec:\dvdvp.exe90⤵PID:3732
-
\??\c:\nbhhhh.exec:\nbhhhh.exe91⤵PID:5020
-
\??\c:\thbbtn.exec:\thbbtn.exe92⤵PID:3412
-
\??\c:\862604.exec:\862604.exe93⤵PID:2984
-
\??\c:\22420.exec:\22420.exe94⤵PID:1584
-
\??\c:\824844.exec:\824844.exe95⤵PID:3020
-
\??\c:\ntbnhb.exec:\ntbnhb.exe96⤵PID:1096
-
\??\c:\866488.exec:\866488.exe97⤵PID:1300
-
\??\c:\c820820.exec:\c820820.exe98⤵PID:3488
-
\??\c:\xllfrrf.exec:\xllfrrf.exe99⤵PID:3060
-
\??\c:\28048.exec:\28048.exe100⤵PID:4088
-
\??\c:\frrlrll.exec:\frrlrll.exe101⤵PID:2560
-
\??\c:\48422.exec:\48422.exe102⤵PID:3868
-
\??\c:\vdpdv.exec:\vdpdv.exe103⤵PID:4132
-
\??\c:\rxfrfxl.exec:\rxfrfxl.exe104⤵PID:1972
-
\??\c:\04040.exec:\04040.exe105⤵PID:1968
-
\??\c:\lxrrfrf.exec:\lxrrfrf.exe106⤵PID:4404
-
\??\c:\jdvpv.exec:\jdvpv.exe107⤵PID:64
-
\??\c:\dppdj.exec:\dppdj.exe108⤵PID:312
-
\??\c:\i288200.exec:\i288200.exe109⤵PID:4424
-
\??\c:\jjpdv.exec:\jjpdv.exe110⤵PID:4412
-
\??\c:\rllfxxr.exec:\rllfxxr.exe111⤵PID:3944
-
\??\c:\frxlfxr.exec:\frxlfxr.exe112⤵PID:3368
-
\??\c:\0620482.exec:\0620482.exe113⤵PID:2444
-
\??\c:\606048.exec:\606048.exe114⤵PID:2732
-
\??\c:\jvdjd.exec:\jvdjd.exe115⤵PID:1924
-
\??\c:\206262.exec:\206262.exe116⤵PID:4672
-
\??\c:\86042.exec:\86042.exe117⤵PID:2292
-
\??\c:\pvdpd.exec:\pvdpd.exe118⤵PID:2436
-
\??\c:\442604.exec:\442604.exe119⤵
- System Location Discovery: System Language Discovery
PID:4944 -
\??\c:\pdpjd.exec:\pdpjd.exe120⤵PID:5112
-
\??\c:\xlrfrrf.exec:\xlrfrrf.exe121⤵PID:4528
-
\??\c:\g2488.exec:\g2488.exe122⤵PID:5100