Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe
-
Size
454KB
-
MD5
077a90a0acacb4e6ae62b1f89f6a5a9c
-
SHA1
a40c636cb09249a0e5ea47909dd52c95cdd228f5
-
SHA256
be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59
-
SHA512
d23d7773dddbd7e2e3f9da9ef4ae8e5031493b3243e02219af35d4ceababa70dab1f445099f5e6cfbd877223de4c42f99c4db4731f8c3b0ed9ae2941ead07069
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4356-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4928-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4860-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-846-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-973-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-1155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-1171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-1185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3632-1385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4356 888644.exe 2352 7xrlxrl.exe 4948 8000404.exe 2680 jjvjd.exe 5060 lllfrfx.exe 4408 20008.exe 2592 rfxrfrl.exe 4448 646442.exe 2960 66482.exe 1948 bnnbnn.exe 1596 xlxlrlf.exe 4860 26488.exe 548 xrxlffl.exe 3900 xffxxrr.exe 2696 xfrxxxr.exe 4376 22828.exe 4904 dvdpj.exe 740 6242660.exe 1936 5djdj.exe 1460 dpvpj.exe 3568 vpjdv.exe 232 648648.exe 1544 860864.exe 3132 rrlrxlx.exe 4640 pjdpd.exe 2480 xlflrlr.exe 1088 i226042.exe 4496 6608608.exe 2576 44420.exe 2164 1hbhnh.exe 5056 666420.exe 384 9rfxlfr.exe 4180 frrfxlf.exe 1912 80020.exe 4672 g8264.exe 3492 64820.exe 3244 pvpdp.exe 4624 00608.exe 4872 686026.exe 2484 o664862.exe 5040 660804.exe 4020 8842086.exe 4012 rrrfrlx.exe 3884 3llxlfr.exe 4928 26428.exe 3120 888660.exe 5072 9xrllfx.exe 1980 9nhtht.exe 2260 pvvpd.exe 4328 7jdvj.exe 3240 06086.exe 4796 a6600.exe 208 0004264.exe 5068 bnthht.exe 5044 ddvjp.exe 1028 llrfffx.exe 3552 ttbnbt.exe 4972 6604264.exe 3204 5tthtn.exe 5084 xrlxlfr.exe 1860 rlxlxrl.exe 4388 000864.exe 2592 pvjdp.exe 4900 c006082.exe -
resource yara_rule behavioral2/memory/4356-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-214-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4624-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4916-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-846-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-863-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w40242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 628222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8606426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u466266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4864 wrote to memory of 4356 4864 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 85 PID 4864 wrote to memory of 4356 4864 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 85 PID 4864 wrote to memory of 4356 4864 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 85 PID 4356 wrote to memory of 2352 4356 888644.exe 86 PID 4356 wrote to memory of 2352 4356 888644.exe 86 PID 4356 wrote to memory of 2352 4356 888644.exe 86 PID 2352 wrote to memory of 4948 2352 7xrlxrl.exe 87 PID 2352 wrote to memory of 4948 2352 7xrlxrl.exe 87 PID 2352 wrote to memory of 4948 2352 7xrlxrl.exe 87 PID 4948 wrote to memory of 2680 4948 8000404.exe 88 PID 4948 wrote to memory of 2680 4948 8000404.exe 88 PID 4948 wrote to memory of 2680 4948 8000404.exe 88 PID 2680 wrote to memory of 5060 2680 jjvjd.exe 89 PID 2680 wrote to memory of 5060 2680 jjvjd.exe 89 PID 2680 wrote to memory of 5060 2680 jjvjd.exe 89 PID 5060 wrote to memory of 4408 5060 lllfrfx.exe 90 PID 5060 wrote to memory of 4408 5060 lllfrfx.exe 90 PID 5060 wrote to memory of 4408 5060 lllfrfx.exe 90 PID 4408 wrote to memory of 2592 4408 20008.exe 147 PID 4408 wrote to memory of 2592 4408 20008.exe 147 PID 4408 wrote to memory of 2592 4408 20008.exe 147 PID 2592 wrote to memory of 4448 2592 rfxrfrl.exe 92 PID 2592 wrote to memory of 4448 2592 rfxrfrl.exe 92 PID 2592 wrote to memory of 4448 2592 rfxrfrl.exe 92 PID 4448 wrote to memory of 2960 4448 646442.exe 93 PID 4448 wrote to memory of 2960 4448 646442.exe 93 PID 4448 wrote to memory of 2960 4448 646442.exe 93 PID 2960 wrote to memory of 1948 2960 66482.exe 151 PID 2960 wrote to memory of 1948 2960 66482.exe 151 PID 2960 wrote to memory of 1948 2960 66482.exe 151 PID 1948 wrote to memory of 1596 1948 bnnbnn.exe 95 PID 1948 wrote to memory of 1596 1948 bnnbnn.exe 95 PID 1948 wrote to memory of 1596 1948 bnnbnn.exe 95 PID 1596 wrote to memory of 4860 1596 xlxlrlf.exe 152 PID 1596 
wrote to memory of 4860 1596 xlxlrlf.exe 152 PID 1596 wrote to memory of 4860 1596 xlxlrlf.exe 152 PID 4860 wrote to memory of 548 4860 26488.exe 97 PID 4860 wrote to memory of 548 4860 26488.exe 97 PID 4860 wrote to memory of 548 4860 26488.exe 97 PID 548 wrote to memory of 3900 548 xrxlffl.exe 98 PID 548 wrote to memory of 3900 548 xrxlffl.exe 98 PID 548 wrote to memory of 3900 548 xrxlffl.exe 98 PID 3900 wrote to memory of 2696 3900 xffxxrr.exe 99 PID 3900 wrote to memory of 2696 3900 xffxxrr.exe 99 PID 3900 wrote to memory of 2696 3900 xffxxrr.exe 99 PID 2696 wrote to memory of 4376 2696 xfrxxxr.exe 100 PID 2696 wrote to memory of 4376 2696 xfrxxxr.exe 100 PID 2696 wrote to memory of 4376 2696 xfrxxxr.exe 100 PID 4376 wrote to memory of 4904 4376 22828.exe 101 PID 4376 wrote to memory of 4904 4376 22828.exe 101 PID 4376 wrote to memory of 4904 4376 22828.exe 101 PID 4904 wrote to memory of 740 4904 dvdpj.exe 102 PID 4904 wrote to memory of 740 4904 dvdpj.exe 102 PID 4904 wrote to memory of 740 4904 dvdpj.exe 102 PID 740 wrote to memory of 1936 740 6242660.exe 103 PID 740 wrote to memory of 1936 740 6242660.exe 103 PID 740 wrote to memory of 1936 740 6242660.exe 103 PID 1936 wrote to memory of 1460 1936 5djdj.exe 104 PID 1936 wrote to memory of 1460 1936 5djdj.exe 104 PID 1936 wrote to memory of 1460 1936 5djdj.exe 104 PID 1460 wrote to memory of 3568 1460 dpvpj.exe 105 PID 1460 wrote to memory of 3568 1460 dpvpj.exe 105 PID 1460 wrote to memory of 3568 1460 dpvpj.exe 105 PID 3568 wrote to memory of 232 3568 vpjdv.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe"C:\Users\Admin\AppData\Local\Temp\be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\888644.exec:\888644.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\7xrlxrl.exec:\7xrlxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\8000404.exec:\8000404.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\jjvjd.exec:\jjvjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\lllfrfx.exec:\lllfrfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\20008.exec:\20008.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\rfxrfrl.exec:\rfxrfrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\646442.exec:\646442.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\66482.exec:\66482.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\bnnbnn.exec:\bnnbnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\xlxlrlf.exec:\xlxlrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\26488.exec:\26488.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\xrxlffl.exec:\xrxlffl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\xffxxrr.exec:\xffxxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\xfrxxxr.exec:\xfrxxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\22828.exec:\22828.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\dvdpj.exec:\dvdpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\6242660.exec:\6242660.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\5djdj.exec:\5djdj.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\dpvpj.exec:\dpvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\vpjdv.exec:\vpjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\648648.exec:\648648.exe23⤵
- Executes dropped EXE
PID:232 -
\??\c:\860864.exec:\860864.exe24⤵
- Executes dropped EXE
PID:1544 -
\??\c:\rrlrxlx.exec:\rrlrxlx.exe25⤵
- Executes dropped EXE
PID:3132 -
\??\c:\pjdpd.exec:\pjdpd.exe26⤵
- Executes dropped EXE
PID:4640 -
\??\c:\xlflrlr.exec:\xlflrlr.exe27⤵
- Executes dropped EXE
PID:2480 -
\??\c:\i226042.exec:\i226042.exe28⤵
- Executes dropped EXE
PID:1088 -
\??\c:\6608608.exec:\6608608.exe29⤵
- Executes dropped EXE
PID:4496 -
\??\c:\44420.exec:\44420.exe30⤵
- Executes dropped EXE
PID:2576 -
\??\c:\1hbhnh.exec:\1hbhnh.exe31⤵
- Executes dropped EXE
PID:2164 -
\??\c:\666420.exec:\666420.exe32⤵
- Executes dropped EXE
PID:5056 -
\??\c:\9rfxlfr.exec:\9rfxlfr.exe33⤵
- Executes dropped EXE
PID:384 -
\??\c:\frrfxlf.exec:\frrfxlf.exe34⤵
- Executes dropped EXE
PID:4180 -
\??\c:\80020.exec:\80020.exe35⤵
- Executes dropped EXE
PID:1912 -
\??\c:\g8264.exec:\g8264.exe36⤵
- Executes dropped EXE
PID:4672 -
\??\c:\64820.exec:\64820.exe37⤵
- Executes dropped EXE
PID:3492 -
\??\c:\pvpdp.exec:\pvpdp.exe38⤵
- Executes dropped EXE
PID:3244 -
\??\c:\00608.exec:\00608.exe39⤵
- Executes dropped EXE
PID:4624 -
\??\c:\686026.exec:\686026.exe40⤵
- Executes dropped EXE
PID:4872 -
\??\c:\o664862.exec:\o664862.exe41⤵
- Executes dropped EXE
PID:2484 -
\??\c:\660804.exec:\660804.exe42⤵
- Executes dropped EXE
PID:5040 -
\??\c:\8842086.exec:\8842086.exe43⤵
- Executes dropped EXE
PID:4020 -
\??\c:\rrrfrlx.exec:\rrrfrlx.exe44⤵
- Executes dropped EXE
PID:4012 -
\??\c:\3llxlfr.exec:\3llxlfr.exe45⤵
- Executes dropped EXE
PID:3884 -
\??\c:\26428.exec:\26428.exe46⤵
- Executes dropped EXE
PID:4928 -
\??\c:\888660.exec:\888660.exe47⤵
- Executes dropped EXE
PID:3120 -
\??\c:\9xrllfx.exec:\9xrllfx.exe48⤵
- Executes dropped EXE
PID:5072 -
\??\c:\9nhtht.exec:\9nhtht.exe49⤵
- Executes dropped EXE
PID:1980 -
\??\c:\pvvpd.exec:\pvvpd.exe50⤵
- Executes dropped EXE
PID:2260 -
\??\c:\7jdvj.exec:\7jdvj.exe51⤵
- Executes dropped EXE
PID:4328 -
\??\c:\06086.exec:\06086.exe52⤵
- Executes dropped EXE
PID:3240 -
\??\c:\a6600.exec:\a6600.exe53⤵
- Executes dropped EXE
PID:4796 -
\??\c:\0004264.exec:\0004264.exe54⤵
- Executes dropped EXE
PID:208 -
\??\c:\bnthht.exec:\bnthht.exe55⤵
- Executes dropped EXE
PID:5068 -
\??\c:\ddvjp.exec:\ddvjp.exe56⤵
- Executes dropped EXE
PID:5044 -
\??\c:\llrfffx.exec:\llrfffx.exe57⤵
- Executes dropped EXE
PID:1028 -
\??\c:\ttbnbt.exec:\ttbnbt.exe58⤵
- Executes dropped EXE
PID:3552 -
\??\c:\6604264.exec:\6604264.exe59⤵
- Executes dropped EXE
PID:4972 -
\??\c:\5tthtn.exec:\5tthtn.exe60⤵
- Executes dropped EXE
PID:3204 -
\??\c:\xrlxlfr.exec:\xrlxlfr.exe61⤵
- Executes dropped EXE
PID:5084 -
\??\c:\rlxlxrl.exec:\rlxlxrl.exe62⤵
- Executes dropped EXE
PID:1860 -
\??\c:\000864.exec:\000864.exe63⤵
- Executes dropped EXE
PID:4388 -
\??\c:\pvjdp.exec:\pvjdp.exe64⤵
- Executes dropped EXE
PID:2592 -
\??\c:\c006082.exec:\c006082.exe65⤵
- Executes dropped EXE
PID:4900 -
\??\c:\44042.exec:\44042.exe66⤵PID:3172
-
\??\c:\nbthnh.exec:\nbthnh.exe67⤵PID:1396
-
\??\c:\6460820.exec:\6460820.exe68⤵PID:1948
-
\??\c:\1nhbtn.exec:\1nhbtn.exe69⤵PID:4860
-
\??\c:\jppjv.exec:\jppjv.exe70⤵PID:1300
-
\??\c:\4226486.exec:\4226486.exe71⤵PID:1164
-
\??\c:\682006.exec:\682006.exe72⤵PID:1644
-
\??\c:\86608.exec:\86608.exe73⤵PID:548
-
\??\c:\7jddp.exec:\7jddp.exe74⤵PID:4376
-
\??\c:\484848.exec:\484848.exe75⤵PID:4904
-
\??\c:\jvdpd.exec:\jvdpd.exe76⤵PID:752
-
\??\c:\86222.exec:\86222.exe77⤵PID:1936
-
\??\c:\ntnbnh.exec:\ntnbnh.exe78⤵PID:3524
-
\??\c:\btthbt.exec:\btthbt.exe79⤵PID:5096
-
\??\c:\nhhthb.exec:\nhhthb.exe80⤵PID:2572
-
\??\c:\644800.exec:\644800.exe81⤵PID:4916
-
\??\c:\2820826.exec:\2820826.exe82⤵PID:2480
-
\??\c:\s2828.exec:\s2828.exe83⤵PID:3032
-
\??\c:\7bnhhh.exec:\7bnhhh.exe84⤵PID:4496
-
\??\c:\jppdd.exec:\jppdd.exe85⤵PID:1480
-
\??\c:\ttnhbb.exec:\ttnhbb.exe86⤵PID:4996
-
\??\c:\bntnbb.exec:\bntnbb.exe87⤵PID:4892
-
\??\c:\pvjdd.exec:\pvjdd.exe88⤵PID:1664
-
\??\c:\hbbthh.exec:\hbbthh.exe89⤵PID:3636
-
\??\c:\0208660.exec:\0208660.exe90⤵PID:184
-
\??\c:\m4026.exec:\m4026.exe91⤵PID:1352
-
\??\c:\rxxrrrl.exec:\rxxrrrl.exe92⤵PID:996
-
\??\c:\860820.exec:\860820.exe93⤵PID:2484
-
\??\c:\g0002.exec:\g0002.exe94⤵PID:5040
-
\??\c:\dvvpd.exec:\dvvpd.exe95⤵PID:5048
-
\??\c:\6682048.exec:\6682048.exe96⤵PID:2468
-
\??\c:\s0046.exec:\s0046.exe97⤵PID:1548
-
\??\c:\nhhbhb.exec:\nhhbhb.exe98⤵PID:3708
-
\??\c:\lxxrxrl.exec:\lxxrxrl.exe99⤵PID:4280
-
\??\c:\4282284.exec:\4282284.exe100⤵PID:4000
-
\??\c:\ppvjd.exec:\ppvjd.exe101⤵PID:1980
-
\??\c:\w04422.exec:\w04422.exe102⤵PID:4764
-
\??\c:\08220.exec:\08220.exe103⤵PID:3240
-
\??\c:\4620424.exec:\4620424.exe104⤵PID:4600
-
\??\c:\lrfxlxl.exec:\lrfxlxl.exe105⤵PID:2348
-
\??\c:\rfxrfrl.exec:\rfxrfrl.exe106⤵PID:5068
-
\??\c:\044888.exec:\044888.exe107⤵PID:4308
-
\??\c:\i442042.exec:\i442042.exe108⤵PID:3552
-
\??\c:\424226.exec:\424226.exe109⤵PID:3192
-
\??\c:\o060484.exec:\o060484.exe110⤵PID:4356
-
\??\c:\q06048.exec:\q06048.exe111⤵PID:4236
-
\??\c:\4442082.exec:\4442082.exe112⤵PID:2352
-
\??\c:\888664.exec:\888664.exe113⤵PID:832
-
\??\c:\pdpvd.exec:\pdpvd.exe114⤵PID:1892
-
\??\c:\nbbnbt.exec:\nbbnbt.exe115⤵PID:3616
-
\??\c:\w62082.exec:\w62082.exe116⤵PID:4876
-
\??\c:\428240.exec:\428240.exe117⤵PID:4036
-
\??\c:\0826826.exec:\0826826.exe118⤵PID:4104
-
\??\c:\lxllxrl.exec:\lxllxrl.exe119⤵
- System Location Discovery: System Language Discovery
PID:3324 -
\??\c:\60466.exec:\60466.exe120⤵PID:5080
-
\??\c:\26220.exec:\26220.exe121⤵PID:2404
-
\??\c:\rffrfxl.exec:\rffrfxl.exe122⤵PID:4064
-