Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
25-12-2024 19:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
325624d8b88367a32c84160ba60c3dd877ad6d9f8331b0049202e37fa7e89a4b.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
Note: the task listed here is behavioral1 (win7-20240903-en), but every memory-dump path in the signatures below is prefixed behavioral2/ and the header describes a win10v2004-20241007-en run, so the results shown on this page appear to come from the Windows 10 task; the Windows 7 task's results are not shown here.
General
-
Target
325624d8b88367a32c84160ba60c3dd877ad6d9f8331b0049202e37fa7e89a4b.exe
-
Size
454KB
-
MD5
6a829c2cca9bad48df121cd5598df5d3
-
SHA1
d8bba79f523fe09c255f35b2f85eff0ff79c0a45
-
SHA256
325624d8b88367a32c84160ba60c3dd877ad6d9f8331b0049202e37fa7e89a4b
-
SHA512
75a085c854836aa4a298fa55b07b5eb6f8ff9fbff6b0634b0df531db87e9b5a43a0f9146b58a3d03bdcc38223a0505c9876b3f25bed3f27732106739cf4ff1f5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1064-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1840-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1556-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-1451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-1495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Caution when correlating: PIDs are reused within this run (e.g. 3784 is listed for both bhhtbt.exe and vjdpj.exe, 2848 for 406820.exe and 420064.exe, 4820 for 204824.exe and 60082.exe, 3648 for w44648.exe and httnbt.exe), so a memory dump such as behavioral2/memory/3784-251 must be matched on PID plus time offset, not PID alone. The list is capped at 64 entries and does not cover the full process chain shown under Processes.
pid Process 2236 m0682.exe 1304 688686.exe 1248 s0086.exe 2828 3rlxflx.exe 3540 pdvjv.exe 3784 bhhtbt.exe 2848 406820.exe 3844 426426.exe 180 frrflfx.exe 4652 m4082.exe 4168 pdjvv.exe 2908 bhnbnh.exe 4432 jdjjv.exe 4820 204824.exe 3880 dddpd.exe 2576 004260.exe 2412 6282862.exe 3648 w44648.exe 4952 66288.exe 4416 426088.exe 2088 2620042.exe 3904 vvvjv.exe 4604 m8260.exe 4792 5ththt.exe 4076 64844.exe 4160 rffxrrl.exe 1436 4242484.exe 4960 822604.exe 1840 nhttbb.exe 640 c460482.exe 1172 02448.exe 2508 djpjd.exe 3888 dpdvd.exe 404 242200.exe 4456 hnnnhh.exe 800 3rlfrrl.exe 2028 bnbtnn.exe 4192 nbnbtt.exe 1504 a6226.exe 2092 40286.exe 4956 2022264.exe 4512 62004.exe 1368 lxlxfxf.exe 2004 060088.exe 3504 xllfrlf.exe 3148 jjvjj.exe 1824 rlfrlfx.exe 3928 28042.exe 1940 7ttnnn.exe 3784 vjdpj.exe 2848 420064.exe 544 804204.exe 5024 nnnbnt.exe 2868 tbnbnh.exe 4716 4448260.exe 3216 602280.exe 3584 a2426.exe 1112 5vdvp.exe 2296 hhthhb.exe 4124 242642.exe 760 hbhbtt.exe 4820 60082.exe 4904 thhthb.exe 3648 httnbt.exe -
resource yara_rule behavioral2/memory/1064-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-165-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1840-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-360-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1388-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-641-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note for triage: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by many legitimate programs at start-up, so this indicator is low-fidelity on its own; the entries attributed to "Process not Found" could not be tied to a named dropped executable by the sandbox and cannot be attributed further from this page alone.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0020448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q22044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2004466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q68660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
2884402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q66082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4848440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 440864.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8060482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthnt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Each entry below is a parent writing to the memory of the child it has just spawned (three events per child, target IDs increasing in step with the process tree), which is the pattern ordinary process creation typically produces; read this as corroboration of the spawn chain rather than as evidence of injection into unrelated processes. The list is truncated at 64 entries.
description pid Process procid_target PID 1064 wrote to memory of 2236 1064 325624d8b88367a32c84160ba60c3dd877ad6d9f8331b0049202e37fa7e89a4b.exe 83 PID 1064 wrote to memory of 2236 1064 325624d8b88367a32c84160ba60c3dd877ad6d9f8331b0049202e37fa7e89a4b.exe 83 PID 1064 wrote to memory of 2236 1064 325624d8b88367a32c84160ba60c3dd877ad6d9f8331b0049202e37fa7e89a4b.exe 83 PID 2236 wrote to memory of 1304 2236 m0682.exe 84 PID 2236 wrote to memory of 1304 2236 m0682.exe 84 PID 2236 wrote to memory of 1304 2236 m0682.exe 84 PID 1304 wrote to memory of 1248 1304 688686.exe 85 PID 1304 wrote to memory of 1248 1304 688686.exe 85 PID 1304 wrote to memory of 1248 1304 688686.exe 85 PID 1248 wrote to memory of 2828 1248 s0086.exe 86 PID 1248 wrote to memory of 2828 1248 s0086.exe 86 PID 1248 wrote to memory of 2828 1248 s0086.exe 86 PID 2828 wrote to memory of 3540 2828 3rlxflx.exe 87 PID 2828 wrote to memory of 3540 2828 3rlxflx.exe 87 PID 2828 wrote to memory of 3540 2828 3rlxflx.exe 87 PID 3540 wrote to memory of 3784 3540 pdvjv.exe 88 PID 3540 wrote to memory of 3784 3540 pdvjv.exe 88 PID 3540 wrote to memory of 3784 3540 pdvjv.exe 88 PID 3784 wrote to memory of 2848 3784 bhhtbt.exe 89 PID 3784 wrote to memory of 2848 3784 bhhtbt.exe 89 PID 3784 wrote to memory of 2848 3784 bhhtbt.exe 89 PID 2848 wrote to memory of 3844 2848 406820.exe 90 PID 2848 wrote to memory of 3844 2848 406820.exe 90 PID 2848 wrote to memory of 3844 2848 406820.exe 90 PID 3844 wrote to memory of 180 3844 426426.exe 91 PID 3844 wrote to memory of 180 3844 426426.exe 91 PID 3844 wrote to memory of 180 3844 426426.exe 91 PID 180 wrote to memory of 4652 180 frrflfx.exe 92 PID 180 wrote to memory of 4652 180 frrflfx.exe 92 PID 180 wrote to memory of 4652 180 frrflfx.exe 92 PID 4652 wrote to memory of 4168 4652 m4082.exe 93 PID 4652 wrote to memory of 4168 4652 m4082.exe 93 PID 4652 wrote to memory of 4168 4652 m4082.exe 93 PID 4168 wrote to memory of 2908 4168 pdjvv.exe 94 PID 4168 wrote to memory of 2908 
4168 pdjvv.exe 94 PID 4168 wrote to memory of 2908 4168 pdjvv.exe 94 PID 2908 wrote to memory of 4432 2908 bhnbnh.exe 95 PID 2908 wrote to memory of 4432 2908 bhnbnh.exe 95 PID 2908 wrote to memory of 4432 2908 bhnbnh.exe 95 PID 4432 wrote to memory of 4820 4432 jdjjv.exe 96 PID 4432 wrote to memory of 4820 4432 jdjjv.exe 96 PID 4432 wrote to memory of 4820 4432 jdjjv.exe 96 PID 4820 wrote to memory of 3880 4820 204824.exe 97 PID 4820 wrote to memory of 3880 4820 204824.exe 97 PID 4820 wrote to memory of 3880 4820 204824.exe 97 PID 3880 wrote to memory of 2576 3880 dddpd.exe 98 PID 3880 wrote to memory of 2576 3880 dddpd.exe 98 PID 3880 wrote to memory of 2576 3880 dddpd.exe 98 PID 2576 wrote to memory of 2412 2576 004260.exe 99 PID 2576 wrote to memory of 2412 2576 004260.exe 99 PID 2576 wrote to memory of 2412 2576 004260.exe 99 PID 2412 wrote to memory of 3648 2412 6282862.exe 100 PID 2412 wrote to memory of 3648 2412 6282862.exe 100 PID 2412 wrote to memory of 3648 2412 6282862.exe 100 PID 3648 wrote to memory of 4952 3648 w44648.exe 101 PID 3648 wrote to memory of 4952 3648 w44648.exe 101 PID 3648 wrote to memory of 4952 3648 w44648.exe 101 PID 4952 wrote to memory of 4416 4952 66288.exe 102 PID 4952 wrote to memory of 4416 4952 66288.exe 102 PID 4952 wrote to memory of 4416 4952 66288.exe 102 PID 4416 wrote to memory of 2088 4416 426088.exe 103 PID 4416 wrote to memory of 2088 4416 426088.exe 103 PID 4416 wrote to memory of 2088 4416 426088.exe 103 PID 2088 wrote to memory of 3904 2088 2620042.exe 104
Processes
Process tree: the sample launches m0682.exe from the volume root (\??\c:\m0682.exe), and every subsequent stage likewise runs from c:\ and spawns the next, producing a single linear chain 122 processes deep within the 120-second run. Executables written directly to the root of the system volume are a useful hunting pivot on endpoints.
-
C:\Users\Admin\AppData\Local\Temp\325624d8b88367a32c84160ba60c3dd877ad6d9f8331b0049202e37fa7e89a4b.exe"C:\Users\Admin\AppData\Local\Temp\325624d8b88367a32c84160ba60c3dd877ad6d9f8331b0049202e37fa7e89a4b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\m0682.exec:\m0682.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\688686.exec:\688686.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\s0086.exec:\s0086.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\3rlxflx.exec:\3rlxflx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\pdvjv.exec:\pdvjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\bhhtbt.exec:\bhhtbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\406820.exec:\406820.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\426426.exec:\426426.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\frrflfx.exec:\frrflfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
\??\c:\m4082.exec:\m4082.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\pdjvv.exec:\pdjvv.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\bhnbnh.exec:\bhnbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\jdjjv.exec:\jdjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\204824.exec:\204824.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\dddpd.exec:\dddpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\004260.exec:\004260.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\6282862.exec:\6282862.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\w44648.exec:\w44648.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\66288.exec:\66288.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\426088.exec:\426088.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\2620042.exec:\2620042.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\vvvjv.exec:\vvvjv.exe23⤵
- Executes dropped EXE
PID:3904 -
\??\c:\m8260.exec:\m8260.exe24⤵
- Executes dropped EXE
PID:4604 -
\??\c:\5ththt.exec:\5ththt.exe25⤵
- Executes dropped EXE
PID:4792 -
\??\c:\64844.exec:\64844.exe26⤵
- Executes dropped EXE
PID:4076 -
\??\c:\rffxrrl.exec:\rffxrrl.exe27⤵
- Executes dropped EXE
PID:4160 -
\??\c:\4242484.exec:\4242484.exe28⤵
- Executes dropped EXE
PID:1436 -
\??\c:\822604.exec:\822604.exe29⤵
- Executes dropped EXE
PID:4960 -
\??\c:\nhttbb.exec:\nhttbb.exe30⤵
- Executes dropped EXE
PID:1840 -
\??\c:\c460482.exec:\c460482.exe31⤵
- Executes dropped EXE
PID:640 -
\??\c:\02448.exec:\02448.exe32⤵
- Executes dropped EXE
PID:1172 -
\??\c:\djpjd.exec:\djpjd.exe33⤵
- Executes dropped EXE
PID:2508 -
\??\c:\dpdvd.exec:\dpdvd.exe34⤵
- Executes dropped EXE
PID:3888 -
\??\c:\242200.exec:\242200.exe35⤵
- Executes dropped EXE
PID:404 -
\??\c:\hnnnhh.exec:\hnnnhh.exe36⤵
- Executes dropped EXE
PID:4456 -
\??\c:\3rlfrrl.exec:\3rlfrrl.exe37⤵
- Executes dropped EXE
PID:800 -
\??\c:\bnbtnn.exec:\bnbtnn.exe38⤵
- Executes dropped EXE
PID:2028 -
\??\c:\nbnbtt.exec:\nbnbtt.exe39⤵
- Executes dropped EXE
PID:4192 -
\??\c:\a6226.exec:\a6226.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504 -
\??\c:\40286.exec:\40286.exe41⤵
- Executes dropped EXE
PID:2092 -
\??\c:\2022264.exec:\2022264.exe42⤵
- Executes dropped EXE
PID:4956 -
\??\c:\62004.exec:\62004.exe43⤵
- Executes dropped EXE
PID:4512 -
\??\c:\lxlxfxf.exec:\lxlxfxf.exe44⤵
- Executes dropped EXE
PID:1368 -
\??\c:\060088.exec:\060088.exe45⤵
- Executes dropped EXE
PID:2004 -
\??\c:\xllfrlf.exec:\xllfrlf.exe46⤵
- Executes dropped EXE
PID:3504 -
\??\c:\jjvjj.exec:\jjvjj.exe47⤵
- Executes dropped EXE
PID:3148 -
\??\c:\rlfrlfx.exec:\rlfrlfx.exe48⤵
- Executes dropped EXE
PID:1824 -
\??\c:\28042.exec:\28042.exe49⤵
- Executes dropped EXE
PID:3928 -
\??\c:\7ttnnn.exec:\7ttnnn.exe50⤵
- Executes dropped EXE
PID:1940 -
\??\c:\vjdpj.exec:\vjdpj.exe51⤵
- Executes dropped EXE
PID:3784 -
\??\c:\420064.exec:\420064.exe52⤵
- Executes dropped EXE
PID:2848 -
\??\c:\804204.exec:\804204.exe53⤵
- Executes dropped EXE
PID:544 -
\??\c:\nnnbnt.exec:\nnnbnt.exe54⤵
- Executes dropped EXE
PID:5024 -
\??\c:\tbnbnh.exec:\tbnbnh.exe55⤵
- Executes dropped EXE
PID:2868 -
\??\c:\4448260.exec:\4448260.exe56⤵
- Executes dropped EXE
PID:4716 -
\??\c:\602280.exec:\602280.exe57⤵
- Executes dropped EXE
PID:3216 -
\??\c:\a2426.exec:\a2426.exe58⤵
- Executes dropped EXE
PID:3584 -
\??\c:\5vdvp.exec:\5vdvp.exe59⤵
- Executes dropped EXE
PID:1112 -
\??\c:\hhthhb.exec:\hhthhb.exe60⤵
- Executes dropped EXE
PID:2296 -
\??\c:\242642.exec:\242642.exe61⤵
- Executes dropped EXE
PID:4124 -
\??\c:\hbhbtt.exec:\hbhbtt.exe62⤵
- Executes dropped EXE
PID:760 -
\??\c:\60082.exec:\60082.exe63⤵
- Executes dropped EXE
PID:4820 -
\??\c:\thhthb.exec:\thhthb.exe64⤵
- Executes dropped EXE
PID:4904 -
\??\c:\httnbt.exec:\httnbt.exe65⤵
- Executes dropped EXE
PID:3648 -
\??\c:\26204.exec:\26204.exe66⤵PID:4296
-
\??\c:\nbnhhh.exec:\nbnhhh.exe67⤵PID:4132
-
\??\c:\86002.exec:\86002.exe68⤵PID:4656
-
\??\c:\7jjjv.exec:\7jjjv.exe69⤵PID:4952
-
\??\c:\26828.exec:\26828.exe70⤵PID:4948
-
\??\c:\rlrfxrr.exec:\rlrfxrr.exe71⤵PID:1788
-
\??\c:\u442820.exec:\u442820.exe72⤵PID:3908
-
\??\c:\822082.exec:\822082.exe73⤵PID:4024
-
\??\c:\7rrlrfx.exec:\7rrlrfx.exe74⤵PID:4604
-
\??\c:\64840.exec:\64840.exe75⤵PID:1128
-
\??\c:\82886.exec:\82886.exe76⤵PID:1664
-
\??\c:\fflxxrx.exec:\fflxxrx.exe77⤵PID:2188
-
\??\c:\bbbtnn.exec:\bbbtnn.exe78⤵PID:4160
-
\??\c:\jvvpd.exec:\jvvpd.exe79⤵PID:1872
-
\??\c:\rxlxrlx.exec:\rxlxrlx.exe80⤵PID:2288
-
\??\c:\3bnbnh.exec:\3bnbnh.exe81⤵PID:2980
-
\??\c:\040440.exec:\040440.exe82⤵PID:1556
-
\??\c:\xllfxrl.exec:\xllfxrl.exe83⤵PID:432
-
\??\c:\86686.exec:\86686.exe84⤵PID:1172
-
\??\c:\lxxrllf.exec:\lxxrllf.exe85⤵PID:4760
-
\??\c:\28048.exec:\28048.exe86⤵PID:4140
-
\??\c:\446222.exec:\446222.exe87⤵PID:1388
-
\??\c:\5dvjj.exec:\5dvjj.exe88⤵PID:4612
-
\??\c:\20600.exec:\20600.exe89⤵PID:4456
-
\??\c:\846422.exec:\846422.exe90⤵PID:800
-
\??\c:\6242048.exec:\6242048.exe91⤵PID:4836
-
\??\c:\lxfxxrr.exec:\lxfxxrr.exe92⤵PID:4884
-
\??\c:\08260.exec:\08260.exe93⤵PID:3608
-
\??\c:\e06204.exec:\e06204.exe94⤵PID:4516
-
\??\c:\24266.exec:\24266.exe95⤵PID:4956
-
\??\c:\rllfxxr.exec:\rllfxxr.exe96⤵PID:3092
-
\??\c:\jddvp.exec:\jddvp.exe97⤵PID:1368
-
\??\c:\pjdvj.exec:\pjdvj.exe98⤵PID:1304
-
\??\c:\2004466.exec:\2004466.exe99⤵
- System Location Discovery: System Language Discovery
PID:1640 -
\??\c:\ddjjj.exec:\ddjjj.exe100⤵PID:1124
-
\??\c:\0206284.exec:\0206284.exe101⤵PID:896
-
\??\c:\9jdpd.exec:\9jdpd.exe102⤵PID:736
-
\??\c:\fxlflrr.exec:\fxlflrr.exe103⤵PID:3688
-
\??\c:\7thnbb.exec:\7thnbb.exe104⤵PID:3408
-
\??\c:\0680042.exec:\0680042.exe105⤵PID:3528
-
\??\c:\1pdpd.exec:\1pdpd.exe106⤵PID:4708
-
\??\c:\lxfxrll.exec:\lxfxrll.exe107⤵PID:2856
-
\??\c:\5jjdv.exec:\5jjdv.exe108⤵PID:3844
-
\??\c:\thnnnb.exec:\thnnnb.exe109⤵PID:2948
-
\??\c:\662600.exec:\662600.exe110⤵PID:1224
-
\??\c:\fxfrfxl.exec:\fxfrfxl.exe111⤵PID:2124
-
\??\c:\g0642.exec:\g0642.exe112⤵PID:3172
-
\??\c:\pvvpp.exec:\pvvpp.exe113⤵PID:3296
-
\??\c:\24424.exec:\24424.exe114⤵PID:2976
-
\??\c:\u860822.exec:\u860822.exe115⤵PID:384
-
\??\c:\8844888.exec:\8844888.exe116⤵PID:1648
-
\??\c:\frxxlfr.exec:\frxxlfr.exe117⤵PID:2036
-
\??\c:\dppdp.exec:\dppdp.exe118⤵PID:1112
-
\??\c:\lrxlxrl.exec:\lrxlxrl.exe119⤵PID:2296
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe120⤵PID:2120
-
\??\c:\2886086.exec:\2886086.exe121⤵PID:1632
-
\??\c:\68082.exec:\68082.exe122⤵PID:760