Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 22:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2314ce19b6b4de5b58a8dc9bf78f460fdd07865856b6589ece188ee0b4281a57.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
2314ce19b6b4de5b58a8dc9bf78f460fdd07865856b6589ece188ee0b4281a57.exe
-
Size
455KB
-
MD5
8b0b63ddbc9509733be91eb1ea52283f
-
SHA1
69331d6f01f6252fe7bf463603efd3ae91516bfb
-
SHA256
2314ce19b6b4de5b58a8dc9bf78f460fdd07865856b6589ece188ee0b4281a57
-
SHA512
861c3058288590cf034cb40ca821ea139fbc7d0d5799c1e585f07d26de8e8d15562a4449f265d9e9800d8368d5d23427cdf88a76b1d2b43b2246455ec77994f2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4572-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2688-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4672-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-1085-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-1111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-1181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3324-1315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3936 lfxxrxr.exe 2480 42864.exe 3516 80222.exe 4228 28264.exe 1400 2842044.exe 632 440482.exe 2972 lxxrfff.exe 4180 rxxlxrf.exe 1296 pvddp.exe 3228 3jjjd.exe 3304 nbhbbt.exe 2292 q22688.exe 5084 2828046.exe 3720 0008660.exe 2024 2826868.exe 2116 4848862.exe 3220 3ntbnn.exe 1536 840488.exe 3608 6248604.exe 2256 06860.exe 2688 222604.exe 4268 0860260.exe 3040 9jpjj.exe 1868 e00882.exe 3232 xlrlxxl.exe 4352 pddvp.exe 2396 jpppd.exe 1452 1ppjd.exe 2992 0626448.exe 4060 7xlfxrr.exe 1456 062606.exe 4868 006488.exe 2668 btthbb.exe 3948 rrffxfx.exe 4404 040828.exe 4388 28042.exe 4572 200848.exe 1656 82868.exe 1692 4408604.exe 2812 1pjdp.exe 4680 6482060.exe 3488 2620442.exe 2352 26604.exe 3752 8204888.exe 2648 rrxrrlr.exe 3728 rxxxrrr.exe 4488 4248682.exe 4460 82826.exe 3196 c042042.exe 2520 xllfxrl.exe 2832 frxrffx.exe 1496 1vvjj.exe 5080 822648.exe 5040 6626448.exe 1940 62208.exe 4084 8260088.exe 4988 402266.exe 3908 480448.exe 3276 88420.exe 4776 1lfrfxl.exe 1892 86648.exe 2116 662882.exe 776 pjpjp.exe 5076 xrfxrlr.exe -
resource yara_rule behavioral2/memory/4572-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-143-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1868-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1836-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-898-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4220826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0848882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0620820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6282082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8626640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6840202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q44422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4572 wrote to memory of 3936 4572 2314ce19b6b4de5b58a8dc9bf78f460fdd07865856b6589ece188ee0b4281a57.exe 85 PID 4572 wrote to memory of 3936 4572 2314ce19b6b4de5b58a8dc9bf78f460fdd07865856b6589ece188ee0b4281a57.exe 85 PID 4572 wrote to memory of 3936 4572 2314ce19b6b4de5b58a8dc9bf78f460fdd07865856b6589ece188ee0b4281a57.exe 85 PID 3936 wrote to memory of 2480 3936 lfxxrxr.exe 86 PID 3936 wrote to memory of 2480 3936 lfxxrxr.exe 86 PID 3936 wrote to memory of 2480 3936 lfxxrxr.exe 86 PID 2480 wrote to memory of 3516 2480 42864.exe 87 PID 2480 wrote to memory of 3516 2480 42864.exe 87 PID 2480 wrote to memory of 3516 2480 42864.exe 87 PID 3516 wrote to memory of 4228 3516 80222.exe 88 PID 3516 wrote to memory of 4228 3516 80222.exe 88 PID 3516 wrote to memory of 4228 3516 80222.exe 88 PID 4228 wrote to memory of 1400 4228 28264.exe 89 PID 4228 wrote to memory of 1400 4228 28264.exe 89 PID 4228 wrote to memory of 1400 4228 28264.exe 89 PID 1400 wrote to memory of 632 1400 2842044.exe 90 PID 1400 wrote to memory of 632 1400 2842044.exe 90 PID 1400 wrote to memory of 632 1400 2842044.exe 90 PID 632 wrote to memory of 2972 632 440482.exe 91 PID 632 wrote to memory of 2972 632 440482.exe 91 PID 632 wrote to memory of 2972 632 440482.exe 91 PID 2972 wrote to memory of 4180 2972 lxxrfff.exe 92 PID 2972 wrote to memory of 4180 2972 lxxrfff.exe 92 PID 2972 wrote to memory of 4180 2972 lxxrfff.exe 92 PID 4180 wrote to memory of 1296 4180 rxxlxrf.exe 93 PID 4180 wrote to memory of 1296 4180 rxxlxrf.exe 93 PID 4180 wrote to memory of 1296 4180 rxxlxrf.exe 93 PID 1296 wrote to memory of 3228 1296 pvddp.exe 94 PID 1296 wrote to memory of 3228 1296 pvddp.exe 94 PID 1296 wrote to memory of 3228 1296 pvddp.exe 94 PID 3228 wrote to memory of 3304 3228 3jjjd.exe 95 PID 3228 wrote to memory of 3304 3228 3jjjd.exe 95 PID 3228 wrote to memory of 3304 3228 3jjjd.exe 95 PID 3304 wrote to memory of 2292 3304 nbhbbt.exe 96 PID 3304 wrote to memory of 
2292 3304 nbhbbt.exe 96 PID 3304 wrote to memory of 2292 3304 nbhbbt.exe 96 PID 2292 wrote to memory of 5084 2292 q22688.exe 97 PID 2292 wrote to memory of 5084 2292 q22688.exe 97 PID 2292 wrote to memory of 5084 2292 q22688.exe 97 PID 5084 wrote to memory of 3720 5084 2828046.exe 98 PID 5084 wrote to memory of 3720 5084 2828046.exe 98 PID 5084 wrote to memory of 3720 5084 2828046.exe 98 PID 3720 wrote to memory of 2024 3720 0008660.exe 99 PID 3720 wrote to memory of 2024 3720 0008660.exe 99 PID 3720 wrote to memory of 2024 3720 0008660.exe 99 PID 2024 wrote to memory of 2116 2024 2826868.exe 100 PID 2024 wrote to memory of 2116 2024 2826868.exe 100 PID 2024 wrote to memory of 2116 2024 2826868.exe 100 PID 2116 wrote to memory of 3220 2116 4848862.exe 101 PID 2116 wrote to memory of 3220 2116 4848862.exe 101 PID 2116 wrote to memory of 3220 2116 4848862.exe 101 PID 3220 wrote to memory of 1536 3220 3ntbnn.exe 102 PID 3220 wrote to memory of 1536 3220 3ntbnn.exe 102 PID 3220 wrote to memory of 1536 3220 3ntbnn.exe 102 PID 1536 wrote to memory of 3608 1536 840488.exe 103 PID 1536 wrote to memory of 3608 1536 840488.exe 103 PID 1536 wrote to memory of 3608 1536 840488.exe 103 PID 3608 wrote to memory of 2256 3608 6248604.exe 104 PID 3608 wrote to memory of 2256 3608 6248604.exe 104 PID 3608 wrote to memory of 2256 3608 6248604.exe 104 PID 2256 wrote to memory of 2688 2256 06860.exe 105 PID 2256 wrote to memory of 2688 2256 06860.exe 105 PID 2256 wrote to memory of 2688 2256 06860.exe 105 PID 2688 wrote to memory of 4268 2688 222604.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\2314ce19b6b4de5b58a8dc9bf78f460fdd07865856b6589ece188ee0b4281a57.exe"C:\Users\Admin\AppData\Local\Temp\2314ce19b6b4de5b58a8dc9bf78f460fdd07865856b6589ece188ee0b4281a57.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\lfxxrxr.exec:\lfxxrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\42864.exec:\42864.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\80222.exec:\80222.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\28264.exec:\28264.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\2842044.exec:\2842044.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\440482.exec:\440482.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\lxxrfff.exec:\lxxrfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\rxxlxrf.exec:\rxxlxrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\pvddp.exec:\pvddp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\3jjjd.exec:\3jjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\nbhbbt.exec:\nbhbbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\q22688.exec:\q22688.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\2828046.exec:\2828046.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\0008660.exec:\0008660.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\2826868.exec:\2826868.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\4848862.exec:\4848862.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\3ntbnn.exec:\3ntbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\840488.exec:\840488.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\6248604.exec:\6248604.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\06860.exec:\06860.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\222604.exec:\222604.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\0860260.exec:\0860260.exe23⤵
- Executes dropped EXE
PID:4268 -
\??\c:\9jpjj.exec:\9jpjj.exe24⤵
- Executes dropped EXE
PID:3040 -
\??\c:\e00882.exec:\e00882.exe25⤵
- Executes dropped EXE
PID:1868 -
\??\c:\xlrlxxl.exec:\xlrlxxl.exe26⤵
- Executes dropped EXE
PID:3232 -
\??\c:\pddvp.exec:\pddvp.exe27⤵
- Executes dropped EXE
PID:4352 -
\??\c:\jpppd.exec:\jpppd.exe28⤵
- Executes dropped EXE
PID:2396 -
\??\c:\1ppjd.exec:\1ppjd.exe29⤵
- Executes dropped EXE
PID:1452 -
\??\c:\0626448.exec:\0626448.exe30⤵
- Executes dropped EXE
PID:2992 -
\??\c:\7xlfxrr.exec:\7xlfxrr.exe31⤵
- Executes dropped EXE
PID:4060 -
\??\c:\062606.exec:\062606.exe32⤵
- Executes dropped EXE
PID:1456 -
\??\c:\006488.exec:\006488.exe33⤵
- Executes dropped EXE
PID:4868 -
\??\c:\btthbb.exec:\btthbb.exe34⤵
- Executes dropped EXE
PID:2668 -
\??\c:\rrffxfx.exec:\rrffxfx.exe35⤵
- Executes dropped EXE
PID:3948 -
\??\c:\040828.exec:\040828.exe36⤵
- Executes dropped EXE
PID:4404 -
\??\c:\28042.exec:\28042.exe37⤵
- Executes dropped EXE
PID:4388 -
\??\c:\200848.exec:\200848.exe38⤵
- Executes dropped EXE
PID:4572 -
\??\c:\82868.exec:\82868.exe39⤵
- Executes dropped EXE
PID:1656 -
\??\c:\4408604.exec:\4408604.exe40⤵
- Executes dropped EXE
PID:1692 -
\??\c:\1pjdp.exec:\1pjdp.exe41⤵
- Executes dropped EXE
PID:2812 -
\??\c:\6482060.exec:\6482060.exe42⤵
- Executes dropped EXE
PID:4680 -
\??\c:\2620442.exec:\2620442.exe43⤵
- Executes dropped EXE
PID:3488 -
\??\c:\26604.exec:\26604.exe44⤵
- Executes dropped EXE
PID:2352 -
\??\c:\8204888.exec:\8204888.exe45⤵
- Executes dropped EXE
PID:3752 -
\??\c:\rrxrrlr.exec:\rrxrrlr.exe46⤵
- Executes dropped EXE
PID:2648 -
\??\c:\rxxxrrr.exec:\rxxxrrr.exe47⤵
- Executes dropped EXE
PID:3728 -
\??\c:\4248682.exec:\4248682.exe48⤵
- Executes dropped EXE
PID:4488 -
\??\c:\82826.exec:\82826.exe49⤵
- Executes dropped EXE
PID:4460 -
\??\c:\c042042.exec:\c042042.exe50⤵
- Executes dropped EXE
PID:3196 -
\??\c:\xllfxrl.exec:\xllfxrl.exe51⤵
- Executes dropped EXE
PID:2520 -
\??\c:\frxrffx.exec:\frxrffx.exe52⤵
- Executes dropped EXE
PID:2832 -
\??\c:\1vvjj.exec:\1vvjj.exe53⤵
- Executes dropped EXE
PID:1496 -
\??\c:\822648.exec:\822648.exe54⤵
- Executes dropped EXE
PID:5080 -
\??\c:\6626448.exec:\6626448.exe55⤵
- Executes dropped EXE
PID:5040 -
\??\c:\62208.exec:\62208.exe56⤵
- Executes dropped EXE
PID:1940 -
\??\c:\8260088.exec:\8260088.exe57⤵
- Executes dropped EXE
PID:4084 -
\??\c:\402266.exec:\402266.exe58⤵
- Executes dropped EXE
PID:4988 -
\??\c:\480448.exec:\480448.exe59⤵
- Executes dropped EXE
PID:3908 -
\??\c:\88420.exec:\88420.exe60⤵
- Executes dropped EXE
PID:3276 -
\??\c:\1lfrfxl.exec:\1lfrfxl.exe61⤵
- Executes dropped EXE
PID:4776 -
\??\c:\86648.exec:\86648.exe62⤵
- Executes dropped EXE
PID:1892 -
\??\c:\662882.exec:\662882.exe63⤵
- Executes dropped EXE
PID:2116 -
\??\c:\pjpjp.exec:\pjpjp.exe64⤵
- Executes dropped EXE
PID:776 -
\??\c:\xrfxrlr.exec:\xrfxrlr.exe65⤵
- Executes dropped EXE
PID:5076 -
\??\c:\htnbnn.exec:\htnbnn.exe66⤵PID:3696
-
\??\c:\044860.exec:\044860.exe67⤵PID:4104
-
\??\c:\0442640.exec:\0442640.exe68⤵PID:2392
-
\??\c:\s2808.exec:\s2808.exe69⤵PID:4672
-
\??\c:\22264.exec:\22264.exe70⤵PID:2312
-
\??\c:\hhhbnh.exec:\hhhbnh.exe71⤵PID:3108
-
\??\c:\084222.exec:\084222.exe72⤵PID:2208
-
\??\c:\s0608.exec:\s0608.exe73⤵PID:3788
-
\??\c:\806048.exec:\806048.exe74⤵PID:1060
-
\??\c:\rflxrlf.exec:\rflxrlf.exe75⤵PID:4128
-
\??\c:\vpdjp.exec:\vpdjp.exe76⤵PID:1836
-
\??\c:\llrrrlf.exec:\llrrrlf.exe77⤵PID:2740
-
\??\c:\486048.exec:\486048.exe78⤵PID:3248
-
\??\c:\nhnhbt.exec:\nhnhbt.exe79⤵PID:1248
-
\??\c:\648660.exec:\648660.exe80⤵PID:4692
-
\??\c:\5nnnnh.exec:\5nnnnh.exe81⤵PID:3700
-
\??\c:\040886.exec:\040886.exe82⤵PID:4996
-
\??\c:\nbhthn.exec:\nbhthn.exe83⤵PID:4624
-
\??\c:\9ppdp.exec:\9ppdp.exe84⤵PID:2680
-
\??\c:\888804.exec:\888804.exe85⤵PID:1784
-
\??\c:\tttbtn.exec:\tttbtn.exe86⤵PID:1504
-
\??\c:\i020848.exec:\i020848.exe87⤵PID:2660
-
\??\c:\22448.exec:\22448.exe88⤵PID:3988
-
\??\c:\lxxxrrl.exec:\lxxxrrl.exe89⤵PID:4404
-
\??\c:\vpvpd.exec:\vpvpd.exe90⤵PID:1952
-
\??\c:\488644.exec:\488644.exe91⤵PID:4152
-
\??\c:\4040484.exec:\4040484.exe92⤵PID:1712
-
\??\c:\1tnhbb.exec:\1tnhbb.exe93⤵PID:1700
-
\??\c:\ntttbh.exec:\ntttbh.exe94⤵PID:2480
-
\??\c:\ttnhtn.exec:\ttnhtn.exe95⤵PID:2652
-
\??\c:\4420684.exec:\4420684.exe96⤵PID:2376
-
\??\c:\044004.exec:\044004.exe97⤵PID:1384
-
\??\c:\pdpjj.exec:\pdpjj.exe98⤵PID:684
-
\??\c:\u446400.exec:\u446400.exe99⤵PID:720
-
\??\c:\nbbnhh.exec:\nbbnhh.exe100⤵PID:1684
-
\??\c:\04082.exec:\04082.exe101⤵PID:4300
-
\??\c:\08248.exec:\08248.exe102⤵PID:3496
-
\??\c:\428422.exec:\428422.exe103⤵PID:3556
-
\??\c:\llrxxrl.exec:\llrxxrl.exe104⤵PID:2384
-
\??\c:\84044.exec:\84044.exe105⤵PID:1120
-
\??\c:\3llxlfx.exec:\3llxlfx.exe106⤵PID:3564
-
\??\c:\02864.exec:\02864.exe107⤵PID:1008
-
\??\c:\5rlxlfx.exec:\5rlxlfx.exe108⤵PID:536
-
\??\c:\260860.exec:\260860.exe109⤵PID:1496
-
\??\c:\pjjvp.exec:\pjjvp.exe110⤵PID:3688
-
\??\c:\7btbnh.exec:\7btbnh.exe111⤵PID:2440
-
\??\c:\644208.exec:\644208.exe112⤵PID:2292
-
\??\c:\9bhthn.exec:\9bhthn.exe113⤵PID:4084
-
\??\c:\8806048.exec:\8806048.exe114⤵PID:3760
-
\??\c:\e84266.exec:\e84266.exe115⤵PID:3216
-
\??\c:\1hnhbt.exec:\1hnhbt.exe116⤵PID:2364
-
\??\c:\20826.exec:\20826.exe117⤵PID:2540
-
\??\c:\a4822.exec:\a4822.exe118⤵PID:2604
-
\??\c:\868288.exec:\868288.exe119⤵PID:3320
-
\??\c:\1ddvj.exec:\1ddvj.exe120⤵PID:2452
-
\??\c:\1bhtnh.exec:\1bhtnh.exe121⤵PID:1000
-
\??\c:\pddpd.exec:\pddpd.exe122⤵PID:4904