Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-12-2024 00:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe
-
Size
453KB
-
MD5
40c8bde846d9ee11883b0e5098d0473f
-
SHA1
efc765918ed5d2c78f0dcf0d7b59cad7d86f7337
-
SHA256
af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00
-
SHA512
f16d0d791938bf77e66b1f52417e83b809c22319d74f0ee465616734e7e521e2af6f684a015957bdec42e38cdc790ec281d606ae4ebccb91ced8252c5a663fff
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1792-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5032-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/608-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4936-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-1116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-1231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-1530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2152-1645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4860 q02622.exe 2340 6004822.exe 1908 64482.exe 4928 fxxrlrl.exe 2040 20608.exe 1440 0224826.exe 216 682822.exe 4936 5bthbb.exe 1172 7thbhn.exe 740 44244.exe 1584 66228.exe 4880 0404822.exe 4004 xlfxrrl.exe 4028 s6842.exe 2916 s2826.exe 1920 8464242.exe 4584 0626604.exe 3292 bnhbtt.exe 608 2806004.exe 1656 480044.exe 2384 frxxrrl.exe 5076 426066.exe 4228 dvvpp.exe 1124 086262.exe 4724 jvvvp.exe 2280 62628.exe 3512 3ppjd.exe 4592 pvvpp.exe 2404 0442808.exe 4844 8660826.exe 2328 rrfxrfr.exe 2956 frrlfxx.exe 3848 xllxrlf.exe 4496 jdvdv.exe 2432 8000028.exe 3116 c842666.exe 4188 m8280.exe 3424 60220.exe 1220 hbhbbb.exe 5084 e24822.exe 4824 08664.exe 2996 w44044.exe 1996 428282.exe 2592 84204.exe 1072 ppdvp.exe 744 hnnnht.exe 4476 206060.exe 3620 828822.exe 5032 48024.exe 1592 8862844.exe 632 628828.exe 4736 642660.exe 2600 jvvpp.exe 3148 42604.exe 1924 66860.exe 5012 8808064.exe 2152 rxfxrfx.exe 2196 hbbnhb.exe 4172 a8820.exe 2804 q06488.exe 4512 8608266.exe 1296 dppdv.exe 4336 840826.exe 536 jvdpd.exe -
resource yara_rule behavioral2/memory/1792-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-235-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5084-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/608-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-360-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1008-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-1116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-1231-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2848848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0608.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 224646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8460006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806482.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1792 wrote to memory of 4860 1792 af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe 83 PID 1792 wrote to memory of 4860 1792 af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe 83 PID 1792 wrote to memory of 4860 1792 af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe 83 PID 4860 wrote to memory of 2340 4860 q02622.exe 84 PID 4860 wrote to memory of 2340 4860 q02622.exe 84 PID 4860 wrote to memory of 2340 4860 q02622.exe 84 PID 2340 wrote to memory of 1908 2340 6004822.exe 85 PID 2340 wrote to memory of 1908 2340 6004822.exe 85 PID 2340 wrote to memory of 1908 2340 6004822.exe 85 PID 1908 wrote to memory of 4928 1908 64482.exe 86 PID 1908 wrote to memory of 4928 1908 64482.exe 86 PID 1908 wrote to memory of 4928 1908 64482.exe 86 PID 4928 wrote to memory of 2040 4928 fxxrlrl.exe 87 PID 4928 wrote to memory of 2040 4928 fxxrlrl.exe 87 PID 4928 wrote to memory of 2040 4928 fxxrlrl.exe 87 PID 2040 wrote to memory of 1440 2040 20608.exe 88 PID 2040 wrote to memory of 1440 2040 20608.exe 88 PID 2040 wrote to memory of 1440 2040 20608.exe 88 PID 1440 wrote to memory of 216 1440 0224826.exe 89 PID 1440 wrote to memory of 216 1440 0224826.exe 89 PID 1440 wrote to memory of 216 1440 0224826.exe 89 PID 216 wrote to memory of 4936 216 682822.exe 90 PID 216 wrote to memory of 4936 216 682822.exe 90 PID 216 wrote to memory of 4936 216 682822.exe 90 PID 4936 wrote to memory of 1172 4936 5bthbb.exe 91 PID 4936 wrote to memory of 1172 4936 5bthbb.exe 91 PID 4936 wrote to memory of 1172 4936 5bthbb.exe 91 PID 1172 wrote to memory of 740 1172 7thbhn.exe 92 PID 1172 wrote to memory of 740 1172 7thbhn.exe 92 PID 1172 wrote to memory of 740 1172 7thbhn.exe 92 PID 740 wrote to memory of 1584 740 44244.exe 93 PID 740 wrote to memory of 1584 740 44244.exe 93 PID 740 wrote to memory of 1584 740 44244.exe 93 PID 1584 wrote to memory of 4880 1584 66228.exe 94 PID 1584 wrote to memory of 4880 1584 
66228.exe 94 PID 1584 wrote to memory of 4880 1584 66228.exe 94 PID 4880 wrote to memory of 4004 4880 0404822.exe 95 PID 4880 wrote to memory of 4004 4880 0404822.exe 95 PID 4880 wrote to memory of 4004 4880 0404822.exe 95 PID 4004 wrote to memory of 4028 4004 xlfxrrl.exe 96 PID 4004 wrote to memory of 4028 4004 xlfxrrl.exe 96 PID 4004 wrote to memory of 4028 4004 xlfxrrl.exe 96 PID 4028 wrote to memory of 2916 4028 s6842.exe 97 PID 4028 wrote to memory of 2916 4028 s6842.exe 97 PID 4028 wrote to memory of 2916 4028 s6842.exe 97 PID 2916 wrote to memory of 1920 2916 s2826.exe 98 PID 2916 wrote to memory of 1920 2916 s2826.exe 98 PID 2916 wrote to memory of 1920 2916 s2826.exe 98 PID 1920 wrote to memory of 4584 1920 8464242.exe 99 PID 1920 wrote to memory of 4584 1920 8464242.exe 99 PID 1920 wrote to memory of 4584 1920 8464242.exe 99 PID 4584 wrote to memory of 3292 4584 0626604.exe 100 PID 4584 wrote to memory of 3292 4584 0626604.exe 100 PID 4584 wrote to memory of 3292 4584 0626604.exe 100 PID 3292 wrote to memory of 608 3292 bnhbtt.exe 101 PID 3292 wrote to memory of 608 3292 bnhbtt.exe 101 PID 3292 wrote to memory of 608 3292 bnhbtt.exe 101 PID 608 wrote to memory of 1656 608 2806004.exe 102 PID 608 wrote to memory of 1656 608 2806004.exe 102 PID 608 wrote to memory of 1656 608 2806004.exe 102 PID 1656 wrote to memory of 2384 1656 480044.exe 103 PID 1656 wrote to memory of 2384 1656 480044.exe 103 PID 1656 wrote to memory of 2384 1656 480044.exe 103 PID 2384 wrote to memory of 5076 2384 frxxrrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe"C:\Users\Admin\AppData\Local\Temp\af19fa484d85b08047d6ac8f59c5ce3c9dab790f34946c14c2243270b88d1d00.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\q02622.exec:\q02622.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\6004822.exec:\6004822.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\64482.exec:\64482.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\fxxrlrl.exec:\fxxrlrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\20608.exec:\20608.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\0224826.exec:\0224826.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\682822.exec:\682822.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\5bthbb.exec:\5bthbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\7thbhn.exec:\7thbhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\44244.exec:\44244.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\66228.exec:\66228.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\0404822.exec:\0404822.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\xlfxrrl.exec:\xlfxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\s6842.exec:\s6842.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\s2826.exec:\s2826.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\8464242.exec:\8464242.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\0626604.exec:\0626604.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\bnhbtt.exec:\bnhbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\2806004.exec:\2806004.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:608 -
\??\c:\480044.exec:\480044.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\frxxrrl.exec:\frxxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\426066.exec:\426066.exe23⤵
- Executes dropped EXE
PID:5076 -
\??\c:\dvvpp.exec:\dvvpp.exe24⤵
- Executes dropped EXE
PID:4228 -
\??\c:\086262.exec:\086262.exe25⤵
- Executes dropped EXE
PID:1124 -
\??\c:\jvvvp.exec:\jvvvp.exe26⤵
- Executes dropped EXE
PID:4724 -
\??\c:\62628.exec:\62628.exe27⤵
- Executes dropped EXE
PID:2280 -
\??\c:\3ppjd.exec:\3ppjd.exe28⤵
- Executes dropped EXE
PID:3512 -
\??\c:\pvvpp.exec:\pvvpp.exe29⤵
- Executes dropped EXE
PID:4592 -
\??\c:\0442808.exec:\0442808.exe30⤵
- Executes dropped EXE
PID:2404 -
\??\c:\8660826.exec:\8660826.exe31⤵
- Executes dropped EXE
PID:4844 -
\??\c:\rrfxrfr.exec:\rrfxrfr.exe32⤵
- Executes dropped EXE
PID:2328 -
\??\c:\frrlfxx.exec:\frrlfxx.exe33⤵
- Executes dropped EXE
PID:2956 -
\??\c:\xllxrlf.exec:\xllxrlf.exe34⤵
- Executes dropped EXE
PID:3848 -
\??\c:\jdvdv.exec:\jdvdv.exe35⤵
- Executes dropped EXE
PID:4496 -
\??\c:\8000028.exec:\8000028.exe36⤵
- Executes dropped EXE
PID:2432 -
\??\c:\c842666.exec:\c842666.exe37⤵
- Executes dropped EXE
PID:3116 -
\??\c:\m8280.exec:\m8280.exe38⤵
- Executes dropped EXE
PID:4188 -
\??\c:\60220.exec:\60220.exe39⤵
- Executes dropped EXE
PID:3424 -
\??\c:\hbhbbb.exec:\hbhbbb.exe40⤵
- Executes dropped EXE
PID:1220 -
\??\c:\e24822.exec:\e24822.exe41⤵
- Executes dropped EXE
PID:5084 -
\??\c:\08664.exec:\08664.exe42⤵
- Executes dropped EXE
PID:4824 -
\??\c:\w44044.exec:\w44044.exe43⤵
- Executes dropped EXE
PID:2996 -
\??\c:\428282.exec:\428282.exe44⤵
- Executes dropped EXE
PID:1996 -
\??\c:\84204.exec:\84204.exe45⤵
- Executes dropped EXE
PID:2592 -
\??\c:\ppdvp.exec:\ppdvp.exe46⤵
- Executes dropped EXE
PID:1072 -
\??\c:\hnnnht.exec:\hnnnht.exe47⤵
- Executes dropped EXE
PID:744 -
\??\c:\206060.exec:\206060.exe48⤵
- Executes dropped EXE
PID:4476 -
\??\c:\828822.exec:\828822.exe49⤵
- Executes dropped EXE
PID:3620 -
\??\c:\48024.exec:\48024.exe50⤵
- Executes dropped EXE
PID:5032 -
\??\c:\8862844.exec:\8862844.exe51⤵
- Executes dropped EXE
PID:1592 -
\??\c:\628828.exec:\628828.exe52⤵
- Executes dropped EXE
PID:632 -
\??\c:\642660.exec:\642660.exe53⤵
- Executes dropped EXE
PID:4736 -
\??\c:\jvvpp.exec:\jvvpp.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2600 -
\??\c:\42604.exec:\42604.exe55⤵
- Executes dropped EXE
PID:3148 -
\??\c:\66860.exec:\66860.exe56⤵
- Executes dropped EXE
PID:1924 -
\??\c:\8808064.exec:\8808064.exe57⤵
- Executes dropped EXE
PID:5012 -
\??\c:\rxfxrfx.exec:\rxfxrfx.exe58⤵
- Executes dropped EXE
PID:2152 -
\??\c:\hbbnhb.exec:\hbbnhb.exe59⤵
- Executes dropped EXE
PID:2196 -
\??\c:\a8820.exec:\a8820.exe60⤵
- Executes dropped EXE
PID:4172 -
\??\c:\q06488.exec:\q06488.exe61⤵
- Executes dropped EXE
PID:2804 -
\??\c:\8608266.exec:\8608266.exe62⤵
- Executes dropped EXE
PID:4512 -
\??\c:\dppdv.exec:\dppdv.exe63⤵
- Executes dropped EXE
PID:1296 -
\??\c:\840826.exec:\840826.exe64⤵
- Executes dropped EXE
PID:4336 -
\??\c:\jvdpd.exec:\jvdpd.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:536 -
\??\c:\26220.exec:\26220.exe66⤵PID:3956
-
\??\c:\2066404.exec:\2066404.exe67⤵PID:1712
-
\??\c:\68262.exec:\68262.exe68⤵PID:2312
-
\??\c:\httbtn.exec:\httbtn.exe69⤵PID:4864
-
\??\c:\vvpjj.exec:\vvpjj.exe70⤵PID:4228
-
\??\c:\llfrllf.exec:\llfrllf.exe71⤵PID:2000
-
\??\c:\8222604.exec:\8222604.exe72⤵PID:4724
-
\??\c:\824266.exec:\824266.exe73⤵PID:3528
-
\??\c:\w28600.exec:\w28600.exe74⤵PID:1436
-
\??\c:\4666004.exec:\4666004.exe75⤵PID:4528
-
\??\c:\a2486.exec:\a2486.exe76⤵PID:4488
-
\??\c:\668204.exec:\668204.exe77⤵PID:4472
-
\??\c:\28480.exec:\28480.exe78⤵PID:3732
-
\??\c:\g8648.exec:\g8648.exe79⤵PID:3848
-
\??\c:\2688688.exec:\2688688.exe80⤵PID:3972
-
\??\c:\xfflrrx.exec:\xfflrrx.exe81⤵PID:1528
-
\??\c:\3pvpj.exec:\3pvpj.exe82⤵PID:3116
-
\??\c:\26844.exec:\26844.exe83⤵PID:5092
-
\??\c:\686422.exec:\686422.exe84⤵PID:4624
-
\??\c:\o466444.exec:\o466444.exe85⤵PID:1008
-
\??\c:\tntnbt.exec:\tntnbt.exe86⤵PID:2872
-
\??\c:\24044.exec:\24044.exe87⤵PID:2348
-
\??\c:\9ntntt.exec:\9ntntt.exe88⤵PID:2068
-
\??\c:\802604.exec:\802604.exe89⤵PID:964
-
\??\c:\6060448.exec:\6060448.exe90⤵PID:1128
-
\??\c:\jvdjp.exec:\jvdjp.exe91⤵PID:744
-
\??\c:\hhnntt.exec:\hhnntt.exe92⤵PID:4476
-
\??\c:\dpdpj.exec:\dpdpj.exe93⤵PID:4612
-
\??\c:\tthbhh.exec:\tthbhh.exe94⤵PID:1596
-
\??\c:\tnnhhh.exec:\tnnhhh.exe95⤵PID:4392
-
\??\c:\6082668.exec:\6082668.exe96⤵PID:3452
-
\??\c:\6000000.exec:\6000000.exe97⤵PID:3660
-
\??\c:\fxlrxrr.exec:\fxlrxrr.exe98⤵PID:2484
-
\??\c:\802248.exec:\802248.exe99⤵PID:1156
-
\??\c:\2828646.exec:\2828646.exe100⤵PID:3840
-
\??\c:\g6260.exec:\g6260.exe101⤵PID:1924
-
\??\c:\1xfrffr.exec:\1xfrffr.exe102⤵PID:5080
-
\??\c:\224820.exec:\224820.exe103⤵PID:4880
-
\??\c:\00008.exec:\00008.exe104⤵PID:2416
-
\??\c:\2002022.exec:\2002022.exe105⤵PID:2668
-
\??\c:\ttbnbt.exec:\ttbnbt.exe106⤵PID:1500
-
\??\c:\1nnbtn.exec:\1nnbtn.exe107⤵PID:3176
-
\??\c:\btbbnb.exec:\btbbnb.exe108⤵PID:2716
-
\??\c:\ffllrrx.exec:\ffllrrx.exe109⤵PID:1296
-
\??\c:\0086064.exec:\0086064.exe110⤵PID:2056
-
\??\c:\7htnhh.exec:\7htnhh.exe111⤵PID:464
-
\??\c:\64626.exec:\64626.exe112⤵PID:608
-
\??\c:\nhhbtn.exec:\nhhbtn.exe113⤵PID:2224
-
\??\c:\440482.exec:\440482.exe114⤵PID:5076
-
\??\c:\nhnhbb.exec:\nhnhbb.exe115⤵PID:4268
-
\??\c:\644602.exec:\644602.exe116⤵PID:2292
-
\??\c:\i428024.exec:\i428024.exe117⤵PID:220
-
\??\c:\462644.exec:\462644.exe118⤵PID:2108
-
\??\c:\flxxfxl.exec:\flxxfxl.exe119⤵PID:2000
-
\??\c:\2646004.exec:\2646004.exe120⤵PID:544
-
\??\c:\08248.exec:\08248.exe121⤵PID:4288
-
\??\c:\62842.exec:\62842.exe122⤵PID:2884