Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe
-
Size
454KB
-
MD5
f586ee83258bf58dc0e8a2dddfd24ed8
-
SHA1
a11cdfa5c58e6c97220c228d9d3cb5ca5f612baf
-
SHA256
5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704
-
SHA512
860cfce80fd989ad8318d7c31e64bf32feec7ac1916941233441dc90452980308a438a7730abf7eb33938d7da45c89760ccb7cebc17380f64693d90ac055e86f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeET:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4304-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4432-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5000-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-1368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-1668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4304 60448.exe 3460 9ddjd.exe 1476 04088.exe 2840 9xfxrrl.exe 3420 1lrllll.exe 3384 dvpjd.exe 2812 jjppj.exe 4820 xrrrllf.exe 312 0022228.exe 1288 62204.exe 1300 468000.exe 2068 m0406.exe 1372 04084.exe 2120 664044.exe 1224 q80444.exe 2496 84660.exe 1760 9flfxff.exe 1684 hhnnhh.exe 2104 hntnbt.exe 1208 hbtnhb.exe 3916 84046.exe 4156 xxrlfxr.exe 4584 2020488.exe 4432 rflfrrl.exe 4872 226060.exe 932 nbbthh.exe 4032 64486.exe 2852 hnnttb.exe 2796 lfrlllx.exe 1232 jdvjv.exe 1216 frrlrrf.exe 1004 hnhnbh.exe 4212 flrlffx.exe 1864 60666.exe 4664 9rfrffx.exe 1536 6866206.exe 4484 5jpjp.exe 2028 4208422.exe 4136 nhbtbn.exe 1392 hntnbb.exe 960 jvvvv.exe 1992 4226622.exe 1528 hhtthh.exe 3180 dpvjj.exe 3764 xlxrlfx.exe 3504 nntttt.exe 4340 frrrrfl.exe 4324 rflrrlx.exe 1688 pdpjj.exe 2452 88626.exe 840 88868.exe 2788 646864.exe 4616 26844.exe 4712 rxlxrxx.exe 4360 c626004.exe 2212 0460808.exe 956 84044.exe 4836 06666.exe 3160 dpppj.exe 2656 9flxrrl.exe 3812 a8082.exe 4784 60660.exe 3368 nbhbbb.exe 1120 04048.exe -
resource yara_rule behavioral2/memory/4304-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4432-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-340-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2208-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-557-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k44866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 002040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c626004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxllx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2422666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6468844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2452 wrote to memory of 4304 2452 5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe 83 PID 2452 wrote to memory of 4304 2452 5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe 83 PID 2452 wrote to memory of 4304 2452 5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe 83 PID 4304 wrote to memory of 3460 4304 60448.exe 84 PID 4304 wrote to memory of 3460 4304 60448.exe 84 PID 4304 wrote to memory of 3460 4304 60448.exe 84 PID 3460 wrote to memory of 1476 3460 9ddjd.exe 85 PID 3460 wrote to memory of 1476 3460 9ddjd.exe 85 PID 3460 wrote to memory of 1476 3460 9ddjd.exe 85 PID 1476 wrote to memory of 2840 1476 04088.exe 86 PID 1476 wrote to memory of 2840 1476 04088.exe 86 PID 1476 wrote to memory of 2840 1476 04088.exe 86 PID 2840 wrote to memory of 3420 2840 9xfxrrl.exe 87 PID 2840 wrote to memory of 3420 2840 9xfxrrl.exe 87 PID 2840 wrote to memory of 3420 2840 9xfxrrl.exe 87 PID 3420 wrote to memory of 3384 3420 1lrllll.exe 88 PID 3420 wrote to memory of 3384 3420 1lrllll.exe 88 PID 3420 wrote to memory of 3384 3420 1lrllll.exe 88 PID 3384 wrote to memory of 2812 3384 dvpjd.exe 89 PID 3384 wrote to memory of 2812 3384 dvpjd.exe 89 PID 3384 wrote to memory of 2812 3384 dvpjd.exe 89 PID 2812 wrote to memory of 4820 2812 jjppj.exe 90 PID 2812 wrote to memory of 4820 2812 jjppj.exe 90 PID 2812 wrote to memory of 4820 2812 jjppj.exe 90 PID 4820 wrote to memory of 312 4820 xrrrllf.exe 91 PID 4820 wrote to memory of 312 4820 xrrrllf.exe 91 PID 4820 wrote to memory of 312 4820 xrrrllf.exe 91 PID 312 wrote to memory of 1288 312 0022228.exe 92 PID 312 wrote to memory of 1288 312 0022228.exe 92 PID 312 wrote to memory of 1288 312 0022228.exe 92 PID 1288 wrote to memory of 1300 1288 62204.exe 93 PID 1288 wrote to memory of 1300 1288 62204.exe 93 PID 1288 wrote to memory of 1300 1288 62204.exe 93 PID 1300 wrote to memory of 2068 1300 468000.exe 94 PID 1300 wrote to memory of 2068 
1300 468000.exe 94 PID 1300 wrote to memory of 2068 1300 468000.exe 94 PID 2068 wrote to memory of 1372 2068 m0406.exe 95 PID 2068 wrote to memory of 1372 2068 m0406.exe 95 PID 2068 wrote to memory of 1372 2068 m0406.exe 95 PID 1372 wrote to memory of 2120 1372 04084.exe 96 PID 1372 wrote to memory of 2120 1372 04084.exe 96 PID 1372 wrote to memory of 2120 1372 04084.exe 96 PID 2120 wrote to memory of 1224 2120 664044.exe 97 PID 2120 wrote to memory of 1224 2120 664044.exe 97 PID 2120 wrote to memory of 1224 2120 664044.exe 97 PID 1224 wrote to memory of 2496 1224 q80444.exe 98 PID 1224 wrote to memory of 2496 1224 q80444.exe 98 PID 1224 wrote to memory of 2496 1224 q80444.exe 98 PID 2496 wrote to memory of 1760 2496 84660.exe 99 PID 2496 wrote to memory of 1760 2496 84660.exe 99 PID 2496 wrote to memory of 1760 2496 84660.exe 99 PID 1760 wrote to memory of 1684 1760 9flfxff.exe 100 PID 1760 wrote to memory of 1684 1760 9flfxff.exe 100 PID 1760 wrote to memory of 1684 1760 9flfxff.exe 100 PID 1684 wrote to memory of 2104 1684 hhnnhh.exe 101 PID 1684 wrote to memory of 2104 1684 hhnnhh.exe 101 PID 1684 wrote to memory of 2104 1684 hhnnhh.exe 101 PID 2104 wrote to memory of 1208 2104 hntnbt.exe 102 PID 2104 wrote to memory of 1208 2104 hntnbt.exe 102 PID 2104 wrote to memory of 1208 2104 hntnbt.exe 102 PID 1208 wrote to memory of 3916 1208 hbtnhb.exe 103 PID 1208 wrote to memory of 3916 1208 hbtnhb.exe 103 PID 1208 wrote to memory of 3916 1208 hbtnhb.exe 103 PID 3916 wrote to memory of 4156 3916 84046.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe"C:\Users\Admin\AppData\Local\Temp\5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\60448.exec:\60448.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\9ddjd.exec:\9ddjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\04088.exec:\04088.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\9xfxrrl.exec:\9xfxrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\1lrllll.exec:\1lrllll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\dvpjd.exec:\dvpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\jjppj.exec:\jjppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\xrrrllf.exec:\xrrrllf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\0022228.exec:\0022228.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
\??\c:\62204.exec:\62204.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\468000.exec:\468000.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\m0406.exec:\m0406.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\04084.exec:\04084.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\664044.exec:\664044.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\q80444.exec:\q80444.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\84660.exec:\84660.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\9flfxff.exec:\9flfxff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\hhnnhh.exec:\hhnnhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\hntnbt.exec:\hntnbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\hbtnhb.exec:\hbtnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\84046.exec:\84046.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\xxrlfxr.exec:\xxrlfxr.exe23⤵
- Executes dropped EXE
PID:4156 -
\??\c:\2020488.exec:\2020488.exe24⤵
- Executes dropped EXE
PID:4584 -
\??\c:\rflfrrl.exec:\rflfrrl.exe25⤵
- Executes dropped EXE
PID:4432 -
\??\c:\226060.exec:\226060.exe26⤵
- Executes dropped EXE
PID:4872 -
\??\c:\nbbthh.exec:\nbbthh.exe27⤵
- Executes dropped EXE
PID:932 -
\??\c:\64486.exec:\64486.exe28⤵
- Executes dropped EXE
PID:4032 -
\??\c:\hnnttb.exec:\hnnttb.exe29⤵
- Executes dropped EXE
PID:2852 -
\??\c:\lfrlllx.exec:\lfrlllx.exe30⤵
- Executes dropped EXE
PID:2796 -
\??\c:\jdvjv.exec:\jdvjv.exe31⤵
- Executes dropped EXE
PID:1232 -
\??\c:\frrlrrf.exec:\frrlrrf.exe32⤵
- Executes dropped EXE
PID:1216 -
\??\c:\hnhnbh.exec:\hnhnbh.exe33⤵
- Executes dropped EXE
PID:1004 -
\??\c:\flrlffx.exec:\flrlffx.exe34⤵
- Executes dropped EXE
PID:4212 -
\??\c:\60666.exec:\60666.exe35⤵
- Executes dropped EXE
PID:1864 -
\??\c:\9rfrffx.exec:\9rfrffx.exe36⤵
- Executes dropped EXE
PID:4664 -
\??\c:\6866206.exec:\6866206.exe37⤵
- Executes dropped EXE
PID:1536 -
\??\c:\5jpjp.exec:\5jpjp.exe38⤵
- Executes dropped EXE
PID:4484 -
\??\c:\4208422.exec:\4208422.exe39⤵
- Executes dropped EXE
PID:2028 -
\??\c:\nhbtbn.exec:\nhbtbn.exe40⤵
- Executes dropped EXE
PID:4136 -
\??\c:\hntnbb.exec:\hntnbb.exe41⤵
- Executes dropped EXE
PID:1392 -
\??\c:\jvvvv.exec:\jvvvv.exe42⤵
- Executes dropped EXE
PID:960 -
\??\c:\4226622.exec:\4226622.exe43⤵
- Executes dropped EXE
PID:1992 -
\??\c:\hhtthh.exec:\hhtthh.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
\??\c:\dpvjj.exec:\dpvjj.exe45⤵
- Executes dropped EXE
PID:3180 -
\??\c:\xlxrlfx.exec:\xlxrlfx.exe46⤵
- Executes dropped EXE
PID:3764 -
\??\c:\nntttt.exec:\nntttt.exe47⤵
- Executes dropped EXE
PID:3504 -
\??\c:\frrrrfl.exec:\frrrrfl.exe48⤵
- Executes dropped EXE
PID:4340 -
\??\c:\rflrrlx.exec:\rflrrlx.exe49⤵
- Executes dropped EXE
PID:4324 -
\??\c:\pdpjj.exec:\pdpjj.exe50⤵
- Executes dropped EXE
PID:1688 -
\??\c:\88626.exec:\88626.exe51⤵
- Executes dropped EXE
PID:2452 -
\??\c:\88868.exec:\88868.exe52⤵
- Executes dropped EXE
PID:840 -
\??\c:\646864.exec:\646864.exe53⤵
- Executes dropped EXE
PID:2788 -
\??\c:\26844.exec:\26844.exe54⤵
- Executes dropped EXE
PID:4616 -
\??\c:\rxlxrxx.exec:\rxlxrxx.exe55⤵
- Executes dropped EXE
PID:4712 -
\??\c:\c626004.exec:\c626004.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4360 -
\??\c:\0460808.exec:\0460808.exe57⤵
- Executes dropped EXE
PID:2212 -
\??\c:\84044.exec:\84044.exe58⤵
- Executes dropped EXE
PID:956 -
\??\c:\06666.exec:\06666.exe59⤵
- Executes dropped EXE
PID:4836 -
\??\c:\dpppj.exec:\dpppj.exe60⤵
- Executes dropped EXE
PID:3160 -
\??\c:\9flxrrl.exec:\9flxrrl.exe61⤵
- Executes dropped EXE
PID:2656 -
\??\c:\a8082.exec:\a8082.exe62⤵
- Executes dropped EXE
PID:3812 -
\??\c:\60660.exec:\60660.exe63⤵
- Executes dropped EXE
PID:4784 -
\??\c:\nbhbbb.exec:\nbhbbb.exe64⤵
- Executes dropped EXE
PID:3368 -
\??\c:\04048.exec:\04048.exe65⤵
- Executes dropped EXE
PID:1120 -
\??\c:\0200448.exec:\0200448.exe66⤵PID:3960
-
\??\c:\hhtntn.exec:\hhtntn.exe67⤵PID:2380
-
\??\c:\g2204.exec:\g2204.exe68⤵PID:2780
-
\??\c:\rllxrrl.exec:\rllxrrl.exe69⤵PID:224
-
\??\c:\vpjvp.exec:\vpjvp.exe70⤵PID:4188
-
\??\c:\4226484.exec:\4226484.exe71⤵PID:2360
-
\??\c:\0820860.exec:\0820860.exe72⤵PID:2860
-
\??\c:\xlxlfxr.exec:\xlxlfxr.exe73⤵PID:2404
-
\??\c:\628200.exec:\628200.exe74⤵PID:5000
-
\??\c:\k62644.exec:\k62644.exe75⤵PID:116
-
\??\c:\066044.exec:\066044.exe76⤵PID:2436
-
\??\c:\q28204.exec:\q28204.exe77⤵PID:1368
-
\??\c:\nnhbth.exec:\nnhbth.exe78⤵PID:4792
-
\??\c:\2020444.exec:\2020444.exe79⤵PID:2292
-
\??\c:\tbhthb.exec:\tbhthb.exe80⤵PID:1020
-
\??\c:\xllxrlf.exec:\xllxrlf.exe81⤵PID:4744
-
\??\c:\vppjd.exec:\vppjd.exe82⤵
- System Location Discovery: System Language Discovery
PID:212 -
\??\c:\9nhbhb.exec:\9nhbhb.exe83⤵PID:924
-
\??\c:\04442.exec:\04442.exe84⤵PID:4420
-
\??\c:\u620886.exec:\u620886.exe85⤵PID:4432
-
\??\c:\nhnhtb.exec:\nhnhtb.exe86⤵PID:1180
-
\??\c:\804686.exec:\804686.exe87⤵PID:2208
-
\??\c:\086662.exec:\086662.exe88⤵PID:5048
-
\??\c:\46826.exec:\46826.exe89⤵PID:4032
-
\??\c:\jpdpp.exec:\jpdpp.exe90⤵PID:4984
-
\??\c:\3jjdp.exec:\3jjdp.exe91⤵PID:1136
-
\??\c:\pddvd.exec:\pddvd.exe92⤵PID:3888
-
\??\c:\ppdvj.exec:\ppdvj.exe93⤵PID:3220
-
\??\c:\4222604.exec:\4222604.exe94⤵PID:2024
-
\??\c:\9pjdv.exec:\9pjdv.exe95⤵PID:2632
-
\??\c:\vjjvj.exec:\vjjvj.exe96⤵PID:684
-
\??\c:\9pvjj.exec:\9pvjj.exe97⤵PID:2368
-
\??\c:\lxxlffx.exec:\lxxlffx.exe98⤵PID:4832
-
\??\c:\jjvpj.exec:\jjvpj.exe99⤵PID:3824
-
\??\c:\m2208.exec:\m2208.exe100⤵PID:3828
-
\??\c:\8026288.exec:\8026288.exe101⤵PID:1396
-
\??\c:\206426.exec:\206426.exe102⤵PID:2972
-
\??\c:\3bbnhb.exec:\3bbnhb.exe103⤵PID:4896
-
\??\c:\8844264.exec:\8844264.exe104⤵PID:2108
-
\??\c:\466048.exec:\466048.exe105⤵PID:5092
-
\??\c:\002040.exec:\002040.exe106⤵
- System Location Discovery: System Language Discovery
PID:1028 -
\??\c:\2000448.exec:\2000448.exe107⤵PID:4236
-
\??\c:\4082048.exec:\4082048.exe108⤵PID:4488
-
\??\c:\jpvvj.exec:\jpvvj.exe109⤵
- System Location Discovery: System Language Discovery
PID:2792 -
\??\c:\600426.exec:\600426.exe110⤵PID:232
-
\??\c:\7nthtt.exec:\7nthtt.exe111⤵PID:4324
-
\??\c:\q46600.exec:\q46600.exe112⤵PID:4808
-
\??\c:\s8440.exec:\s8440.exe113⤵PID:656
-
\??\c:\djjpj.exec:\djjpj.exe114⤵PID:736
-
\??\c:\frrlfxl.exec:\frrlfxl.exe115⤵PID:5012
-
\??\c:\686682.exec:\686682.exe116⤵PID:1036
-
\??\c:\pdpjv.exec:\pdpjv.exe117⤵PID:4244
-
\??\c:\frxrrlf.exec:\frxrrlf.exe118⤵PID:3684
-
\??\c:\804046.exec:\804046.exe119⤵PID:3420
-
\??\c:\000266.exec:\000266.exe120⤵PID:2940
-
\??\c:\06600.exec:\06600.exe121⤵PID:4468
-
\??\c:\4846820.exec:\4846820.exe122⤵PID:2996