Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6d62540f96ee7968e596946f696fd956a2d1932ffb71e745fccf3c26be5435a.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
a6d62540f96ee7968e596946f696fd956a2d1932ffb71e745fccf3c26be5435a.exe
-
Size
455KB
-
MD5
aa97f363fc325c4030361c94df2e9071
-
SHA1
22a53f17d292159cb08e22c8067c301378d362b5
-
SHA256
a6d62540f96ee7968e596946f696fd956a2d1932ffb71e745fccf3c26be5435a
-
SHA512
a43715f274e65808b80eaa99bb91579120d550efe6ef8c7c30f731dfd1522e5d7717016d4b5d49db95074c3f5016ec80649ba35084e898ad503563c2914b2290
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2844-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2056-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/416-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5112-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-877-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-890-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-1109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-1242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-1616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 636 frlxfxr.exe 1984 4842608.exe 2268 c848260.exe 1740 028260.exe 408 ppddd.exe 1560 062604.exe 1028 828066.exe 692 66248.exe 2664 bhbtbb.exe 3032 xrlxfxx.exe 3528 vpdvv.exe 1464 lflrrxr.exe 4208 fffxrll.exe 1004 rrrxrxl.exe 4264 82608.exe 968 64864.exe 4484 vpjpj.exe 3640 xfrfxlr.exe 4080 04600.exe 2176 7dvpv.exe 2548 66484.exe 1420 06622.exe 4968 7xrfrll.exe 1852 lfxlffx.exe 3388 c226044.exe 2056 640422.exe 4912 6008260.exe 980 0424066.exe 3680 884826.exe 3400 vddvp.exe 2428 0848248.exe 4200 lxlxrrl.exe 2336 hnbntb.exe 2244 g2862.exe 416 2648286.exe 3568 nbhnth.exe 808 u800860.exe 4808 nhhhhh.exe 3504 o484466.exe 2168 4842682.exe 2996 266600.exe 3740 28668.exe 3252 602288.exe 1540 2604000.exe 1452 xlfxrrl.exe 3648 06204.exe 3760 xllfrll.exe 5100 6840482.exe 3776 2408226.exe 1652 824264.exe 3168 28624.exe 4232 htthtt.exe 4368 2688204.exe 636 4044040.exe 2300 nbbtnn.exe 1980 tnhbtt.exe 4952 hhtttn.exe 1760 604882.exe 2804 nbtnbt.exe 1588 0886426.exe 2772 8486424.exe 3096 u220400.exe 184 88864.exe 3268 24206.exe -
resource yara_rule behavioral2/memory/2844-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2056-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/416-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-410-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1668-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-825-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-877-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8000448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k48208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0800028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0060826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8260260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 624824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2844 wrote to memory of 636 2844 a6d62540f96ee7968e596946f696fd956a2d1932ffb71e745fccf3c26be5435a.exe 83 PID 2844 wrote to memory of 636 2844 a6d62540f96ee7968e596946f696fd956a2d1932ffb71e745fccf3c26be5435a.exe 83 PID 2844 wrote to memory of 636 2844 a6d62540f96ee7968e596946f696fd956a2d1932ffb71e745fccf3c26be5435a.exe 83 PID 636 wrote to memory of 1984 636 frlxfxr.exe 84 PID 636 wrote to memory of 1984 636 frlxfxr.exe 84 PID 636 wrote to memory of 1984 636 frlxfxr.exe 84 PID 1984 wrote to memory of 2268 1984 4842608.exe 85 PID 1984 wrote to memory of 2268 1984 4842608.exe 85 PID 1984 wrote to memory of 2268 1984 4842608.exe 85 PID 2268 wrote to memory of 1740 2268 c848260.exe 86 PID 2268 wrote to memory of 1740 2268 c848260.exe 86 PID 2268 wrote to memory of 1740 2268 c848260.exe 86 PID 1740 wrote to memory of 408 1740 028260.exe 87 PID 1740 wrote to memory of 408 1740 028260.exe 87 PID 1740 wrote to memory of 408 1740 028260.exe 87 PID 408 wrote to memory of 1560 408 ppddd.exe 88 PID 408 wrote to memory of 1560 408 ppddd.exe 88 PID 408 wrote to memory of 1560 408 ppddd.exe 88 PID 1560 wrote to memory of 1028 1560 062604.exe 89 PID 1560 wrote to memory of 1028 1560 062604.exe 89 PID 1560 wrote to memory of 1028 1560 062604.exe 89 PID 1028 wrote to memory of 692 1028 828066.exe 90 PID 1028 wrote to memory of 692 1028 828066.exe 90 PID 1028 wrote to memory of 692 1028 828066.exe 90 PID 692 wrote to memory of 2664 692 66248.exe 91 PID 692 wrote to memory of 2664 692 66248.exe 91 PID 692 wrote to memory of 2664 692 66248.exe 91 PID 2664 wrote to memory of 3032 2664 bhbtbb.exe 92 PID 2664 wrote to memory of 3032 2664 bhbtbb.exe 92 PID 2664 wrote to memory of 3032 2664 bhbtbb.exe 92 PID 3032 wrote to memory of 3528 3032 xrlxfxx.exe 93 PID 3032 wrote to memory of 3528 3032 xrlxfxx.exe 93 PID 3032 wrote to memory of 3528 3032 xrlxfxx.exe 93 PID 3528 wrote to memory of 1464 3528 vpdvv.exe 94 PID 3528 wrote to memory of 1464 3528 
vpdvv.exe 94 PID 3528 wrote to memory of 1464 3528 vpdvv.exe 94 PID 1464 wrote to memory of 4208 1464 lflrrxr.exe 95 PID 1464 wrote to memory of 4208 1464 lflrrxr.exe 95 PID 1464 wrote to memory of 4208 1464 lflrrxr.exe 95 PID 4208 wrote to memory of 1004 4208 fffxrll.exe 96 PID 4208 wrote to memory of 1004 4208 fffxrll.exe 96 PID 4208 wrote to memory of 1004 4208 fffxrll.exe 96 PID 1004 wrote to memory of 4264 1004 rrrxrxl.exe 97 PID 1004 wrote to memory of 4264 1004 rrrxrxl.exe 97 PID 1004 wrote to memory of 4264 1004 rrrxrxl.exe 97 PID 4264 wrote to memory of 968 4264 82608.exe 98 PID 4264 wrote to memory of 968 4264 82608.exe 98 PID 4264 wrote to memory of 968 4264 82608.exe 98 PID 968 wrote to memory of 4484 968 64864.exe 99 PID 968 wrote to memory of 4484 968 64864.exe 99 PID 968 wrote to memory of 4484 968 64864.exe 99 PID 4484 wrote to memory of 3640 4484 vpjpj.exe 100 PID 4484 wrote to memory of 3640 4484 vpjpj.exe 100 PID 4484 wrote to memory of 3640 4484 vpjpj.exe 100 PID 3640 wrote to memory of 4080 3640 xfrfxlr.exe 101 PID 3640 wrote to memory of 4080 3640 xfrfxlr.exe 101 PID 3640 wrote to memory of 4080 3640 xfrfxlr.exe 101 PID 4080 wrote to memory of 2176 4080 04600.exe 102 PID 4080 wrote to memory of 2176 4080 04600.exe 102 PID 4080 wrote to memory of 2176 4080 04600.exe 102 PID 2176 wrote to memory of 2548 2176 7dvpv.exe 103 PID 2176 wrote to memory of 2548 2176 7dvpv.exe 103 PID 2176 wrote to memory of 2548 2176 7dvpv.exe 103 PID 2548 wrote to memory of 1420 2548 66484.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6d62540f96ee7968e596946f696fd956a2d1932ffb71e745fccf3c26be5435a.exe"C:\Users\Admin\AppData\Local\Temp\a6d62540f96ee7968e596946f696fd956a2d1932ffb71e745fccf3c26be5435a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\frlxfxr.exec:\frlxfxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\4842608.exec:\4842608.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\c848260.exec:\c848260.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\028260.exec:\028260.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\ppddd.exec:\ppddd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\062604.exec:\062604.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\828066.exec:\828066.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\66248.exec:\66248.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\bhbtbb.exec:\bhbtbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\xrlxfxx.exec:\xrlxfxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\vpdvv.exec:\vpdvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\lflrrxr.exec:\lflrrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\fffxrll.exec:\fffxrll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\rrrxrxl.exec:\rrrxrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\82608.exec:\82608.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\64864.exec:\64864.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\vpjpj.exec:\vpjpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\xfrfxlr.exec:\xfrfxlr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\04600.exec:\04600.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\7dvpv.exec:\7dvpv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\66484.exec:\66484.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\06622.exec:\06622.exe23⤵
- Executes dropped EXE
PID:1420 -
\??\c:\7xrfrll.exec:\7xrfrll.exe24⤵
- Executes dropped EXE
PID:4968 -
\??\c:\lfxlffx.exec:\lfxlffx.exe25⤵
- Executes dropped EXE
PID:1852 -
\??\c:\c226044.exec:\c226044.exe26⤵
- Executes dropped EXE
PID:3388 -
\??\c:\640422.exec:\640422.exe27⤵
- Executes dropped EXE
PID:2056 -
\??\c:\6008260.exec:\6008260.exe28⤵
- Executes dropped EXE
PID:4912 -
\??\c:\0424066.exec:\0424066.exe29⤵
- Executes dropped EXE
PID:980 -
\??\c:\884826.exec:\884826.exe30⤵
- Executes dropped EXE
PID:3680 -
\??\c:\vddvp.exec:\vddvp.exe31⤵
- Executes dropped EXE
PID:3400 -
\??\c:\0848248.exec:\0848248.exe32⤵
- Executes dropped EXE
PID:2428 -
\??\c:\lxlxrrl.exec:\lxlxrrl.exe33⤵
- Executes dropped EXE
PID:4200 -
\??\c:\hnbntb.exec:\hnbntb.exe34⤵
- Executes dropped EXE
PID:2336 -
\??\c:\g2862.exec:\g2862.exe35⤵
- Executes dropped EXE
PID:2244 -
\??\c:\2648286.exec:\2648286.exe36⤵
- Executes dropped EXE
PID:416 -
\??\c:\nbhnth.exec:\nbhnth.exe37⤵
- Executes dropped EXE
PID:3568 -
\??\c:\u800860.exec:\u800860.exe38⤵
- Executes dropped EXE
PID:808 -
\??\c:\nhhhhh.exec:\nhhhhh.exe39⤵
- Executes dropped EXE
PID:4808 -
\??\c:\o484466.exec:\o484466.exe40⤵
- Executes dropped EXE
PID:3504 -
\??\c:\4842682.exec:\4842682.exe41⤵
- Executes dropped EXE
PID:2168 -
\??\c:\266600.exec:\266600.exe42⤵
- Executes dropped EXE
PID:2996 -
\??\c:\28668.exec:\28668.exe43⤵
- Executes dropped EXE
PID:3740 -
\??\c:\602288.exec:\602288.exe44⤵
- Executes dropped EXE
PID:3252 -
\??\c:\2604000.exec:\2604000.exe45⤵
- Executes dropped EXE
PID:1540 -
\??\c:\xlfxrrl.exec:\xlfxrrl.exe46⤵
- Executes dropped EXE
PID:1452 -
\??\c:\06204.exec:\06204.exe47⤵
- Executes dropped EXE
PID:3648 -
\??\c:\xllfrll.exec:\xllfrll.exe48⤵
- Executes dropped EXE
PID:3760 -
\??\c:\6840482.exec:\6840482.exe49⤵
- Executes dropped EXE
PID:5100 -
\??\c:\2408226.exec:\2408226.exe50⤵
- Executes dropped EXE
PID:3776 -
\??\c:\824264.exec:\824264.exe51⤵
- Executes dropped EXE
PID:1652 -
\??\c:\28624.exec:\28624.exe52⤵
- Executes dropped EXE
PID:3168 -
\??\c:\htthtt.exec:\htthtt.exe53⤵
- Executes dropped EXE
PID:4232 -
\??\c:\2688204.exec:\2688204.exe54⤵
- Executes dropped EXE
PID:4368 -
\??\c:\4044040.exec:\4044040.exe55⤵
- Executes dropped EXE
PID:636 -
\??\c:\nbbtnn.exec:\nbbtnn.exe56⤵
- Executes dropped EXE
PID:2300 -
\??\c:\tnhbtt.exec:\tnhbtt.exe57⤵
- Executes dropped EXE
PID:1980 -
\??\c:\hhtttn.exec:\hhtttn.exe58⤵
- Executes dropped EXE
PID:4952 -
\??\c:\604882.exec:\604882.exe59⤵
- Executes dropped EXE
PID:1760 -
\??\c:\nbtnbt.exec:\nbtnbt.exe60⤵
- Executes dropped EXE
PID:2804 -
\??\c:\0886426.exec:\0886426.exe61⤵
- Executes dropped EXE
PID:1588 -
\??\c:\8486424.exec:\8486424.exe62⤵
- Executes dropped EXE
PID:2772 -
\??\c:\u220400.exec:\u220400.exe63⤵
- Executes dropped EXE
PID:3096 -
\??\c:\88864.exec:\88864.exe64⤵
- Executes dropped EXE
PID:184 -
\??\c:\24206.exec:\24206.exe65⤵
- Executes dropped EXE
PID:3268 -
\??\c:\6244406.exec:\6244406.exe66⤵PID:4536
-
\??\c:\htnhbt.exec:\htnhbt.exe67⤵PID:3840
-
\??\c:\rfffrxx.exec:\rfffrxx.exe68⤵PID:1832
-
\??\c:\5fxlffx.exec:\5fxlffx.exe69⤵PID:3896
-
\??\c:\dvpdv.exec:\dvpdv.exe70⤵PID:1116
-
\??\c:\866482.exec:\866482.exe71⤵PID:852
-
\??\c:\8248442.exec:\8248442.exe72⤵PID:4712
-
\??\c:\nttnbb.exec:\nttnbb.exe73⤵PID:1744
-
\??\c:\8688264.exec:\8688264.exe74⤵PID:4496
-
\??\c:\vjpvp.exec:\vjpvp.exe75⤵PID:4580
-
\??\c:\0rxrl.exec:\0rxrl.exe76⤵PID:3668
-
\??\c:\026082.exec:\026082.exe77⤵PID:1356
-
\??\c:\28864.exec:\28864.exe78⤵PID:5108
-
\??\c:\jvvpd.exec:\jvvpd.exe79⤵PID:4404
-
\??\c:\0442604.exec:\0442604.exe80⤵PID:5076
-
\??\c:\nnnntn.exec:\nnnntn.exe81⤵PID:2468
-
\??\c:\288248.exec:\288248.exe82⤵PID:4080
-
\??\c:\lrxfrlf.exec:\lrxfrlf.exe83⤵PID:3792
-
\??\c:\tbhbth.exec:\tbhbth.exe84⤵PID:2224
-
\??\c:\frxlxrr.exec:\frxlxrr.exe85⤵PID:3396
-
\??\c:\7ddvp.exec:\7ddvp.exe86⤵PID:3940
-
\??\c:\1xxrlfx.exec:\1xxrlfx.exe87⤵PID:4968
-
\??\c:\3dvjd.exec:\3dvjd.exe88⤵PID:1752
-
\??\c:\840426.exec:\840426.exe89⤵PID:4008
-
\??\c:\ttbtnh.exec:\ttbtnh.exe90⤵PID:3388
-
\??\c:\44682.exec:\44682.exe91⤵PID:3736
-
\??\c:\88826.exec:\88826.exe92⤵PID:924
-
\??\c:\6048266.exec:\6048266.exe93⤵PID:2556
-
\??\c:\g6604.exec:\g6604.exe94⤵PID:4864
-
\??\c:\djjdv.exec:\djjdv.exe95⤵PID:3680
-
\??\c:\60482.exec:\60482.exe96⤵PID:3016
-
\??\c:\a2604.exec:\a2604.exe97⤵PID:5060
-
\??\c:\bttnnh.exec:\bttnnh.exe98⤵PID:5112
-
\??\c:\86264.exec:\86264.exe99⤵PID:3368
-
\??\c:\lxrfxrl.exec:\lxrfxrl.exe100⤵PID:3564
-
\??\c:\4002042.exec:\4002042.exe101⤵PID:1668
-
\??\c:\2240684.exec:\2240684.exe102⤵PID:416
-
\??\c:\hnhbtn.exec:\hnhbtn.exe103⤵PID:3568
-
\??\c:\q84860.exec:\q84860.exe104⤵PID:808
-
\??\c:\jdvpd.exec:\jdvpd.exe105⤵PID:3024
-
\??\c:\9fflffx.exec:\9fflffx.exe106⤵PID:2948
-
\??\c:\q26860.exec:\q26860.exe107⤵PID:796
-
\??\c:\rlrllll.exec:\rlrllll.exe108⤵PID:3412
-
\??\c:\488626.exec:\488626.exe109⤵PID:4124
-
\??\c:\8660602.exec:\8660602.exe110⤵PID:4632
-
\??\c:\04260.exec:\04260.exe111⤵PID:1124
-
\??\c:\g6208.exec:\g6208.exe112⤵PID:3500
-
\??\c:\w62422.exec:\w62422.exe113⤵PID:3552
-
\??\c:\0660448.exec:\0660448.exe114⤵PID:3584
-
\??\c:\1xxfrxr.exec:\1xxfrxr.exe115⤵PID:4724
-
\??\c:\3vjvp.exec:\3vjvp.exe116⤵PID:4844
-
\??\c:\fxllrrf.exec:\fxllrrf.exe117⤵PID:4664
-
\??\c:\vvppp.exec:\vvppp.exe118⤵PID:2616
-
\??\c:\fxrfxrl.exec:\fxrfxrl.exe119⤵PID:3168
-
\??\c:\5tbbhn.exec:\5tbbhn.exe120⤵PID:1648
-
\??\c:\80208.exec:\80208.exe121⤵PID:4984
-
\??\c:\7vvjd.exec:\7vvjd.exe122⤵PID:4368