Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:23
Behavioral task
behavioral1
Sample
bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6.exe
-
Size
333KB
-
MD5
fda14bc2c50db6ed23e5edaecdf0ead2
-
SHA1
630d01d7d0a408fa390f0a6402511a30b91b226a
-
SHA256
bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6
-
SHA512
6cc9a8173bf5877067259d2e5ef304e5535f641cb307f229ca57147a3f7f2a1d6edf7ad981809f7b4266960fb087c5522da3d3769c5aa161ad289d76e1f60371
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbe2:R4wFHoSHYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2428-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/764-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4492-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1696-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1512-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4104-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1004-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4124-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2620-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2724-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1176-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3000-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3888-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2156-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3672-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4172-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2612-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1848-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2584-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3940-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1292-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4640-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5040-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4216-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3200-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3888-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3032-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3508-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1300-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1732-355-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-370-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3896-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3784-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4948-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3508-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-520-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2908-621-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-717-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2616-728-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3308-863-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4720-962-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2428 9vpdj.exe 764 i620444.exe 2204 442602.exe 4492 llxrffr.exe 4536 2682028.exe 1696 6888222.exe 1512 rxxrlll.exe 4404 htbttn.exe 4104 00066.exe 1004 frxfflx.exe 4124 e86868.exe 4392 nhtbtt.exe 2620 60046.exe 5000 828228.exe 2724 nbbnbn.exe 3064 lxfrfrf.exe 1176 446420.exe 3012 dvpjv.exe 4360 266622.exe 4512 lrxrlrr.exe 4216 4466002.exe 1852 04600.exe 2408 000088.exe 3000 m6828.exe 3576 4264282.exe 4352 pjdvp.exe 2608 00660.exe 3668 4622688.exe 4580 vjjpd.exe 3888 5hnnbh.exe 3236 028200.exe 2156 2660000.exe 1184 rrlffrr.exe 2068 624480.exe 1856 9nhthb.exe 3032 668204.exe 812 82480.exe 1016 048604.exe 3416 pvdvp.exe 3672 lxfrlfr.exe 4172 9hhthb.exe 4704 20206.exe 4688 xfxrlfx.exe 2612 8282664.exe 1848 8682042.exe 3568 tbhthb.exe 1736 lfrrflx.exe 4764 xxrlllx.exe 4448 7tnbnn.exe 5020 nnnbtn.exe 2908 8264826.exe 3860 8426448.exe 2576 fxlfrlx.exe 3808 bbbthb.exe 776 28264.exe 2036 pjvpd.exe 2584 hnnbnh.exe 4492 280448.exe 3476 bbbtnn.exe 1096 pvjpp.exe 3940 s8880.exe 4584 202082.exe 4472 hhnbnh.exe 324 222648.exe -
resource yara_rule behavioral2/memory/4868-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b0f-3.dat upx behavioral2/memory/2428-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4868-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b5f-9.dat upx behavioral2/files/0x000a000000023b64-11.dat upx behavioral2/memory/764-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b65-18.dat upx behavioral2/memory/2204-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b66-23.dat upx behavioral2/memory/4492-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b67-28.dat upx behavioral2/files/0x000a000000023b68-32.dat upx behavioral2/memory/1696-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1512-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4404-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6a-43.dat upx behavioral2/files/0x000a000000023b6b-47.dat upx behavioral2/memory/4104-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6c-54.dat upx behavioral2/memory/4124-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1004-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b69-38.dat upx behavioral2/memory/4124-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b60-58.dat upx behavioral2/files/0x000a000000023b6d-63.dat upx behavioral2/files/0x000a000000023b6e-67.dat upx behavioral2/memory/2620-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6f-72.dat upx behavioral2/memory/2724-75-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/5000-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b71-79.dat upx behavioral2/memory/2724-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b72-83.dat upx behavioral2/memory/1176-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b73-88.dat upx behavioral2/files/0x000a000000023b74-93.dat upx behavioral2/files/0x000a000000023b75-96.dat upx behavioral2/memory/4512-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b76-101.dat upx behavioral2/files/0x000a000000023b77-105.dat upx behavioral2/files/0x000a000000023b78-109.dat upx behavioral2/files/0x000a000000023b79-114.dat upx behavioral2/memory/2408-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3000-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7a-119.dat upx behavioral2/files/0x000a000000023b7b-123.dat upx behavioral2/memory/3576-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2608-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7c-128.dat upx behavioral2/files/0x000a000000023b7d-133.dat upx behavioral2/memory/3668-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3668-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-139.dat upx behavioral2/files/0x000a000000023b7f-144.dat upx behavioral2/memory/4580-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3888-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b80-149.dat upx behavioral2/files/0x000a000000023b81-153.dat upx behavioral2/memory/2156-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2068-162-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3032-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3416-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3672-177-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 442602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2688484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4868 wrote to memory of 2428 4868 bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6.exe 83 PID 4868 wrote to memory of 2428 4868 bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6.exe 83 PID 4868 wrote to memory of 2428 4868 bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6.exe 83 PID 2428 wrote to memory of 764 2428 9vpdj.exe 84 PID 2428 wrote to memory of 764 2428 9vpdj.exe 84 PID 2428 wrote to memory of 764 2428 9vpdj.exe 84 PID 764 wrote to memory of 2204 764 i620444.exe 85 PID 764 wrote to memory of 2204 764 i620444.exe 85 PID 764 wrote to memory of 2204 764 i620444.exe 85 PID 2204 wrote to memory of 4492 2204 442602.exe 86 PID 2204 wrote to memory of 4492 2204 442602.exe 86 PID 2204 wrote to memory of 4492 2204 442602.exe 86 PID 4492 wrote to memory of 4536 4492 llxrffr.exe 87 PID 4492 wrote to memory of 4536 4492 llxrffr.exe 87 PID 4492 wrote to memory of 4536 4492 llxrffr.exe 87 PID 4536 wrote to memory of 1696 4536 2682028.exe 88 PID 4536 wrote to memory of 1696 4536 2682028.exe 88 PID 4536 wrote to memory of 1696 4536 2682028.exe 88 PID 1696 wrote to memory of 1512 1696 6888222.exe 89 PID 1696 wrote to memory of 1512 1696 6888222.exe 89 PID 1696 wrote to memory of 1512 1696 6888222.exe 89 PID 1512 wrote to memory of 4404 1512 rxxrlll.exe 90 PID 1512 wrote to memory of 4404 1512 rxxrlll.exe 90 PID 1512 wrote to memory of 4404 1512 rxxrlll.exe 90 PID 4404 wrote to memory of 4104 4404 htbttn.exe 91 PID 4404 wrote to memory of 4104 4404 htbttn.exe 91 PID 4404 wrote to memory of 4104 4404 htbttn.exe 91 PID 4104 wrote to memory of 1004 4104 00066.exe 92 PID 4104 wrote to memory of 1004 4104 00066.exe 92 PID 4104 wrote to memory of 1004 4104 00066.exe 92 PID 1004 wrote to memory of 4124 1004 frxfflx.exe 93 PID 1004 wrote to memory of 4124 1004 frxfflx.exe 93 PID 1004 wrote to memory of 4124 1004 frxfflx.exe 93 PID 4124 wrote to memory of 4392 4124 e86868.exe 94 PID 4124 wrote 
to memory of 4392 4124 e86868.exe 94 PID 4124 wrote to memory of 4392 4124 e86868.exe 94 PID 4392 wrote to memory of 2620 4392 nhtbtt.exe 95 PID 4392 wrote to memory of 2620 4392 nhtbtt.exe 95 PID 4392 wrote to memory of 2620 4392 nhtbtt.exe 95 PID 2620 wrote to memory of 5000 2620 60046.exe 96 PID 2620 wrote to memory of 5000 2620 60046.exe 96 PID 2620 wrote to memory of 5000 2620 60046.exe 96 PID 5000 wrote to memory of 2724 5000 828228.exe 97 PID 5000 wrote to memory of 2724 5000 828228.exe 97 PID 5000 wrote to memory of 2724 5000 828228.exe 97 PID 2724 wrote to memory of 3064 2724 nbbnbn.exe 98 PID 2724 wrote to memory of 3064 2724 nbbnbn.exe 98 PID 2724 wrote to memory of 3064 2724 nbbnbn.exe 98 PID 3064 wrote to memory of 1176 3064 lxfrfrf.exe 99 PID 3064 wrote to memory of 1176 3064 lxfrfrf.exe 99 PID 3064 wrote to memory of 1176 3064 lxfrfrf.exe 99 PID 1176 wrote to memory of 3012 1176 446420.exe 100 PID 1176 wrote to memory of 3012 1176 446420.exe 100 PID 1176 wrote to memory of 3012 1176 446420.exe 100 PID 3012 wrote to memory of 4360 3012 dvpjv.exe 101 PID 3012 wrote to memory of 4360 3012 dvpjv.exe 101 PID 3012 wrote to memory of 4360 3012 dvpjv.exe 101 PID 4360 wrote to memory of 4512 4360 266622.exe 102 PID 4360 wrote to memory of 4512 4360 266622.exe 102 PID 4360 wrote to memory of 4512 4360 266622.exe 102 PID 4512 wrote to memory of 4216 4512 lrxrlrr.exe 103 PID 4512 wrote to memory of 4216 4512 lrxrlrr.exe 103 PID 4512 wrote to memory of 4216 4512 lrxrlrr.exe 103 PID 4216 wrote to memory of 1852 4216 4466002.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6.exe"C:\Users\Admin\AppData\Local\Temp\bda28231edc44befa27475604d33cae54f850b5117928ff98b429c61c27bf6c6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\9vpdj.exec:\9vpdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\i620444.exec:\i620444.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\442602.exec:\442602.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\llxrffr.exec:\llxrffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\2682028.exec:\2682028.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\6888222.exec:\6888222.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\rxxrlll.exec:\rxxrlll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\htbttn.exec:\htbttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\00066.exec:\00066.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\frxfflx.exec:\frxfflx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\e86868.exec:\e86868.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\nhtbtt.exec:\nhtbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\60046.exec:\60046.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\828228.exec:\828228.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\nbbnbn.exec:\nbbnbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\lxfrfrf.exec:\lxfrfrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\446420.exec:\446420.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\dvpjv.exec:\dvpjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\266622.exec:\266622.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\lrxrlrr.exec:\lrxrlrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\4466002.exec:\4466002.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\04600.exec:\04600.exe23⤵
- Executes dropped EXE
PID:1852 -
\??\c:\000088.exec:\000088.exe24⤵
- Executes dropped EXE
PID:2408 -
\??\c:\m6828.exec:\m6828.exe25⤵
- Executes dropped EXE
PID:3000 -
\??\c:\4264282.exec:\4264282.exe26⤵
- Executes dropped EXE
PID:3576 -
\??\c:\pjdvp.exec:\pjdvp.exe27⤵
- Executes dropped EXE
PID:4352 -
\??\c:\00660.exec:\00660.exe28⤵
- Executes dropped EXE
PID:2608 -
\??\c:\4622688.exec:\4622688.exe29⤵
- Executes dropped EXE
PID:3668 -
\??\c:\vjjpd.exec:\vjjpd.exe30⤵
- Executes dropped EXE
PID:4580 -
\??\c:\5hnnbh.exec:\5hnnbh.exe31⤵
- Executes dropped EXE
PID:3888 -
\??\c:\028200.exec:\028200.exe32⤵
- Executes dropped EXE
PID:3236 -
\??\c:\2660000.exec:\2660000.exe33⤵
- Executes dropped EXE
PID:2156 -
\??\c:\rrlffrr.exec:\rrlffrr.exe34⤵
- Executes dropped EXE
PID:1184 -
\??\c:\624480.exec:\624480.exe35⤵
- Executes dropped EXE
PID:2068 -
\??\c:\9nhthb.exec:\9nhthb.exe36⤵
- Executes dropped EXE
PID:1856 -
\??\c:\668204.exec:\668204.exe37⤵
- Executes dropped EXE
PID:3032 -
\??\c:\82480.exec:\82480.exe38⤵
- Executes dropped EXE
PID:812 -
\??\c:\048604.exec:\048604.exe39⤵
- Executes dropped EXE
PID:1016 -
\??\c:\pvdvp.exec:\pvdvp.exe40⤵
- Executes dropped EXE
PID:3416 -
\??\c:\lxfrlfr.exec:\lxfrlfr.exe41⤵
- Executes dropped EXE
PID:3672 -
\??\c:\9hhthb.exec:\9hhthb.exe42⤵
- Executes dropped EXE
PID:4172 -
\??\c:\20206.exec:\20206.exe43⤵
- Executes dropped EXE
PID:4704 -
\??\c:\xfxrlfx.exec:\xfxrlfx.exe44⤵
- Executes dropped EXE
PID:4688 -
\??\c:\8282664.exec:\8282664.exe45⤵
- Executes dropped EXE
PID:2612 -
\??\c:\8682042.exec:\8682042.exe46⤵
- Executes dropped EXE
PID:1848 -
\??\c:\tbhthb.exec:\tbhthb.exe47⤵
- Executes dropped EXE
PID:3568 -
\??\c:\lfrrflx.exec:\lfrrflx.exe48⤵
- Executes dropped EXE
PID:1736 -
\??\c:\xxrlllx.exec:\xxrlllx.exe49⤵
- Executes dropped EXE
PID:4764 -
\??\c:\7tnbnn.exec:\7tnbnn.exe50⤵
- Executes dropped EXE
PID:4448 -
\??\c:\nnnbtn.exec:\nnnbtn.exe51⤵
- Executes dropped EXE
PID:5020 -
\??\c:\8264826.exec:\8264826.exe52⤵
- Executes dropped EXE
PID:2908 -
\??\c:\8426448.exec:\8426448.exe53⤵
- Executes dropped EXE
PID:3860 -
\??\c:\fxlfrlx.exec:\fxlfrlx.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2576 -
\??\c:\bbbthb.exec:\bbbthb.exe55⤵
- Executes dropped EXE
PID:3808 -
\??\c:\28264.exec:\28264.exe56⤵
- Executes dropped EXE
PID:776 -
\??\c:\pjvpd.exec:\pjvpd.exe57⤵
- Executes dropped EXE
PID:2036 -
\??\c:\hnnbnh.exec:\hnnbnh.exe58⤵
- Executes dropped EXE
PID:2584 -
\??\c:\280448.exec:\280448.exe59⤵
- Executes dropped EXE
PID:4492 -
\??\c:\bbbtnn.exec:\bbbtnn.exe60⤵
- Executes dropped EXE
PID:3476 -
\??\c:\pvjpp.exec:\pvjpp.exe61⤵
- Executes dropped EXE
PID:1096 -
\??\c:\s8880.exec:\s8880.exe62⤵
- Executes dropped EXE
PID:3940 -
\??\c:\202082.exec:\202082.exe63⤵
- Executes dropped EXE
PID:4584 -
\??\c:\hhnbnh.exec:\hhnbnh.exe64⤵
- Executes dropped EXE
PID:4472 -
\??\c:\222648.exec:\222648.exe65⤵
- Executes dropped EXE
PID:324 -
\??\c:\644800.exec:\644800.exe66⤵PID:1292
-
\??\c:\vdjvj.exec:\vdjvj.exe67⤵PID:2872
-
\??\c:\u426820.exec:\u426820.exe68⤵PID:3652
-
\??\c:\208860.exec:\208860.exe69⤵PID:3172
-
\??\c:\jdjvv.exec:\jdjvv.exe70⤵PID:4640
-
\??\c:\608880.exec:\608880.exe71⤵PID:1828
-
\??\c:\i804862.exec:\i804862.exe72⤵PID:1604
-
\??\c:\0444260.exec:\0444260.exe73⤵PID:3100
-
\??\c:\40082.exec:\40082.exe74⤵PID:2444
-
\??\c:\xffxrlf.exec:\xffxrlf.exe75⤵PID:2620
-
\??\c:\fffrfxl.exec:\fffrfxl.exe76⤵PID:4864
-
\??\c:\c408484.exec:\c408484.exe77⤵PID:4956
-
\??\c:\hnthtn.exec:\hnthtn.exe78⤵PID:1688
-
\??\c:\2408048.exec:\2408048.exe79⤵PID:4528
-
\??\c:\s8484.exec:\s8484.exe80⤵PID:4904
-
\??\c:\o220424.exec:\o220424.exe81⤵PID:1176
-
\??\c:\7ttttb.exec:\7ttttb.exe82⤵PID:1328
-
\??\c:\nbnhtb.exec:\nbnhtb.exe83⤵PID:1720
-
\??\c:\vpvjd.exec:\vpvjd.exe84⤵PID:4360
-
\??\c:\7ddpd.exec:\7ddpd.exe85⤵PID:5040
-
\??\c:\84620.exec:\84620.exe86⤵PID:4532
-
\??\c:\hbbtht.exec:\hbbtht.exe87⤵PID:4216
-
\??\c:\9btnbb.exec:\9btnbb.exe88⤵PID:1620
-
\??\c:\bttnbh.exec:\bttnbh.exe89⤵PID:3200
-
\??\c:\244802.exec:\244802.exe90⤵PID:1188
-
\??\c:\o460088.exec:\o460088.exe91⤵PID:3000
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe92⤵PID:1384
-
\??\c:\206260.exec:\206260.exe93⤵PID:3104
-
\??\c:\6882048.exec:\6882048.exe94⤵PID:1464
-
\??\c:\1xxrfxl.exec:\1xxrfxl.exe95⤵PID:1352
-
\??\c:\vdjvp.exec:\vdjvp.exe96⤵PID:4012
-
\??\c:\3llfrlf.exec:\3llfrlf.exe97⤵PID:4552
-
\??\c:\frfxlfx.exec:\frfxlfx.exe98⤵PID:404
-
\??\c:\xffxlxr.exec:\xffxlxr.exe99⤵PID:4072
-
\??\c:\28004.exec:\28004.exe100⤵PID:3888
-
\??\c:\7vddp.exec:\7vddp.exe101⤵PID:5060
-
\??\c:\6286448.exec:\6286448.exe102⤵PID:3236
-
\??\c:\xfxrlfr.exec:\xfxrlfr.exe103⤵PID:3716
-
\??\c:\w26204.exec:\w26204.exe104⤵PID:1184
-
\??\c:\4844226.exec:\4844226.exe105⤵PID:2812
-
\??\c:\pdvpj.exec:\pdvpj.exe106⤵PID:3032
-
\??\c:\hbhbtt.exec:\hbhbtt.exe107⤵PID:3508
-
\??\c:\nthbbt.exec:\nthbbt.exe108⤵PID:1244
-
\??\c:\bhhtnn.exec:\bhhtnn.exe109⤵PID:1212
-
\??\c:\a2820.exec:\a2820.exe110⤵PID:836
-
\??\c:\86486.exec:\86486.exe111⤵PID:2988
-
\??\c:\4882048.exec:\4882048.exe112⤵PID:1440
-
\??\c:\9xxxrrl.exec:\9xxxrrl.exe113⤵PID:2144
-
\??\c:\444860.exec:\444860.exe114⤵PID:3536
-
\??\c:\044208.exec:\044208.exe115⤵PID:1300
-
\??\c:\vjvvv.exec:\vjvvv.exe116⤵PID:3392
-
\??\c:\406482.exec:\406482.exe117⤵PID:1732
-
\??\c:\268660.exec:\268660.exe118⤵PID:892
-
\??\c:\84666.exec:\84666.exe119⤵PID:2028
-
\??\c:\bnnnhh.exec:\bnnnhh.exe120⤵PID:816
-
\??\c:\2624486.exec:\2624486.exe121⤵PID:4332
-
\??\c:\xllxlfr.exec:\xllxlfr.exe122⤵PID:3516