Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad18cb828a48236c67e087b966a35de8da5631fb9424a58d7a2bdf0ed8262cb4.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
ad18cb828a48236c67e087b966a35de8da5631fb9424a58d7a2bdf0ed8262cb4.exe
-
Size
457KB
-
MD5
5ebd3478d2b2a657810807d3aebec80c
-
SHA1
27f76a307d50cc96bc7df9fb93114197c9d883c8
-
SHA256
ad18cb828a48236c67e087b966a35de8da5631fb9424a58d7a2bdf0ed8262cb4
-
SHA512
375776a72e8b73c87606a432c041b96f063f947c2aa84184c3539284338286c8754b1ed10231e05514e939a2b4d8f75bcc5085f16b61ef098bd62e5cc4521d9a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1904-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4712-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5008-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-1045-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-1185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-1404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/640-1459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1904 a8486.exe 4520 4408082.exe 4716 fxfrxxf.exe 3968 008242.exe 3932 866048.exe 2276 rlrfxrl.exe 5072 3xfrlxr.exe 2612 84668.exe 3240 vpjvj.exe 944 1ffxxfx.exe 3664 1pdvd.exe 2988 jvpjv.exe 5040 206082.exe 3980 7hnhbb.exe 3420 pjvpp.exe 4732 2686222.exe 3148 e22086.exe 1016 tnnhtn.exe 4000 pvpdv.exe 3424 4024642.exe 4480 6482648.exe 4308 4424266.exe 5088 m6260.exe 2500 042020.exe 4628 k22080.exe 3956 6666482.exe 1380 w06482.exe 4712 6060400.exe 4888 vjvvp.exe 1852 04086.exe 1488 02668.exe 3184 jvjpv.exe 64 c482064.exe 2484 dpjdp.exe 1652 3tnhth.exe 2268 w44864.exe 4988 62262.exe 4316 c060864.exe 2408 860448.exe 3656 26226.exe 4536 e24882.exe 2412 tttnhh.exe 3676 0282666.exe 808 ffxxxxx.exe 3652 btnbbt.exe 1308 7xllllf.exe 2812 8288282.exe 1976 hhtthh.exe 4556 lfrlfff.exe 228 tbhhhn.exe 4700 5ttnht.exe 3660 802606.exe 4372 42200.exe 2064 fxfrxff.exe 3908 28004.exe 3820 xlrlffx.exe 3560 btbtnn.exe 4956 bbnntn.exe 2728 rllfxrr.exe 848 xrrrrrr.exe 2904 k66866.exe 1624 3rlllll.exe 3384 8026600.exe 3976 hhnhnn.exe -
resource yara_rule behavioral2/memory/1904-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-186-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2484-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-380-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3596-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-1045-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c668204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c024264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 066002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8866486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u622600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k80804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2660448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6040640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06082.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5068 wrote to memory of 1904 5068 ad18cb828a48236c67e087b966a35de8da5631fb9424a58d7a2bdf0ed8262cb4.exe 84 PID 5068 wrote to memory of 1904 5068 ad18cb828a48236c67e087b966a35de8da5631fb9424a58d7a2bdf0ed8262cb4.exe 84 PID 5068 wrote to memory of 1904 5068 ad18cb828a48236c67e087b966a35de8da5631fb9424a58d7a2bdf0ed8262cb4.exe 84 PID 1904 wrote to memory of 4520 1904 a8486.exe 85 PID 1904 wrote to memory of 4520 1904 a8486.exe 85 PID 1904 wrote to memory of 4520 1904 a8486.exe 85 PID 4520 wrote to memory of 4716 4520 4408082.exe 86 PID 4520 wrote to memory of 4716 4520 4408082.exe 86 PID 4520 wrote to memory of 4716 4520 4408082.exe 86 PID 4716 wrote to memory of 3968 4716 fxfrxxf.exe 87 PID 4716 wrote to memory of 3968 4716 fxfrxxf.exe 87 PID 4716 wrote to memory of 3968 4716 fxfrxxf.exe 87 PID 3968 wrote to memory of 3932 3968 008242.exe 88 PID 3968 wrote to memory of 3932 3968 008242.exe 88 PID 3968 wrote to memory of 3932 3968 008242.exe 88 PID 3932 wrote to memory of 2276 3932 866048.exe 89 PID 3932 wrote to memory of 2276 3932 866048.exe 89 PID 3932 wrote to memory of 2276 3932 866048.exe 89 PID 2276 wrote to memory of 5072 2276 rlrfxrl.exe 90 PID 2276 wrote to memory of 5072 2276 rlrfxrl.exe 90 PID 2276 wrote to memory of 5072 2276 rlrfxrl.exe 90 PID 5072 wrote to memory of 2612 5072 3xfrlxr.exe 91 PID 5072 wrote to memory of 2612 5072 3xfrlxr.exe 91 PID 5072 wrote to memory of 2612 5072 3xfrlxr.exe 91 PID 2612 wrote to memory of 3240 2612 84668.exe 92 PID 2612 wrote to memory of 3240 2612 84668.exe 92 PID 2612 wrote to memory of 3240 2612 84668.exe 92 PID 3240 wrote to memory of 944 3240 vpjvj.exe 93 PID 3240 wrote to memory of 944 3240 vpjvj.exe 93 PID 3240 wrote to memory of 944 3240 vpjvj.exe 93 PID 944 wrote to memory of 3664 944 1ffxxfx.exe 94 PID 944 wrote to memory of 3664 944 1ffxxfx.exe 94 PID 944 wrote to memory of 3664 944 1ffxxfx.exe 94 PID 3664 wrote to memory of 2988 3664 1pdvd.exe 95 PID 3664 wrote to 
memory of 2988 3664 1pdvd.exe 95 PID 3664 wrote to memory of 2988 3664 1pdvd.exe 95 PID 2988 wrote to memory of 5040 2988 jvpjv.exe 96 PID 2988 wrote to memory of 5040 2988 jvpjv.exe 96 PID 2988 wrote to memory of 5040 2988 jvpjv.exe 96 PID 5040 wrote to memory of 3980 5040 206082.exe 97 PID 5040 wrote to memory of 3980 5040 206082.exe 97 PID 5040 wrote to memory of 3980 5040 206082.exe 97 PID 3980 wrote to memory of 3420 3980 7hnhbb.exe 98 PID 3980 wrote to memory of 3420 3980 7hnhbb.exe 98 PID 3980 wrote to memory of 3420 3980 7hnhbb.exe 98 PID 3420 wrote to memory of 4732 3420 pjvpp.exe 99 PID 3420 wrote to memory of 4732 3420 pjvpp.exe 99 PID 3420 wrote to memory of 4732 3420 pjvpp.exe 99 PID 4732 wrote to memory of 3148 4732 2686222.exe 100 PID 4732 wrote to memory of 3148 4732 2686222.exe 100 PID 4732 wrote to memory of 3148 4732 2686222.exe 100 PID 3148 wrote to memory of 1016 3148 e22086.exe 101 PID 3148 wrote to memory of 1016 3148 e22086.exe 101 PID 3148 wrote to memory of 1016 3148 e22086.exe 101 PID 1016 wrote to memory of 4000 1016 tnnhtn.exe 102 PID 1016 wrote to memory of 4000 1016 tnnhtn.exe 102 PID 1016 wrote to memory of 4000 1016 tnnhtn.exe 102 PID 4000 wrote to memory of 3424 4000 pvpdv.exe 103 PID 4000 wrote to memory of 3424 4000 pvpdv.exe 103 PID 4000 wrote to memory of 3424 4000 pvpdv.exe 103 PID 3424 wrote to memory of 4480 3424 4024642.exe 104 PID 3424 wrote to memory of 4480 3424 4024642.exe 104 PID 3424 wrote to memory of 4480 3424 4024642.exe 104 PID 4480 wrote to memory of 4308 4480 6482648.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad18cb828a48236c67e087b966a35de8da5631fb9424a58d7a2bdf0ed8262cb4.exe"C:\Users\Admin\AppData\Local\Temp\ad18cb828a48236c67e087b966a35de8da5631fb9424a58d7a2bdf0ed8262cb4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\a8486.exec:\a8486.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\4408082.exec:\4408082.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\fxfrxxf.exec:\fxfrxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\008242.exec:\008242.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\866048.exec:\866048.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\rlrfxrl.exec:\rlrfxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\3xfrlxr.exec:\3xfrlxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\84668.exec:\84668.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\vpjvj.exec:\vpjvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\1ffxxfx.exec:\1ffxxfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\1pdvd.exec:\1pdvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\jvpjv.exec:\jvpjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\206082.exec:\206082.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\7hnhbb.exec:\7hnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\pjvpp.exec:\pjvpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\2686222.exec:\2686222.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\e22086.exec:\e22086.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\tnnhtn.exec:\tnnhtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\pvpdv.exec:\pvpdv.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\4024642.exec:\4024642.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\6482648.exec:\6482648.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\4424266.exec:\4424266.exe23⤵
- Executes dropped EXE
PID:4308 -
\??\c:\m6260.exec:\m6260.exe24⤵
- Executes dropped EXE
PID:5088 -
\??\c:\042020.exec:\042020.exe25⤵
- Executes dropped EXE
PID:2500 -
\??\c:\k22080.exec:\k22080.exe26⤵
- Executes dropped EXE
PID:4628 -
\??\c:\6666482.exec:\6666482.exe27⤵
- Executes dropped EXE
PID:3956 -
\??\c:\w06482.exec:\w06482.exe28⤵
- Executes dropped EXE
PID:1380 -
\??\c:\6060400.exec:\6060400.exe29⤵
- Executes dropped EXE
PID:4712 -
\??\c:\vjvvp.exec:\vjvvp.exe30⤵
- Executes dropped EXE
PID:4888 -
\??\c:\04086.exec:\04086.exe31⤵
- Executes dropped EXE
PID:1852 -
\??\c:\02668.exec:\02668.exe32⤵
- Executes dropped EXE
PID:1488 -
\??\c:\jvjpv.exec:\jvjpv.exe33⤵
- Executes dropped EXE
PID:3184 -
\??\c:\c482064.exec:\c482064.exe34⤵
- Executes dropped EXE
PID:64 -
\??\c:\dpjdp.exec:\dpjdp.exe35⤵
- Executes dropped EXE
PID:2484 -
\??\c:\3tnhth.exec:\3tnhth.exe36⤵
- Executes dropped EXE
PID:1652 -
\??\c:\w44864.exec:\w44864.exe37⤵
- Executes dropped EXE
PID:2268 -
\??\c:\62262.exec:\62262.exe38⤵
- Executes dropped EXE
PID:4988 -
\??\c:\c060864.exec:\c060864.exe39⤵
- Executes dropped EXE
PID:4316 -
\??\c:\860448.exec:\860448.exe40⤵
- Executes dropped EXE
PID:2408 -
\??\c:\26226.exec:\26226.exe41⤵
- Executes dropped EXE
PID:3656 -
\??\c:\e24882.exec:\e24882.exe42⤵
- Executes dropped EXE
PID:4536 -
\??\c:\tttnhh.exec:\tttnhh.exe43⤵
- Executes dropped EXE
PID:2412 -
\??\c:\0282666.exec:\0282666.exe44⤵
- Executes dropped EXE
PID:3676 -
\??\c:\ffxxxxx.exec:\ffxxxxx.exe45⤵
- Executes dropped EXE
PID:808 -
\??\c:\btnbbt.exec:\btnbbt.exe46⤵
- Executes dropped EXE
PID:3652 -
\??\c:\7xllllf.exec:\7xllllf.exe47⤵
- Executes dropped EXE
PID:1308 -
\??\c:\8288282.exec:\8288282.exe48⤵
- Executes dropped EXE
PID:2812 -
\??\c:\hhtthh.exec:\hhtthh.exe49⤵
- Executes dropped EXE
PID:1976 -
\??\c:\lfrlfff.exec:\lfrlfff.exe50⤵
- Executes dropped EXE
PID:4556 -
\??\c:\tbhhhn.exec:\tbhhhn.exe51⤵
- Executes dropped EXE
PID:228 -
\??\c:\5ttnht.exec:\5ttnht.exe52⤵
- Executes dropped EXE
PID:4700 -
\??\c:\802606.exec:\802606.exe53⤵
- Executes dropped EXE
PID:3660 -
\??\c:\42200.exec:\42200.exe54⤵
- Executes dropped EXE
PID:4372 -
\??\c:\fxfrxff.exec:\fxfrxff.exe55⤵
- Executes dropped EXE
PID:2064 -
\??\c:\28004.exec:\28004.exe56⤵
- Executes dropped EXE
PID:3908 -
\??\c:\xlrlffx.exec:\xlrlffx.exe57⤵
- Executes dropped EXE
PID:3820 -
\??\c:\btbtnn.exec:\btbtnn.exe58⤵
- Executes dropped EXE
PID:3560 -
\??\c:\bbnntn.exec:\bbnntn.exe59⤵
- Executes dropped EXE
PID:4956 -
\??\c:\rllfxrr.exec:\rllfxrr.exe60⤵
- Executes dropped EXE
PID:2728 -
\??\c:\xrrrrrr.exec:\xrrrrrr.exe61⤵
- Executes dropped EXE
PID:848 -
\??\c:\k66866.exec:\k66866.exe62⤵
- Executes dropped EXE
PID:2904 -
\??\c:\3rlllll.exec:\3rlllll.exe63⤵
- Executes dropped EXE
PID:1624 -
\??\c:\8026600.exec:\8026600.exe64⤵
- Executes dropped EXE
PID:3384 -
\??\c:\hhnhnn.exec:\hhnhnn.exe65⤵
- Executes dropped EXE
PID:3976 -
\??\c:\nntnhh.exec:\nntnhh.exe66⤵PID:3664
-
\??\c:\ttbnbn.exec:\ttbnbn.exe67⤵PID:4284
-
\??\c:\nnnhbt.exec:\nnnhbt.exe68⤵PID:4056
-
\??\c:\q28444.exec:\q28444.exe69⤵PID:1448
-
\??\c:\628822.exec:\628822.exe70⤵PID:5108
-
\??\c:\dvjpd.exec:\dvjpd.exe71⤵PID:5064
-
\??\c:\vpppj.exec:\vpppj.exe72⤵PID:464
-
\??\c:\lrrrllf.exec:\lrrrllf.exe73⤵PID:2636
-
\??\c:\420044.exec:\420044.exe74⤵PID:2736
-
\??\c:\fffxrrl.exec:\fffxrrl.exe75⤵PID:1016
-
\??\c:\ffrlrxr.exec:\ffrlrxr.exe76⤵PID:5112
-
\??\c:\6666060.exec:\6666060.exe77⤵PID:5084
-
\??\c:\hhhhnn.exec:\hhhhnn.exe78⤵PID:4740
-
\??\c:\e84422.exec:\e84422.exe79⤵PID:3368
-
\??\c:\06260.exec:\06260.exe80⤵PID:2856
-
\??\c:\60480.exec:\60480.exe81⤵PID:3488
-
\??\c:\s2482.exec:\s2482.exe82⤵PID:3244
-
\??\c:\62660.exec:\62660.exe83⤵PID:2236
-
\??\c:\48882.exec:\48882.exe84⤵PID:2632
-
\??\c:\djvpp.exec:\djvpp.exe85⤵PID:3864
-
\??\c:\m4048.exec:\m4048.exe86⤵PID:5008
-
\??\c:\ttbbtb.exec:\ttbbtb.exe87⤵PID:3600
-
\??\c:\g4600.exec:\g4600.exe88⤵PID:5104
-
\??\c:\hbhbth.exec:\hbhbth.exe89⤵PID:4192
-
\??\c:\nhthtt.exec:\nhthtt.exe90⤵PID:2940
-
\??\c:\24604.exec:\24604.exe91⤵PID:3596
-
\??\c:\tntnhb.exec:\tntnhb.exe92⤵PID:60
-
\??\c:\080220.exec:\080220.exe93⤵PID:676
-
\??\c:\s4266.exec:\s4266.exe94⤵PID:1944
-
\??\c:\fxfxxxf.exec:\fxfxxxf.exe95⤵PID:1176
-
\??\c:\6060482.exec:\6060482.exe96⤵PID:1564
-
\??\c:\thhhbb.exec:\thhhbb.exe97⤵PID:3708
-
\??\c:\tthnht.exec:\tthnht.exe98⤵PID:1416
-
\??\c:\rllxrrl.exec:\rllxrrl.exe99⤵PID:4328
-
\??\c:\w80482.exec:\w80482.exe100⤵PID:2824
-
\??\c:\68662.exec:\68662.exe101⤵PID:2164
-
\??\c:\nhthth.exec:\nhthth.exe102⤵PID:3032
-
\??\c:\i026262.exec:\i026262.exe103⤵PID:2396
-
\??\c:\pvppp.exec:\pvppp.exe104⤵PID:4960
-
\??\c:\tnnnhh.exec:\tnnnhh.exe105⤵PID:4504
-
\??\c:\60264.exec:\60264.exe106⤵PID:3972
-
\??\c:\e02868.exec:\e02868.exe107⤵PID:2960
-
\??\c:\02042.exec:\02042.exe108⤵PID:1308
-
\??\c:\rllxllf.exec:\rllxllf.exe109⤵PID:4692
-
\??\c:\6822604.exec:\6822604.exe110⤵PID:1976
-
\??\c:\228822.exec:\228822.exe111⤵PID:4472
-
\??\c:\5vvdv.exec:\5vvdv.exe112⤵PID:2644
-
\??\c:\4886426.exec:\4886426.exe113⤵PID:4700
-
\??\c:\pddvj.exec:\pddvj.exe114⤵PID:2304
-
\??\c:\4442608.exec:\4442608.exe115⤵PID:4456
-
\??\c:\2848604.exec:\2848604.exe116⤵PID:536
-
\??\c:\s0206.exec:\s0206.exe117⤵PID:4088
-
\??\c:\jvpdj.exec:\jvpdj.exe118⤵PID:4852
-
\??\c:\lllxlfr.exec:\lllxlfr.exe119⤵PID:3820
-
\??\c:\8008046.exec:\8008046.exe120⤵PID:2656
-
\??\c:\nhnhtn.exec:\nhnhtn.exe121⤵PID:1932
-
\??\c:\fxfxfxl.exec:\fxfxfxl.exe122⤵PID:4956