Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
08/01/2025, 07:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe
Resource
win7-20240903-en
7 signatures
150 seconds
Note: the signatures, YARA matches and process tree on this page are all tagged behavioral2 and come from the win10v2004-20241007-en run named under Platform/Resource above; the behavioral1 (win7-20240903-en) task listed here is a separate run whose results are not shown on this page.
General
-
Target
baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe
-
Size
456KB
-
MD5
e91f5d4d855864c328e99d8e25a85c01
-
SHA1
f8f47a89ac1f3f845aa816e944ddb2220f59b124
-
SHA256
baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1
-
SHA512
addb76e00ae6566614d920419fd703d8632508db6ec5740d3309def0a7d9ed94cdb71c8b95bed2832c74945c18aa641ddec4eb3c5380a62c45af91523ae9b550
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRo:q7Tc2NYHUrAwfMp3CDRo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs — every match below is a hit of YARA rule `family_blackmoon` on a process memory dump (not a static hit on the file on disk), and each hit covers the same image range 0x00400000-0x0042A000 in a different PID, which is consistent with each dropped stage being a copy of the same unpacked payload.
resource yara_rule behavioral2/memory/3332-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2568-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/416-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5100-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-872-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-1107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-1156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-1232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-1548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — each process listed is a dropped file written to the drive root (`\??\c:\`, see the process tree below) and launched by the preceding stage; only the first 64 are listed here, the process tree shows the chain continuing to depth 122. The unlabeled `yara_rule … upx` list that follows this entry is a separate packer-detection signature (rule `upx`) matching the same 0x00400000-0x0042A000 memory ranges, i.e. the stages are UPX-packed.
pid Process 4292 22226.exe 3152 48626.exe 2796 u848226.exe 2632 60260.exe 976 640660.exe 3644 82426.exe 1196 k24826.exe 3344 82484.exe 1524 tbnhbb.exe 1348 i426262.exe 3656 4660482.exe 4832 rrlrllf.exe 4708 860640.exe 3180 tbhhhh.exe 1920 826448.exe 3864 6244844.exe 8 0846660.exe 1992 8822666.exe 3928 vpvpp.exe 1544 24044.exe 2140 e64282.exe 2812 tttnnn.exe 2316 i804268.exe 1224 dvpjd.exe 412 bhnbtt.exe 3128 806000.exe 3552 000628.exe 2568 dvvdd.exe 60 nnbbbt.exe 416 022222.exe 4624 dpppp.exe 1388 3pjjd.exe 3480 nbbnhn.exe 3684 pdjdv.exe 1464 hnhhbb.exe 3444 0282226.exe 5012 48226.exe 4648 82666.exe 3164 226000.exe 736 jdjjd.exe 4412 nntnnn.exe 1156 jdjdv.exe 4588 04606.exe 1376 rxfxllf.exe 4024 fxlffff.exe 1276 8400444.exe 1648 llxffll.exe 4536 84648.exe 4892 04044.exe 460 06844.exe 380 lrxrxxx.exe 3172 ddpjj.exe 4032 jpjjj.exe 2056 8400400.exe 2120 jdddp.exe 4576 46442.exe 4340 rflxfxf.exe 4276 w02086.exe 3708 40604.exe 224 5pvjj.exe 4492 04448.exe 4928 lrfxlrf.exe 4448 086408.exe 744 rlfrllx.exe -
resource yara_rule behavioral2/memory/3332-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3128-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/416-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-398-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5100-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-789-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location. Practitioner note: this key read is commonly used as a locale kill switch, so behavior on a differently-localized host may differ from this en-us run. Entries attributed to "Process not Found" are most likely reads whose originating process had already exited before the event was attributed — consistent with the PID reuse visible in the process tree (e.g. PID 3656 appears at depth 12 and again at depth 67).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k46444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8400440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c428848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxffll.exe -
Suspicious use of WriteProcessMemory 64 IoCs — note that every entry below is a parent writing into the memory of its own direct child in the chain (three writes per child, matching the process tree), which is consistent with ordinary creation of the next stage rather than injection into an unrelated process; treat it as corroboration of the chain, not as an injection indicator on its own.
description pid Process procid_target PID 3332 wrote to memory of 4292 3332 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 83 PID 3332 wrote to memory of 4292 3332 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 83 PID 3332 wrote to memory of 4292 3332 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 83 PID 4292 wrote to memory of 3152 4292 22226.exe 84 PID 4292 wrote to memory of 3152 4292 22226.exe 84 PID 4292 wrote to memory of 3152 4292 22226.exe 84 PID 3152 wrote to memory of 2796 3152 48626.exe 85 PID 3152 wrote to memory of 2796 3152 48626.exe 85 PID 3152 wrote to memory of 2796 3152 48626.exe 85 PID 2796 wrote to memory of 2632 2796 u848226.exe 86 PID 2796 wrote to memory of 2632 2796 u848226.exe 86 PID 2796 wrote to memory of 2632 2796 u848226.exe 86 PID 2632 wrote to memory of 976 2632 60260.exe 87 PID 2632 wrote to memory of 976 2632 60260.exe 87 PID 2632 wrote to memory of 976 2632 60260.exe 87 PID 976 wrote to memory of 3644 976 640660.exe 88 PID 976 wrote to memory of 3644 976 640660.exe 88 PID 976 wrote to memory of 3644 976 640660.exe 88 PID 3644 wrote to memory of 1196 3644 82426.exe 89 PID 3644 wrote to memory of 1196 3644 82426.exe 89 PID 3644 wrote to memory of 1196 3644 82426.exe 89 PID 1196 wrote to memory of 3344 1196 k24826.exe 90 PID 1196 wrote to memory of 3344 1196 k24826.exe 90 PID 1196 wrote to memory of 3344 1196 k24826.exe 90 PID 3344 wrote to memory of 1524 3344 82484.exe 91 PID 3344 wrote to memory of 1524 3344 82484.exe 91 PID 3344 wrote to memory of 1524 3344 82484.exe 91 PID 1524 wrote to memory of 1348 1524 tbnhbb.exe 92 PID 1524 wrote to memory of 1348 1524 tbnhbb.exe 92 PID 1524 wrote to memory of 1348 1524 tbnhbb.exe 92 PID 1348 wrote to memory of 3656 1348 i426262.exe 93 PID 1348 wrote to memory of 3656 1348 i426262.exe 93 PID 1348 wrote to memory of 3656 1348 i426262.exe 93 PID 3656 wrote to memory of 4832 3656 4660482.exe 94 PID 3656 wrote to memory of 4832 
3656 4660482.exe 94 PID 3656 wrote to memory of 4832 3656 4660482.exe 94 PID 4832 wrote to memory of 4708 4832 rrlrllf.exe 95 PID 4832 wrote to memory of 4708 4832 rrlrllf.exe 95 PID 4832 wrote to memory of 4708 4832 rrlrllf.exe 95 PID 4708 wrote to memory of 3180 4708 860640.exe 96 PID 4708 wrote to memory of 3180 4708 860640.exe 96 PID 4708 wrote to memory of 3180 4708 860640.exe 96 PID 3180 wrote to memory of 1920 3180 tbhhhh.exe 97 PID 3180 wrote to memory of 1920 3180 tbhhhh.exe 97 PID 3180 wrote to memory of 1920 3180 tbhhhh.exe 97 PID 1920 wrote to memory of 3864 1920 826448.exe 98 PID 1920 wrote to memory of 3864 1920 826448.exe 98 PID 1920 wrote to memory of 3864 1920 826448.exe 98 PID 3864 wrote to memory of 8 3864 6244844.exe 99 PID 3864 wrote to memory of 8 3864 6244844.exe 99 PID 3864 wrote to memory of 8 3864 6244844.exe 99 PID 8 wrote to memory of 1992 8 0846660.exe 100 PID 8 wrote to memory of 1992 8 0846660.exe 100 PID 8 wrote to memory of 1992 8 0846660.exe 100 PID 1992 wrote to memory of 3928 1992 8822666.exe 101 PID 1992 wrote to memory of 3928 1992 8822666.exe 101 PID 1992 wrote to memory of 3928 1992 8822666.exe 101 PID 3928 wrote to memory of 1544 3928 vpvpp.exe 102 PID 3928 wrote to memory of 1544 3928 vpvpp.exe 102 PID 3928 wrote to memory of 1544 3928 vpvpp.exe 102 PID 1544 wrote to memory of 2140 1544 24044.exe 103 PID 1544 wrote to memory of 2140 1544 24044.exe 103 PID 1544 wrote to memory of 2140 1544 24044.exe 103 PID 2140 wrote to memory of 2812 2140 e64282.exe 104
Processes — each entry is the image path, then the command line, then the nesting depth in the tree (the `⤵` glyph marks the child that follows). The chain runs 122 levels deep, each stage launching the next from the root of C:\ with a short random-looking name. PIDs are reused along the chain (e.g. 3656 at depth 12 and 67, 1992 at 19 and 77, 4340 at 58 and 121, 4276 at 59 and 122), so a PID alone is not a stable key for correlating the IoC lists above; use PID together with depth or image name.
-
C:\Users\Admin\AppData\Local\Temp\baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe — command line: "C:\Users\Admin\AppData\Local\Temp\baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe" — depth 1 ⤵
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\22226.exec:\22226.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\48626.exec:\48626.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\u848226.exec:\u848226.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\60260.exec:\60260.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\640660.exec:\640660.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\82426.exec:\82426.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\k24826.exec:\k24826.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\82484.exec:\82484.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\tbnhbb.exec:\tbnhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\i426262.exec:\i426262.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\4660482.exec:\4660482.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\rrlrllf.exec:\rrlrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\860640.exec:\860640.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\tbhhhh.exec:\tbhhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\826448.exec:\826448.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\6244844.exec:\6244844.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\0846660.exec:\0846660.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\8822666.exec:\8822666.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\vpvpp.exec:\vpvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\24044.exec:\24044.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\e64282.exec:\e64282.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\tttnnn.exec:\tttnnn.exe23⤵
- Executes dropped EXE
PID:2812 -
\??\c:\i804268.exec:\i804268.exe24⤵
- Executes dropped EXE
PID:2316 -
\??\c:\dvpjd.exec:\dvpjd.exe25⤵
- Executes dropped EXE
PID:1224 -
\??\c:\bhnbtt.exec:\bhnbtt.exe26⤵
- Executes dropped EXE
PID:412 -
\??\c:\806000.exec:\806000.exe27⤵
- Executes dropped EXE
PID:3128 -
\??\c:\000628.exec:\000628.exe28⤵
- Executes dropped EXE
PID:3552 -
\??\c:\dvvdd.exec:\dvvdd.exe29⤵
- Executes dropped EXE
PID:2568 -
\??\c:\nnbbbt.exec:\nnbbbt.exe30⤵
- Executes dropped EXE
PID:60 -
\??\c:\022222.exec:\022222.exe31⤵
- Executes dropped EXE
PID:416 -
\??\c:\dpppp.exec:\dpppp.exe32⤵
- Executes dropped EXE
PID:4624 -
\??\c:\3pjjd.exec:\3pjjd.exe33⤵
- Executes dropped EXE
PID:1388 -
\??\c:\nbbnhn.exec:\nbbnhn.exe34⤵
- Executes dropped EXE
PID:3480 -
\??\c:\pdjdv.exec:\pdjdv.exe35⤵
- Executes dropped EXE
PID:3684 -
\??\c:\hnhhbb.exec:\hnhhbb.exe36⤵
- Executes dropped EXE
PID:1464 -
\??\c:\0282226.exec:\0282226.exe37⤵
- Executes dropped EXE
PID:3444 -
\??\c:\48226.exec:\48226.exe38⤵
- Executes dropped EXE
PID:5012 -
\??\c:\82666.exec:\82666.exe39⤵
- Executes dropped EXE
PID:4648 -
\??\c:\226000.exec:\226000.exe40⤵
- Executes dropped EXE
PID:3164 -
\??\c:\jdjjd.exec:\jdjjd.exe41⤵
- Executes dropped EXE
PID:736 -
\??\c:\nntnnn.exec:\nntnnn.exe42⤵
- Executes dropped EXE
PID:4412 -
\??\c:\jdjdv.exec:\jdjdv.exe43⤵
- Executes dropped EXE
PID:1156 -
\??\c:\04606.exec:\04606.exe44⤵
- Executes dropped EXE
PID:4588 -
\??\c:\rxfxllf.exec:\rxfxllf.exe45⤵
- Executes dropped EXE
PID:1376 -
\??\c:\fxlffff.exec:\fxlffff.exe46⤵
- Executes dropped EXE
PID:4024 -
\??\c:\8400444.exec:\8400444.exe47⤵
- Executes dropped EXE
PID:1276 -
\??\c:\llxffll.exec:\llxffll.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648 -
\??\c:\84648.exec:\84648.exe49⤵
- Executes dropped EXE
PID:4536 -
\??\c:\04044.exec:\04044.exe50⤵
- Executes dropped EXE
PID:4892 -
\??\c:\06844.exec:\06844.exe51⤵
- Executes dropped EXE
PID:460 -
\??\c:\lrxrxxx.exec:\lrxrxxx.exe52⤵
- Executes dropped EXE
PID:380 -
\??\c:\ddpjj.exec:\ddpjj.exe53⤵
- Executes dropped EXE
PID:3172 -
\??\c:\jpjjj.exec:\jpjjj.exe54⤵
- Executes dropped EXE
PID:4032 -
\??\c:\8400400.exec:\8400400.exe55⤵
- Executes dropped EXE
PID:2056 -
\??\c:\jdddp.exec:\jdddp.exe56⤵
- Executes dropped EXE
PID:2120 -
\??\c:\46442.exec:\46442.exe57⤵
- Executes dropped EXE
PID:4576 -
\??\c:\rflxfxf.exec:\rflxfxf.exe58⤵
- Executes dropped EXE
PID:4340 -
\??\c:\w02086.exec:\w02086.exe59⤵
- Executes dropped EXE
PID:4276 -
\??\c:\40604.exec:\40604.exe60⤵
- Executes dropped EXE
PID:3708 -
\??\c:\5pvjj.exec:\5pvjj.exe61⤵
- Executes dropped EXE
PID:224 -
\??\c:\04448.exec:\04448.exe62⤵
- Executes dropped EXE
PID:4492 -
\??\c:\lrfxlrf.exec:\lrfxlrf.exe63⤵
- Executes dropped EXE
PID:4928 -
\??\c:\086408.exec:\086408.exe64⤵
- Executes dropped EXE
PID:4448 -
\??\c:\rlfrllx.exec:\rlfrllx.exe65⤵
- Executes dropped EXE
PID:744 -
\??\c:\tnbtnt.exec:\tnbtnt.exe66⤵PID:2556
-
\??\c:\pjjdv.exec:\pjjdv.exe67⤵PID:3656
-
\??\c:\4804608.exec:\4804608.exe68⤵PID:4800
-
\??\c:\646082.exec:\646082.exe69⤵PID:2368
-
\??\c:\xfffrlf.exec:\xfffrlf.exe70⤵PID:5000
-
\??\c:\xxxlfxr.exec:\xxxlfxr.exe71⤵PID:2292
-
\??\c:\4248888.exec:\4248888.exe72⤵PID:3564
-
\??\c:\1tnhbb.exec:\1tnhbb.exe73⤵PID:2516
-
\??\c:\86266.exec:\86266.exe74⤵PID:404
-
\??\c:\04086.exec:\04086.exe75⤵PID:4100
-
\??\c:\btbtnn.exec:\btbtnn.exe76⤵PID:348
-
\??\c:\08402.exec:\08402.exe77⤵PID:1992
-
\??\c:\8222660.exec:\8222660.exe78⤵PID:4776
-
\??\c:\vvvvp.exec:\vvvvp.exe79⤵PID:1600
-
\??\c:\vvppj.exec:\vvppj.exe80⤵PID:2788
-
\??\c:\tnhbhh.exec:\tnhbhh.exe81⤵PID:440
-
\??\c:\046882.exec:\046882.exe82⤵PID:1048
-
\??\c:\60820.exec:\60820.exe83⤵PID:5112
-
\??\c:\rfxrffx.exec:\rfxrffx.exe84⤵PID:1560
-
\??\c:\6282266.exec:\6282266.exe85⤵PID:2676
-
\??\c:\lrlxrxf.exec:\lrlxrxf.exe86⤵PID:4780
-
\??\c:\28000.exec:\28000.exe87⤵PID:4116
-
\??\c:\hthbtt.exec:\hthbtt.exe88⤵PID:896
-
\??\c:\xlfrrxl.exec:\xlfrrxl.exe89⤵PID:4876
-
\??\c:\8640662.exec:\8640662.exe90⤵PID:1724
-
\??\c:\xxrrlrl.exec:\xxrrlrl.exe91⤵PID:4484
-
\??\c:\4444440.exec:\4444440.exe92⤵PID:1628
-
\??\c:\008288.exec:\008288.exe93⤵PID:2432
-
\??\c:\nnbtnt.exec:\nnbtnt.exe94⤵PID:3108
-
\??\c:\a0604.exec:\a0604.exe95⤵PID:3932
-
\??\c:\9nttnb.exec:\9nttnb.exe96⤵PID:1056
-
\??\c:\228226.exec:\228226.exe97⤵
- System Location Discovery: System Language Discovery
PID:5016 -
\??\c:\6860226.exec:\6860226.exe98⤵PID:5100
-
\??\c:\hnhnnt.exec:\hnhnnt.exe99⤵PID:4976
-
\??\c:\vpdpp.exec:\vpdpp.exe100⤵PID:1808
-
\??\c:\m2046.exec:\m2046.exe101⤵PID:4088
-
\??\c:\jjpjp.exec:\jjpjp.exe102⤵PID:3496
-
\??\c:\0408226.exec:\0408226.exe103⤵PID:3164
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe104⤵PID:3696
-
\??\c:\606048.exec:\606048.exe105⤵PID:3588
-
\??\c:\rrxlffl.exec:\rrxlffl.exe106⤵PID:816
-
\??\c:\26824.exec:\26824.exe107⤵PID:3812
-
\??\c:\04648.exec:\04648.exe108⤵PID:1376
-
\??\c:\hhhbnn.exec:\hhhbnn.exe109⤵PID:4024
-
\??\c:\jdvpp.exec:\jdvpp.exe110⤵PID:2476
-
\??\c:\w02604.exec:\w02604.exe111⤵PID:4672
-
\??\c:\048264.exec:\048264.exe112⤵PID:4536
-
\??\c:\4426440.exec:\4426440.exe113⤵PID:2612
-
\??\c:\m0200.exec:\m0200.exe114⤵PID:2908
-
\??\c:\lffxrrl.exec:\lffxrrl.exe115⤵PID:1780
-
\??\c:\fxxxffx.exec:\fxxxffx.exe116⤵PID:2444
-
\??\c:\8288882.exec:\8288882.exe117⤵PID:3032
-
\??\c:\6622064.exec:\6622064.exe118⤵PID:1336
-
\??\c:\666228.exec:\666228.exe119⤵PID:2120
-
\??\c:\48888.exec:\48888.exe120⤵PID:1552
-
\??\c:\pdvpp.exec:\pdvpp.exe121⤵PID:4340
-
\??\c:\48400.exec:\48400.exe122⤵PID:4276