Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ae592a168b5ea08cebf3bb5a17eaaa89369eb300fa4a849a7efb8f7e65a03678.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ae592a168b5ea08cebf3bb5a17eaaa89369eb300fa4a849a7efb8f7e65a03678.exe
-
Size
454KB
-
MD5
34cd1863be9d6312e65dea806126112d
-
SHA1
8442565f46a1e04be775c81bf36f94e252322619
-
SHA256
ae592a168b5ea08cebf3bb5a17eaaa89369eb300fa4a849a7efb8f7e65a03678
-
SHA512
7e06db0c05569305711c9826bb91eb4fdbe4179b0c5f7261204d77fdf24a430d92d617119d6113060f9ec89f0d8aaf9e3548f72dd4540db6111ca9f1c6ee945a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4944-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4496-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4448-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-875-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-945-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-1721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1764 0468642.exe 5044 xflfxxr.exe 4720 m4204.exe 4716 fxfrxfl.exe 1416 2200444.exe 4180 lxfrlxf.exe 2224 48048.exe 4068 8660480.exe 4896 46800.exe 1496 84048.exe 2756 42086.exe 408 20448.exe 4272 8626008.exe 5032 7htnnn.exe 5016 bbhbtt.exe 1812 5jpjj.exe 3936 828268.exe 4872 6468002.exe 5080 rlflrxf.exe 4864 5vvpv.exe 2444 thbthb.exe 2320 624400.exe 916 7vpvv.exe 3908 3jpjj.exe 2160 284882.exe 976 tthbth.exe 4460 06266.exe 644 c826026.exe 4984 dvppj.exe 4528 8404444.exe 4140 268002.exe 3396 dvjjd.exe 5092 7llrfff.exe 1620 nnbbtt.exe 4844 4460004.exe 1412 86262.exe 4856 xrrfrfx.exe 3256 40884.exe 392 820868.exe 1528 084428.exe 1380 6288400.exe 2752 xlfxrxf.exe 452 ddpvj.exe 4676 040484.exe 440 ntnbbb.exe 4696 64262.exe 4424 xlrlrrr.exe 4356 ffxxrrr.exe 4496 208484.exe 3096 2082884.exe 4820 488280.exe 1124 nbnhbh.exe 1616 3llflrx.exe 4764 800022.exe 1776 4626662.exe 632 286466.exe 3068 6460460.exe 4204 vppjj.exe 464 o466442.exe 3024 lxxxrxx.exe 4304 840460.exe 428 o448248.exe 2976 nnbbbb.exe 3204 8244442.exe -
resource yara_rule behavioral2/memory/4944-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-239-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4424-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-387-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3492-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-852-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4006044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6844882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8444888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6460460.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0622604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o408604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4944 wrote to memory of 1764 4944 ae592a168b5ea08cebf3bb5a17eaaa89369eb300fa4a849a7efb8f7e65a03678.exe 85 PID 4944 wrote to memory of 1764 4944 ae592a168b5ea08cebf3bb5a17eaaa89369eb300fa4a849a7efb8f7e65a03678.exe 85 PID 4944 wrote to memory of 1764 4944 ae592a168b5ea08cebf3bb5a17eaaa89369eb300fa4a849a7efb8f7e65a03678.exe 85 PID 1764 wrote to memory of 5044 1764 0468642.exe 86 PID 1764 wrote to memory of 5044 1764 0468642.exe 86 PID 1764 wrote to memory of 5044 1764 0468642.exe 86 PID 5044 wrote to memory of 4720 5044 xflfxxr.exe 87 PID 5044 wrote to memory of 4720 5044 xflfxxr.exe 87 PID 5044 wrote to memory of 4720 5044 xflfxxr.exe 87 PID 4720 wrote to memory of 4716 4720 m4204.exe 88 PID 4720 wrote to memory of 4716 4720 m4204.exe 88 PID 4720 wrote to memory of 4716 4720 m4204.exe 88 PID 4716 wrote to memory of 1416 4716 fxfrxfl.exe 89 PID 4716 wrote to memory of 1416 4716 fxfrxfl.exe 89 PID 4716 wrote to memory of 1416 4716 fxfrxfl.exe 89 PID 1416 wrote to memory of 4180 1416 2200444.exe 90 PID 1416 wrote to memory of 4180 1416 2200444.exe 90 PID 1416 wrote to memory of 4180 1416 2200444.exe 90 PID 4180 wrote to memory of 2224 4180 lxfrlxf.exe 91 PID 4180 wrote to memory of 2224 4180 lxfrlxf.exe 91 PID 4180 wrote to memory of 2224 4180 lxfrlxf.exe 91 PID 2224 wrote to memory of 4068 2224 48048.exe 92 PID 2224 wrote to memory of 4068 2224 48048.exe 92 PID 2224 wrote to memory of 4068 2224 48048.exe 92 PID 4068 wrote to memory of 4896 4068 8660480.exe 93 PID 4068 wrote to memory of 4896 4068 8660480.exe 93 PID 4068 wrote to memory of 4896 4068 8660480.exe 93 PID 4896 wrote to memory of 1496 4896 46800.exe 94 PID 4896 wrote to memory of 1496 4896 46800.exe 94 PID 4896 wrote to memory of 1496 4896 46800.exe 94 PID 1496 wrote to memory of 2756 1496 84048.exe 95 PID 1496 wrote to memory of 2756 1496 84048.exe 95 PID 1496 wrote to memory of 2756 1496 84048.exe 95 PID 2756 wrote to memory of 408 2756 42086.exe 96 PID 2756 wrote 
to memory of 408 2756 42086.exe 96 PID 2756 wrote to memory of 408 2756 42086.exe 96 PID 408 wrote to memory of 4272 408 20448.exe 97 PID 408 wrote to memory of 4272 408 20448.exe 97 PID 408 wrote to memory of 4272 408 20448.exe 97 PID 4272 wrote to memory of 5032 4272 8626008.exe 98 PID 4272 wrote to memory of 5032 4272 8626008.exe 98 PID 4272 wrote to memory of 5032 4272 8626008.exe 98 PID 5032 wrote to memory of 5016 5032 7htnnn.exe 99 PID 5032 wrote to memory of 5016 5032 7htnnn.exe 99 PID 5032 wrote to memory of 5016 5032 7htnnn.exe 99 PID 5016 wrote to memory of 1812 5016 bbhbtt.exe 100 PID 5016 wrote to memory of 1812 5016 bbhbtt.exe 100 PID 5016 wrote to memory of 1812 5016 bbhbtt.exe 100 PID 1812 wrote to memory of 3936 1812 5jpjj.exe 101 PID 1812 wrote to memory of 3936 1812 5jpjj.exe 101 PID 1812 wrote to memory of 3936 1812 5jpjj.exe 101 PID 3936 wrote to memory of 4872 3936 828268.exe 102 PID 3936 wrote to memory of 4872 3936 828268.exe 102 PID 3936 wrote to memory of 4872 3936 828268.exe 102 PID 4872 wrote to memory of 5080 4872 6468002.exe 103 PID 4872 wrote to memory of 5080 4872 6468002.exe 103 PID 4872 wrote to memory of 5080 4872 6468002.exe 103 PID 5080 wrote to memory of 4864 5080 rlflrxf.exe 104 PID 5080 wrote to memory of 4864 5080 rlflrxf.exe 104 PID 5080 wrote to memory of 4864 5080 rlflrxf.exe 104 PID 4864 wrote to memory of 2444 4864 5vvpv.exe 105 PID 4864 wrote to memory of 2444 4864 5vvpv.exe 105 PID 4864 wrote to memory of 2444 4864 5vvpv.exe 105 PID 2444 wrote to memory of 2320 2444 thbthb.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae592a168b5ea08cebf3bb5a17eaaa89369eb300fa4a849a7efb8f7e65a03678.exe"C:\Users\Admin\AppData\Local\Temp\ae592a168b5ea08cebf3bb5a17eaaa89369eb300fa4a849a7efb8f7e65a03678.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\0468642.exec:\0468642.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\xflfxxr.exec:\xflfxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\m4204.exec:\m4204.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\fxfrxfl.exec:\fxfrxfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\2200444.exec:\2200444.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\lxfrlxf.exec:\lxfrlxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\48048.exec:\48048.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\8660480.exec:\8660480.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\46800.exec:\46800.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\84048.exec:\84048.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\42086.exec:\42086.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\20448.exec:\20448.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\8626008.exec:\8626008.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\7htnnn.exec:\7htnnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\bbhbtt.exec:\bbhbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\5jpjj.exec:\5jpjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\828268.exec:\828268.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\6468002.exec:\6468002.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\rlflrxf.exec:\rlflrxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\5vvpv.exec:\5vvpv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\thbthb.exec:\thbthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\624400.exec:\624400.exe23⤵
- Executes dropped EXE
PID:2320 -
\??\c:\7vpvv.exec:\7vpvv.exe24⤵
- Executes dropped EXE
PID:916 -
\??\c:\3jpjj.exec:\3jpjj.exe25⤵
- Executes dropped EXE
PID:3908 -
\??\c:\284882.exec:\284882.exe26⤵
- Executes dropped EXE
PID:2160 -
\??\c:\tthbth.exec:\tthbth.exe27⤵
- Executes dropped EXE
PID:976 -
\??\c:\06266.exec:\06266.exe28⤵
- Executes dropped EXE
PID:4460 -
\??\c:\c826026.exec:\c826026.exe29⤵
- Executes dropped EXE
PID:644 -
\??\c:\dvppj.exec:\dvppj.exe30⤵
- Executes dropped EXE
PID:4984 -
\??\c:\8404444.exec:\8404444.exe31⤵
- Executes dropped EXE
PID:4528 -
\??\c:\268002.exec:\268002.exe32⤵
- Executes dropped EXE
PID:4140 -
\??\c:\dvjjd.exec:\dvjjd.exe33⤵
- Executes dropped EXE
PID:3396 -
\??\c:\7llrfff.exec:\7llrfff.exe34⤵
- Executes dropped EXE
PID:5092 -
\??\c:\nnbbtt.exec:\nnbbtt.exe35⤵
- Executes dropped EXE
PID:1620 -
\??\c:\4460004.exec:\4460004.exe36⤵
- Executes dropped EXE
PID:4844 -
\??\c:\86262.exec:\86262.exe37⤵
- Executes dropped EXE
PID:1412 -
\??\c:\xrrfrfx.exec:\xrrfrfx.exe38⤵
- Executes dropped EXE
PID:4856 -
\??\c:\40884.exec:\40884.exe39⤵
- Executes dropped EXE
PID:3256 -
\??\c:\820868.exec:\820868.exe40⤵
- Executes dropped EXE
PID:392 -
\??\c:\084428.exec:\084428.exe41⤵
- Executes dropped EXE
PID:1528 -
\??\c:\6288400.exec:\6288400.exe42⤵
- Executes dropped EXE
PID:1380 -
\??\c:\xlfxrxf.exec:\xlfxrxf.exe43⤵
- Executes dropped EXE
PID:2752 -
\??\c:\ddpvj.exec:\ddpvj.exe44⤵
- Executes dropped EXE
PID:452 -
\??\c:\040484.exec:\040484.exe45⤵
- Executes dropped EXE
PID:4676 -
\??\c:\ntnbbb.exec:\ntnbbb.exe46⤵
- Executes dropped EXE
PID:440 -
\??\c:\64262.exec:\64262.exe47⤵
- Executes dropped EXE
PID:4696 -
\??\c:\xlrlrrr.exec:\xlrlrrr.exe48⤵
- Executes dropped EXE
PID:4424 -
\??\c:\ffxxrrr.exec:\ffxxrrr.exe49⤵
- Executes dropped EXE
PID:4356 -
\??\c:\208484.exec:\208484.exe50⤵
- Executes dropped EXE
PID:4496 -
\??\c:\2082884.exec:\2082884.exe51⤵
- Executes dropped EXE
PID:3096 -
\??\c:\488280.exec:\488280.exe52⤵
- Executes dropped EXE
PID:4820 -
\??\c:\nbnhbh.exec:\nbnhbh.exe53⤵
- Executes dropped EXE
PID:1124 -
\??\c:\3llflrx.exec:\3llflrx.exe54⤵
- Executes dropped EXE
PID:1616 -
\??\c:\800022.exec:\800022.exe55⤵
- Executes dropped EXE
PID:4764 -
\??\c:\4626662.exec:\4626662.exe56⤵
- Executes dropped EXE
PID:1776 -
\??\c:\286466.exec:\286466.exe57⤵
- Executes dropped EXE
PID:632 -
\??\c:\6460460.exec:\6460460.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3068 -
\??\c:\vppjj.exec:\vppjj.exe59⤵
- Executes dropped EXE
PID:4204 -
\??\c:\o466442.exec:\o466442.exe60⤵
- Executes dropped EXE
PID:464 -
\??\c:\lxxxrxx.exec:\lxxxrxx.exe61⤵
- Executes dropped EXE
PID:3024 -
\??\c:\840460.exec:\840460.exe62⤵
- Executes dropped EXE
PID:4304 -
\??\c:\o448248.exec:\o448248.exe63⤵
- Executes dropped EXE
PID:428 -
\??\c:\nnbbbb.exec:\nnbbbb.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976 -
\??\c:\8244442.exec:\8244442.exe65⤵
- Executes dropped EXE
PID:3204 -
\??\c:\062260.exec:\062260.exe66⤵PID:1496
-
\??\c:\6268222.exec:\6268222.exe67⤵PID:3564
-
\??\c:\xlflrxf.exec:\xlflrxf.exe68⤵PID:3028
-
\??\c:\jvjpp.exec:\jvjpp.exe69⤵PID:2272
-
\??\c:\lxxxfrx.exec:\lxxxfrx.exe70⤵PID:3536
-
\??\c:\8444888.exec:\8444888.exe71⤵
- System Location Discovery: System Language Discovery
PID:4668 -
\??\c:\vpdvv.exec:\vpdvv.exe72⤵PID:3120
-
\??\c:\4048006.exec:\4048006.exe73⤵PID:3468
-
\??\c:\djpjv.exec:\djpjv.exe74⤵PID:812
-
\??\c:\884660.exec:\884660.exe75⤵
- System Location Discovery: System Language Discovery
PID:4872 -
\??\c:\6888286.exec:\6888286.exe76⤵PID:3324
-
\??\c:\42288.exec:\42288.exe77⤵PID:2476
-
\??\c:\482422.exec:\482422.exe78⤵PID:4228
-
\??\c:\vpjvp.exec:\vpjvp.exe79⤵PID:4448
-
\??\c:\662082.exec:\662082.exe80⤵PID:916
-
\??\c:\062202.exec:\062202.exe81⤵PID:4556
-
\??\c:\26260.exec:\26260.exe82⤵PID:1656
-
\??\c:\rfxlxlx.exec:\rfxlxlx.exe83⤵PID:4964
-
\??\c:\4260482.exec:\4260482.exe84⤵PID:4384
-
\??\c:\2466000.exec:\2466000.exe85⤵PID:1604
-
\??\c:\1hhhbn.exec:\1hhhbn.exe86⤵PID:4980
-
\??\c:\nhhhhh.exec:\nhhhhh.exe87⤵PID:404
-
\??\c:\rxrrxxx.exec:\rxrrxxx.exe88⤵PID:4728
-
\??\c:\1hnbtt.exec:\1hnbtt.exe89⤵PID:4912
-
\??\c:\frllxxx.exec:\frllxxx.exe90⤵PID:4540
-
\??\c:\ppddv.exec:\ppddv.exe91⤵PID:1396
-
\??\c:\flxrrrx.exec:\flxrrrx.exe92⤵PID:3628
-
\??\c:\rlxfxxl.exec:\rlxfxxl.exe93⤵PID:4616
-
\??\c:\62482.exec:\62482.exe94⤵PID:1660
-
\??\c:\tnnbbb.exec:\tnnbbb.exe95⤵PID:2896
-
\??\c:\ttbtnh.exec:\ttbtnh.exe96⤵PID:1060
-
\??\c:\68002.exec:\68002.exe97⤵PID:3492
-
\??\c:\2688262.exec:\2688262.exe98⤵PID:3252
-
\??\c:\frrllff.exec:\frrllff.exe99⤵PID:2072
-
\??\c:\1pvpj.exec:\1pvpj.exe100⤵PID:1188
-
\??\c:\tbbbhb.exec:\tbbbhb.exe101⤵PID:1072
-
\??\c:\284888.exec:\284888.exe102⤵PID:4224
-
\??\c:\3pvvp.exec:\3pvvp.exe103⤵PID:4396
-
\??\c:\2022660.exec:\2022660.exe104⤵PID:2448
-
\??\c:\e06448.exec:\e06448.exe105⤵PID:1012
-
\??\c:\3hhbnn.exec:\3hhbnn.exe106⤵PID:380
-
\??\c:\04008.exec:\04008.exe107⤵PID:4944
-
\??\c:\fxxxrfx.exec:\fxxxrfx.exe108⤵PID:1764
-
\??\c:\808888.exec:\808888.exe109⤵PID:5036
-
\??\c:\7vvvp.exec:\7vvvp.exe110⤵PID:4588
-
\??\c:\5rxrffr.exec:\5rxrffr.exe111⤵PID:1972
-
\??\c:\jdpvp.exec:\jdpvp.exe112⤵PID:2996
-
\??\c:\k84888.exec:\k84888.exe113⤵PID:624
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe114⤵PID:4416
-
\??\c:\28826.exec:\28826.exe115⤵PID:2760
-
\??\c:\666864.exec:\666864.exe116⤵PID:2388
-
\??\c:\bttbth.exec:\bttbth.exe117⤵PID:3436
-
\??\c:\hbbthh.exec:\hbbthh.exe118⤵PID:4420
-
\??\c:\m4604.exec:\m4604.exe119⤵PID:2892
-
\??\c:\rlrlflf.exec:\rlrlflf.exe120⤵PID:4468
-
\??\c:\i444888.exec:\i444888.exe121⤵PID:3440
-
\??\c:\e40000.exec:\e40000.exe122⤵PID:4736