Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted
28/03/2025, 19:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe
Resource
win7-20250207-en
7 signatures
150 seconds
Note: the task listed here is behavioral1 on win7-20250207-en, but every memory IoC in the signatures below is tagged behavioral2, which appears to be the win10v2004-20250314-en run named in the resource tags above; read the PIDs and memory ranges below as belonging to that second run, not to the win7 task.
General
-
Target
49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe
-
Size
456KB
-
MD5
aa11e7d4cfcd5c995438fa4704ece465
-
SHA1
014c94e41baabb3f428f36c2d502bfde3607f73b
-
SHA256
49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01 (canonical identifier for this sample; prefer it over the MD5/SHA1 above for correlation, both of which are collision-prone)
-
SHA512
9d1dc841aa7c01670ab0982c2ee00575bf97114b99704bb906319e28a37e38bd5ea631f6f15d820b7377a0681b3ed289a064a2654ceed3331cac3235a20740e5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload (yara rule family_blackmoon) 63 IoCs — every hit is the same 0x0000000000400000–0x000000000042A000 range in a different PID (4184, 5064, 4112, … 4696), i.e. the identical payload image is present in each process of the drop chain. 0x400000 is the default image base of a 32-bit PE, consistent with the arch:x86 tag, so this is presumably the main module of each process (confirm against the module list). One memory rule written against that region therefore covers the whole chain; the count of 63 presumably reflects the report's per-signature cap, since the process tree below runs to depth 122.
resource yara_rule behavioral2/memory/4184-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5668-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5156-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5452-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5200-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5480-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5996-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6096-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3096-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5308-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5464-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5404-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4988-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5232-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6112-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5332-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5372-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-1136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-1494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-1583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-1865-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-1950-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (list truncated at 64 entries; the process tree below continues to depth 122). The unlabeled yara rows that follow this list are hits of the rule `upx` on the same 0x400000–0x42A000 regions, i.e. a packer detection on the same images — the heading for that signature was lost in extraction.
pid Process 5064 6220420.exe 4112 06042.exe 552 664266.exe 4204 0282626.exe 3980 vddjp.exe 2488 06826.exe 5668 4864848.exe 64 044882.exe 1412 864282.exe 5156 c282660.exe 4484 4602662.exe 4100 884404.exe 5452 o826048.exe 6096 04444.exe 4208 88004.exe 1300 q68826.exe 5480 rfllfff.exe 5200 4448260.exe 5996 826006.exe 4076 g0048.exe 4800 o008260.exe 5216 488822.exe 1576 880400.exe 5596 ddjjd.exe 3096 06260.exe 4968 xrrfxrr.exe 2812 0400488.exe 1388 422866.exe 2476 o626048.exe 5308 48088.exe 5284 86660.exe 4252 6044000.exe 1096 hnhhbb.exe 1888 6044882.exe 5376 408260.exe 2416 dpjdv.exe 964 dvpjd.exe 4612 5bbtnh.exe 2660 28604.exe 3812 262044.exe 5428 tthbhh.exe 5464 84604.exe 3404 ppppj.exe 2480 k62260.exe 2540 bthhbn.exe 1536 frxfxfx.exe 5404 pjpjd.exe 848 0860006.exe 3684 484400.exe 2836 dddpp.exe 612 xllrlrx.exe 5708 xrrlffl.exe 4992 bbthtt.exe 1408 xrrlllr.exe 5408 a2268.exe 756 tnnhhh.exe 4784 jvjdv.exe 1892 8022660.exe 5612 88622.exe 1600 nnbbnn.exe 1620 dvppd.exe 1124 42088.exe 700 rrfxllx.exe 5348 400048.exe -
resource yara_rule behavioral2/memory/4184-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5668-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5156-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5156-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5452-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5200-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5480-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5996-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6096-92-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4800-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5308-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5464-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5404-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4988-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5232-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6112-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5332-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5332-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5992-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5372-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-498-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat for triage: the evidence is an open of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, a key that the C runtime and many benign programs also read at startup, so on its own this is a weak indicator; the Blackmoon/upx memory hits above are the signal to act on. The "Process not Found" rows are presumably opens the sandbox could not attribute to a live process (the children here are short-lived and PIDs are reused), not an additional actor; the list is truncated at 64 entries.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4460482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6248260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxxxl.exe -
Suspicious use of WriteProcessMemory 64 IoCs (truncated; the chain continues beyond PID 5216) — each parent performs exactly three writes into exactly one child before that child runs (4184 → 5064 → 4112 → 552 → 4204 → …), so the tree is strictly linear with no fan-out. A fixed three writes at creation time is consistent with the writes CreateProcess itself makes into a newly created child (confirm against the API call log) rather than with injection into a foreign process. The procid_target values (86, 87, 88, …) appear to be the sandbox's sequential process ordinals, not Windows PIDs.
description pid Process procid_target PID 4184 wrote to memory of 5064 4184 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 86 PID 4184 wrote to memory of 5064 4184 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 86 PID 4184 wrote to memory of 5064 4184 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 86 PID 5064 wrote to memory of 4112 5064 6220420.exe 87 PID 5064 wrote to memory of 4112 5064 6220420.exe 87 PID 5064 wrote to memory of 4112 5064 6220420.exe 87 PID 4112 wrote to memory of 552 4112 06042.exe 88 PID 4112 wrote to memory of 552 4112 06042.exe 88 PID 4112 wrote to memory of 552 4112 06042.exe 88 PID 552 wrote to memory of 4204 552 664266.exe 89 PID 552 wrote to memory of 4204 552 664266.exe 89 PID 552 wrote to memory of 4204 552 664266.exe 89 PID 4204 wrote to memory of 3980 4204 0282626.exe 90 PID 4204 wrote to memory of 3980 4204 0282626.exe 90 PID 4204 wrote to memory of 3980 4204 0282626.exe 90 PID 3980 wrote to memory of 2488 3980 vddjp.exe 91 PID 3980 wrote to memory of 2488 3980 vddjp.exe 91 PID 3980 wrote to memory of 2488 3980 vddjp.exe 91 PID 2488 wrote to memory of 5668 2488 06826.exe 93 PID 2488 wrote to memory of 5668 2488 06826.exe 93 PID 2488 wrote to memory of 5668 2488 06826.exe 93 PID 5668 wrote to memory of 64 5668 4864848.exe 95 PID 5668 wrote to memory of 64 5668 4864848.exe 95 PID 5668 wrote to memory of 64 5668 4864848.exe 95 PID 64 wrote to memory of 1412 64 044882.exe 96 PID 64 wrote to memory of 1412 64 044882.exe 96 PID 64 wrote to memory of 1412 64 044882.exe 96 PID 1412 wrote to memory of 5156 1412 864282.exe 97 PID 1412 wrote to memory of 5156 1412 864282.exe 97 PID 1412 wrote to memory of 5156 1412 864282.exe 97 PID 5156 wrote to memory of 4484 5156 c282660.exe 99 PID 5156 wrote to memory of 4484 5156 c282660.exe 99 PID 5156 wrote to memory of 4484 5156 c282660.exe 99 PID 4484 wrote to memory of 4100 4484 4602662.exe 100 PID 4484 wrote to memory of 4100 4484 
4602662.exe 100 PID 4484 wrote to memory of 4100 4484 4602662.exe 100 PID 4100 wrote to memory of 5452 4100 884404.exe 101 PID 4100 wrote to memory of 5452 4100 884404.exe 101 PID 4100 wrote to memory of 5452 4100 884404.exe 101 PID 5452 wrote to memory of 6096 5452 o826048.exe 102 PID 5452 wrote to memory of 6096 5452 o826048.exe 102 PID 5452 wrote to memory of 6096 5452 o826048.exe 102 PID 6096 wrote to memory of 4208 6096 04444.exe 103 PID 6096 wrote to memory of 4208 6096 04444.exe 103 PID 6096 wrote to memory of 4208 6096 04444.exe 103 PID 4208 wrote to memory of 1300 4208 88004.exe 104 PID 4208 wrote to memory of 1300 4208 88004.exe 104 PID 4208 wrote to memory of 1300 4208 88004.exe 104 PID 1300 wrote to memory of 5480 1300 q68826.exe 105 PID 1300 wrote to memory of 5480 1300 q68826.exe 105 PID 1300 wrote to memory of 5480 1300 q68826.exe 105 PID 5480 wrote to memory of 5200 5480 rfllfff.exe 106 PID 5480 wrote to memory of 5200 5480 rfllfff.exe 106 PID 5480 wrote to memory of 5200 5480 rfllfff.exe 106 PID 5200 wrote to memory of 5996 5200 4448260.exe 107 PID 5200 wrote to memory of 5996 5200 4448260.exe 107 PID 5200 wrote to memory of 5996 5200 4448260.exe 107 PID 5996 wrote to memory of 4076 5996 826006.exe 108 PID 5996 wrote to memory of 4076 5996 826006.exe 108 PID 5996 wrote to memory of 4076 5996 826006.exe 108 PID 4076 wrote to memory of 4800 4076 g0048.exe 109 PID 4076 wrote to memory of 4800 4076 g0048.exe 109 PID 4076 wrote to memory of 4800 4076 g0048.exe 109 PID 4800 wrote to memory of 5216 4800 o008260.exe 110
Processes
Format of each entry below: NT-style path, then the command line, then the nesting depth in the tree (the original rendering ran these together, e.g. "\??\c:\6220420.exec:\6220420.exe2" is path \??\c:\6220420.exe, command line c:\6220420.exe, depth 2). Every dropped executable is written to the drive root (c:\) with a name that is either a string of even digits (0/2/4/6/8) or a string of consonants drawn from {b,d,f,h,j,l,n,p,r,t,v,x}, optionally preceded by one extra character (a letter such as a/c/g/k/m/o/q/u/w or an odd digit such as 5/7/9) — a usable hunting pattern on its own. The sandbox user is Admin, so writes to the drive root succeed here; on a host where the user lacks that right the chain would stop at the first drop. Several PIDs recur in the tree (552, 5216, 6096, 5308, 2480) because earlier processes had already exited and Windows reused the PID, so correlate the IoC lists above by PID plus parent/depth, not by PID alone.
-
C:\Users\Admin\AppData\Local\Temp\49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe  "C:\Users\Admin\AppData\Local\Temp\49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe"  (depth 1)
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\6220420.exe  c:\6220420.exe  (depth 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\06042.exec:\06042.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\664266.exec:\664266.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\0282626.exec:\0282626.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\vddjp.exec:\vddjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\06826.exec:\06826.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\4864848.exec:\4864848.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5668 -
\??\c:\044882.exec:\044882.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\864282.exec:\864282.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\c282660.exec:\c282660.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5156 -
\??\c:\4602662.exec:\4602662.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\884404.exec:\884404.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\o826048.exec:\o826048.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5452 -
\??\c:\04444.exec:\04444.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6096 -
\??\c:\88004.exec:\88004.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\q68826.exec:\q68826.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\rfllfff.exec:\rfllfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5480 -
\??\c:\4448260.exec:\4448260.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5200 -
\??\c:\826006.exec:\826006.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5996 -
\??\c:\g0048.exec:\g0048.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\o008260.exec:\o008260.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\488822.exec:\488822.exe23⤵
- Executes dropped EXE
PID:5216 -
\??\c:\880400.exec:\880400.exe24⤵
- Executes dropped EXE
PID:1576 -
\??\c:\ddjjd.exec:\ddjjd.exe25⤵
- Executes dropped EXE
PID:5596 -
\??\c:\06260.exec:\06260.exe26⤵
- Executes dropped EXE
PID:3096 -
\??\c:\xrrfxrr.exec:\xrrfxrr.exe27⤵
- Executes dropped EXE
PID:4968 -
\??\c:\0400488.exec:\0400488.exe28⤵
- Executes dropped EXE
PID:2812 -
\??\c:\422866.exec:\422866.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1388 -
\??\c:\o626048.exec:\o626048.exe30⤵
- Executes dropped EXE
PID:2476 -
\??\c:\48088.exec:\48088.exe31⤵
- Executes dropped EXE
PID:5308 -
\??\c:\86660.exec:\86660.exe32⤵
- Executes dropped EXE
PID:5284 -
\??\c:\6044000.exec:\6044000.exe33⤵
- Executes dropped EXE
PID:4252 -
\??\c:\hnhhbb.exec:\hnhhbb.exe34⤵
- Executes dropped EXE
PID:1096 -
\??\c:\6044882.exec:\6044882.exe35⤵
- Executes dropped EXE
PID:1888 -
\??\c:\408260.exec:\408260.exe36⤵
- Executes dropped EXE
PID:5376 -
\??\c:\dpjdv.exec:\dpjdv.exe37⤵
- Executes dropped EXE
PID:2416 -
\??\c:\dvpjd.exec:\dvpjd.exe38⤵
- Executes dropped EXE
PID:964 -
\??\c:\5bbtnh.exec:\5bbtnh.exe39⤵
- Executes dropped EXE
PID:4612 -
\??\c:\28604.exec:\28604.exe40⤵
- Executes dropped EXE
PID:2660 -
\??\c:\262044.exec:\262044.exe41⤵
- Executes dropped EXE
PID:3812 -
\??\c:\tthbhh.exec:\tthbhh.exe42⤵
- Executes dropped EXE
PID:5428 -
\??\c:\84604.exec:\84604.exe43⤵
- Executes dropped EXE
PID:5464 -
\??\c:\ppppj.exec:\ppppj.exe44⤵
- Executes dropped EXE
PID:3404 -
\??\c:\k62260.exec:\k62260.exe45⤵
- Executes dropped EXE
PID:2480 -
\??\c:\bthhbn.exec:\bthhbn.exe46⤵
- Executes dropped EXE
PID:2540 -
\??\c:\frxfxfx.exec:\frxfxfx.exe47⤵
- Executes dropped EXE
PID:1536 -
\??\c:\pjpjd.exec:\pjpjd.exe48⤵
- Executes dropped EXE
PID:5404 -
\??\c:\0860006.exec:\0860006.exe49⤵
- Executes dropped EXE
PID:848 -
\??\c:\484400.exec:\484400.exe50⤵
- Executes dropped EXE
PID:3684 -
\??\c:\dddpp.exec:\dddpp.exe51⤵
- Executes dropped EXE
PID:2836 -
\??\c:\xllrlrx.exec:\xllrlrx.exe52⤵
- Executes dropped EXE
PID:612 -
\??\c:\xrrlffl.exec:\xrrlffl.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5708 -
\??\c:\bbthtt.exec:\bbthtt.exe54⤵
- Executes dropped EXE
PID:4992 -
\??\c:\xrrlllr.exec:\xrrlllr.exe55⤵
- Executes dropped EXE
PID:1408 -
\??\c:\a2268.exec:\a2268.exe56⤵
- Executes dropped EXE
PID:5408 -
\??\c:\tnnhhh.exec:\tnnhhh.exe57⤵
- Executes dropped EXE
PID:756 -
\??\c:\jvjdv.exec:\jvjdv.exe58⤵
- Executes dropped EXE
PID:4784 -
\??\c:\8022660.exec:\8022660.exe59⤵
- Executes dropped EXE
PID:1892 -
\??\c:\88622.exec:\88622.exe60⤵
- Executes dropped EXE
PID:5612 -
\??\c:\nnbbnn.exec:\nnbbnn.exe61⤵
- Executes dropped EXE
PID:1600 -
\??\c:\dvppd.exec:\dvppd.exe62⤵
- Executes dropped EXE
PID:1620 -
\??\c:\42088.exec:\42088.exe63⤵
- Executes dropped EXE
PID:1124 -
\??\c:\rrfxllx.exec:\rrfxllx.exe64⤵
- Executes dropped EXE
PID:700 -
\??\c:\400048.exec:\400048.exe65⤵
- Executes dropped EXE
PID:5348 -
\??\c:\8848226.exec:\8848226.exe66⤵PID:4816
-
\??\c:\frrlfxr.exec:\frrlfxr.exe67⤵PID:2944
-
\??\c:\bntnhn.exec:\bntnhn.exe68⤵PID:4552
-
\??\c:\06204.exec:\06204.exe69⤵PID:2588
-
\??\c:\nttbhh.exec:\nttbhh.exe70⤵PID:4244
-
\??\c:\bbbtnh.exec:\bbbtnh.exe71⤵PID:2900
-
\??\c:\pdpdj.exec:\pdpdj.exe72⤵PID:5080
-
\??\c:\hhhbtn.exec:\hhhbtn.exe73⤵PID:4128
-
\??\c:\k24262.exec:\k24262.exe74⤵PID:552
-
\??\c:\8666226.exec:\8666226.exe75⤵PID:2916
-
\??\c:\488826.exec:\488826.exe76⤵PID:4988
-
\??\c:\2622822.exec:\2622822.exe77⤵PID:5232
-
\??\c:\080048.exec:\080048.exe78⤵PID:4116
-
\??\c:\884208.exec:\884208.exe79⤵PID:3372
-
\??\c:\jddpj.exec:\jddpj.exe80⤵PID:1416
-
\??\c:\m4260.exec:\m4260.exe81⤵PID:2192
-
\??\c:\68600.exec:\68600.exe82⤵PID:5076
-
\??\c:\462260.exec:\462260.exe83⤵PID:2296
-
\??\c:\2800008.exec:\2800008.exe84⤵PID:4724
-
\??\c:\4066022.exec:\4066022.exe85⤵PID:3160
-
\??\c:\pjpjd.exec:\pjpjd.exe86⤵PID:2504
-
\??\c:\00240.exec:\00240.exe87⤵PID:4952
-
\??\c:\djpjp.exec:\djpjp.exe88⤵PID:4756
-
\??\c:\dvvpp.exec:\dvvpp.exe89⤵PID:5704
-
\??\c:\a8604.exec:\a8604.exe90⤵PID:2932
-
\??\c:\llxxxlr.exec:\llxxxlr.exe91⤵PID:6096
-
\??\c:\4840044.exec:\4840044.exe92⤵PID:6112
-
\??\c:\lrrrxlf.exec:\lrrrxlf.exe93⤵PID:5492
-
\??\c:\tttbnn.exec:\tttbnn.exe94⤵PID:5332
-
\??\c:\464264.exec:\464264.exe95⤵PID:4348
-
\??\c:\rlrlxxr.exec:\rlrlxxr.exe96⤵PID:4624
-
\??\c:\0820404.exec:\0820404.exe97⤵PID:5216
-
\??\c:\6282600.exec:\6282600.exe98⤵PID:2600
-
\??\c:\46820.exec:\46820.exe99⤵PID:3044
-
\??\c:\u026004.exec:\u026004.exe100⤵PID:2336
-
\??\c:\628882.exec:\628882.exe101⤵PID:5388
-
\??\c:\rflfrrl.exec:\rflfrrl.exe102⤵PID:3112
-
\??\c:\q28248.exec:\q28248.exe103⤵PID:2436
-
\??\c:\nntnnn.exec:\nntnnn.exe104⤵PID:3648
-
\??\c:\nbhhbb.exec:\nbhhbb.exe105⤵PID:5896
-
\??\c:\26822.exec:\26822.exe106⤵PID:5104
-
\??\c:\lllfxxx.exec:\lllfxxx.exe107⤵
- System Location Discovery: System Language Discovery
PID:5308 -
\??\c:\9fxrxxl.exec:\9fxrxxl.exe108⤵PID:1276
-
\??\c:\86828.exec:\86828.exe109⤵PID:2464
-
\??\c:\nntnhh.exec:\nntnhh.exe110⤵PID:5992
-
\??\c:\dddvp.exec:\dddvp.exe111⤵PID:3208
-
\??\c:\jvpjj.exec:\jvpjj.exe112⤵PID:1324
-
\??\c:\9btnhh.exec:\9btnhh.exe113⤵PID:4748
-
\??\c:\nhbbbh.exec:\nhbbbh.exe114⤵PID:4632
-
\??\c:\ppvpj.exec:\ppvpj.exe115⤵PID:1308
-
\??\c:\w84822.exec:\w84822.exe116⤵PID:2420
-
\??\c:\djpjv.exec:\djpjv.exe117⤵PID:1036
-
\??\c:\hhhbtt.exec:\hhhbtt.exe118⤵PID:404
-
\??\c:\rllfxfx.exec:\rllfxfx.exe119⤵PID:4964
-
\??\c:\a0822.exec:\a0822.exe120⤵PID:6044
-
\??\c:\4066044.exec:\4066044.exe121⤵PID:5372
-
\??\c:\dvvpp.exec:\dvvpp.exe122⤵PID:2480
-