Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe
-
Size
455KB
-
MD5
bcd0f66fa1c1e3f79613b76df340bacc
-
SHA1
707fae71aa8138faa299a140e6962175c7524018
-
SHA256
998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31
-
SHA512
dd636eecf5e6047e601d5a981b231916191efd9478789f4bd45a40487780efe85699b47a44589ba1c7b6bef6e5dcda221e878886758e968d4a43d83123db4591
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1588-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2768-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4812-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4196 42260.exe 3932 jpppj.exe 4224 08028.exe 3480 rxrfrlx.exe 3080 u228828.exe 3568 2064826.exe 2160 06404.exe 3028 vdpvp.exe 1396 08846.exe 4536 htnthh.exe 2068 60048.exe 3752 q24826.exe 3956 xfxrllf.exe 3952 pvvpj.exe 4028 xrxrlfx.exe 3012 pvvjd.exe 2676 2662468.exe 2592 ttntnn.exe 1596 420260.exe 2188 hbbnbt.exe 2128 280826.exe 4064 048266.exe 2960 xlrfrlx.exe 5008 ppvjj.exe 2040 4408600.exe 2624 nhtnhb.exe 2028 84224.exe 2388 8400488.exe 4456 06820.exe 4268 htbbnh.exe 1460 44086.exe 3296 1hbtbt.exe 4964 4420606.exe 1672 82460.exe 1776 4404226.exe 876 022826.exe 3672 m0644.exe 1204 028600.exe 1020 3djvv.exe 3068 48804.exe 3156 1xllrlr.exe 2468 rxxrffx.exe 2768 44048.exe 2916 frrflll.exe 2804 8626448.exe 3924 hhhbtn.exe 1324 44426.exe 2912 68848.exe 384 42608.exe 2828 vpjdv.exe 4756 440040.exe 4488 24086.exe 456 thbnbt.exe 4068 frxxxrf.exe 1688 rllfrrf.exe 1852 dppdp.exe 2892 1bbnhn.exe 4480 2886408.exe 4896 422008.exe 3988 4064604.exe 3080 888608.exe 4492 0848262.exe 4000 o686082.exe 3444 4060482.exe -
resource yara_rule behavioral2/memory/1588-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-210-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/876-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-392-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1604-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-734-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2448660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0422448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0466884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0222048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lllxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6866000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1588 wrote to memory of 4196 1588 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 83 PID 1588 wrote to memory of 4196 1588 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 83 PID 1588 wrote to memory of 4196 1588 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 83 PID 4196 wrote to memory of 3932 4196 42260.exe 84 PID 4196 wrote to memory of 3932 4196 42260.exe 84 PID 4196 wrote to memory of 3932 4196 42260.exe 84 PID 3932 wrote to memory of 4224 3932 jpppj.exe 85 PID 3932 wrote to memory of 4224 3932 jpppj.exe 85 PID 3932 wrote to memory of 4224 3932 jpppj.exe 85 PID 4224 wrote to memory of 3480 4224 08028.exe 86 PID 4224 wrote to memory of 3480 4224 08028.exe 86 PID 4224 wrote to memory of 3480 4224 08028.exe 86 PID 3480 wrote to memory of 3080 3480 rxrfrlx.exe 87 PID 3480 wrote to memory of 3080 3480 rxrfrlx.exe 87 PID 3480 wrote to memory of 3080 3480 rxrfrlx.exe 87 PID 3080 wrote to memory of 3568 3080 u228828.exe 88 PID 3080 wrote to memory of 3568 3080 u228828.exe 88 PID 3080 wrote to memory of 3568 3080 u228828.exe 88 PID 3568 wrote to memory of 2160 3568 2064826.exe 89 PID 3568 wrote to memory of 2160 3568 2064826.exe 89 PID 3568 wrote to memory of 2160 3568 2064826.exe 89 PID 2160 wrote to memory of 3028 2160 06404.exe 90 PID 2160 wrote to memory of 3028 2160 06404.exe 90 PID 2160 wrote to memory of 3028 2160 06404.exe 90 PID 3028 wrote to memory of 1396 3028 vdpvp.exe 91 PID 3028 wrote to memory of 1396 3028 vdpvp.exe 91 PID 3028 wrote to memory of 1396 3028 vdpvp.exe 91 PID 1396 wrote to memory of 4536 1396 08846.exe 92 PID 1396 wrote to memory of 4536 1396 08846.exe 92 PID 1396 wrote to memory of 4536 1396 08846.exe 92 PID 4536 wrote to memory of 2068 4536 htnthh.exe 93 PID 4536 wrote to memory of 2068 4536 htnthh.exe 93 PID 4536 wrote to memory of 2068 4536 htnthh.exe 93 PID 2068 wrote to memory of 3752 2068 60048.exe 94 PID 2068 wrote to memory of 
3752 2068 60048.exe 94 PID 2068 wrote to memory of 3752 2068 60048.exe 94 PID 3752 wrote to memory of 3956 3752 q24826.exe 95 PID 3752 wrote to memory of 3956 3752 q24826.exe 95 PID 3752 wrote to memory of 3956 3752 q24826.exe 95 PID 3956 wrote to memory of 3952 3956 xfxrllf.exe 154 PID 3956 wrote to memory of 3952 3956 xfxrllf.exe 154 PID 3956 wrote to memory of 3952 3956 xfxrllf.exe 154 PID 3952 wrote to memory of 4028 3952 pvvpj.exe 97 PID 3952 wrote to memory of 4028 3952 pvvpj.exe 97 PID 3952 wrote to memory of 4028 3952 pvvpj.exe 97 PID 4028 wrote to memory of 3012 4028 xrxrlfx.exe 98 PID 4028 wrote to memory of 3012 4028 xrxrlfx.exe 98 PID 4028 wrote to memory of 3012 4028 xrxrlfx.exe 98 PID 3012 wrote to memory of 2676 3012 pvvjd.exe 99 PID 3012 wrote to memory of 2676 3012 pvvjd.exe 99 PID 3012 wrote to memory of 2676 3012 pvvjd.exe 99 PID 2676 wrote to memory of 2592 2676 2662468.exe 100 PID 2676 wrote to memory of 2592 2676 2662468.exe 100 PID 2676 wrote to memory of 2592 2676 2662468.exe 100 PID 2592 wrote to memory of 1596 2592 ttntnn.exe 101 PID 2592 wrote to memory of 1596 2592 ttntnn.exe 101 PID 2592 wrote to memory of 1596 2592 ttntnn.exe 101 PID 1596 wrote to memory of 2188 1596 420260.exe 102 PID 1596 wrote to memory of 2188 1596 420260.exe 102 PID 1596 wrote to memory of 2188 1596 420260.exe 102 PID 2188 wrote to memory of 2128 2188 hbbnbt.exe 103 PID 2188 wrote to memory of 2128 2188 hbbnbt.exe 103 PID 2188 wrote to memory of 2128 2188 hbbnbt.exe 103 PID 2128 wrote to memory of 4064 2128 280826.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe"C:\Users\Admin\AppData\Local\Temp\998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\42260.exec:\42260.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\jpppj.exec:\jpppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\08028.exec:\08028.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\rxrfrlx.exec:\rxrfrlx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\u228828.exec:\u228828.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\2064826.exec:\2064826.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\06404.exec:\06404.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\vdpvp.exec:\vdpvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\08846.exec:\08846.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\htnthh.exec:\htnthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\60048.exec:\60048.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\q24826.exec:\q24826.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\xfxrllf.exec:\xfxrllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\pvvpj.exec:\pvvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\xrxrlfx.exec:\xrxrlfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\pvvjd.exec:\pvvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\2662468.exec:\2662468.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\ttntnn.exec:\ttntnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\420260.exec:\420260.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\hbbnbt.exec:\hbbnbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\280826.exec:\280826.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\048266.exec:\048266.exe23⤵
- Executes dropped EXE
PID:4064 -
\??\c:\xlrfrlx.exec:\xlrfrlx.exe24⤵
- Executes dropped EXE
PID:2960 -
\??\c:\ppvjj.exec:\ppvjj.exe25⤵
- Executes dropped EXE
PID:5008 -
\??\c:\4408600.exec:\4408600.exe26⤵
- Executes dropped EXE
PID:2040 -
\??\c:\nhtnhb.exec:\nhtnhb.exe27⤵
- Executes dropped EXE
PID:2624 -
\??\c:\84224.exec:\84224.exe28⤵
- Executes dropped EXE
PID:2028 -
\??\c:\8400488.exec:\8400488.exe29⤵
- Executes dropped EXE
PID:2388 -
\??\c:\06820.exec:\06820.exe30⤵
- Executes dropped EXE
PID:4456 -
\??\c:\htbbnh.exec:\htbbnh.exe31⤵
- Executes dropped EXE
PID:4268 -
\??\c:\44086.exec:\44086.exe32⤵
- Executes dropped EXE
PID:1460 -
\??\c:\1hbtbt.exec:\1hbtbt.exe33⤵
- Executes dropped EXE
PID:3296 -
\??\c:\4420606.exec:\4420606.exe34⤵
- Executes dropped EXE
PID:4964 -
\??\c:\82460.exec:\82460.exe35⤵
- Executes dropped EXE
PID:1672 -
\??\c:\4404226.exec:\4404226.exe36⤵
- Executes dropped EXE
PID:1776 -
\??\c:\022826.exec:\022826.exe37⤵
- Executes dropped EXE
PID:876 -
\??\c:\m0644.exec:\m0644.exe38⤵
- Executes dropped EXE
PID:3672 -
\??\c:\028600.exec:\028600.exe39⤵
- Executes dropped EXE
PID:1204 -
\??\c:\3djvv.exec:\3djvv.exe40⤵
- Executes dropped EXE
PID:1020 -
\??\c:\48804.exec:\48804.exe41⤵
- Executes dropped EXE
PID:3068 -
\??\c:\1xllrlr.exec:\1xllrlr.exe42⤵
- Executes dropped EXE
PID:3156 -
\??\c:\rxxrffx.exec:\rxxrffx.exe43⤵
- Executes dropped EXE
PID:2468 -
\??\c:\44048.exec:\44048.exe44⤵
- Executes dropped EXE
PID:2768 -
\??\c:\frrflll.exec:\frrflll.exe45⤵
- Executes dropped EXE
PID:2916 -
\??\c:\8626448.exec:\8626448.exe46⤵
- Executes dropped EXE
PID:2804 -
\??\c:\hhhbtn.exec:\hhhbtn.exe47⤵
- Executes dropped EXE
PID:3924 -
\??\c:\44426.exec:\44426.exe48⤵
- Executes dropped EXE
PID:1324 -
\??\c:\68848.exec:\68848.exe49⤵
- Executes dropped EXE
PID:2912 -
\??\c:\42608.exec:\42608.exe50⤵
- Executes dropped EXE
PID:384 -
\??\c:\vpjdv.exec:\vpjdv.exe51⤵
- Executes dropped EXE
PID:2828 -
\??\c:\440040.exec:\440040.exe52⤵
- Executes dropped EXE
PID:4756 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe53⤵PID:1608
-
\??\c:\24086.exec:\24086.exe54⤵
- Executes dropped EXE
PID:4488 -
\??\c:\thbnbt.exec:\thbnbt.exe55⤵
- Executes dropped EXE
PID:456 -
\??\c:\frxxxrf.exec:\frxxxrf.exe56⤵
- Executes dropped EXE
PID:4068 -
\??\c:\rllfrrf.exec:\rllfrrf.exe57⤵
- Executes dropped EXE
PID:1688 -
\??\c:\dppdp.exec:\dppdp.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1852 -
\??\c:\1bbnhn.exec:\1bbnhn.exe59⤵
- Executes dropped EXE
PID:2892 -
\??\c:\2886408.exec:\2886408.exe60⤵
- Executes dropped EXE
PID:4480 -
\??\c:\422008.exec:\422008.exe61⤵
- Executes dropped EXE
PID:4896 -
\??\c:\4064604.exec:\4064604.exe62⤵
- Executes dropped EXE
PID:3988 -
\??\c:\888608.exec:\888608.exe63⤵
- Executes dropped EXE
PID:3080 -
\??\c:\0848262.exec:\0848262.exe64⤵
- Executes dropped EXE
PID:4492 -
\??\c:\o686082.exec:\o686082.exe65⤵
- Executes dropped EXE
PID:4000 -
\??\c:\4060482.exec:\4060482.exe66⤵
- Executes dropped EXE
PID:3444 -
\??\c:\026484.exec:\026484.exe67⤵PID:2932
-
\??\c:\26208.exec:\26208.exe68⤵PID:436
-
\??\c:\6448266.exec:\6448266.exe69⤵PID:3940
-
\??\c:\vvddv.exec:\vvddv.exe70⤵PID:2628
-
\??\c:\tttnbb.exec:\tttnbb.exe71⤵PID:1992
-
\??\c:\nhhhbb.exec:\nhhhbb.exe72⤵PID:3960
-
\??\c:\406082.exec:\406082.exe73⤵PID:3952
-
\??\c:\08264.exec:\08264.exe74⤵PID:3016
-
\??\c:\q84204.exec:\q84204.exe75⤵PID:1528
-
\??\c:\4848482.exec:\4848482.exe76⤵PID:3520
-
\??\c:\o688826.exec:\o688826.exe77⤵PID:3604
-
\??\c:\w88822.exec:\w88822.exe78⤵PID:4812
-
\??\c:\k80284.exec:\k80284.exe79⤵PID:1940
-
\??\c:\2866604.exec:\2866604.exe80⤵PID:2488
-
\??\c:\2840004.exec:\2840004.exe81⤵PID:4808
-
\??\c:\hhnntb.exec:\hhnntb.exe82⤵PID:3044
-
\??\c:\844488.exec:\844488.exe83⤵PID:4952
-
\??\c:\08042.exec:\08042.exe84⤵PID:4900
-
\??\c:\480488.exec:\480488.exe85⤵PID:2596
-
\??\c:\2460004.exec:\2460004.exe86⤵PID:2388
-
\??\c:\5frllll.exec:\5frllll.exe87⤵PID:4456
-
\??\c:\80600.exec:\80600.exe88⤵PID:1292
-
\??\c:\7fxfflf.exec:\7fxfflf.exe89⤵PID:1460
-
\??\c:\u088480.exec:\u088480.exe90⤵PID:800
-
\??\c:\3fxxrrr.exec:\3fxxrrr.exe91⤵PID:5072
-
\??\c:\dvdvp.exec:\dvdvp.exe92⤵PID:2404
-
\??\c:\vjvvd.exec:\vjvvd.exe93⤵PID:4300
-
\??\c:\40644.exec:\40644.exe94⤵PID:4924
-
\??\c:\48662.exec:\48662.exe95⤵PID:5032
-
\??\c:\xflffff.exec:\xflffff.exe96⤵PID:1020
-
\??\c:\22820.exec:\22820.exe97⤵PID:1604
-
\??\c:\hnnbbt.exec:\hnnbbt.exe98⤵PID:2056
-
\??\c:\btbthh.exec:\btbthh.exe99⤵PID:2280
-
\??\c:\nntnnn.exec:\nntnnn.exe100⤵PID:5036
-
\??\c:\82866.exec:\82866.exe101⤵PID:3796
-
\??\c:\i600826.exec:\i600826.exe102⤵PID:2372
-
\??\c:\2868424.exec:\2868424.exe103⤵PID:1600
-
\??\c:\dpdvp.exec:\dpdvp.exe104⤵PID:5012
-
\??\c:\jppdv.exec:\jppdv.exe105⤵PID:1640
-
\??\c:\dvdvp.exec:\dvdvp.exe106⤵PID:3964
-
\??\c:\84862.exec:\84862.exe107⤵PID:4392
-
\??\c:\824466.exec:\824466.exe108⤵PID:624
-
\??\c:\840824.exec:\840824.exe109⤵PID:2232
-
\??\c:\48440.exec:\48440.exe110⤵PID:4136
-
\??\c:\2000482.exec:\2000482.exe111⤵PID:3728
-
\??\c:\vdvjj.exec:\vdvjj.exe112⤵PID:4068
-
\??\c:\5bhbhb.exec:\5bhbhb.exe113⤵PID:4328
-
\??\c:\hbtnbt.exec:\hbtnbt.exe114⤵PID:4120
-
\??\c:\64860.exec:\64860.exe115⤵PID:1188
-
\??\c:\fflfffr.exec:\fflfffr.exe116⤵PID:4660
-
\??\c:\hbnnhh.exec:\hbnnhh.exe117⤵PID:3892
-
\??\c:\tntnhh.exec:\tntnhh.exe118⤵
- System Location Discovery: System Language Discovery
PID:3260 -
\??\c:\0826004.exec:\0826004.exe119⤵PID:3676
-
\??\c:\2682046.exec:\2682046.exe120⤵PID:4824
-
\??\c:\tnnnbb.exec:\tnnnbb.exe121⤵PID:4420
-
\??\c:\046622.exec:\046622.exe122⤵PID:3080