Analysis
-
max time kernel
150s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 02:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a356dfe3a5594640100a00c16eec53a256490e8f1cc4d8b57c0bceb70ad17c77.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
a356dfe3a5594640100a00c16eec53a256490e8f1cc4d8b57c0bceb70ad17c77.exe
-
Size
453KB
-
MD5
a1039cf0eb1eecbeaaf940c4fb352bb7
-
SHA1
6024cf0c5bc3b3c404f59585cf0a3db914e1735f
-
SHA256
a356dfe3a5594640100a00c16eec53a256490e8f1cc4d8b57c0bceb70ad17c77
-
SHA512
3eb69182d18322f126f2ddfe643a904d76a6a95126565f98499f695a33ae730198865f9d1aafa47588e943d7ca68827d17c8813e5a9e69ec9202c9906c02b870
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeh:q7Tc2NYHUrAwfMp3CDh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/812-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/844-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-804-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/396-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-1100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-1749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/936-1915-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4456 062204.exe 4980 vpjvj.exe 2276 lfxlffr.exe 4884 c260486.exe 888 frfxxrr.exe 1344 nhhbbt.exe 4576 xxlfrlr.exe 400 2240886.exe 3868 20086.exe 4952 662062.exe 5084 fffrlfr.exe 2564 lxlffff.exe 3036 6406442.exe 2712 822004.exe 748 6620486.exe 2616 6620404.exe 3712 vjdpd.exe 372 bhnnbt.exe 1680 4600848.exe 3860 ffrxlff.exe 5052 444264.exe 4872 64486.exe 1608 5jvjv.exe 1660 6622266.exe 1588 a6864.exe 3708 0040802.exe 452 lfrfrlf.exe 4864 nhbnhb.exe 4620 8288486.exe 3512 fxfrffx.exe 2148 066482.exe 5008 1xxlrlf.exe 4948 40660.exe 2344 068648.exe 2940 7xrlxrl.exe 1788 206004.exe 2300 dpvjj.exe 396 8226048.exe 4200 flfrrlf.exe 2504 204426.exe 2084 ppjdp.exe 4540 844208.exe 844 dvvpd.exe 3804 dpvjp.exe 2364 hnbtnh.exe 4672 q26262.exe 4484 8048620.exe 548 0882004.exe 936 0060264.exe 3148 i004448.exe 4684 vdjdd.exe 3908 s8486.exe 4212 1bbthb.exe 1876 djjvj.exe 3312 xllfrlx.exe 3296 2022262.exe 2236 dvpdp.exe 3060 7xrlxrx.exe 3540 22880.exe 380 hbthtn.exe 4348 5hhtnh.exe 4232 440426.exe 2532 vjdvp.exe 768 i404480.exe -
resource yara_rule behavioral2/memory/812-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-230-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4672-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-788-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-332-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2532-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-61-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e60860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e26220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q88648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84400.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w84406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 812 wrote to memory of 4456 812 a356dfe3a5594640100a00c16eec53a256490e8f1cc4d8b57c0bceb70ad17c77.exe 84 PID 812 wrote to memory of 4456 812 a356dfe3a5594640100a00c16eec53a256490e8f1cc4d8b57c0bceb70ad17c77.exe 84 PID 812 wrote to memory of 4456 812 a356dfe3a5594640100a00c16eec53a256490e8f1cc4d8b57c0bceb70ad17c77.exe 84 PID 4456 wrote to memory of 4980 4456 062204.exe 294 PID 4456 wrote to memory of 4980 4456 062204.exe 294 PID 4456 wrote to memory of 4980 4456 062204.exe 294 PID 4980 wrote to memory of 2276 4980 vpjvj.exe 237 PID 4980 wrote to memory of 2276 4980 vpjvj.exe 237 PID 4980 wrote to memory of 2276 4980 vpjvj.exe 237 PID 2276 wrote to memory of 4884 2276 lfxlffr.exe 87 PID 2276 wrote to memory of 4884 2276 lfxlffr.exe 87 PID 2276 wrote to memory of 4884 2276 lfxlffr.exe 87 PID 4884 wrote to memory of 888 4884 c260486.exe 88 PID 4884 wrote to memory of 888 4884 c260486.exe 88 PID 4884 wrote to memory of 888 4884 c260486.exe 88 PID 888 wrote to memory of 1344 888 frfxxrr.exe 89 PID 888 wrote to memory of 1344 888 frfxxrr.exe 89 PID 888 wrote to memory of 1344 888 frfxxrr.exe 89 PID 1344 wrote to memory of 4576 1344 nhhbbt.exe 90 PID 1344 wrote to memory of 4576 1344 nhhbbt.exe 90 PID 1344 wrote to memory of 4576 1344 nhhbbt.exe 90 PID 4576 wrote to memory of 400 4576 xxlfrlr.exe 91 PID 4576 wrote to memory of 400 4576 xxlfrlr.exe 91 PID 4576 wrote to memory of 400 4576 xxlfrlr.exe 91 PID 400 wrote to memory of 3868 400 2240886.exe 92 PID 400 wrote to memory of 3868 400 2240886.exe 92 PID 400 wrote to memory of 3868 400 2240886.exe 92 PID 3868 wrote to memory of 4952 3868 20086.exe 93 PID 3868 wrote to memory of 4952 3868 20086.exe 93 PID 3868 wrote to memory of 4952 3868 20086.exe 93 PID 4952 wrote to memory of 5084 4952 662062.exe 94 PID 4952 wrote to memory of 5084 4952 662062.exe 94 PID 4952 wrote to memory of 5084 4952 662062.exe 94 PID 5084 wrote to memory of 2564 5084 fffrlfr.exe 95 PID 5084 wrote to memory of 
2564 5084 fffrlfr.exe 95 PID 5084 wrote to memory of 2564 5084 fffrlfr.exe 95 PID 2564 wrote to memory of 3036 2564 lxlffff.exe 96 PID 2564 wrote to memory of 3036 2564 lxlffff.exe 96 PID 2564 wrote to memory of 3036 2564 lxlffff.exe 96 PID 3036 wrote to memory of 2712 3036 6406442.exe 97 PID 3036 wrote to memory of 2712 3036 6406442.exe 97 PID 3036 wrote to memory of 2712 3036 6406442.exe 97 PID 2712 wrote to memory of 748 2712 822004.exe 98 PID 2712 wrote to memory of 748 2712 822004.exe 98 PID 2712 wrote to memory of 748 2712 822004.exe 98 PID 748 wrote to memory of 2616 748 6620486.exe 99 PID 748 wrote to memory of 2616 748 6620486.exe 99 PID 748 wrote to memory of 2616 748 6620486.exe 99 PID 2616 wrote to memory of 3712 2616 6620404.exe 100 PID 2616 wrote to memory of 3712 2616 6620404.exe 100 PID 2616 wrote to memory of 3712 2616 6620404.exe 100 PID 3712 wrote to memory of 372 3712 vjdpd.exe 101 PID 3712 wrote to memory of 372 3712 vjdpd.exe 101 PID 3712 wrote to memory of 372 3712 vjdpd.exe 101 PID 372 wrote to memory of 1680 372 bhnnbt.exe 102 PID 372 wrote to memory of 1680 372 bhnnbt.exe 102 PID 372 wrote to memory of 1680 372 bhnnbt.exe 102 PID 1680 wrote to memory of 3860 1680 4600848.exe 103 PID 1680 wrote to memory of 3860 1680 4600848.exe 103 PID 1680 wrote to memory of 3860 1680 4600848.exe 103 PID 3860 wrote to memory of 5052 3860 ffrxlff.exe 104 PID 3860 wrote to memory of 5052 3860 ffrxlff.exe 104 PID 3860 wrote to memory of 5052 3860 ffrxlff.exe 104 PID 5052 wrote to memory of 4872 5052 444264.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\a356dfe3a5594640100a00c16eec53a256490e8f1cc4d8b57c0bceb70ad17c77.exe"C:\Users\Admin\AppData\Local\Temp\a356dfe3a5594640100a00c16eec53a256490e8f1cc4d8b57c0bceb70ad17c77.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\062204.exec:\062204.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\vpjvj.exec:\vpjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\lfxlffr.exec:\lfxlffr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\c260486.exec:\c260486.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\frfxxrr.exec:\frfxxrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:888 -
\??\c:\nhhbbt.exec:\nhhbbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\xxlfrlr.exec:\xxlfrlr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\2240886.exec:\2240886.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\20086.exec:\20086.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\662062.exec:\662062.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\fffrlfr.exec:\fffrlfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\lxlffff.exec:\lxlffff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\6406442.exec:\6406442.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\822004.exec:\822004.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\6620486.exec:\6620486.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\6620404.exec:\6620404.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\vjdpd.exec:\vjdpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\bhnnbt.exec:\bhnnbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\4600848.exec:\4600848.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\ffrxlff.exec:\ffrxlff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\444264.exec:\444264.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\64486.exec:\64486.exe23⤵
- Executes dropped EXE
PID:4872 -
\??\c:\5jvjv.exec:\5jvjv.exe24⤵
- Executes dropped EXE
PID:1608 -
\??\c:\6622266.exec:\6622266.exe25⤵
- Executes dropped EXE
PID:1660 -
\??\c:\a6864.exec:\a6864.exe26⤵
- Executes dropped EXE
PID:1588 -
\??\c:\0040802.exec:\0040802.exe27⤵
- Executes dropped EXE
PID:3708 -
\??\c:\lfrfrlf.exec:\lfrfrlf.exe28⤵
- Executes dropped EXE
PID:452 -
\??\c:\nhbnhb.exec:\nhbnhb.exe29⤵
- Executes dropped EXE
PID:4864 -
\??\c:\8288486.exec:\8288486.exe30⤵
- Executes dropped EXE
PID:4620 -
\??\c:\fxfrffx.exec:\fxfrffx.exe31⤵
- Executes dropped EXE
PID:3512 -
\??\c:\066482.exec:\066482.exe32⤵
- Executes dropped EXE
PID:2148 -
\??\c:\1xxlrlf.exec:\1xxlrlf.exe33⤵
- Executes dropped EXE
PID:5008 -
\??\c:\40660.exec:\40660.exe34⤵
- Executes dropped EXE
PID:4948 -
\??\c:\068648.exec:\068648.exe35⤵
- Executes dropped EXE
PID:2344 -
\??\c:\7xrlxrl.exec:\7xrlxrl.exe36⤵
- Executes dropped EXE
PID:2940 -
\??\c:\206004.exec:\206004.exe37⤵
- Executes dropped EXE
PID:1788 -
\??\c:\dpvjj.exec:\dpvjj.exe38⤵
- Executes dropped EXE
PID:2300 -
\??\c:\8226048.exec:\8226048.exe39⤵
- Executes dropped EXE
PID:396 -
\??\c:\flfrrlf.exec:\flfrrlf.exe40⤵
- Executes dropped EXE
PID:4200 -
\??\c:\204426.exec:\204426.exe41⤵
- Executes dropped EXE
PID:2504 -
\??\c:\ppjdp.exec:\ppjdp.exe42⤵
- Executes dropped EXE
PID:2084 -
\??\c:\844208.exec:\844208.exe43⤵
- Executes dropped EXE
PID:4540 -
\??\c:\dvvpd.exec:\dvvpd.exe44⤵
- Executes dropped EXE
PID:844 -
\??\c:\dpvjp.exec:\dpvjp.exe45⤵
- Executes dropped EXE
PID:3804 -
\??\c:\hnbtnh.exec:\hnbtnh.exe46⤵
- Executes dropped EXE
PID:2364 -
\??\c:\q26262.exec:\q26262.exe47⤵
- Executes dropped EXE
PID:4672 -
\??\c:\8048620.exec:\8048620.exe48⤵
- Executes dropped EXE
PID:4484 -
\??\c:\0882004.exec:\0882004.exe49⤵
- Executes dropped EXE
PID:548 -
\??\c:\0060264.exec:\0060264.exe50⤵
- Executes dropped EXE
PID:936 -
\??\c:\i004448.exec:\i004448.exe51⤵
- Executes dropped EXE
PID:3148 -
\??\c:\vdjdd.exec:\vdjdd.exe52⤵
- Executes dropped EXE
PID:4684 -
\??\c:\s8486.exec:\s8486.exe53⤵
- Executes dropped EXE
PID:3908 -
\??\c:\1bbthb.exec:\1bbthb.exe54⤵
- Executes dropped EXE
PID:4212 -
\??\c:\djjvj.exec:\djjvj.exe55⤵
- Executes dropped EXE
PID:1876 -
\??\c:\xllfrlx.exec:\xllfrlx.exe56⤵
- Executes dropped EXE
PID:3312 -
\??\c:\2022262.exec:\2022262.exe57⤵
- Executes dropped EXE
PID:3296 -
\??\c:\dvpdp.exec:\dvpdp.exe58⤵
- Executes dropped EXE
PID:2236 -
\??\c:\7xrlxrx.exec:\7xrlxrx.exe59⤵
- Executes dropped EXE
PID:3060 -
\??\c:\22880.exec:\22880.exe60⤵
- Executes dropped EXE
PID:3540 -
\??\c:\hbthtn.exec:\hbthtn.exe61⤵
- Executes dropped EXE
PID:380 -
\??\c:\5hhtnh.exec:\5hhtnh.exe62⤵
- Executes dropped EXE
PID:4348 -
\??\c:\440426.exec:\440426.exe63⤵
- Executes dropped EXE
PID:4232 -
\??\c:\vjdvp.exec:\vjdvp.exe64⤵
- Executes dropped EXE
PID:2532 -
\??\c:\i404480.exec:\i404480.exe65⤵
- Executes dropped EXE
PID:768 -
\??\c:\djpdv.exec:\djpdv.exe66⤵PID:1464
-
\??\c:\880822.exec:\880822.exe67⤵PID:4396
-
\??\c:\nbbntn.exec:\nbbntn.exe68⤵PID:5108
-
\??\c:\xxxflrr.exec:\xxxflrr.exe69⤵PID:1384
-
\??\c:\040044.exec:\040044.exe70⤵PID:2428
-
\??\c:\nhhbnh.exec:\nhhbnh.exe71⤵PID:1004
-
\??\c:\64288.exec:\64288.exe72⤵PID:5052
-
\??\c:\4060044.exec:\4060044.exe73⤵PID:3292
-
\??\c:\nbtbnh.exec:\nbtbnh.exe74⤵PID:4372
-
\??\c:\bhnhtt.exec:\bhnhtt.exe75⤵PID:1656
-
\??\c:\9tbtbn.exec:\9tbtbn.exe76⤵PID:3632
-
\??\c:\pjvvp.exec:\pjvvp.exe77⤵PID:2268
-
\??\c:\a2260.exec:\a2260.exe78⤵PID:4476
-
\??\c:\0048260.exec:\0048260.exe79⤵PID:2628
-
\??\c:\9rlfrrl.exec:\9rlfrrl.exe80⤵PID:4864
-
\??\c:\42604.exec:\42604.exe81⤵PID:4892
-
\??\c:\884822.exec:\884822.exe82⤵PID:4036
-
\??\c:\2048260.exec:\2048260.exe83⤵PID:4044
-
\??\c:\fxrxxxx.exec:\fxrxxxx.exe84⤵PID:4556
-
\??\c:\0282262.exec:\0282262.exe85⤵PID:3924
-
\??\c:\bhnhbt.exec:\bhnhbt.exe86⤵PID:4784
-
\??\c:\4224844.exec:\4224844.exe87⤵PID:2940
-
\??\c:\a0642.exec:\a0642.exe88⤵PID:1788
-
\??\c:\nhnnhh.exec:\nhnnhh.exe89⤵PID:2300
-
\??\c:\228604.exec:\228604.exe90⤵PID:396
-
\??\c:\7vpdd.exec:\7vpdd.exe91⤵PID:4536
-
\??\c:\266266.exec:\266266.exe92⤵PID:4968
-
\??\c:\022640.exec:\022640.exe93⤵PID:720
-
\??\c:\lfrflfl.exec:\lfrflfl.exe94⤵PID:3288
-
\??\c:\xflxlfx.exec:\xflxlfx.exe95⤵PID:404
-
\??\c:\hbnhtn.exec:\hbnhtn.exe96⤵PID:1676
-
\??\c:\lllxlxl.exec:\lllxlxl.exe97⤵PID:624
-
\??\c:\flxrllf.exec:\flxrllf.exe98⤵PID:4156
-
\??\c:\djpdv.exec:\djpdv.exe99⤵PID:1912
-
\??\c:\7bhhnn.exec:\7bhhnn.exe100⤵PID:4092
-
\??\c:\640488.exec:\640488.exe101⤵PID:548
-
\??\c:\2084264.exec:\2084264.exe102⤵PID:4692
-
\??\c:\rlrxfxf.exec:\rlrxfxf.exe103⤵PID:952
-
\??\c:\fffxxxr.exec:\fffxxxr.exe104⤵PID:468
-
\??\c:\0844006.exec:\0844006.exe105⤵PID:2116
-
\??\c:\hhbtnh.exec:\hhbtnh.exe106⤵PID:2380
-
\??\c:\hthbtn.exec:\hthbtn.exe107⤵PID:2516
-
\??\c:\62680.exec:\62680.exe108⤵PID:5084
-
\??\c:\pvpdj.exec:\pvpdj.exe109⤵PID:3248
-
\??\c:\ntnbnh.exec:\ntnbnh.exe110⤵PID:2032
-
\??\c:\g0600.exec:\g0600.exe111⤵PID:3124
-
\??\c:\e60268.exec:\e60268.exe112⤵PID:4336
-
\??\c:\46264.exec:\46264.exe113⤵PID:2476
-
\??\c:\q02000.exec:\q02000.exe114⤵PID:4972
-
\??\c:\5djvj.exec:\5djvj.exe115⤵PID:3996
-
\??\c:\bhnbnh.exec:\bhnbnh.exe116⤵PID:224
-
\??\c:\062660.exec:\062660.exe117⤵PID:5088
-
\??\c:\nbhhtn.exec:\nbhhtn.exe118⤵PID:4688
-
\??\c:\pvppd.exec:\pvppd.exe119⤵PID:4000
-
\??\c:\6426486.exec:\6426486.exe120⤵PID:2944
-
\??\c:\266066.exec:\266066.exe121⤵PID:388
-
\??\c:\k88648.exec:\k88648.exe122⤵PID:1516
-