Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad84bc453d209c7ed23cc14769b88b3190602f9ff6b87951ee6fee181de4bd7b.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ad84bc453d209c7ed23cc14769b88b3190602f9ff6b87951ee6fee181de4bd7b.exe
-
Size
454KB
-
MD5
192e94bf8caed39889841b95b7825e57
-
SHA1
2202e320316ff07d978cd91870fe53a2facd44ac
-
SHA256
ad84bc453d209c7ed23cc14769b88b3190602f9ff6b87951ee6fee181de4bd7b
-
SHA512
f91ce341c30bd5354dd7f8cd6efa520cea954ba9d0b7009c5dd2785c633d89858ee66b6f82a6b1a5462631b5f4784d49dd421c4cb52df0c74d0ef93f26bd2799
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3204-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4140-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2240-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-947-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-1161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-1339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-1349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 740 46260.exe 224 k22600.exe 1028 2804626.exe 2304 8888226.exe 3924 5ffxrrf.exe 4296 444006.exe 1676 7fxlfrl.exe 2196 djdjp.exe 1968 02660.exe 4372 264400.exe 4244 9tntbt.exe 4480 rlrlxxf.exe 3892 frrfxrl.exe 4864 084862.exe 4236 jjvjd.exe 4016 ttbtbt.exe 3432 m2204.exe 3960 9vvjp.exe 1468 fxlrflf.exe 5100 m8204.exe 2224 48868.exe 4856 pjpvj.exe 4776 htnhtn.exe 2724 rlflflx.exe 804 628048.exe 1916 48602.exe 4384 lrlfrlf.exe 2384 424226.exe 3356 thhbtt.exe 4436 ppvdp.exe 2288 pvddv.exe 4140 8404888.exe 2760 btbnhb.exe 2188 200426.exe 5020 488040.exe 3048 04682.exe 2184 806260.exe 4060 frlfffx.exe 2608 2626660.exe 4052 rfllfff.exe 4024 vjjjd.exe 3804 0682660.exe 1896 rlxrxrl.exe 2148 8282466.exe 2584 frfxfxx.exe 4208 rflfxfx.exe 3864 djppv.exe 2852 bttnbb.exe 4544 httnhh.exe 3940 nnbttb.exe 2876 24066.exe 1068 lxfrfrf.exe 1988 3jjvp.exe 1320 846664.exe 4716 44000.exe 4932 0626004.exe 1408 424882.exe 3920 hhbnbt.exe 2120 xxfxrrr.exe 4440 204860.exe 1392 88660.exe 3056 9vdpv.exe 1696 860208.exe 2400 bthnhb.exe -
resource yara_rule behavioral2/memory/3204-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-187-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2760-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-383-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/628-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-947-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-1161-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i626040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206082.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0626000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3204 wrote to memory of 740 3204 ad84bc453d209c7ed23cc14769b88b3190602f9ff6b87951ee6fee181de4bd7b.exe 83 PID 3204 wrote to memory of 740 3204 ad84bc453d209c7ed23cc14769b88b3190602f9ff6b87951ee6fee181de4bd7b.exe 83 PID 3204 wrote to memory of 740 3204 ad84bc453d209c7ed23cc14769b88b3190602f9ff6b87951ee6fee181de4bd7b.exe 83 PID 740 wrote to memory of 224 740 46260.exe 84 PID 740 wrote to memory of 224 740 46260.exe 84 PID 740 wrote to memory of 224 740 46260.exe 84 PID 224 wrote to memory of 1028 224 k22600.exe 85 PID 224 wrote to memory of 1028 224 k22600.exe 85 PID 224 wrote to memory of 1028 224 k22600.exe 85 PID 1028 wrote to memory of 2304 1028 2804626.exe 86 PID 1028 wrote to memory of 2304 1028 2804626.exe 86 PID 1028 wrote to memory of 2304 1028 2804626.exe 86 PID 2304 wrote to memory of 3924 2304 8888226.exe 87 PID 2304 wrote to memory of 3924 2304 8888226.exe 87 PID 2304 wrote to memory of 3924 2304 8888226.exe 87 PID 3924 wrote to memory of 4296 3924 5ffxrrf.exe 88 PID 3924 wrote to memory of 4296 3924 5ffxrrf.exe 88 PID 3924 wrote to memory of 4296 3924 5ffxrrf.exe 88 PID 4296 wrote to memory of 1676 4296 444006.exe 89 PID 4296 wrote to memory of 1676 4296 444006.exe 89 PID 4296 wrote to memory of 1676 4296 444006.exe 89 PID 1676 wrote to memory of 2196 1676 7fxlfrl.exe 90 PID 1676 wrote to memory of 2196 1676 7fxlfrl.exe 90 PID 1676 wrote to memory of 2196 1676 7fxlfrl.exe 90 PID 2196 wrote to memory of 1968 2196 djdjp.exe 91 PID 2196 wrote to memory of 1968 2196 djdjp.exe 91 PID 2196 wrote to memory of 1968 2196 djdjp.exe 91 PID 1968 wrote to memory of 4372 1968 02660.exe 92 PID 1968 wrote to memory of 4372 1968 02660.exe 92 PID 1968 wrote to memory of 4372 1968 02660.exe 92 PID 4372 wrote to memory of 4244 4372 264400.exe 93 PID 4372 wrote to memory of 4244 4372 264400.exe 93 PID 4372 wrote to memory of 4244 4372 264400.exe 93 PID 4244 wrote to memory of 4480 4244 9tntbt.exe 94 PID 4244 wrote to memory of 4480 
4244 9tntbt.exe 94 PID 4244 wrote to memory of 4480 4244 9tntbt.exe 94 PID 4480 wrote to memory of 3892 4480 rlrlxxf.exe 95 PID 4480 wrote to memory of 3892 4480 rlrlxxf.exe 95 PID 4480 wrote to memory of 3892 4480 rlrlxxf.exe 95 PID 3892 wrote to memory of 4864 3892 frrfxrl.exe 96 PID 3892 wrote to memory of 4864 3892 frrfxrl.exe 96 PID 3892 wrote to memory of 4864 3892 frrfxrl.exe 96 PID 4864 wrote to memory of 4236 4864 084862.exe 97 PID 4864 wrote to memory of 4236 4864 084862.exe 97 PID 4864 wrote to memory of 4236 4864 084862.exe 97 PID 4236 wrote to memory of 4016 4236 jjvjd.exe 98 PID 4236 wrote to memory of 4016 4236 jjvjd.exe 98 PID 4236 wrote to memory of 4016 4236 jjvjd.exe 98 PID 4016 wrote to memory of 3432 4016 ttbtbt.exe 99 PID 4016 wrote to memory of 3432 4016 ttbtbt.exe 99 PID 4016 wrote to memory of 3432 4016 ttbtbt.exe 99 PID 3432 wrote to memory of 3960 3432 m2204.exe 100 PID 3432 wrote to memory of 3960 3432 m2204.exe 100 PID 3432 wrote to memory of 3960 3432 m2204.exe 100 PID 3960 wrote to memory of 1468 3960 9vvjp.exe 101 PID 3960 wrote to memory of 1468 3960 9vvjp.exe 101 PID 3960 wrote to memory of 1468 3960 9vvjp.exe 101 PID 1468 wrote to memory of 5100 1468 fxlrflf.exe 102 PID 1468 wrote to memory of 5100 1468 fxlrflf.exe 102 PID 1468 wrote to memory of 5100 1468 fxlrflf.exe 102 PID 5100 wrote to memory of 2224 5100 m8204.exe 103 PID 5100 wrote to memory of 2224 5100 m8204.exe 103 PID 5100 wrote to memory of 2224 5100 m8204.exe 103 PID 2224 wrote to memory of 4856 2224 48868.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad84bc453d209c7ed23cc14769b88b3190602f9ff6b87951ee6fee181de4bd7b.exe"C:\Users\Admin\AppData\Local\Temp\ad84bc453d209c7ed23cc14769b88b3190602f9ff6b87951ee6fee181de4bd7b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\46260.exec:\46260.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\k22600.exec:\k22600.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\2804626.exec:\2804626.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\8888226.exec:\8888226.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\5ffxrrf.exec:\5ffxrrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\444006.exec:\444006.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\7fxlfrl.exec:\7fxlfrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\djdjp.exec:\djdjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\02660.exec:\02660.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\264400.exec:\264400.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\9tntbt.exec:\9tntbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\rlrlxxf.exec:\rlrlxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\frrfxrl.exec:\frrfxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\084862.exec:\084862.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\jjvjd.exec:\jjvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\ttbtbt.exec:\ttbtbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\m2204.exec:\m2204.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\9vvjp.exec:\9vvjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\fxlrflf.exec:\fxlrflf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\m8204.exec:\m8204.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\48868.exec:\48868.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\pjpvj.exec:\pjpvj.exe23⤵
- Executes dropped EXE
PID:4856 -
\??\c:\htnhtn.exec:\htnhtn.exe24⤵
- Executes dropped EXE
PID:4776 -
\??\c:\rlflflx.exec:\rlflflx.exe25⤵
- Executes dropped EXE
PID:2724 -
\??\c:\628048.exec:\628048.exe26⤵
- Executes dropped EXE
PID:804 -
\??\c:\48602.exec:\48602.exe27⤵
- Executes dropped EXE
PID:1916 -
\??\c:\lrlfrlf.exec:\lrlfrlf.exe28⤵
- Executes dropped EXE
PID:4384 -
\??\c:\424226.exec:\424226.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
\??\c:\thhbtt.exec:\thhbtt.exe30⤵
- Executes dropped EXE
PID:3356 -
\??\c:\ppvdp.exec:\ppvdp.exe31⤵
- Executes dropped EXE
PID:4436 -
\??\c:\pvddv.exec:\pvddv.exe32⤵
- Executes dropped EXE
PID:2288 -
\??\c:\8404888.exec:\8404888.exe33⤵
- Executes dropped EXE
PID:4140 -
\??\c:\btbnhb.exec:\btbnhb.exe34⤵
- Executes dropped EXE
PID:2760 -
\??\c:\200426.exec:\200426.exe35⤵
- Executes dropped EXE
PID:2188 -
\??\c:\488040.exec:\488040.exe36⤵
- Executes dropped EXE
PID:5020 -
\??\c:\04682.exec:\04682.exe37⤵
- Executes dropped EXE
PID:3048 -
\??\c:\806260.exec:\806260.exe38⤵
- Executes dropped EXE
PID:2184 -
\??\c:\frlfffx.exec:\frlfffx.exe39⤵
- Executes dropped EXE
PID:4060 -
\??\c:\2626660.exec:\2626660.exe40⤵
- Executes dropped EXE
PID:2608 -
\??\c:\rfllfff.exec:\rfllfff.exe41⤵
- Executes dropped EXE
PID:4052 -
\??\c:\vjjjd.exec:\vjjjd.exe42⤵
- Executes dropped EXE
PID:4024 -
\??\c:\0682660.exec:\0682660.exe43⤵
- Executes dropped EXE
PID:3804 -
\??\c:\rlxrxrl.exec:\rlxrxrl.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896 -
\??\c:\2082000.exec:\2082000.exe45⤵PID:4608
-
\??\c:\8282466.exec:\8282466.exe46⤵
- Executes dropped EXE
PID:2148 -
\??\c:\frfxfxx.exec:\frfxfxx.exe47⤵
- Executes dropped EXE
PID:2584 -
\??\c:\rflfxfx.exec:\rflfxfx.exe48⤵
- Executes dropped EXE
PID:4208 -
\??\c:\djppv.exec:\djppv.exe49⤵
- Executes dropped EXE
PID:3864 -
\??\c:\bttnbb.exec:\bttnbb.exe50⤵
- Executes dropped EXE
PID:2852 -
\??\c:\httnhh.exec:\httnhh.exe51⤵
- Executes dropped EXE
PID:4544 -
\??\c:\nnbttb.exec:\nnbttb.exe52⤵
- Executes dropped EXE
PID:3940 -
\??\c:\24066.exec:\24066.exe53⤵
- Executes dropped EXE
PID:2876 -
\??\c:\lxfrfrf.exec:\lxfrfrf.exe54⤵
- Executes dropped EXE
PID:1068 -
\??\c:\3jjvp.exec:\3jjvp.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
\??\c:\846664.exec:\846664.exe56⤵
- Executes dropped EXE
PID:1320 -
\??\c:\44000.exec:\44000.exe57⤵
- Executes dropped EXE
PID:4716 -
\??\c:\0626004.exec:\0626004.exe58⤵
- Executes dropped EXE
PID:4932 -
\??\c:\424882.exec:\424882.exe59⤵
- Executes dropped EXE
PID:1408 -
\??\c:\hhbnbt.exec:\hhbnbt.exe60⤵
- Executes dropped EXE
PID:3920 -
\??\c:\xxfxrrr.exec:\xxfxrrr.exe61⤵
- Executes dropped EXE
PID:2120 -
\??\c:\204860.exec:\204860.exe62⤵
- Executes dropped EXE
PID:4440 -
\??\c:\88660.exec:\88660.exe63⤵
- Executes dropped EXE
PID:1392 -
\??\c:\9vdpv.exec:\9vdpv.exe64⤵
- Executes dropped EXE
PID:3056 -
\??\c:\860208.exec:\860208.exe65⤵
- Executes dropped EXE
PID:1696 -
\??\c:\bthnhb.exec:\bthnhb.exe66⤵
- Executes dropped EXE
PID:2400 -
\??\c:\2622666.exec:\2622666.exe67⤵PID:5040
-
\??\c:\pppdp.exec:\pppdp.exe68⤵PID:2248
-
\??\c:\80260.exec:\80260.exe69⤵PID:3712
-
\??\c:\hthbhh.exec:\hthbhh.exe70⤵PID:1092
-
\??\c:\664804.exec:\664804.exe71⤵PID:3960
-
\??\c:\xlffrlx.exec:\xlffrlx.exe72⤵PID:3036
-
\??\c:\66420.exec:\66420.exe73⤵PID:1164
-
\??\c:\tnbthb.exec:\tnbthb.exe74⤵PID:3248
-
\??\c:\hnthhb.exec:\hnthhb.exe75⤵PID:4808
-
\??\c:\lrxrxxl.exec:\lrxrxxl.exe76⤵PID:2240
-
\??\c:\k62060.exec:\k62060.exe77⤵PID:2952
-
\??\c:\40860.exec:\40860.exe78⤵PID:1344
-
\??\c:\9xfrlxl.exec:\9xfrlxl.exe79⤵PID:4080
-
\??\c:\62826.exec:\62826.exe80⤵PID:388
-
\??\c:\htntbn.exec:\htntbn.exe81⤵PID:5044
-
\??\c:\08882.exec:\08882.exe82⤵PID:1640
-
\??\c:\1tnbhb.exec:\1tnbhb.exe83⤵PID:4400
-
\??\c:\dpvpv.exec:\dpvpv.exe84⤵PID:1992
-
\??\c:\7tnhbt.exec:\7tnhbt.exe85⤵PID:4036
-
\??\c:\bnhtnh.exec:\bnhtnh.exe86⤵PID:4600
-
\??\c:\084882.exec:\084882.exe87⤵PID:4620
-
\??\c:\lxrfrlf.exec:\lxrfrlf.exe88⤵PID:612
-
\??\c:\8842488.exec:\8842488.exe89⤵PID:3572
-
\??\c:\frxlffx.exec:\frxlffx.exe90⤵PID:5052
-
\??\c:\dpjvj.exec:\dpjvj.exe91⤵PID:4532
-
\??\c:\o408040.exec:\o408040.exe92⤵PID:628
-
\??\c:\8604260.exec:\8604260.exe93⤵PID:3224
-
\??\c:\0400826.exec:\0400826.exe94⤵PID:3668
-
\??\c:\frrfrlf.exec:\frrfrlf.exe95⤵PID:3396
-
\??\c:\jvpdd.exec:\jvpdd.exe96⤵PID:3828
-
\??\c:\xfllxrr.exec:\xfllxrr.exe97⤵PID:3132
-
\??\c:\dpdpp.exec:\dpdpp.exe98⤵PID:4316
-
\??\c:\tttnbt.exec:\tttnbt.exe99⤵PID:4428
-
\??\c:\hbbbtt.exec:\hbbbtt.exe100⤵PID:2212
-
\??\c:\006460.exec:\006460.exe101⤵PID:4056
-
\??\c:\22482.exec:\22482.exe102⤵PID:4516
-
\??\c:\bhbnbn.exec:\bhbnbn.exe103⤵
- System Location Discovery: System Language Discovery
PID:1028 -
\??\c:\pdjvp.exec:\pdjvp.exe104⤵PID:2716
-
\??\c:\026842.exec:\026842.exe105⤵PID:4296
-
\??\c:\8620046.exec:\8620046.exe106⤵PID:1560
-
\??\c:\6020200.exec:\6020200.exe107⤵PID:1676
-
\??\c:\lxfrfxl.exec:\lxfrfxl.exe108⤵
- System Location Discovery: System Language Discovery
PID:4240 -
\??\c:\1jvpd.exec:\1jvpd.exe109⤵PID:2196
-
\??\c:\htbbnt.exec:\htbbnt.exe110⤵PID:3244
-
\??\c:\lfrfxrl.exec:\lfrfxrl.exe111⤵PID:1408
-
\??\c:\lfxrfxr.exec:\lfxrfxr.exe112⤵PID:3896
-
\??\c:\5djvj.exec:\5djvj.exe113⤵PID:2992
-
\??\c:\lrxlflx.exec:\lrxlflx.exe114⤵PID:2424
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe115⤵PID:4480
-
\??\c:\i068260.exec:\i068260.exe116⤵PID:1696
-
\??\c:\lxfrxrx.exec:\lxfrxrx.exe117⤵PID:2260
-
\??\c:\btbnbt.exec:\btbnbt.exe118⤵PID:3080
-
\??\c:\lllfrlr.exec:\lllfrlr.exe119⤵PID:2248
-
\??\c:\40048.exec:\40048.exe120⤵
- System Location Discovery: System Language Discovery
PID:3436 -
\??\c:\0644422.exec:\0644422.exe121⤵PID:3960
-
\??\c:\42642.exec:\42642.exe122⤵PID:5100