Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/01/2025, 09:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
25dc301dea72954956a5151efbbfffdd6604a270ba184e4f930f6f791ac3c3a4.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
25dc301dea72954956a5151efbbfffdd6604a270ba184e4f930f6f791ac3c3a4.exe
-
Size
454KB
-
MD5
d58556a689f9cccc9298ff27191f07e5
-
SHA1
1514a627a87a15cadb619fa89f67510646c837cb
-
SHA256
25dc301dea72954956a5151efbbfffdd6604a270ba184e4f930f6f791ac3c3a4
-
SHA512
1debade0d6063e52bd581915b5768256b5f3263f47cd2727d46111444b14f49fb4adf188f66fbdab45b89cb08a81d7ce38f6ad75b0ea36544ff371cfb4ea95d9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4460-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2164-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3840-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-1104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-1118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3560-1152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3764 488266.exe 3096 0460062.exe 1168 26824.exe 4016 llxrrrr.exe 4492 642424.exe 116 rrlfxxx.exe 2424 w24266.exe 4456 tnttbb.exe 2816 thhttb.exe 3844 xlflxlf.exe 5080 60600.exe 2316 600044.exe 1912 0486000.exe 4772 lxlfffx.exe 2232 jjvvj.exe 2948 8228802.exe 3576 thhbtn.exe 2608 604882.exe 3332 0802604.exe 696 e40404.exe 868 268844.exe 2512 44260.exe 4904 7vjdj.exe 4560 2222660.exe 2940 266666.exe 2456 406004.exe 4960 662600.exe 5112 bbhbtt.exe 3380 rlrlffx.exe 3992 nbnhhh.exe 1732 dpvpd.exe 2964 5llrlrr.exe 1464 5ntntt.exe 532 62882.exe 2552 fxfxrrx.exe 3192 rrxxllf.exe 960 rrfxffl.exe 4564 1llfrrl.exe 3940 dvdvp.exe 3984 8626000.exe 4024 824466.exe 4596 4644222.exe 3616 xrrlffx.exe 3520 vjdpd.exe 5056 fxfxrrl.exe 4364 6666048.exe 3736 rxflrfl.exe 4460 2280460.exe 3768 466626.exe 1144 hhhtnn.exe 3328 rffxrxx.exe 4916 86484.exe 2164 nntttt.exe 2076 48222.exe 3852 vpddv.exe 2288 6226000.exe 2904 xxxrfff.exe 3132 w20048.exe 2424 jvdvv.exe 1140 246004.exe 4828 604026.exe 3224 5jpjd.exe 4956 tbhthb.exe 2664 5pvjj.exe -
resource yara_rule behavioral2/memory/3764-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-264-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4916-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1940-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-803-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c684040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4244288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8462004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6028440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8282660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q02660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u684808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266266.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4460 wrote to memory of 3764 4460 25dc301dea72954956a5151efbbfffdd6604a270ba184e4f930f6f791ac3c3a4.exe 83 PID 4460 wrote to memory of 3764 4460 25dc301dea72954956a5151efbbfffdd6604a270ba184e4f930f6f791ac3c3a4.exe 83 PID 4460 wrote to memory of 3764 4460 25dc301dea72954956a5151efbbfffdd6604a270ba184e4f930f6f791ac3c3a4.exe 83 PID 3764 wrote to memory of 3096 3764 488266.exe 84 PID 3764 wrote to memory of 3096 3764 488266.exe 84 PID 3764 wrote to memory of 3096 3764 488266.exe 84 PID 3096 wrote to memory of 1168 3096 0460062.exe 85 PID 3096 wrote to memory of 1168 3096 0460062.exe 85 PID 3096 wrote to memory of 1168 3096 0460062.exe 85 PID 1168 wrote to memory of 4016 1168 26824.exe 86 PID 1168 wrote to memory of 4016 1168 26824.exe 86 PID 1168 wrote to memory of 4016 1168 26824.exe 86 PID 4016 wrote to memory of 4492 4016 llxrrrr.exe 87 PID 4016 wrote to memory of 4492 4016 llxrrrr.exe 87 PID 4016 wrote to memory of 4492 4016 llxrrrr.exe 87 PID 4492 wrote to memory of 116 4492 642424.exe 88 PID 4492 wrote to memory of 116 4492 642424.exe 88 PID 4492 wrote to memory of 116 4492 642424.exe 88 PID 116 wrote to memory of 2424 116 rrlfxxx.exe 89 PID 116 wrote to memory of 2424 116 rrlfxxx.exe 89 PID 116 wrote to memory of 2424 116 rrlfxxx.exe 89 PID 2424 wrote to memory of 4456 2424 w24266.exe 90 PID 2424 wrote to memory of 4456 2424 w24266.exe 90 PID 2424 wrote to memory of 4456 2424 w24266.exe 90 PID 4456 wrote to memory of 2816 4456 tnttbb.exe 91 PID 4456 wrote to memory of 2816 4456 tnttbb.exe 91 PID 4456 wrote to memory of 2816 4456 tnttbb.exe 91 PID 2816 wrote to memory of 3844 2816 thhttb.exe 92 PID 2816 wrote to memory of 3844 2816 thhttb.exe 92 PID 2816 wrote to memory of 3844 2816 thhttb.exe 92 PID 3844 wrote to memory of 5080 3844 xlflxlf.exe 93 PID 3844 wrote to memory of 5080 3844 xlflxlf.exe 93 PID 3844 wrote to memory of 5080 3844 xlflxlf.exe 93 PID 5080 wrote to memory of 2316 5080 60600.exe 94 PID 5080 wrote to 
memory of 2316 5080 60600.exe 94 PID 5080 wrote to memory of 2316 5080 60600.exe 94 PID 2316 wrote to memory of 1912 2316 600044.exe 95 PID 2316 wrote to memory of 1912 2316 600044.exe 95 PID 2316 wrote to memory of 1912 2316 600044.exe 95 PID 1912 wrote to memory of 4772 1912 0486000.exe 96 PID 1912 wrote to memory of 4772 1912 0486000.exe 96 PID 1912 wrote to memory of 4772 1912 0486000.exe 96 PID 4772 wrote to memory of 2232 4772 lxlfffx.exe 97 PID 4772 wrote to memory of 2232 4772 lxlfffx.exe 97 PID 4772 wrote to memory of 2232 4772 lxlfffx.exe 97 PID 2232 wrote to memory of 2948 2232 jjvvj.exe 98 PID 2232 wrote to memory of 2948 2232 jjvvj.exe 98 PID 2232 wrote to memory of 2948 2232 jjvvj.exe 98 PID 2948 wrote to memory of 3576 2948 8228802.exe 99 PID 2948 wrote to memory of 3576 2948 8228802.exe 99 PID 2948 wrote to memory of 3576 2948 8228802.exe 99 PID 3576 wrote to memory of 2608 3576 thhbtn.exe 100 PID 3576 wrote to memory of 2608 3576 thhbtn.exe 100 PID 3576 wrote to memory of 2608 3576 thhbtn.exe 100 PID 2608 wrote to memory of 3332 2608 604882.exe 101 PID 2608 wrote to memory of 3332 2608 604882.exe 101 PID 2608 wrote to memory of 3332 2608 604882.exe 101 PID 3332 wrote to memory of 696 3332 0802604.exe 102 PID 3332 wrote to memory of 696 3332 0802604.exe 102 PID 3332 wrote to memory of 696 3332 0802604.exe 102 PID 696 wrote to memory of 868 696 e40404.exe 103 PID 696 wrote to memory of 868 696 e40404.exe 103 PID 696 wrote to memory of 868 696 e40404.exe 103 PID 868 wrote to memory of 2512 868 268844.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\25dc301dea72954956a5151efbbfffdd6604a270ba184e4f930f6f791ac3c3a4.exe"C:\Users\Admin\AppData\Local\Temp\25dc301dea72954956a5151efbbfffdd6604a270ba184e4f930f6f791ac3c3a4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\488266.exec:\488266.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\0460062.exec:\0460062.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\26824.exec:\26824.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\llxrrrr.exec:\llxrrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\642424.exec:\642424.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\rrlfxxx.exec:\rrlfxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\w24266.exec:\w24266.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\tnttbb.exec:\tnttbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\thhttb.exec:\thhttb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\xlflxlf.exec:\xlflxlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\60600.exec:\60600.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\600044.exec:\600044.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\0486000.exec:\0486000.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\lxlfffx.exec:\lxlfffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\jjvvj.exec:\jjvvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\8228802.exec:\8228802.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\thhbtn.exec:\thhbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\604882.exec:\604882.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\0802604.exec:\0802604.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\e40404.exec:\e40404.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\268844.exec:\268844.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\44260.exec:\44260.exe23⤵
- Executes dropped EXE
PID:2512 -
\??\c:\7vjdj.exec:\7vjdj.exe24⤵
- Executes dropped EXE
PID:4904 -
\??\c:\2222660.exec:\2222660.exe25⤵
- Executes dropped EXE
PID:4560 -
\??\c:\266666.exec:\266666.exe26⤵
- Executes dropped EXE
PID:2940 -
\??\c:\406004.exec:\406004.exe27⤵
- Executes dropped EXE
PID:2456 -
\??\c:\662600.exec:\662600.exe28⤵
- Executes dropped EXE
PID:4960 -
\??\c:\bbhbtt.exec:\bbhbtt.exe29⤵
- Executes dropped EXE
PID:5112 -
\??\c:\rlrlffx.exec:\rlrlffx.exe30⤵
- Executes dropped EXE
PID:3380 -
\??\c:\nbnhhh.exec:\nbnhhh.exe31⤵
- Executes dropped EXE
PID:3992 -
\??\c:\dpvpd.exec:\dpvpd.exe32⤵
- Executes dropped EXE
PID:1732 -
\??\c:\5llrlrr.exec:\5llrlrr.exe33⤵
- Executes dropped EXE
PID:2964 -
\??\c:\5ntntt.exec:\5ntntt.exe34⤵
- Executes dropped EXE
PID:1464 -
\??\c:\62882.exec:\62882.exe35⤵
- Executes dropped EXE
PID:532 -
\??\c:\fxfxrrx.exec:\fxfxrrx.exe36⤵
- Executes dropped EXE
PID:2552 -
\??\c:\rrxxllf.exec:\rrxxllf.exe37⤵
- Executes dropped EXE
PID:3192 -
\??\c:\rrfxffl.exec:\rrfxffl.exe38⤵
- Executes dropped EXE
PID:960 -
\??\c:\1llfrrl.exec:\1llfrrl.exe39⤵
- Executes dropped EXE
PID:4564 -
\??\c:\dvdvp.exec:\dvdvp.exe40⤵
- Executes dropped EXE
PID:3940 -
\??\c:\8626000.exec:\8626000.exe41⤵
- Executes dropped EXE
PID:3984 -
\??\c:\824466.exec:\824466.exe42⤵
- Executes dropped EXE
PID:4024 -
\??\c:\4644222.exec:\4644222.exe43⤵
- Executes dropped EXE
PID:4596 -
\??\c:\xrrlffx.exec:\xrrlffx.exe44⤵
- Executes dropped EXE
PID:3616 -
\??\c:\vjdpd.exec:\vjdpd.exe45⤵
- Executes dropped EXE
PID:3520 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe46⤵
- Executes dropped EXE
PID:5056 -
\??\c:\6666048.exec:\6666048.exe47⤵
- Executes dropped EXE
PID:4364 -
\??\c:\rxflrfl.exec:\rxflrfl.exe48⤵
- Executes dropped EXE
PID:3736 -
\??\c:\2280460.exec:\2280460.exe49⤵
- Executes dropped EXE
PID:4460 -
\??\c:\466626.exec:\466626.exe50⤵
- Executes dropped EXE
PID:3768 -
\??\c:\hhhtnn.exec:\hhhtnn.exe51⤵
- Executes dropped EXE
PID:1144 -
\??\c:\rffxrxx.exec:\rffxrxx.exe52⤵
- Executes dropped EXE
PID:3328 -
\??\c:\86484.exec:\86484.exe53⤵
- Executes dropped EXE
PID:4916 -
\??\c:\nntttt.exec:\nntttt.exe54⤵
- Executes dropped EXE
PID:2164 -
\??\c:\48222.exec:\48222.exe55⤵
- Executes dropped EXE
PID:2076 -
\??\c:\vpddv.exec:\vpddv.exe56⤵
- Executes dropped EXE
PID:3852 -
\??\c:\6226000.exec:\6226000.exe57⤵
- Executes dropped EXE
PID:2288 -
\??\c:\xxxrfff.exec:\xxxrfff.exe58⤵
- Executes dropped EXE
PID:2904 -
\??\c:\w20048.exec:\w20048.exe59⤵
- Executes dropped EXE
PID:3132 -
\??\c:\jvdvv.exec:\jvdvv.exe60⤵
- Executes dropped EXE
PID:2424 -
\??\c:\246004.exec:\246004.exe61⤵
- Executes dropped EXE
PID:1140 -
\??\c:\604026.exec:\604026.exe62⤵
- Executes dropped EXE
PID:4828 -
\??\c:\5jpjd.exec:\5jpjd.exe63⤵
- Executes dropped EXE
PID:3224 -
\??\c:\tbhthb.exec:\tbhthb.exe64⤵
- Executes dropped EXE
PID:4956 -
\??\c:\5pvjj.exec:\5pvjj.exe65⤵
- Executes dropped EXE
PID:2664 -
\??\c:\htnbbt.exec:\htnbbt.exe66⤵PID:1164
-
\??\c:\5ffxxrx.exec:\5ffxxrx.exe67⤵PID:1860
-
\??\c:\868826.exec:\868826.exe68⤵PID:3840
-
\??\c:\3xxlxrx.exec:\3xxlxrx.exe69⤵PID:4088
-
\??\c:\fxlxrlx.exec:\fxlxrlx.exe70⤵PID:3472
-
\??\c:\w62660.exec:\w62660.exe71⤵PID:2112
-
\??\c:\9xrlflx.exec:\9xrlflx.exe72⤵PID:1356
-
\??\c:\8400482.exec:\8400482.exe73⤵PID:404
-
\??\c:\jvdjj.exec:\jvdjj.exe74⤵PID:556
-
\??\c:\lrxlrlf.exec:\lrxlrlf.exe75⤵PID:1936
-
\??\c:\246282.exec:\246282.exe76⤵PID:1136
-
\??\c:\1rlfrlr.exec:\1rlfrlr.exe77⤵PID:1540
-
\??\c:\frrrlfx.exec:\frrrlfx.exe78⤵PID:2732
-
\??\c:\068444.exec:\068444.exe79⤵PID:1940
-
\??\c:\pjpjd.exec:\pjpjd.exe80⤵PID:956
-
\??\c:\xfrfxxl.exec:\xfrfxxl.exe81⤵PID:4960
-
\??\c:\1lrfxxl.exec:\1lrfxxl.exe82⤵PID:652
-
\??\c:\1rxfrrr.exec:\1rxfrrr.exe83⤵PID:3740
-
\??\c:\o460848.exec:\o460848.exe84⤵PID:2764
-
\??\c:\pdpjj.exec:\pdpjj.exe85⤵PID:1732
-
\??\c:\846600.exec:\846600.exe86⤵PID:4424
-
\??\c:\246000.exec:\246000.exe87⤵PID:1404
-
\??\c:\8288080.exec:\8288080.exe88⤵PID:2896
-
\??\c:\600448.exec:\600448.exe89⤵PID:1132
-
\??\c:\lfllxxx.exec:\lfllxxx.exe90⤵PID:4576
-
\??\c:\c688440.exec:\c688440.exe91⤵PID:3724
-
\??\c:\846626.exec:\846626.exe92⤵PID:1088
-
\??\c:\206200.exec:\206200.exe93⤵PID:1468
-
\??\c:\bthhhh.exec:\bthhhh.exe94⤵PID:908
-
\??\c:\8888884.exec:\8888884.exe95⤵PID:1536
-
\??\c:\2404882.exec:\2404882.exe96⤵PID:912
-
\??\c:\602288.exec:\602288.exe97⤵PID:5096
-
\??\c:\xfllxrf.exec:\xfllxrf.exe98⤵PID:4524
-
\??\c:\hbnntt.exec:\hbnntt.exe99⤵PID:2864
-
\??\c:\xlrlfff.exec:\xlrlfff.exe100⤵PID:3664
-
\??\c:\jvdvp.exec:\jvdvp.exe101⤵PID:5076
-
\??\c:\44448.exec:\44448.exe102⤵PID:4168
-
\??\c:\c026004.exec:\c026004.exe103⤵PID:924
-
\??\c:\8226602.exec:\8226602.exe104⤵PID:1580
-
\??\c:\bttnhh.exec:\bttnhh.exe105⤵PID:2444
-
\??\c:\jddvp.exec:\jddvp.exe106⤵PID:1120
-
\??\c:\rlxrlff.exec:\rlxrlff.exe107⤵PID:512
-
\??\c:\frfffxx.exec:\frfffxx.exe108⤵PID:2076
-
\??\c:\nhnntt.exec:\nhnntt.exe109⤵PID:4924
-
\??\c:\xxrlllr.exec:\xxrlllr.exe110⤵PID:3552
-
\??\c:\480066.exec:\480066.exe111⤵PID:1908
-
\??\c:\7btnhn.exec:\7btnhn.exe112⤵PID:1780
-
\??\c:\ffxxrrr.exec:\ffxxrrr.exe113⤵PID:3012
-
\??\c:\62822.exec:\62822.exe114⤵PID:2624
-
\??\c:\4066682.exec:\4066682.exe115⤵PID:708
-
\??\c:\06822.exec:\06822.exe116⤵PID:2424
-
\??\c:\ntbnbt.exec:\ntbnbt.exe117⤵PID:1824
-
\??\c:\3frlffx.exec:\3frlffx.exe118⤵PID:2816
-
\??\c:\2448444.exec:\2448444.exe119⤵PID:4748
-
\??\c:\nthhnb.exec:\nthhnb.exe120⤵PID:2840
-
\??\c:\000204.exec:\000204.exe121⤵PID:1100
-
\??\c:\jjvpd.exec:\jjvpd.exe122⤵PID:4192
-