Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08/01/2025, 04:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe
-
Size
454KB
-
MD5
ebbc7ccdbe77302d85e1ce912f147110
-
SHA1
f13f4dbbe542c974c350108f4555338c979fa0b4
-
SHA256
4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61
-
SHA512
cf4ff1e1a631a3530905137fd709884ac0bab5b2f6d7850e0106cb224ce45ec8c52f393226ed61938dadabcd5250cb7092db60440933276d507f0a6a777d3239
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6i:q7Tc2NYHUrAwfMp3CD6i
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4232-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2868-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5004-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-1171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-1276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the IoC list is capped at 64 entries; the process tree below records 122 spawned executables, so treat this count as a lower bound)
pid Process 1260 e44466.exe 4384 o066004.exe 3180 7xfrllf.exe 1160 jddvp.exe 4448 fxflfff.exe 2436 djvvp.exe 3628 42888.exe 3536 pddvj.exe 2184 24848.exe 4024 flrrlfx.exe 4892 864400.exe 3680 8460862.exe 3528 i282266.exe 2888 2448226.exe 60 848202.exe 3204 66004.exe 2744 djdvv.exe 400 a8882.exe 4216 028604.exe 2768 rfxrrrx.exe 1676 06820.exe 5012 u604486.exe 2164 q80022.exe 2932 xfxfxxf.exe 4244 884826.exe 4596 rflfrxx.exe 2868 w22604.exe 916 44086.exe 4116 6808626.exe 1288 rrxrllf.exe 5048 2626626.exe 428 622226.exe 1488 04668.exe 404 406448.exe 4696 tttnhb.exe 4936 hbhhbt.exe 2340 646620.exe 1048 40660.exe 5104 vdvpj.exe 116 rrrrrrx.exe 2344 e08400.exe 4748 ttnntn.exe 2052 pjjdp.exe 2540 8060000.exe 4416 a8664.exe 2816 dpdjj.exe 1996 0842828.exe 3668 9jjdd.exe 636 262606.exe 1724 6228266.exe 3148 0060462.exe 1432 xrrlrll.exe 3552 0622222.exe 5060 6240246.exe 5108 xrxxfrr.exe 3060 ppdvv.exe 2184 hhnnnt.exe 3396 i286604.exe 1852 lxfxrrl.exe 1128 8466004.exe 3272 nnttnt.exe 4768 jvppp.exe 4932 4620024.exe 4756 28442.exe -
resource yara_rule behavioral2/memory/4232-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4244-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4180-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-698-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 848202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2626626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e06046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k48644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u024664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2026824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2842860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 024846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q80022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q88424.exe -
Suspicious use of WriteProcessMemory 64 IoCs (the IoC list is capped at 64 entries and stops at the 06820.exe → u604486.exe hand-off; the process chain below continues well past that point)
description pid Process procid_target PID 4232 wrote to memory of 1260 4232 4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe 83 PID 4232 wrote to memory of 1260 4232 4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe 83 PID 4232 wrote to memory of 1260 4232 4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe 83 PID 1260 wrote to memory of 4384 1260 e44466.exe 84 PID 1260 wrote to memory of 4384 1260 e44466.exe 84 PID 1260 wrote to memory of 4384 1260 e44466.exe 84 PID 4384 wrote to memory of 3180 4384 o066004.exe 85 PID 4384 wrote to memory of 3180 4384 o066004.exe 85 PID 4384 wrote to memory of 3180 4384 o066004.exe 85 PID 3180 wrote to memory of 1160 3180 7xfrllf.exe 86 PID 3180 wrote to memory of 1160 3180 7xfrllf.exe 86 PID 3180 wrote to memory of 1160 3180 7xfrllf.exe 86 PID 1160 wrote to memory of 4448 1160 jddvp.exe 87 PID 1160 wrote to memory of 4448 1160 jddvp.exe 87 PID 1160 wrote to memory of 4448 1160 jddvp.exe 87 PID 4448 wrote to memory of 2436 4448 fxflfff.exe 88 PID 4448 wrote to memory of 2436 4448 fxflfff.exe 88 PID 4448 wrote to memory of 2436 4448 fxflfff.exe 88 PID 2436 wrote to memory of 3628 2436 djvvp.exe 89 PID 2436 wrote to memory of 3628 2436 djvvp.exe 89 PID 2436 wrote to memory of 3628 2436 djvvp.exe 89 PID 3628 wrote to memory of 3536 3628 42888.exe 90 PID 3628 wrote to memory of 3536 3628 42888.exe 90 PID 3628 wrote to memory of 3536 3628 42888.exe 90 PID 3536 wrote to memory of 2184 3536 pddvj.exe 91 PID 3536 wrote to memory of 2184 3536 pddvj.exe 91 PID 3536 wrote to memory of 2184 3536 pddvj.exe 91 PID 2184 wrote to memory of 4024 2184 24848.exe 92 PID 2184 wrote to memory of 4024 2184 24848.exe 92 PID 2184 wrote to memory of 4024 2184 24848.exe 92 PID 4024 wrote to memory of 4892 4024 flrrlfx.exe 93 PID 4024 wrote to memory of 4892 4024 flrrlfx.exe 93 PID 4024 wrote to memory of 4892 4024 flrrlfx.exe 93 PID 4892 wrote to memory of 3680 4892 864400.exe 94 PID 4892 wrote to 
memory of 3680 4892 864400.exe 94 PID 4892 wrote to memory of 3680 4892 864400.exe 94 PID 3680 wrote to memory of 3528 3680 8460862.exe 95 PID 3680 wrote to memory of 3528 3680 8460862.exe 95 PID 3680 wrote to memory of 3528 3680 8460862.exe 95 PID 3528 wrote to memory of 2888 3528 i282266.exe 96 PID 3528 wrote to memory of 2888 3528 i282266.exe 96 PID 3528 wrote to memory of 2888 3528 i282266.exe 96 PID 2888 wrote to memory of 60 2888 2448226.exe 97 PID 2888 wrote to memory of 60 2888 2448226.exe 97 PID 2888 wrote to memory of 60 2888 2448226.exe 97 PID 60 wrote to memory of 3204 60 848202.exe 98 PID 60 wrote to memory of 3204 60 848202.exe 98 PID 60 wrote to memory of 3204 60 848202.exe 98 PID 3204 wrote to memory of 2744 3204 66004.exe 99 PID 3204 wrote to memory of 2744 3204 66004.exe 99 PID 3204 wrote to memory of 2744 3204 66004.exe 99 PID 2744 wrote to memory of 400 2744 djdvv.exe 100 PID 2744 wrote to memory of 400 2744 djdvv.exe 100 PID 2744 wrote to memory of 400 2744 djdvv.exe 100 PID 400 wrote to memory of 4216 400 a8882.exe 101 PID 400 wrote to memory of 4216 400 a8882.exe 101 PID 400 wrote to memory of 4216 400 a8882.exe 101 PID 4216 wrote to memory of 2768 4216 028604.exe 102 PID 4216 wrote to memory of 2768 4216 028604.exe 102 PID 4216 wrote to memory of 2768 4216 028604.exe 102 PID 2768 wrote to memory of 1676 2768 rfxrrrx.exe 103 PID 2768 wrote to memory of 1676 2768 rfxrrrx.exe 103 PID 2768 wrote to memory of 1676 2768 rfxrrrx.exe 103 PID 1676 wrote to memory of 5012 1676 06820.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe"C:\Users\Admin\AppData\Local\Temp\4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\e44466.exec:\e44466.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\o066004.exec:\o066004.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\7xfrllf.exec:\7xfrllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\jddvp.exec:\jddvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\fxflfff.exec:\fxflfff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\djvvp.exec:\djvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\42888.exec:\42888.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\pddvj.exec:\pddvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\24848.exec:\24848.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\flrrlfx.exec:\flrrlfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\864400.exec:\864400.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\8460862.exec:\8460862.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\i282266.exec:\i282266.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\2448226.exec:\2448226.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\848202.exec:\848202.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\66004.exec:\66004.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\djdvv.exec:\djdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\a8882.exec:\a8882.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\028604.exec:\028604.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\rfxrrrx.exec:\rfxrrrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\06820.exec:\06820.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\u604486.exec:\u604486.exe23⤵
- Executes dropped EXE
PID:5012 -
\??\c:\q80022.exec:\q80022.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
\??\c:\xfxfxxf.exec:\xfxfxxf.exe25⤵
- Executes dropped EXE
PID:2932 -
\??\c:\884826.exec:\884826.exe26⤵
- Executes dropped EXE
PID:4244 -
\??\c:\rflfrxx.exec:\rflfrxx.exe27⤵
- Executes dropped EXE
PID:4596 -
\??\c:\w22604.exec:\w22604.exe28⤵
- Executes dropped EXE
PID:2868 -
\??\c:\44086.exec:\44086.exe29⤵
- Executes dropped EXE
PID:916 -
\??\c:\6808626.exec:\6808626.exe30⤵
- Executes dropped EXE
PID:4116 -
\??\c:\rrxrllf.exec:\rrxrllf.exe31⤵
- Executes dropped EXE
PID:1288 -
\??\c:\2626626.exec:\2626626.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5048 -
\??\c:\622226.exec:\622226.exe33⤵
- Executes dropped EXE
PID:428 -
\??\c:\04668.exec:\04668.exe34⤵
- Executes dropped EXE
PID:1488 -
\??\c:\406448.exec:\406448.exe35⤵
- Executes dropped EXE
PID:404 -
\??\c:\tttnhb.exec:\tttnhb.exe36⤵
- Executes dropped EXE
PID:4696 -
\??\c:\hbhhbt.exec:\hbhhbt.exe37⤵
- Executes dropped EXE
PID:4936 -
\??\c:\646620.exec:\646620.exe38⤵
- Executes dropped EXE
PID:2340 -
\??\c:\40660.exec:\40660.exe39⤵
- Executes dropped EXE
PID:1048 -
\??\c:\vdvpj.exec:\vdvpj.exe40⤵
- Executes dropped EXE
PID:5104 -
\??\c:\rrrrrrx.exec:\rrrrrrx.exe41⤵
- Executes dropped EXE
PID:116 -
\??\c:\e08400.exec:\e08400.exe42⤵
- Executes dropped EXE
PID:2344 -
\??\c:\ttnntn.exec:\ttnntn.exe43⤵
- Executes dropped EXE
PID:4748 -
\??\c:\pjjdp.exec:\pjjdp.exe44⤵
- Executes dropped EXE
PID:2052 -
\??\c:\8060000.exec:\8060000.exe45⤵
- Executes dropped EXE
PID:2540 -
\??\c:\a8664.exec:\a8664.exe46⤵
- Executes dropped EXE
PID:4416 -
\??\c:\dpdjj.exec:\dpdjj.exe47⤵
- Executes dropped EXE
PID:2816 -
\??\c:\0842828.exec:\0842828.exe48⤵
- Executes dropped EXE
PID:1996 -
\??\c:\9jjdd.exec:\9jjdd.exe49⤵
- Executes dropped EXE
PID:3668 -
\??\c:\262606.exec:\262606.exe50⤵
- Executes dropped EXE
PID:636 -
\??\c:\6228266.exec:\6228266.exe51⤵
- Executes dropped EXE
PID:1724 -
\??\c:\0060462.exec:\0060462.exe52⤵
- Executes dropped EXE
PID:3148 -
\??\c:\xrrlrll.exec:\xrrlrll.exe53⤵
- Executes dropped EXE
PID:1432 -
\??\c:\0622222.exec:\0622222.exe54⤵
- Executes dropped EXE
PID:3552 -
\??\c:\6240246.exec:\6240246.exe55⤵
- Executes dropped EXE
PID:5060 -
\??\c:\xrxxfrr.exec:\xrxxfrr.exe56⤵
- Executes dropped EXE
PID:5108 -
\??\c:\ppdvv.exec:\ppdvv.exe57⤵
- Executes dropped EXE
PID:3060 -
\??\c:\hhnnnt.exec:\hhnnnt.exe58⤵
- Executes dropped EXE
PID:2184 -
\??\c:\i286604.exec:\i286604.exe59⤵
- Executes dropped EXE
PID:3396 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe60⤵
- Executes dropped EXE
PID:1852 -
\??\c:\8466004.exec:\8466004.exe61⤵
- Executes dropped EXE
PID:1128 -
\??\c:\nnttnt.exec:\nnttnt.exe62⤵
- Executes dropped EXE
PID:3272 -
\??\c:\jvppp.exec:\jvppp.exe63⤵
- Executes dropped EXE
PID:4768 -
\??\c:\4620024.exec:\4620024.exe64⤵
- Executes dropped EXE
PID:4932 -
\??\c:\28442.exec:\28442.exe65⤵
- Executes dropped EXE
PID:4756 -
\??\c:\tnbntn.exec:\tnbntn.exe66⤵PID:532
-
\??\c:\84882.exec:\84882.exe67⤵PID:4408
-
\??\c:\00048.exec:\00048.exe68⤵PID:2936
-
\??\c:\m4044.exec:\m4044.exe69⤵PID:2820
-
\??\c:\0404484.exec:\0404484.exe70⤵PID:1760
-
\??\c:\02608.exec:\02608.exe71⤵PID:2164
-
\??\c:\htnntt.exec:\htnntt.exe72⤵PID:2932
-
\??\c:\jjpvj.exec:\jjpvj.exe73⤵PID:4940
-
\??\c:\nnnbbt.exec:\nnnbbt.exe74⤵PID:4680
-
\??\c:\88482.exec:\88482.exe75⤵PID:5040
-
\??\c:\8282266.exec:\8282266.exe76⤵PID:3752
-
\??\c:\2622288.exec:\2622288.exe77⤵PID:372
-
\??\c:\xfllrll.exec:\xfllrll.exe78⤵PID:2060
-
\??\c:\084042.exec:\084042.exe79⤵PID:4796
-
\??\c:\jpdvp.exec:\jpdvp.exe80⤵PID:4948
-
\??\c:\tbthbh.exec:\tbthbh.exe81⤵PID:5068
-
\??\c:\482800.exec:\482800.exe82⤵PID:2012
-
\??\c:\42820.exec:\42820.exe83⤵PID:3708
-
\??\c:\2682444.exec:\2682444.exe84⤵PID:5004
-
\??\c:\nbbnhh.exec:\nbbnhh.exe85⤵PID:4872
-
\??\c:\022202.exec:\022202.exe86⤵PID:3712
-
\??\c:\frfxrlf.exec:\frfxrlf.exe87⤵PID:692
-
\??\c:\88060.exec:\88060.exe88⤵PID:1860
-
\??\c:\206004.exec:\206004.exe89⤵PID:5080
-
\??\c:\fxrflxf.exec:\fxrflxf.exe90⤵PID:1484
-
\??\c:\200426.exec:\200426.exe91⤵PID:1336
-
\??\c:\vvjdv.exec:\vvjdv.exe92⤵PID:4312
-
\??\c:\xlrlxrl.exec:\xlrlxrl.exe93⤵PID:3840
-
\??\c:\20462.exec:\20462.exe94⤵PID:64
-
\??\c:\446884.exec:\446884.exe95⤵PID:4344
-
\??\c:\62260.exec:\62260.exe96⤵PID:2816
-
\??\c:\28488.exec:\28488.exe97⤵PID:1996
-
\??\c:\u022626.exec:\u022626.exe98⤵PID:3180
-
\??\c:\406040.exec:\406040.exe99⤵PID:3992
-
\??\c:\a4044.exec:\a4044.exe100⤵PID:4180
-
\??\c:\426008.exec:\426008.exe101⤵PID:5072
-
\??\c:\862600.exec:\862600.exe102⤵PID:1316
-
\??\c:\486284.exec:\486284.exe103⤵PID:4780
-
\??\c:\42826.exec:\42826.exe104⤵PID:4084
-
\??\c:\tnbbbb.exec:\tnbbbb.exe105⤵PID:3552
-
\??\c:\222262.exec:\222262.exe106⤵PID:1364
-
\??\c:\828666.exec:\828666.exe107⤵PID:2456
-
\??\c:\3tnhbt.exec:\3tnhbt.exe108⤵PID:4640
-
\??\c:\htbtnt.exec:\htbtnt.exe109⤵PID:3224
-
\??\c:\5hnhht.exec:\5hnhht.exe110⤵PID:1836
-
\??\c:\0288804.exec:\0288804.exe111⤵PID:3392
-
\??\c:\24408.exec:\24408.exe112⤵PID:3440
-
\??\c:\1tbtnn.exec:\1tbtnn.exe113⤵PID:3896
-
\??\c:\tntnbb.exec:\tntnbb.exe114⤵PID:2556
-
\??\c:\0448822.exec:\0448822.exe115⤵PID:452
-
\??\c:\28000.exec:\28000.exe116⤵PID:4488
-
\??\c:\1xrlfff.exec:\1xrlfff.exe117⤵PID:2920
-
\??\c:\hthtbn.exec:\hthtbn.exe118⤵PID:1688
-
\??\c:\i046024.exec:\i046024.exe119⤵PID:3520
-
\??\c:\vjjdd.exec:\vjjdd.exe120⤵PID:4480
-
\??\c:\q88424.exec:\q88424.exe121⤵
- System Location Discovery: System Language Discovery
PID:208 -
\??\c:\48866.exec:\48866.exe122⤵PID:4472