Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
08/01/2025, 05:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe
Resource
win7-20240708-en
7 signatures
150 seconds
(Note: this task summary describes the win7 run, but every signature and memory-dump IoC listed below is tagged `behavioral2`, which matches the win10v2004-20241007-en platform given in the Analysis header. Treat the results below as belonging to the Windows 10 run, not to this win7 task.)
General
-
Target
994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe
-
Size
453KB
-
MD5
c37686cf8d9cb5649bcb1c2b38416c61
-
SHA1
a8c7d8c3dd6585ec47265f95da1c57bcd294b30a
-
SHA256
994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9
-
SHA512
991db6eded496e924a2d209b4b4630409f56d3144bb1daa749c66ec54e52bf15f1c69b3e8dfa52ae8559479ae231823a8bef884a5e18c4e4b3319ded3db55bde
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeQ:q7Tc2NYHUrAwfMp3CDQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs (YARA matches on in-memory dumps). Every match covers the same 0x00400000–0x0042A000 region in each process, and the untitled `upx` rule list further down matches the same regions, which is consistent with one UPX-packed payload being copied and unpacked in memory by each process in the chain.
resource yara_rule behavioral2/memory/1216-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3448-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3148-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4444-1375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs. Note that PIDs are reused within the 150-second run: 1216 is first the submitted sample and later `jvjdd.exe`, and 4800 is first `488200.exe` and later `nntnhh.exe`. When correlating memory dumps with processes, key on PID plus dump offset (e.g. `1216-6` vs `1216-230`), not on PID alone.
pid Process 3716 vjpjp.exe 3308 xlffxxr.exe 4748 s6686.exe 1376 2484260.exe 2100 lrlrxxf.exe 3560 08000.exe 2684 rlrrfxl.exe 2536 284826.exe 3460 rrrfrlx.exe 2700 9ffxrlf.exe 4800 488200.exe 3592 u286008.exe 2104 xflxllx.exe 4076 ddvpj.exe 2308 ntthtn.exe 5040 frrlxrf.exe 2480 42660.exe 740 vpvjd.exe 2032 44046.exe 3632 44046.exe 4268 u404266.exe 4044 068048.exe 3076 bnbnht.exe 3640 7nbbth.exe 3448 20086.exe 2784 pppjv.exe 1816 g8208.exe 3932 hhbthb.exe 4000 djjdd.exe 3736 622082.exe 5080 ppvjd.exe 2348 1nnhtt.exe 3456 2008608.exe 5000 826600.exe 1864 jvddv.exe 2088 86822.exe 2232 04482.exe 4768 nnthbb.exe 2756 46260.exe 4908 2fxrrll.exe 4404 u808600.exe 2464 rlllfxx.exe 1216 jvjdd.exe 4524 284882.exe 4656 64004.exe 4352 btthnt.exe 4744 86260.exe 4212 20604.exe 4544 424826.exe 1940 40604.exe 384 tttnbt.exe 1672 8282228.exe 400 2060482.exe 2324 08042.exe 236 rfrrffx.exe 1392 xllllll.exe 4824 tbhhbb.exe 4444 084226.exe 4800 nntnhh.exe 4896 4022426.exe 2224 fxllfff.exe 2904 tntbbn.exe 4296 tbbtnn.exe 824 tnnhtt.exe -
resource yara_rule behavioral2/memory/1216-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-140-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3448-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-324-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5100-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-666-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001, System Language Discovery). Opening `HKLM\SYSTEM\ControlSet001\Control\NLS\Language` is also done by ordinary runtime and locale code, so on its own this is a weak indicator; the many `Process not Found` rows below presumably mean the short-lived child process had already exited before the sandbox could resolve its PID to an image name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6626262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i008260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4826082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8220222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086484.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02804.exe -
Suspicious use of WriteProcessMemory — 64 IoCs. Each parent→child pair appears three times, and in every case the target is the child the parent has just launched (the `procid_target` column increments by one per hop); this is the pattern of a parent writing into its own freshly created child rather than injection into an unrelated process, though the sandbox does not show what was written.
description pid Process procid_target PID 1216 wrote to memory of 3716 1216 994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe 85 PID 1216 wrote to memory of 3716 1216 994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe 85 PID 1216 wrote to memory of 3716 1216 994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe 85 PID 3716 wrote to memory of 3308 3716 vjpjp.exe 86 PID 3716 wrote to memory of 3308 3716 vjpjp.exe 86 PID 3716 wrote to memory of 3308 3716 vjpjp.exe 86 PID 3308 wrote to memory of 4748 3308 xlffxxr.exe 87 PID 3308 wrote to memory of 4748 3308 xlffxxr.exe 87 PID 3308 wrote to memory of 4748 3308 xlffxxr.exe 87 PID 4748 wrote to memory of 1376 4748 s6686.exe 88 PID 4748 wrote to memory of 1376 4748 s6686.exe 88 PID 4748 wrote to memory of 1376 4748 s6686.exe 88 PID 1376 wrote to memory of 2100 1376 2484260.exe 89 PID 1376 wrote to memory of 2100 1376 2484260.exe 89 PID 1376 wrote to memory of 2100 1376 2484260.exe 89 PID 2100 wrote to memory of 3560 2100 lrlrxxf.exe 90 PID 2100 wrote to memory of 3560 2100 lrlrxxf.exe 90 PID 2100 wrote to memory of 3560 2100 lrlrxxf.exe 90 PID 3560 wrote to memory of 2684 3560 08000.exe 91 PID 3560 wrote to memory of 2684 3560 08000.exe 91 PID 3560 wrote to memory of 2684 3560 08000.exe 91 PID 2684 wrote to memory of 2536 2684 rlrrfxl.exe 92 PID 2684 wrote to memory of 2536 2684 rlrrfxl.exe 92 PID 2684 wrote to memory of 2536 2684 rlrrfxl.exe 92 PID 2536 wrote to memory of 3460 2536 284826.exe 93 PID 2536 wrote to memory of 3460 2536 284826.exe 93 PID 2536 wrote to memory of 3460 2536 284826.exe 93 PID 3460 wrote to memory of 2700 3460 rrrfrlx.exe 94 PID 3460 wrote to memory of 2700 3460 rrrfrlx.exe 94 PID 3460 wrote to memory of 2700 3460 rrrfrlx.exe 94 PID 2700 wrote to memory of 4800 2700 9ffxrlf.exe 95 PID 2700 wrote to memory of 4800 2700 9ffxrlf.exe 95 PID 2700 wrote to memory of 4800 2700 9ffxrlf.exe 95 PID 4800 wrote to memory of 3592 4800 488200.exe 96 PID 4800 
wrote to memory of 3592 4800 488200.exe 96 PID 4800 wrote to memory of 3592 4800 488200.exe 96 PID 3592 wrote to memory of 2104 3592 u286008.exe 97 PID 3592 wrote to memory of 2104 3592 u286008.exe 97 PID 3592 wrote to memory of 2104 3592 u286008.exe 97 PID 2104 wrote to memory of 4076 2104 xflxllx.exe 98 PID 2104 wrote to memory of 4076 2104 xflxllx.exe 98 PID 2104 wrote to memory of 4076 2104 xflxllx.exe 98 PID 4076 wrote to memory of 2308 4076 ddvpj.exe 99 PID 4076 wrote to memory of 2308 4076 ddvpj.exe 99 PID 4076 wrote to memory of 2308 4076 ddvpj.exe 99 PID 2308 wrote to memory of 5040 2308 ntthtn.exe 100 PID 2308 wrote to memory of 5040 2308 ntthtn.exe 100 PID 2308 wrote to memory of 5040 2308 ntthtn.exe 100 PID 5040 wrote to memory of 2480 5040 frrlxrf.exe 101 PID 5040 wrote to memory of 2480 5040 frrlxrf.exe 101 PID 5040 wrote to memory of 2480 5040 frrlxrf.exe 101 PID 2480 wrote to memory of 740 2480 42660.exe 102 PID 2480 wrote to memory of 740 2480 42660.exe 102 PID 2480 wrote to memory of 740 2480 42660.exe 102 PID 740 wrote to memory of 2032 740 vpvjd.exe 103 PID 740 wrote to memory of 2032 740 vpvjd.exe 103 PID 740 wrote to memory of 2032 740 vpvjd.exe 103 PID 2032 wrote to memory of 3632 2032 44046.exe 104 PID 2032 wrote to memory of 3632 2032 44046.exe 104 PID 2032 wrote to memory of 3632 2032 44046.exe 104 PID 3632 wrote to memory of 4268 3632 44046.exe 105 PID 3632 wrote to memory of 4268 3632 44046.exe 105 PID 3632 wrote to memory of 4268 3632 44046.exe 105 PID 4268 wrote to memory of 4044 4268 u404266.exe 106
Processes (process tree; each entry gives the image path, the command line and the nesting depth, followed by the signatures that fired for it and its PID). Every dropped executable is written to the drive root `c:\` under a short random-looking name and in turn spawns the next one, producing a chain more than 120 levels deep within the 150-second run.
-
C:\Users\Admin\AppData\Local\Temp\994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe — command line: "C:\Users\Admin\AppData\Local\Temp\994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe" — depth 1 (submitted sample)
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\vjpjp.exec:\vjpjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\xlffxxr.exec:\xlffxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\s6686.exec:\s6686.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\2484260.exec:\2484260.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\lrlrxxf.exec:\lrlrxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\08000.exec:\08000.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\rlrrfxl.exec:\rlrrfxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\284826.exec:\284826.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\rrrfrlx.exec:\rrrfrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\9ffxrlf.exec:\9ffxrlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\488200.exec:\488200.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\u286008.exec:\u286008.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\xflxllx.exec:\xflxllx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\ddvpj.exec:\ddvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\ntthtn.exec:\ntthtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\frrlxrf.exec:\frrlxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\42660.exec:\42660.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\vpvjd.exec:\vpvjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\44046.exec:\44046.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\44046.exec:\44046.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\u404266.exec:\u404266.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\068048.exec:\068048.exe23⤵
- Executes dropped EXE
PID:4044 -
\??\c:\bnbnht.exec:\bnbnht.exe24⤵
- Executes dropped EXE
PID:3076 -
\??\c:\7nbbth.exec:\7nbbth.exe25⤵
- Executes dropped EXE
PID:3640 -
\??\c:\20086.exec:\20086.exe26⤵
- Executes dropped EXE
PID:3448 -
\??\c:\pppjv.exec:\pppjv.exe27⤵
- Executes dropped EXE
PID:2784 -
\??\c:\g8208.exec:\g8208.exe28⤵
- Executes dropped EXE
PID:1816 -
\??\c:\hhbthb.exec:\hhbthb.exe29⤵
- Executes dropped EXE
PID:3932 -
\??\c:\djjdd.exec:\djjdd.exe30⤵
- Executes dropped EXE
PID:4000 -
\??\c:\622082.exec:\622082.exe31⤵
- Executes dropped EXE
PID:3736 -
\??\c:\ppvjd.exec:\ppvjd.exe32⤵
- Executes dropped EXE
PID:5080 -
\??\c:\1nnhtt.exec:\1nnhtt.exe33⤵
- Executes dropped EXE
PID:2348 -
\??\c:\2008608.exec:\2008608.exe34⤵
- Executes dropped EXE
PID:3456 -
\??\c:\826600.exec:\826600.exe35⤵
- Executes dropped EXE
PID:5000 -
\??\c:\jvddv.exec:\jvddv.exe36⤵
- Executes dropped EXE
PID:1864 -
\??\c:\86822.exec:\86822.exe37⤵
- Executes dropped EXE
PID:2088 -
\??\c:\04482.exec:\04482.exe38⤵
- Executes dropped EXE
PID:2232 -
\??\c:\nnthbb.exec:\nnthbb.exe39⤵
- Executes dropped EXE
PID:4768 -
\??\c:\46260.exec:\46260.exe40⤵
- Executes dropped EXE
PID:2756 -
\??\c:\2fxrrll.exec:\2fxrrll.exe41⤵
- Executes dropped EXE
PID:4908 -
\??\c:\u808600.exec:\u808600.exe42⤵
- Executes dropped EXE
PID:4404 -
\??\c:\rlllfxx.exec:\rlllfxx.exe43⤵
- Executes dropped EXE
PID:2464 -
\??\c:\jvjdd.exec:\jvjdd.exe44⤵
- Executes dropped EXE
PID:1216 -
\??\c:\284882.exec:\284882.exe45⤵
- Executes dropped EXE
PID:4524 -
\??\c:\64004.exec:\64004.exe46⤵
- Executes dropped EXE
PID:4656 -
\??\c:\btthnt.exec:\btthnt.exe47⤵
- Executes dropped EXE
PID:4352 -
\??\c:\86260.exec:\86260.exe48⤵
- Executes dropped EXE
PID:4744 -
\??\c:\20604.exec:\20604.exe49⤵
- Executes dropped EXE
PID:4212 -
\??\c:\424826.exec:\424826.exe50⤵
- Executes dropped EXE
PID:4544 -
\??\c:\40604.exec:\40604.exe51⤵
- Executes dropped EXE
PID:1940 -
\??\c:\tttnbt.exec:\tttnbt.exe52⤵
- Executes dropped EXE
PID:384 -
\??\c:\8282228.exec:\8282228.exe53⤵
- Executes dropped EXE
PID:1672 -
\??\c:\2060482.exec:\2060482.exe54⤵
- Executes dropped EXE
PID:400 -
\??\c:\08042.exec:\08042.exe55⤵
- Executes dropped EXE
PID:2324 -
\??\c:\rfrrffx.exec:\rfrrffx.exe56⤵
- Executes dropped EXE
PID:236 -
\??\c:\xllllll.exec:\xllllll.exe57⤵
- Executes dropped EXE
PID:1392 -
\??\c:\tbhhbb.exec:\tbhhbb.exe58⤵
- Executes dropped EXE
PID:4824 -
\??\c:\084226.exec:\084226.exe59⤵
- Executes dropped EXE
PID:4444 -
\??\c:\nntnhh.exec:\nntnhh.exe60⤵
- Executes dropped EXE
PID:4800 -
\??\c:\4022426.exec:\4022426.exe61⤵
- Executes dropped EXE
PID:4896 -
\??\c:\fxllfff.exec:\fxllfff.exe62⤵
- Executes dropped EXE
PID:2224 -
\??\c:\tntbbn.exec:\tntbbn.exe63⤵
- Executes dropped EXE
PID:2904 -
\??\c:\tbbtnn.exec:\tbbtnn.exe64⤵
- Executes dropped EXE
PID:4296 -
\??\c:\tnnhtt.exec:\tnnhtt.exe65⤵
- Executes dropped EXE
PID:824 -
\??\c:\002600.exec:\002600.exe66⤵PID:2940
-
\??\c:\88408.exec:\88408.exe67⤵PID:700
-
\??\c:\40660.exec:\40660.exe68⤵PID:3148
-
\??\c:\4224480.exec:\4224480.exe69⤵PID:2380
-
\??\c:\rffrxlr.exec:\rffrxlr.exe70⤵PID:5032
-
\??\c:\dvvpj.exec:\dvvpj.exe71⤵PID:4012
-
\??\c:\1rrxlfr.exec:\1rrxlfr.exe72⤵PID:1232
-
\??\c:\0626048.exec:\0626048.exe73⤵PID:1296
-
\??\c:\200486.exec:\200486.exe74⤵PID:3452
-
\??\c:\2242042.exec:\2242042.exe75⤵PID:792
-
\??\c:\m6084.exec:\m6084.exe76⤵PID:2920
-
\??\c:\08260.exec:\08260.exe77⤵PID:4644
-
\??\c:\vvdjd.exec:\vvdjd.exe78⤵PID:3448
-
\??\c:\0888660.exec:\0888660.exe79⤵PID:4156
-
\??\c:\006426.exec:\006426.exe80⤵PID:2784
-
\??\c:\446048.exec:\446048.exe81⤵PID:5100
-
\??\c:\jvvjd.exec:\jvvjd.exe82⤵PID:2272
-
\??\c:\600422.exec:\600422.exe83⤵PID:3476
-
\??\c:\082664.exec:\082664.exe84⤵PID:1456
-
\??\c:\xlrlffx.exec:\xlrlffx.exe85⤵PID:3652
-
\??\c:\86008.exec:\86008.exe86⤵PID:1388
-
\??\c:\9rxxllf.exec:\9rxxllf.exe87⤵PID:4852
-
\??\c:\1fxlxrf.exec:\1fxlxrf.exe88⤵PID:3980
-
\??\c:\c002042.exec:\c002042.exe89⤵PID:732
-
\??\c:\rrxxrlx.exec:\rrxxrlx.exe90⤵PID:3144
-
\??\c:\bhnbnh.exec:\bhnbnh.exe91⤵PID:992
-
\??\c:\1lrrxrl.exec:\1lrrxrl.exe92⤵PID:2088
-
\??\c:\62426.exec:\62426.exe93⤵PID:2232
-
\??\c:\200404.exec:\200404.exe94⤵PID:4576
-
\??\c:\xllfrrl.exec:\xllfrrl.exe95⤵PID:4064
-
\??\c:\rrrflfx.exec:\rrrflfx.exe96⤵PID:4016
-
\??\c:\028482.exec:\028482.exe97⤵PID:4404
-
\??\c:\6442048.exec:\6442048.exe98⤵PID:2464
-
\??\c:\28486.exec:\28486.exe99⤵PID:1216
-
\??\c:\m4040.exec:\m4040.exe100⤵PID:4932
-
\??\c:\4204440.exec:\4204440.exe101⤵PID:2228
-
\??\c:\fxlffxx.exec:\fxlffxx.exe102⤵PID:728
-
\??\c:\0848660.exec:\0848660.exe103⤵PID:5104
-
\??\c:\84282.exec:\84282.exe104⤵PID:4212
-
\??\c:\9tbbbb.exec:\9tbbbb.exe105⤵PID:1068
-
\??\c:\rfxxfxx.exec:\rfxxfxx.exe106⤵PID:2616
-
\??\c:\jvpdv.exec:\jvpdv.exe107⤵PID:4664
-
\??\c:\xlrxxlf.exec:\xlrxxlf.exe108⤵PID:2924
-
\??\c:\80048.exec:\80048.exe109⤵PID:2280
-
\??\c:\044422.exec:\044422.exe110⤵PID:3104
-
\??\c:\i260662.exec:\i260662.exe111⤵PID:460
-
\??\c:\vpdvv.exec:\vpdvv.exe112⤵PID:1436
-
\??\c:\82888.exec:\82888.exe113⤵PID:4736
-
\??\c:\8288660.exec:\8288660.exe114⤵PID:4652
-
\??\c:\20020.exec:\20020.exe115⤵PID:596
-
\??\c:\a6860.exec:\a6860.exe116⤵PID:3592
-
\??\c:\28482.exec:\28482.exe117⤵PID:2488
-
\??\c:\422086.exec:\422086.exe118⤵PID:1624
-
\??\c:\pjjvp.exec:\pjjvp.exe119⤵PID:224
-
\??\c:\bhthtt.exec:\bhthtt.exe120⤵PID:4488
-
\??\c:\04064.exec:\04064.exe121⤵PID:1340
-
\??\c:\66220.exec:\66220.exe122⤵PID:2972
-