Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
28/03/2025, 21:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5698484ea82c3111193fad5882f57b08ef7de12a7d6e42c1506f46a7ea2c6b4f.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
5698484ea82c3111193fad5882f57b08ef7de12a7d6e42c1506f46a7ea2c6b4f.exe
-
Size
457KB
-
MD5
66900a973f941e9a8af51fe715e4a112
-
SHA1
3903ee28689e8fad2d6bbc1a7b9363992929fafa
-
SHA256
5698484ea82c3111193fad5882f57b08ef7de12a7d6e42c1506f46a7ea2c6b4f
-
SHA512
a7b11736757d757570efe5cf50bdbe96ff13e314bf6e5203dcf6b9c300b3daf75916c85b8e3f9d5ea8e51a8f71f62da8ec05637056abb8a241b6288e586e7b95
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeSc:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4672-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/968-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1564-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-822-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-841-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-1736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3336 u004884.exe 4852 frrfrff.exe 4508 0064220.exe 3912 o064282.exe 2224 088886.exe 3020 244204.exe 3720 htnnbb.exe 1768 dpjvj.exe 3272 jvppd.exe 4320 ntthnh.exe 4296 7bhntt.exe 1856 4688288.exe 1400 vvvpj.exe 2632 00082.exe 3176 rffxrlf.exe 1852 fxrrlll.exe 5032 5jdvd.exe 2444 8460844.exe 2888 5lfxrlf.exe 840 djppp.exe 1028 866606.exe 816 4282682.exe 4476 jvjdv.exe 1412 7bntbb.exe 968 nhnnnn.exe 5100 htbbtt.exe 1052 0040622.exe 3172 3xrrlrl.exe 700 4848606.exe 4836 w28822.exe 2588 40004.exe 2004 802660.exe 4864 86648.exe 3564 1jdpj.exe 1936 2864860.exe 3728 6464480.exe 3912 dvjvp.exe 2464 5xrfrlx.exe 3916 fllxlxr.exe 4696 200086.exe 2392 288642.exe 3168 846048.exe 5092 llfxlfl.exe 3112 bbthtn.exe 2948 flrfrlf.exe 3272 nnnhtn.exe 4320 9pjdj.exe 2484 u008608.exe 4896 i620486.exe 4860 1rfxllx.exe 512 xrrrlfx.exe 2872 xrxrllf.exe 2140 8226000.exe 2564 jjvjd.exe 3412 8848642.exe 3332 204082.exe 3860 jvpdp.exe 1604 400426.exe 988 s8088.exe 3460 tnnbtn.exe 1228 1nhbnh.exe 2748 nbhthb.exe 536 6224084.exe 1564 2844044.exe -
resource yara_rule behavioral2/memory/4672-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/968-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-310-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3828-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-662-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8862460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w66426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrllr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0408048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0420.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u442264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w26642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 662082.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4672 wrote to memory of 3336 4672 5698484ea82c3111193fad5882f57b08ef7de12a7d6e42c1506f46a7ea2c6b4f.exe 86 PID 4672 wrote to memory of 3336 4672 5698484ea82c3111193fad5882f57b08ef7de12a7d6e42c1506f46a7ea2c6b4f.exe 86 PID 4672 wrote to memory of 3336 4672 5698484ea82c3111193fad5882f57b08ef7de12a7d6e42c1506f46a7ea2c6b4f.exe 86 PID 3336 wrote to memory of 4852 3336 u004884.exe 87 PID 3336 wrote to memory of 4852 3336 u004884.exe 87 PID 3336 wrote to memory of 4852 3336 u004884.exe 87 PID 4852 wrote to memory of 4508 4852 frrfrff.exe 88 PID 4852 wrote to memory of 4508 4852 frrfrff.exe 88 PID 4852 wrote to memory of 4508 4852 frrfrff.exe 88 PID 4508 wrote to memory of 3912 4508 0064220.exe 89 PID 4508 wrote to memory of 3912 4508 0064220.exe 89 PID 4508 wrote to memory of 3912 4508 0064220.exe 89 PID 3912 wrote to memory of 2224 3912 o064282.exe 90 PID 3912 wrote to memory of 2224 3912 o064282.exe 90 PID 3912 wrote to memory of 2224 3912 o064282.exe 90 PID 2224 wrote to memory of 3020 2224 088886.exe 91 PID 2224 wrote to memory of 3020 2224 088886.exe 91 PID 2224 wrote to memory of 3020 2224 088886.exe 91 PID 3020 wrote to memory of 3720 3020 244204.exe 93 PID 3020 wrote to memory of 3720 3020 244204.exe 93 PID 3020 wrote to memory of 3720 3020 244204.exe 93 PID 3720 wrote to memory of 1768 3720 htnnbb.exe 94 PID 3720 wrote to memory of 1768 3720 htnnbb.exe 94 PID 3720 wrote to memory of 1768 3720 htnnbb.exe 94 PID 1768 wrote to memory of 3272 1768 dpjvj.exe 95 PID 1768 wrote to memory of 3272 1768 dpjvj.exe 95 PID 1768 wrote to memory of 3272 1768 dpjvj.exe 95 PID 3272 wrote to memory of 4320 3272 jvppd.exe 96 PID 3272 wrote to memory of 4320 3272 jvppd.exe 96 PID 3272 wrote to memory of 4320 3272 jvppd.exe 96 PID 4320 wrote to memory of 4296 4320 ntthnh.exe 97 PID 4320 wrote to memory of 4296 4320 ntthnh.exe 97 PID 4320 wrote to memory of 4296 4320 ntthnh.exe 97 PID 4296 wrote to memory of 1856 4296 7bhntt.exe 99 PID 4296 
wrote to memory of 1856 4296 7bhntt.exe 99 PID 4296 wrote to memory of 1856 4296 7bhntt.exe 99 PID 1856 wrote to memory of 1400 1856 4688288.exe 100 PID 1856 wrote to memory of 1400 1856 4688288.exe 100 PID 1856 wrote to memory of 1400 1856 4688288.exe 100 PID 1400 wrote to memory of 2632 1400 vvvpj.exe 101 PID 1400 wrote to memory of 2632 1400 vvvpj.exe 101 PID 1400 wrote to memory of 2632 1400 vvvpj.exe 101 PID 2632 wrote to memory of 3176 2632 00082.exe 102 PID 2632 wrote to memory of 3176 2632 00082.exe 102 PID 2632 wrote to memory of 3176 2632 00082.exe 102 PID 3176 wrote to memory of 1852 3176 rffxrlf.exe 103 PID 3176 wrote to memory of 1852 3176 rffxrlf.exe 103 PID 3176 wrote to memory of 1852 3176 rffxrlf.exe 103 PID 1852 wrote to memory of 5032 1852 fxrrlll.exe 104 PID 1852 wrote to memory of 5032 1852 fxrrlll.exe 104 PID 1852 wrote to memory of 5032 1852 fxrrlll.exe 104 PID 5032 wrote to memory of 2444 5032 5jdvd.exe 105 PID 5032 wrote to memory of 2444 5032 5jdvd.exe 105 PID 5032 wrote to memory of 2444 5032 5jdvd.exe 105 PID 2444 wrote to memory of 2888 2444 8460844.exe 106 PID 2444 wrote to memory of 2888 2444 8460844.exe 106 PID 2444 wrote to memory of 2888 2444 8460844.exe 106 PID 2888 wrote to memory of 840 2888 5lfxrlf.exe 107 PID 2888 wrote to memory of 840 2888 5lfxrlf.exe 107 PID 2888 wrote to memory of 840 2888 5lfxrlf.exe 107 PID 840 wrote to memory of 1028 840 djppp.exe 108 PID 840 wrote to memory of 1028 840 djppp.exe 108 PID 840 wrote to memory of 1028 840 djppp.exe 108 PID 1028 wrote to memory of 816 1028 866606.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\5698484ea82c3111193fad5882f57b08ef7de12a7d6e42c1506f46a7ea2c6b4f.exe"C:\Users\Admin\AppData\Local\Temp\5698484ea82c3111193fad5882f57b08ef7de12a7d6e42c1506f46a7ea2c6b4f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\u004884.exec:\u004884.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\frrfrff.exec:\frrfrff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\0064220.exec:\0064220.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\o064282.exec:\o064282.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\088886.exec:\088886.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\244204.exec:\244204.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\htnnbb.exec:\htnnbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\dpjvj.exec:\dpjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\jvppd.exec:\jvppd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\ntthnh.exec:\ntthnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\7bhntt.exec:\7bhntt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\4688288.exec:\4688288.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\vvvpj.exec:\vvvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\00082.exec:\00082.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\rffxrlf.exec:\rffxrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\fxrrlll.exec:\fxrrlll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\5jdvd.exec:\5jdvd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\8460844.exec:\8460844.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\5lfxrlf.exec:\5lfxrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\djppp.exec:\djppp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\866606.exec:\866606.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\4282682.exec:\4282682.exe23⤵
- Executes dropped EXE
PID:816 -
\??\c:\jvjdv.exec:\jvjdv.exe24⤵
- Executes dropped EXE
PID:4476 -
\??\c:\7bntbb.exec:\7bntbb.exe25⤵
- Executes dropped EXE
PID:1412 -
\??\c:\nhnnnn.exec:\nhnnnn.exe26⤵
- Executes dropped EXE
PID:968 -
\??\c:\htbbtt.exec:\htbbtt.exe27⤵
- Executes dropped EXE
PID:5100 -
\??\c:\0040622.exec:\0040622.exe28⤵
- Executes dropped EXE
PID:1052 -
\??\c:\3xrrlrl.exec:\3xrrlrl.exe29⤵
- Executes dropped EXE
PID:3172 -
\??\c:\4848606.exec:\4848606.exe30⤵
- Executes dropped EXE
PID:700 -
\??\c:\w28822.exec:\w28822.exe31⤵
- Executes dropped EXE
PID:4836 -
\??\c:\40004.exec:\40004.exe32⤵
- Executes dropped EXE
PID:2588 -
\??\c:\802660.exec:\802660.exe33⤵
- Executes dropped EXE
PID:2004 -
\??\c:\86648.exec:\86648.exe34⤵
- Executes dropped EXE
PID:4864 -
\??\c:\1jdpj.exec:\1jdpj.exe35⤵
- Executes dropped EXE
PID:3564 -
\??\c:\2864860.exec:\2864860.exe36⤵
- Executes dropped EXE
PID:1936 -
\??\c:\6464480.exec:\6464480.exe37⤵
- Executes dropped EXE
PID:3728 -
\??\c:\dvjvp.exec:\dvjvp.exe38⤵
- Executes dropped EXE
PID:3912 -
\??\c:\5xrfrlx.exec:\5xrfrlx.exe39⤵
- Executes dropped EXE
PID:2464 -
\??\c:\fllxlxr.exec:\fllxlxr.exe40⤵
- Executes dropped EXE
PID:3916 -
\??\c:\200086.exec:\200086.exe41⤵
- Executes dropped EXE
PID:4696 -
\??\c:\288642.exec:\288642.exe42⤵
- Executes dropped EXE
PID:2392 -
\??\c:\846048.exec:\846048.exe43⤵
- Executes dropped EXE
PID:3168 -
\??\c:\llfxlfl.exec:\llfxlfl.exe44⤵
- Executes dropped EXE
PID:5092 -
\??\c:\bbthtn.exec:\bbthtn.exe45⤵
- Executes dropped EXE
PID:3112 -
\??\c:\flrfrlf.exec:\flrfrlf.exe46⤵
- Executes dropped EXE
PID:2948 -
\??\c:\nnnhtn.exec:\nnnhtn.exe47⤵
- Executes dropped EXE
PID:3272 -
\??\c:\9pjdj.exec:\9pjdj.exe48⤵
- Executes dropped EXE
PID:4320 -
\??\c:\u008608.exec:\u008608.exe49⤵
- Executes dropped EXE
PID:2484 -
\??\c:\i620486.exec:\i620486.exe50⤵
- Executes dropped EXE
PID:4896 -
\??\c:\1rfxllx.exec:\1rfxllx.exe51⤵
- Executes dropped EXE
PID:4860 -
\??\c:\xrrrlfx.exec:\xrrrlfx.exe52⤵
- Executes dropped EXE
PID:512 -
\??\c:\xrxrllf.exec:\xrxrllf.exe53⤵
- Executes dropped EXE
PID:2872 -
\??\c:\8226000.exec:\8226000.exe54⤵
- Executes dropped EXE
PID:2140 -
\??\c:\jjvjd.exec:\jjvjd.exe55⤵
- Executes dropped EXE
PID:2564 -
\??\c:\8848642.exec:\8848642.exe56⤵
- Executes dropped EXE
PID:3412 -
\??\c:\204082.exec:\204082.exe57⤵
- Executes dropped EXE
PID:3332 -
\??\c:\jvpdp.exec:\jvpdp.exe58⤵
- Executes dropped EXE
PID:3860 -
\??\c:\400426.exec:\400426.exe59⤵
- Executes dropped EXE
PID:1604 -
\??\c:\s8088.exec:\s8088.exe60⤵
- Executes dropped EXE
PID:988 -
\??\c:\tnnbtn.exec:\tnnbtn.exe61⤵
- Executes dropped EXE
PID:3460 -
\??\c:\1nhbnh.exec:\1nhbnh.exe62⤵
- Executes dropped EXE
PID:1228 -
\??\c:\nbhthb.exec:\nbhthb.exe63⤵
- Executes dropped EXE
PID:2748 -
\??\c:\6224084.exec:\6224084.exe64⤵
- Executes dropped EXE
PID:536 -
\??\c:\2844044.exec:\2844044.exe65⤵
- Executes dropped EXE
PID:1564 -
\??\c:\228604.exec:\228604.exe66⤵PID:780
-
\??\c:\vvjvv.exec:\vvjvv.exe67⤵PID:1396
-
\??\c:\606082.exec:\606082.exe68⤵PID:4440
-
\??\c:\q00860.exec:\q00860.exe69⤵PID:4108
-
\??\c:\0282822.exec:\0282822.exe70⤵PID:3828
-
\??\c:\868620.exec:\868620.exe71⤵PID:1112
-
\??\c:\xrrlrrr.exec:\xrrlrrr.exe72⤵PID:2856
-
\??\c:\8620022.exec:\8620022.exe73⤵PID:2584
-
\??\c:\pdvpd.exec:\pdvpd.exe74⤵PID:4680
-
\??\c:\jvpdj.exec:\jvpdj.exe75⤵PID:4524
-
\??\c:\pvdpv.exec:\pvdpv.exe76⤵PID:3936
-
\??\c:\2408608.exec:\2408608.exe77⤵PID:3788
-
\??\c:\66808.exec:\66808.exe78⤵PID:1620
-
\??\c:\07xlx.exec:\07xlx.exe79⤵PID:1120
-
\??\c:\08264.exec:\08264.exe80⤵PID:928
-
\??\c:\864826.exec:\864826.exe81⤵PID:3080
-
\??\c:\062048.exec:\062048.exe82⤵PID:4940
-
\??\c:\rffrfxl.exec:\rffrfxl.exe83⤵PID:1840
-
\??\c:\266426.exec:\266426.exe84⤵PID:2740
-
\??\c:\664862.exec:\664862.exe85⤵PID:3020
-
\??\c:\u226048.exec:\u226048.exe86⤵PID:2844
-
\??\c:\e68648.exec:\e68648.exe87⤵PID:112
-
\??\c:\rxllrff.exec:\rxllrff.exe88⤵PID:5016
-
\??\c:\1lrlfll.exec:\1lrlfll.exe89⤵PID:1700
-
\??\c:\40086.exec:\40086.exe90⤵PID:3840
-
\??\c:\fxfxxrx.exec:\fxfxxrx.exe91⤵PID:2288
-
\??\c:\lrfrfxr.exec:\lrfrfxr.exe92⤵PID:4296
-
\??\c:\0826648.exec:\0826648.exe93⤵PID:4916
-
\??\c:\e64826.exec:\e64826.exe94⤵PID:2100
-
\??\c:\002826.exec:\002826.exe95⤵PID:4860
-
\??\c:\9xrlxxx.exec:\9xrlxxx.exe96⤵PID:4016
-
\??\c:\xffrfxl.exec:\xffrfxl.exe97⤵PID:748
-
\??\c:\tbhtnb.exec:\tbhtnb.exe98⤵PID:5104
-
\??\c:\rflfrrf.exec:\rflfrrf.exe99⤵PID:1192
-
\??\c:\hbhthh.exec:\hbhthh.exe100⤵PID:4288
-
\??\c:\42642.exec:\42642.exe101⤵PID:1688
-
\??\c:\8848604.exec:\8848604.exe102⤵PID:1680
-
\??\c:\4664264.exec:\4664264.exe103⤵PID:1952
-
\??\c:\ttnnhn.exec:\ttnnhn.exe104⤵PID:1692
-
\??\c:\7jpjp.exec:\7jpjp.exe105⤵PID:2768
-
\??\c:\1pvpj.exec:\1pvpj.exe106⤵PID:1452
-
\??\c:\0020820.exec:\0020820.exe107⤵PID:2732
-
\??\c:\06264.exec:\06264.exe108⤵PID:2748
-
\??\c:\8842604.exec:\8842604.exe109⤵PID:4684
-
\??\c:\i664224.exec:\i664224.exe110⤵PID:704
-
\??\c:\60642.exec:\60642.exe111⤵PID:1128
-
\??\c:\08820.exec:\08820.exe112⤵PID:384
-
\??\c:\htthbn.exec:\htthbn.exe113⤵PID:4084
-
\??\c:\hnnbht.exec:\hnnbht.exe114⤵PID:1236
-
\??\c:\vjjvj.exec:\vjjvj.exe115⤵PID:4292
-
\??\c:\bbtthb.exec:\bbtthb.exe116⤵PID:2384
-
\??\c:\0460628.exec:\0460628.exe117⤵PID:4728
-
\??\c:\4222260.exec:\4222260.exe118⤵PID:764
-
\??\c:\a4248.exec:\a4248.exe119⤵PID:1052
-
\??\c:\40042.exec:\40042.exe120⤵PID:3108
-
\??\c:\tnbbth.exec:\tnbbth.exe121⤵PID:3936
-
\??\c:\00042.exec:\00042.exe122⤵PID:1932