Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
58ac7f9e3f872889c0c3e8b3500b5cd38e289ee4e10b450454548fc90bc05b61.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
58ac7f9e3f872889c0c3e8b3500b5cd38e289ee4e10b450454548fc90bc05b61.exe
-
Size
455KB
-
MD5
55046182ee9cc44c8d95de89c37ecc42
-
SHA1
a65d3c6075d43808d74027812a3a9574d7be4e04
-
SHA256
58ac7f9e3f872889c0c3e8b3500b5cd38e289ee4e10b450454548fc90bc05b61
-
SHA512
c4323504809397003d10817e02d51ac5bdc7291580a824dc03cc82e6efc6070ed650d4cc64fc6b924bf0d465c88cca1b49494102e59fd51d5eba6f4015772923
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1212-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2868-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1968-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-742-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-871-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-1037-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-1236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1524-1264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 532 7ffxrrr.exe 4932 g6204.exe 1624 0846668.exe 1240 08046.exe 1248 s2004.exe 3780 dpjdd.exe 3544 dvjpj.exe 4836 bbhhhb.exe 4088 tttntt.exe 216 lffxxrr.exe 3676 hnbttb.exe 4896 xrrfxfx.exe 1328 00604.exe 4196 4046004.exe 376 628266.exe 4760 44844.exe 4696 886006.exe 1828 06426.exe 3124 06266.exe 552 e06200.exe 3680 4266000.exe 4296 066660.exe 4208 k44044.exe 2292 jdpjd.exe 1996 o026004.exe 4080 vdjjd.exe 1132 vvvpj.exe 2868 0288882.exe 2552 bnbttt.exe 3136 hntnhh.exe 3060 268800.exe 3784 80282.exe 4668 604604.exe 4284 4242226.exe 2340 44466.exe 2720 2060666.exe 1136 022660.exe 1516 6400606.exe 1816 42006.exe 3952 ppddv.exe 1744 22264.exe 1628 ttbnbt.exe 3756 hthbhb.exe 4568 862426.exe 4464 dppjv.exe 960 pvvpj.exe 444 8686228.exe 4428 88486.exe 4356 w06866.exe 4908 bnnhtt.exe 4548 g8420.exe 4772 bhtnhn.exe 1820 lrrlxrl.exe 5052 pdjvj.exe 3600 bnhhhb.exe 3248 404048.exe 3856 2004264.exe 3696 frrlfxr.exe 2708 228608.exe 3780 0408260.exe 2816 u688226.exe 4412 fffxrrr.exe 1404 8288000.exe 4900 lxrxfxx.exe -
resource yara_rule behavioral2/memory/1212-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2868-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-349-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1912-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-788-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8208482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4046004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
dppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6882644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1212 wrote to memory of 532 1212 58ac7f9e3f872889c0c3e8b3500b5cd38e289ee4e10b450454548fc90bc05b61.exe 83 PID 1212 wrote to memory of 532 1212 58ac7f9e3f872889c0c3e8b3500b5cd38e289ee4e10b450454548fc90bc05b61.exe 83 PID 1212 wrote to memory of 532 1212 58ac7f9e3f872889c0c3e8b3500b5cd38e289ee4e10b450454548fc90bc05b61.exe 83 PID 532 wrote to memory of 4932 532 7ffxrrr.exe 84 PID 532 wrote to memory of 4932 532 7ffxrrr.exe 84 PID 532 wrote to memory of 4932 532 7ffxrrr.exe 84 PID 4932 wrote to memory of 1624 4932 g6204.exe 85 PID 4932 wrote to memory of 1624 4932 g6204.exe 85 PID 4932 wrote to memory of 1624 4932 g6204.exe 85 PID 1624 wrote to memory of 1240 1624 0846668.exe 86 PID 1624 wrote to memory of 1240 1624 0846668.exe 86 PID 1624 wrote to memory of 1240 1624 0846668.exe 86 PID 1240 wrote to memory of 1248 1240 08046.exe 87 PID 1240 wrote to memory of 1248 1240 08046.exe 87 PID 1240 wrote to memory of 1248 1240 08046.exe 87 PID 1248 wrote to memory of 3780 1248 s2004.exe 88 PID 1248 wrote to memory of 3780 1248 s2004.exe 88 PID 1248 wrote to memory of 3780 1248 s2004.exe 88 PID 3780 wrote to memory of 3544 3780 dpjdd.exe 89 PID 3780 wrote to memory of 3544 3780 dpjdd.exe 89 PID 3780 wrote to memory of 3544 3780 dpjdd.exe 89 PID 3544 wrote to memory of 4836 3544 dvjpj.exe 90 PID 3544 wrote to memory of 4836 3544 dvjpj.exe 90 PID 3544 wrote to memory of 4836 3544 dvjpj.exe 90 PID 4836 wrote to memory of 4088 4836 bbhhhb.exe 91 PID 4836 wrote to memory of 4088 4836 bbhhhb.exe 91 PID 4836 wrote to memory of 4088 4836 bbhhhb.exe 91 PID 4088 wrote to memory of 216 4088 tttntt.exe 92 PID 4088 wrote to memory of 216 4088 tttntt.exe 92 PID 4088 wrote to memory of 216 4088 tttntt.exe 92 PID 216 wrote to memory of 3676 216 lffxxrr.exe 93 PID 216 wrote to memory of 3676 216 lffxxrr.exe 93 PID 216 wrote to memory of 3676 216 lffxxrr.exe 93 PID 3676 wrote to memory of 4896 3676 hnbttb.exe 94 PID 3676 wrote to memory of 4896 3676 
hnbttb.exe 94 PID 3676 wrote to memory of 4896 3676 hnbttb.exe 94 PID 4896 wrote to memory of 1328 4896 xrrfxfx.exe 95 PID 4896 wrote to memory of 1328 4896 xrrfxfx.exe 95 PID 4896 wrote to memory of 1328 4896 xrrfxfx.exe 95 PID 1328 wrote to memory of 4196 1328 00604.exe 96 PID 1328 wrote to memory of 4196 1328 00604.exe 96 PID 1328 wrote to memory of 4196 1328 00604.exe 96 PID 4196 wrote to memory of 376 4196 4046004.exe 97 PID 4196 wrote to memory of 376 4196 4046004.exe 97 PID 4196 wrote to memory of 376 4196 4046004.exe 97 PID 376 wrote to memory of 4760 376 628266.exe 98 PID 376 wrote to memory of 4760 376 628266.exe 98 PID 376 wrote to memory of 4760 376 628266.exe 98 PID 4760 wrote to memory of 4696 4760 44844.exe 99 PID 4760 wrote to memory of 4696 4760 44844.exe 99 PID 4760 wrote to memory of 4696 4760 44844.exe 99 PID 4696 wrote to memory of 1828 4696 886006.exe 100 PID 4696 wrote to memory of 1828 4696 886006.exe 100 PID 4696 wrote to memory of 1828 4696 886006.exe 100 PID 1828 wrote to memory of 3124 1828 06426.exe 101 PID 1828 wrote to memory of 3124 1828 06426.exe 101 PID 1828 wrote to memory of 3124 1828 06426.exe 101 PID 3124 wrote to memory of 552 3124 06266.exe 102 PID 3124 wrote to memory of 552 3124 06266.exe 102 PID 3124 wrote to memory of 552 3124 06266.exe 102 PID 552 wrote to memory of 3680 552 e06200.exe 103 PID 552 wrote to memory of 3680 552 e06200.exe 103 PID 552 wrote to memory of 3680 552 e06200.exe 103 PID 3680 wrote to memory of 4296 3680 4266000.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\58ac7f9e3f872889c0c3e8b3500b5cd38e289ee4e10b450454548fc90bc05b61.exe"C:\Users\Admin\AppData\Local\Temp\58ac7f9e3f872889c0c3e8b3500b5cd38e289ee4e10b450454548fc90bc05b61.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\7ffxrrr.exec:\7ffxrrr.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\g6204.exec:\g6204.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\0846668.exec:\0846668.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\08046.exec:\08046.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\s2004.exec:\s2004.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\dpjdd.exec:\dpjdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\dvjpj.exec:\dvjpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\bbhhhb.exec:\bbhhhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\tttntt.exec:\tttntt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\lffxxrr.exec:\lffxxrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\hnbttb.exec:\hnbttb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\xrrfxfx.exec:\xrrfxfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\00604.exec:\00604.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\4046004.exec:\4046004.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\628266.exec:\628266.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\44844.exec:\44844.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\886006.exec:\886006.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\06426.exec:\06426.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\06266.exec:\06266.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\e06200.exec:\e06200.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\4266000.exec:\4266000.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\066660.exec:\066660.exe23⤵
- Executes dropped EXE
PID:4296 -
\??\c:\k44044.exec:\k44044.exe24⤵
- Executes dropped EXE
PID:4208 -
\??\c:\jdpjd.exec:\jdpjd.exe25⤵
- Executes dropped EXE
PID:2292 -
\??\c:\o026004.exec:\o026004.exe26⤵
- Executes dropped EXE
PID:1996 -
\??\c:\vdjjd.exec:\vdjjd.exe27⤵
- Executes dropped EXE
PID:4080 -
\??\c:\vvvpj.exec:\vvvpj.exe28⤵
- Executes dropped EXE
PID:1132 -
\??\c:\0288882.exec:\0288882.exe29⤵
- Executes dropped EXE
PID:2868 -
\??\c:\bnbttt.exec:\bnbttt.exe30⤵
- Executes dropped EXE
PID:2552 -
\??\c:\hntnhh.exec:\hntnhh.exe31⤵
- Executes dropped EXE
PID:3136 -
\??\c:\268800.exec:\268800.exe32⤵
- Executes dropped EXE
PID:3060 -
\??\c:\80282.exec:\80282.exe33⤵
- Executes dropped EXE
PID:3784 -
\??\c:\604604.exec:\604604.exe34⤵
- Executes dropped EXE
PID:4668 -
\??\c:\4242226.exec:\4242226.exe35⤵
- Executes dropped EXE
PID:4284 -
\??\c:\44466.exec:\44466.exe36⤵
- Executes dropped EXE
PID:2340 -
\??\c:\2060666.exec:\2060666.exe37⤵
- Executes dropped EXE
PID:2720 -
\??\c:\022660.exec:\022660.exe38⤵
- Executes dropped EXE
PID:1136 -
\??\c:\6400606.exec:\6400606.exe39⤵
- Executes dropped EXE
PID:1516 -
\??\c:\42006.exec:\42006.exe40⤵
- Executes dropped EXE
PID:1816 -
\??\c:\ppddv.exec:\ppddv.exe41⤵
- Executes dropped EXE
PID:3952 -
\??\c:\22264.exec:\22264.exe42⤵
- Executes dropped EXE
PID:1744 -
\??\c:\ttbnbt.exec:\ttbnbt.exe43⤵
- Executes dropped EXE
PID:1628 -
\??\c:\hthbhb.exec:\hthbhb.exe44⤵
- Executes dropped EXE
PID:3756 -
\??\c:\862426.exec:\862426.exe45⤵
- Executes dropped EXE
PID:4568 -
\??\c:\dppjv.exec:\dppjv.exe46⤵
- Executes dropped EXE
PID:4464 -
\??\c:\pvvpj.exec:\pvvpj.exe47⤵
- Executes dropped EXE
PID:960 -
\??\c:\8686228.exec:\8686228.exe48⤵
- Executes dropped EXE
PID:444 -
\??\c:\88486.exec:\88486.exe49⤵
- Executes dropped EXE
PID:4428 -
\??\c:\w06866.exec:\w06866.exe50⤵
- Executes dropped EXE
PID:4356 -
\??\c:\bnnhtt.exec:\bnnhtt.exe51⤵
- Executes dropped EXE
PID:4908 -
\??\c:\g8420.exec:\g8420.exe52⤵
- Executes dropped EXE
PID:4548 -
\??\c:\bhtnhn.exec:\bhtnhn.exe53⤵
- Executes dropped EXE
PID:4772 -
\??\c:\lrrlxrl.exec:\lrrlxrl.exe54⤵
- Executes dropped EXE
PID:1820 -
\??\c:\pdjvj.exec:\pdjvj.exe55⤵
- Executes dropped EXE
PID:5052 -
\??\c:\bnhhhb.exec:\bnhhhb.exe56⤵
- Executes dropped EXE
PID:3600 -
\??\c:\404048.exec:\404048.exe57⤵
- Executes dropped EXE
PID:3248 -
\??\c:\2004264.exec:\2004264.exe58⤵
- Executes dropped EXE
PID:3856 -
\??\c:\frrlfxr.exec:\frrlfxr.exe59⤵
- Executes dropped EXE
PID:3696 -
\??\c:\228608.exec:\228608.exe60⤵
- Executes dropped EXE
PID:2708 -
\??\c:\0408260.exec:\0408260.exe61⤵
- Executes dropped EXE
PID:3780 -
\??\c:\u688226.exec:\u688226.exe62⤵
- Executes dropped EXE
PID:2816 -
\??\c:\fffxrrr.exec:\fffxrrr.exe63⤵
- Executes dropped EXE
PID:4412 -
\??\c:\8288000.exec:\8288000.exe64⤵
- Executes dropped EXE
PID:1404 -
\??\c:\lxrxfxx.exec:\lxrxfxx.exe65⤵
- Executes dropped EXE
PID:4900 -
\??\c:\00222.exec:\00222.exe66⤵PID:1468
-
\??\c:\pjpdp.exec:\pjpdp.exe67⤵PID:1672
-
\??\c:\k44446.exec:\k44446.exe68⤵PID:756
-
\??\c:\644660.exec:\644660.exe69⤵PID:1736
-
\??\c:\vjpvv.exec:\vjpvv.exe70⤵PID:4864
-
\??\c:\1rrfrlf.exec:\1rrfrlf.exe71⤵PID:1540
-
\??\c:\jdjjv.exec:\jdjjv.exe72⤵PID:4580
-
\??\c:\thtnhn.exec:\thtnhn.exe73⤵PID:5024
-
\??\c:\jvvpd.exec:\jvvpd.exe74⤵PID:432
-
\??\c:\bhnbnh.exec:\bhnbnh.exe75⤵PID:4920
-
\??\c:\xrxlrxr.exec:\xrxlrxr.exe76⤵PID:1968
-
\??\c:\6220268.exec:\6220268.exe77⤵PID:4032
-
\??\c:\5vvvj.exec:\5vvvj.exe78⤵PID:2880
-
\??\c:\3frlrxr.exec:\3frlrxr.exe79⤵PID:2608
-
\??\c:\pdvvj.exec:\pdvvj.exe80⤵PID:2164
-
\??\c:\8468608.exec:\8468608.exe81⤵PID:396
-
\??\c:\e44480.exec:\e44480.exe82⤵PID:2504
-
\??\c:\thhtbt.exec:\thhtbt.exe83⤵PID:1912
-
\??\c:\0060264.exec:\0060264.exe84⤵PID:4208
-
\??\c:\pdddv.exec:\pdddv.exe85⤵PID:2400
-
\??\c:\7jjdp.exec:\7jjdp.exe86⤵PID:1512
-
\??\c:\flfffrf.exec:\flfffrf.exe87⤵PID:3344
-
\??\c:\lxlxfxx.exec:\lxlxfxx.exe88⤵PID:4604
-
\??\c:\thbnht.exec:\thbnht.exe89⤵PID:3924
-
\??\c:\486486.exec:\486486.exe90⤵PID:2440
-
\??\c:\djjvd.exec:\djjvd.exe91⤵PID:2412
-
\??\c:\0408602.exec:\0408602.exe92⤵PID:2604
-
\??\c:\nbnttn.exec:\nbnttn.exe93⤵PID:2556
-
\??\c:\8226004.exec:\8226004.exe94⤵PID:4764
-
\??\c:\042640.exec:\042640.exe95⤵PID:1440
-
\??\c:\rfrflxr.exec:\rfrflxr.exe96⤵PID:4260
-
\??\c:\nhnbbt.exec:\nhnbbt.exe97⤵PID:4668
-
\??\c:\8286442.exec:\8286442.exe98⤵PID:2856
-
\??\c:\u068608.exec:\u068608.exe99⤵PID:3724
-
\??\c:\pjddv.exec:\pjddv.exe100⤵PID:2428
-
\??\c:\ppvpv.exec:\ppvpv.exe101⤵PID:1136
-
\??\c:\rffrlfx.exec:\rffrlfx.exe102⤵PID:1516
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe103⤵PID:1816
-
\??\c:\2868400.exec:\2868400.exe104⤵PID:1280
-
\??\c:\pddvv.exec:\pddvv.exe105⤵PID:4800
-
\??\c:\k84640.exec:\k84640.exe106⤵PID:3216
-
\??\c:\1lxlfff.exec:\1lxlfff.exe107⤵PID:1680
-
\??\c:\vdpdd.exec:\vdpdd.exe108⤵PID:4988
-
\??\c:\22848.exec:\22848.exe109⤵PID:4396
-
\??\c:\9lflxlf.exec:\9lflxlf.exe110⤵PID:5056
-
\??\c:\o448226.exec:\o448226.exe111⤵PID:2920
-
\??\c:\80664.exec:\80664.exe112⤵PID:4348
-
\??\c:\nhtbhn.exec:\nhtbhn.exe113⤵PID:1780
-
\??\c:\e00826.exec:\e00826.exe114⤵PID:1212
-
\??\c:\jvdvp.exec:\jvdvp.exe115⤵PID:900
-
\??\c:\xfrlxxx.exec:\xfrlxxx.exe116⤵PID:828
-
\??\c:\vvjjj.exec:\vvjjj.exe117⤵PID:5072
-
\??\c:\5xrfrlx.exec:\5xrfrlx.exe118⤵PID:3988
-
\??\c:\dppdv.exec:\dppdv.exe119⤵
- System Location Discovery: System Language Discovery
PID:5044 -
\??\c:\frflxrl.exec:\frflxrl.exe120⤵PID:4424
-
\??\c:\vddvj.exec:\vddvj.exe121⤵PID:868
-
\??\c:\62264.exec:\62264.exe122⤵PID:3856
-