Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 08:00
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
f5fe62b5441935de42cb636dfa877d0817cfa702d028509dbab3be1140cf440bN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
f5fe62b5441935de42cb636dfa877d0817cfa702d028509dbab3be1140cf440bN.exe
-
Size
455KB
-
MD5
29805fa41a039100f4c9a5550ffed390
-
SHA1
d6311bb6671dbc65a324b6daa2ee9f019eaa2428
-
SHA256
f5fe62b5441935de42cb636dfa877d0817cfa702d028509dbab3be1140cf440b
-
SHA512
8c903cc9bb859a35bb15ae1416b4cc2dc271b985af35b82c7354b258c3beab60f0039440eee3f40a273608b4657515598e64c877b9ec954369082ef4191b77c9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload — 64 IoCs. Every hit below is the family_blackmoon memory rule firing on the identical 0x0000000000400000–0x000000000042A000 image range in each dropped process; the same ranges also match the upx rule, consistent with one packed image being re-executed along the chain. Note this is a runtime memory detection (the static task reported only one signature), so it depends on the sample actually running.
resource yara_rule behavioral2/memory/3808-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2456-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3300-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-793-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-950-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-1017-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3392-1117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs. The dropped binaries are written to the root of C:\ under short pseudo-random names (see the process tree below), and each one launches the next, so the chain runs well over 100 processes deep within the 120 s window.
pid Process 3120 0084888.exe 4052 5dppj.exe 5028 vpppj.exe 1848 0460006.exe 1256 7lllxxl.exe 4456 flfxlxl.exe 3592 7llxfrx.exe 1960 bhbhth.exe 4808 lxfxrlf.exe 4236 7pvvd.exe 2564 vdvjd.exe 2744 lrxrllf.exe 4516 xxrlflr.exe 4340 bhnhhb.exe 5052 dvvpd.exe 3028 60606.exe 1268 044880.exe 4852 3jpjd.exe 4560 822604.exe 1968 802622.exe 3816 64488.exe 232 462604.exe 2224 3bntnb.exe 2072 i620048.exe 3504 22864.exe 2456 4848822.exe 2128 bbnhbh.exe 3420 84004.exe 4632 lrxrrxr.exe 3092 6666228.exe 1636 5llfxxx.exe 1804 xrlfxxr.exe 4360 nhnhhn.exe 5040 42822.exe 3556 rxllrxf.exe 1708 nbhbtt.exe 1512 rxrrlll.exe 1516 c444882.exe 4348 2848882.exe 1248 c688222.exe 5060 jpdvp.exe 2332 04888.exe 4768 24482.exe 2024 rfxrxxr.exe 1036 5nnnhh.exe 1440 nbnnnn.exe 548 lfrlllf.exe 376 6888226.exe 1220 400444.exe 4332 5lrrffr.exe 2788 c060226.exe 3908 ppddj.exe 4956 lxfxrrr.exe 3588 86826.exe 3744 424000.exe 3600 244444.exe 3044 9ttnnn.exe 772 ffrlffl.exe 4720 xlrlllf.exe 1896 lfffrrr.exe 1784 1lrrlrl.exe 1656 m0824.exe 4192 vjjjd.exe 1380 rllllfx.exe -
resource yara_rule behavioral2/memory/3808-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3420-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-385-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4500-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-950-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. On its own, a read of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language is weak evidence — many legitimate runtimes query the same key — so weight it only in combination with the other signatures. Entries attributed to "Process not Found" are reads the sandbox could not tie to a process that was still alive when the event was logged, plausibly because each dropped EXE is short-lived once it has spawned its successor.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o408604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 246026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0444882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2404226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8884886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c622660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k24888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2060886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlflrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs. Every write listed is from a parent to the child it has just launched (procid_target is always the next process in the tree) and is recorded three times per pair; none of the listed IoCs show a write into a pre-existing or unrelated process. Read this as the process-creation chain rather than as injection into another process.
description pid Process procid_target PID 3808 wrote to memory of 3120 3808 f5fe62b5441935de42cb636dfa877d0817cfa702d028509dbab3be1140cf440bN.exe 83 PID 3808 wrote to memory of 3120 3808 f5fe62b5441935de42cb636dfa877d0817cfa702d028509dbab3be1140cf440bN.exe 83 PID 3808 wrote to memory of 3120 3808 f5fe62b5441935de42cb636dfa877d0817cfa702d028509dbab3be1140cf440bN.exe 83 PID 3120 wrote to memory of 4052 3120 0084888.exe 84 PID 3120 wrote to memory of 4052 3120 0084888.exe 84 PID 3120 wrote to memory of 4052 3120 0084888.exe 84 PID 4052 wrote to memory of 5028 4052 5dppj.exe 85 PID 4052 wrote to memory of 5028 4052 5dppj.exe 85 PID 4052 wrote to memory of 5028 4052 5dppj.exe 85 PID 5028 wrote to memory of 1848 5028 vpppj.exe 86 PID 5028 wrote to memory of 1848 5028 vpppj.exe 86 PID 5028 wrote to memory of 1848 5028 vpppj.exe 86 PID 1848 wrote to memory of 1256 1848 0460006.exe 87 PID 1848 wrote to memory of 1256 1848 0460006.exe 87 PID 1848 wrote to memory of 1256 1848 0460006.exe 87 PID 1256 wrote to memory of 4456 1256 7lllxxl.exe 88 PID 1256 wrote to memory of 4456 1256 7lllxxl.exe 88 PID 1256 wrote to memory of 4456 1256 7lllxxl.exe 88 PID 4456 wrote to memory of 3592 4456 flfxlxl.exe 89 PID 4456 wrote to memory of 3592 4456 flfxlxl.exe 89 PID 4456 wrote to memory of 3592 4456 flfxlxl.exe 89 PID 3592 wrote to memory of 1960 3592 7llxfrx.exe 90 PID 3592 wrote to memory of 1960 3592 7llxfrx.exe 90 PID 3592 wrote to memory of 1960 3592 7llxfrx.exe 90 PID 1960 wrote to memory of 4808 1960 bhbhth.exe 91 PID 1960 wrote to memory of 4808 1960 bhbhth.exe 91 PID 1960 wrote to memory of 4808 1960 bhbhth.exe 91 PID 4808 wrote to memory of 4236 4808 lxfxrlf.exe 92 PID 4808 wrote to memory of 4236 4808 lxfxrlf.exe 92 PID 4808 wrote to memory of 4236 4808 lxfxrlf.exe 92 PID 4236 wrote to memory of 2564 4236 7pvvd.exe 93 PID 4236 wrote to memory of 2564 4236 7pvvd.exe 93 PID 4236 wrote to memory of 2564 4236 7pvvd.exe 93 PID 2564 wrote to memory of 2744 2564 vdvjd.exe 94 PID 2564 
wrote to memory of 2744 2564 vdvjd.exe 94 PID 2564 wrote to memory of 2744 2564 vdvjd.exe 94 PID 2744 wrote to memory of 4516 2744 lrxrllf.exe 95 PID 2744 wrote to memory of 4516 2744 lrxrllf.exe 95 PID 2744 wrote to memory of 4516 2744 lrxrllf.exe 95 PID 4516 wrote to memory of 4340 4516 xxrlflr.exe 96 PID 4516 wrote to memory of 4340 4516 xxrlflr.exe 96 PID 4516 wrote to memory of 4340 4516 xxrlflr.exe 96 PID 4340 wrote to memory of 5052 4340 bhnhhb.exe 97 PID 4340 wrote to memory of 5052 4340 bhnhhb.exe 97 PID 4340 wrote to memory of 5052 4340 bhnhhb.exe 97 PID 5052 wrote to memory of 3028 5052 dvvpd.exe 98 PID 5052 wrote to memory of 3028 5052 dvvpd.exe 98 PID 5052 wrote to memory of 3028 5052 dvvpd.exe 98 PID 3028 wrote to memory of 1268 3028 60606.exe 99 PID 3028 wrote to memory of 1268 3028 60606.exe 99 PID 3028 wrote to memory of 1268 3028 60606.exe 99 PID 1268 wrote to memory of 4852 1268 044880.exe 100 PID 1268 wrote to memory of 4852 1268 044880.exe 100 PID 1268 wrote to memory of 4852 1268 044880.exe 100 PID 4852 wrote to memory of 4560 4852 3jpjd.exe 101 PID 4852 wrote to memory of 4560 4852 3jpjd.exe 101 PID 4852 wrote to memory of 4560 4852 3jpjd.exe 101 PID 4560 wrote to memory of 1968 4560 822604.exe 102 PID 4560 wrote to memory of 1968 4560 822604.exe 102 PID 4560 wrote to memory of 1968 4560 822604.exe 102 PID 1968 wrote to memory of 3816 1968 802622.exe 103 PID 1968 wrote to memory of 3816 1968 802622.exe 103 PID 1968 wrote to memory of 3816 1968 802622.exe 103 PID 3816 wrote to memory of 232 3816 64488.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5fe62b5441935de42cb636dfa877d0817cfa702d028509dbab3be1140cf440bN.exe"C:\Users\Admin\AppData\Local\Temp\f5fe62b5441935de42cb636dfa877d0817cfa702d028509dbab3be1140cf440bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\0084888.exec:\0084888.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\5dppj.exec:\5dppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\vpppj.exec:\vpppj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\0460006.exec:\0460006.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\7lllxxl.exec:\7lllxxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\flfxlxl.exec:\flfxlxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\7llxfrx.exec:\7llxfrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\bhbhth.exec:\bhbhth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\7pvvd.exec:\7pvvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\vdvjd.exec:\vdvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\lrxrllf.exec:\lrxrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\xxrlflr.exec:\xxrlflr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\bhnhhb.exec:\bhnhhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\dvvpd.exec:\dvvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\60606.exec:\60606.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\044880.exec:\044880.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\3jpjd.exec:\3jpjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\822604.exec:\822604.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\802622.exec:\802622.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\64488.exec:\64488.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\462604.exec:\462604.exe23⤵
- Executes dropped EXE
PID:232 -
\??\c:\3bntnb.exec:\3bntnb.exe24⤵
- Executes dropped EXE
PID:2224 -
\??\c:\i620048.exec:\i620048.exe25⤵
- Executes dropped EXE
PID:2072 -
\??\c:\22864.exec:\22864.exe26⤵
- Executes dropped EXE
PID:3504 -
\??\c:\4848822.exec:\4848822.exe27⤵
- Executes dropped EXE
PID:2456 -
\??\c:\bbnhbh.exec:\bbnhbh.exe28⤵
- Executes dropped EXE
PID:2128 -
\??\c:\84004.exec:\84004.exe29⤵
- Executes dropped EXE
PID:3420 -
\??\c:\lrxrrxr.exec:\lrxrrxr.exe30⤵
- Executes dropped EXE
PID:4632 -
\??\c:\6666228.exec:\6666228.exe31⤵
- Executes dropped EXE
PID:3092 -
\??\c:\5llfxxx.exec:\5llfxxx.exe32⤵
- Executes dropped EXE
PID:1636 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe33⤵
- Executes dropped EXE
PID:1804 -
\??\c:\nhnhhn.exec:\nhnhhn.exe34⤵
- Executes dropped EXE
PID:4360 -
\??\c:\42822.exec:\42822.exe35⤵
- Executes dropped EXE
PID:5040 -
\??\c:\rxllrxf.exec:\rxllrxf.exe36⤵
- Executes dropped EXE
PID:3556 -
\??\c:\nbhbtt.exec:\nbhbtt.exe37⤵
- Executes dropped EXE
PID:1708 -
\??\c:\rxrrlll.exec:\rxrrlll.exe38⤵
- Executes dropped EXE
PID:1512 -
\??\c:\c444882.exec:\c444882.exe39⤵
- Executes dropped EXE
PID:1516 -
\??\c:\2848882.exec:\2848882.exe40⤵
- Executes dropped EXE
PID:4348 -
\??\c:\c688222.exec:\c688222.exe41⤵
- Executes dropped EXE
PID:1248 -
\??\c:\jpdvp.exec:\jpdvp.exe42⤵
- Executes dropped EXE
PID:5060 -
\??\c:\04888.exec:\04888.exe43⤵
- Executes dropped EXE
PID:2332 -
\??\c:\24482.exec:\24482.exe44⤵
- Executes dropped EXE
PID:4768 -
\??\c:\rfxrxxr.exec:\rfxrxxr.exe45⤵
- Executes dropped EXE
PID:2024 -
\??\c:\5nnnhh.exec:\5nnnhh.exe46⤵
- Executes dropped EXE
PID:1036 -
\??\c:\nbnnnn.exec:\nbnnnn.exe47⤵
- Executes dropped EXE
PID:1440 -
\??\c:\lfrlllf.exec:\lfrlllf.exe48⤵
- Executes dropped EXE
PID:548 -
\??\c:\6888226.exec:\6888226.exe49⤵
- Executes dropped EXE
PID:376 -
\??\c:\400444.exec:\400444.exe50⤵
- Executes dropped EXE
PID:1220 -
\??\c:\5lrrffr.exec:\5lrrffr.exe51⤵
- Executes dropped EXE
PID:4332 -
\??\c:\c060226.exec:\c060226.exe52⤵
- Executes dropped EXE
PID:2788 -
\??\c:\ppddj.exec:\ppddj.exe53⤵
- Executes dropped EXE
PID:3908 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe54⤵
- Executes dropped EXE
PID:4956 -
\??\c:\86826.exec:\86826.exe55⤵
- Executes dropped EXE
PID:3588 -
\??\c:\424000.exec:\424000.exe56⤵
- Executes dropped EXE
PID:3744 -
\??\c:\244444.exec:\244444.exe57⤵
- Executes dropped EXE
PID:3600 -
\??\c:\9ttnnn.exec:\9ttnnn.exe58⤵
- Executes dropped EXE
PID:3044 -
\??\c:\ffrlffl.exec:\ffrlffl.exe59⤵
- Executes dropped EXE
PID:772 -
\??\c:\xlrlllf.exec:\xlrlllf.exe60⤵
- Executes dropped EXE
PID:4720 -
\??\c:\lfffrrr.exec:\lfffrrr.exe61⤵
- Executes dropped EXE
PID:1896 -
\??\c:\1lrrlrl.exec:\1lrrlrl.exe62⤵
- Executes dropped EXE
PID:1784 -
\??\c:\m0824.exec:\m0824.exe63⤵
- Executes dropped EXE
PID:1656 -
\??\c:\vjjjd.exec:\vjjjd.exe64⤵
- Executes dropped EXE
PID:4192 -
\??\c:\rllllfx.exec:\rllllfx.exe65⤵
- Executes dropped EXE
PID:1380 -
\??\c:\bbbbtt.exec:\bbbbtt.exe66⤵PID:2576
-
\??\c:\60602.exec:\60602.exe67⤵PID:1156
-
\??\c:\g8448.exec:\g8448.exe68⤵PID:2564
-
\??\c:\djjdv.exec:\djjdv.exe69⤵PID:3244
-
\??\c:\468820.exec:\468820.exe70⤵PID:2744
-
\??\c:\462266.exec:\462266.exe71⤵PID:1316
-
\??\c:\nbhbtn.exec:\nbhbtn.exe72⤵PID:5056
-
\??\c:\46826.exec:\46826.exe73⤵PID:4876
-
\??\c:\k28866.exec:\k28866.exe74⤵PID:3136
-
\??\c:\fxlxrrr.exec:\fxlxrrr.exe75⤵
- System Location Discovery: System Language Discovery
PID:4488 -
\??\c:\lfxrxxx.exec:\lfxrxxx.exe76⤵PID:1448
-
\??\c:\nhnhnh.exec:\nhnhnh.exe77⤵PID:4640
-
\??\c:\k24888.exec:\k24888.exe78⤵
- System Location Discovery: System Language Discovery
PID:2208 -
\??\c:\9jjdv.exec:\9jjdv.exe79⤵PID:2360
-
\??\c:\6028222.exec:\6028222.exe80⤵PID:2288
-
\??\c:\26260.exec:\26260.exe81⤵PID:3300
-
\??\c:\rffxrrl.exec:\rffxrrl.exe82⤵PID:5048
-
\??\c:\vdvdd.exec:\vdvdd.exe83⤵PID:3804
-
\??\c:\048866.exec:\048866.exe84⤵PID:532
-
\??\c:\rffxxxx.exec:\rffxxxx.exe85⤵PID:64
-
\??\c:\884888.exec:\884888.exe86⤵PID:2304
-
\??\c:\1hnthh.exec:\1hnthh.exe87⤵PID:2072
-
\??\c:\8226820.exec:\8226820.exe88⤵PID:1676
-
\??\c:\nbnhbb.exec:\nbnhbb.exe89⤵PID:2456
-
\??\c:\lxfrrlf.exec:\lxfrrlf.exe90⤵PID:2124
-
\??\c:\lflxlxl.exec:\lflxlxl.exe91⤵
- System Location Discovery: System Language Discovery
PID:3976 -
\??\c:\vdddp.exec:\vdddp.exe92⤵PID:1308
-
\??\c:\hthtnh.exec:\hthtnh.exe93⤵PID:1164
-
\??\c:\222086.exec:\222086.exe94⤵PID:1492
-
\??\c:\i400404.exec:\i400404.exe95⤵PID:4500
-
\??\c:\64824.exec:\64824.exe96⤵PID:2396
-
\??\c:\ppjvj.exec:\ppjvj.exe97⤵PID:3864
-
\??\c:\w22642.exec:\w22642.exe98⤵PID:4104
-
\??\c:\644822.exec:\644822.exe99⤵PID:4088
-
\??\c:\1nhbtt.exec:\1nhbtt.exe100⤵PID:3252
-
\??\c:\0848840.exec:\0848840.exe101⤵PID:3548
-
\??\c:\02448.exec:\02448.exe102⤵PID:1612
-
\??\c:\hhnttb.exec:\hhnttb.exe103⤵PID:1720
-
\??\c:\62288.exec:\62288.exe104⤵PID:4348
-
\??\c:\5pjvp.exec:\5pjvp.exe105⤵PID:4952
-
\??\c:\3rlfrlx.exec:\3rlfrlx.exe106⤵PID:2536
-
\??\c:\c886042.exec:\c886042.exe107⤵PID:2332
-
\??\c:\o886820.exec:\o886820.exe108⤵PID:4768
-
\??\c:\1ttnht.exec:\1ttnht.exe109⤵PID:2760
-
\??\c:\dpvjj.exec:\dpvjj.exe110⤵PID:4536
-
\??\c:\0444882.exec:\0444882.exe111⤵
- System Location Discovery: System Language Discovery
PID:3352 -
\??\c:\422604.exec:\422604.exe112⤵PID:2764
-
\??\c:\xflrfrx.exec:\xflrfrx.exe113⤵PID:4440
-
\??\c:\nbbthb.exec:\nbbthb.exe114⤵PID:4816
-
\??\c:\llffxxx.exec:\llffxxx.exe115⤵PID:4372
-
\??\c:\rxrfrlx.exec:\rxrfrlx.exe116⤵PID:4860
-
\??\c:\xffrxrl.exec:\xffrxrl.exe117⤵PID:5072
-
\??\c:\e08020.exec:\e08020.exe118⤵PID:1888
-
\??\c:\82864.exec:\82864.exe119⤵PID:4524
-
\??\c:\c808266.exec:\c808266.exe120⤵PID:468
-
\??\c:\rlrrlll.exec:\rlrrlll.exe121⤵PID:4048
-
\??\c:\httbbt.exec:\httbbt.exe122⤵PID:784