Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe
-
Size
456KB
-
MD5
3ffe60842436bfaf2ed6518cc3168a65
-
SHA1
ca384ddd1b715a366d8586e4147139e289922de8
-
SHA256
feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea
-
SHA512
3aa3437cbb0b124a8224306bce01bdeb85e677f7ca4a5181c85e0e7610d606da529be5886fcc640533d80ac8deec62726c89eee447efbaeabce089e65d2989f7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5096-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4840-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1708-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-863-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5076-985-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2344 fffffff.exe 3024 9vvjp.exe 1020 c042486.exe 4936 004204.exe 2020 2408042.exe 1588 82642.exe 3368 nnhtbt.exe 2624 8682086.exe 2960 lrlxrlx.exe 1432 1rxlrfr.exe 4180 0402642.exe 628 642080.exe 1860 004264.exe 4952 u886820.exe 5012 vdjvd.exe 1016 lxrlfff.exe 5000 g4048.exe 4376 868226.exe 3952 flflrfl.exe 1052 pdvdp.exe 3088 lxlrfrr.exe 4568 020864.exe 4468 jpjvj.exe 2588 66242.exe 3404 rllxxrf.exe 2572 60082.exe 4840 w26420.exe 3964 604200.exe 428 008242.exe 2096 9frfxlx.exe 3652 o820242.exe 1568 0008204.exe 1528 xfrfrlx.exe 3192 xfxlrlx.exe 4540 404264.exe 2748 048086.exe 4788 u442208.exe 4084 5jvjd.exe 5060 860886.exe 908 6486820.exe 3712 826420.exe 1104 ffrflxl.exe 1652 3nnbnn.exe 4364 3nbnth.exe 2444 w28682.exe 1872 406460.exe 4148 nnntth.exe 540 ntbhth.exe 2164 c486486.exe 1020 dppvj.exe 4584 228266.exe 5028 lrxrlrl.exe 2904 3lffrlx.exe 4076 s8482.exe 4280 m0424.exe 1696 vvvpd.exe 4956 nttbnb.exe 892 g4048.exe 1396 86002.exe 4548 804804.exe 528 jvpdj.exe 1516 hhhbnb.exe 1164 20082.exe 628 xrlrfxl.exe -
resource yara_rule behavioral2/memory/5096-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4840-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1732-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-755-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4888226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4220820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c064226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o820242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4220448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxflfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e00082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2804260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i006228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5096 wrote to memory of 2344 5096 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 83 PID 5096 wrote to memory of 2344 5096 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 83 PID 5096 wrote to memory of 2344 5096 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 83 PID 2344 wrote to memory of 3024 2344 fffffff.exe 84 PID 2344 wrote to memory of 3024 2344 fffffff.exe 84 PID 2344 wrote to memory of 3024 2344 fffffff.exe 84 PID 3024 wrote to memory of 1020 3024 9vvjp.exe 85 PID 3024 wrote to memory of 1020 3024 9vvjp.exe 85 PID 3024 wrote to memory of 1020 3024 9vvjp.exe 85 PID 1020 wrote to memory of 4936 1020 c042486.exe 86 PID 1020 wrote to memory of 4936 1020 c042486.exe 86 PID 1020 wrote to memory of 4936 1020 c042486.exe 86 PID 4936 wrote to memory of 2020 4936 004204.exe 87 PID 4936 wrote to memory of 2020 4936 004204.exe 87 PID 4936 wrote to memory of 2020 4936 004204.exe 87 PID 2020 wrote to memory of 1588 2020 2408042.exe 88 PID 2020 wrote to memory of 1588 2020 2408042.exe 88 PID 2020 wrote to memory of 1588 2020 2408042.exe 88 PID 1588 wrote to memory of 3368 1588 82642.exe 89 PID 1588 wrote to memory of 3368 1588 82642.exe 89 PID 1588 wrote to memory of 3368 1588 82642.exe 89 PID 3368 wrote to memory of 2624 3368 nnhtbt.exe 90 PID 3368 wrote to memory of 2624 3368 nnhtbt.exe 90 PID 3368 wrote to memory of 2624 3368 nnhtbt.exe 90 PID 2624 wrote to memory of 2960 2624 8682086.exe 91 PID 2624 wrote to memory of 2960 2624 8682086.exe 91 PID 2624 wrote to memory of 2960 2624 8682086.exe 91 PID 2960 wrote to memory of 1432 2960 lrlxrlx.exe 92 PID 2960 wrote to memory of 1432 2960 lrlxrlx.exe 92 PID 2960 wrote to memory of 1432 2960 lrlxrlx.exe 92 PID 1432 wrote to memory of 4180 1432 1rxlrfr.exe 93 PID 1432 wrote to memory of 4180 1432 1rxlrfr.exe 93 PID 1432 wrote to memory of 4180 1432 1rxlrfr.exe 93 PID 4180 wrote to memory of 628 4180 0402642.exe 94 PID 
4180 wrote to memory of 628 4180 0402642.exe 94 PID 4180 wrote to memory of 628 4180 0402642.exe 94 PID 628 wrote to memory of 1860 628 642080.exe 95 PID 628 wrote to memory of 1860 628 642080.exe 95 PID 628 wrote to memory of 1860 628 642080.exe 95 PID 1860 wrote to memory of 4952 1860 004264.exe 96 PID 1860 wrote to memory of 4952 1860 004264.exe 96 PID 1860 wrote to memory of 4952 1860 004264.exe 96 PID 4952 wrote to memory of 5012 4952 u886820.exe 97 PID 4952 wrote to memory of 5012 4952 u886820.exe 97 PID 4952 wrote to memory of 5012 4952 u886820.exe 97 PID 5012 wrote to memory of 1016 5012 vdjvd.exe 98 PID 5012 wrote to memory of 1016 5012 vdjvd.exe 98 PID 5012 wrote to memory of 1016 5012 vdjvd.exe 98 PID 1016 wrote to memory of 5000 1016 lxrlfff.exe 99 PID 1016 wrote to memory of 5000 1016 lxrlfff.exe 99 PID 1016 wrote to memory of 5000 1016 lxrlfff.exe 99 PID 5000 wrote to memory of 4376 5000 g4048.exe 100 PID 5000 wrote to memory of 4376 5000 g4048.exe 100 PID 5000 wrote to memory of 4376 5000 g4048.exe 100 PID 4376 wrote to memory of 3952 4376 868226.exe 101 PID 4376 wrote to memory of 3952 4376 868226.exe 101 PID 4376 wrote to memory of 3952 4376 868226.exe 101 PID 3952 wrote to memory of 1052 3952 flflrfl.exe 102 PID 3952 wrote to memory of 1052 3952 flflrfl.exe 102 PID 3952 wrote to memory of 1052 3952 flflrfl.exe 102 PID 1052 wrote to memory of 3088 1052 pdvdp.exe 103 PID 1052 wrote to memory of 3088 1052 pdvdp.exe 103 PID 1052 wrote to memory of 3088 1052 pdvdp.exe 103 PID 3088 wrote to memory of 4568 3088 lxlrfrr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe"C:\Users\Admin\AppData\Local\Temp\feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\fffffff.exec:\fffffff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\9vvjp.exec:\9vvjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\c042486.exec:\c042486.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\004204.exec:\004204.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\2408042.exec:\2408042.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\82642.exec:\82642.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\nnhtbt.exec:\nnhtbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\8682086.exec:\8682086.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\lrlxrlx.exec:\lrlxrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\1rxlrfr.exec:\1rxlrfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\0402642.exec:\0402642.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\642080.exec:\642080.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\004264.exec:\004264.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\u886820.exec:\u886820.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\vdjvd.exec:\vdjvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\lxrlfff.exec:\lxrlfff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\g4048.exec:\g4048.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\868226.exec:\868226.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\flflrfl.exec:\flflrfl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\pdvdp.exec:\pdvdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\lxlrfrr.exec:\lxlrfrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\020864.exec:\020864.exe23⤵
- Executes dropped EXE
PID:4568 -
\??\c:\jpjvj.exec:\jpjvj.exe24⤵
- Executes dropped EXE
PID:4468 -
\??\c:\66242.exec:\66242.exe25⤵
- Executes dropped EXE
PID:2588 -
\??\c:\rllxxrf.exec:\rllxxrf.exe26⤵
- Executes dropped EXE
PID:3404 -
\??\c:\60082.exec:\60082.exe27⤵
- Executes dropped EXE
PID:2572 -
\??\c:\w26420.exec:\w26420.exe28⤵
- Executes dropped EXE
PID:4840 -
\??\c:\604200.exec:\604200.exe29⤵
- Executes dropped EXE
PID:3964 -
\??\c:\008242.exec:\008242.exe30⤵
- Executes dropped EXE
PID:428 -
\??\c:\9frfxlx.exec:\9frfxlx.exe31⤵
- Executes dropped EXE
PID:2096 -
\??\c:\o820242.exec:\o820242.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3652 -
\??\c:\0008204.exec:\0008204.exe33⤵
- Executes dropped EXE
PID:1568 -
\??\c:\xfrfrlx.exec:\xfrfrlx.exe34⤵
- Executes dropped EXE
PID:1528 -
\??\c:\xfxlrlx.exec:\xfxlrlx.exe35⤵
- Executes dropped EXE
PID:3192 -
\??\c:\404264.exec:\404264.exe36⤵
- Executes dropped EXE
PID:4540 -
\??\c:\048086.exec:\048086.exe37⤵
- Executes dropped EXE
PID:2748 -
\??\c:\u442208.exec:\u442208.exe38⤵
- Executes dropped EXE
PID:4788 -
\??\c:\5jvjd.exec:\5jvjd.exe39⤵
- Executes dropped EXE
PID:4084 -
\??\c:\860886.exec:\860886.exe40⤵
- Executes dropped EXE
PID:5060 -
\??\c:\6486820.exec:\6486820.exe41⤵
- Executes dropped EXE
PID:908 -
\??\c:\826420.exec:\826420.exe42⤵
- Executes dropped EXE
PID:3712 -
\??\c:\ffrflxl.exec:\ffrflxl.exe43⤵
- Executes dropped EXE
PID:1104 -
\??\c:\3nnbnn.exec:\3nnbnn.exe44⤵
- Executes dropped EXE
PID:1652 -
\??\c:\3nbnth.exec:\3nbnth.exe45⤵
- Executes dropped EXE
PID:4364 -
\??\c:\w28682.exec:\w28682.exe46⤵
- Executes dropped EXE
PID:2444 -
\??\c:\406460.exec:\406460.exe47⤵
- Executes dropped EXE
PID:1872 -
\??\c:\nnntth.exec:\nnntth.exe48⤵
- Executes dropped EXE
PID:4148 -
\??\c:\ntbhth.exec:\ntbhth.exe49⤵
- Executes dropped EXE
PID:540 -
\??\c:\c486486.exec:\c486486.exe50⤵
- Executes dropped EXE
PID:2164 -
\??\c:\dppvj.exec:\dppvj.exe51⤵
- Executes dropped EXE
PID:1020 -
\??\c:\228266.exec:\228266.exe52⤵
- Executes dropped EXE
PID:4584 -
\??\c:\lrxrlrl.exec:\lrxrlrl.exe53⤵
- Executes dropped EXE
PID:5028 -
\??\c:\3lffrlx.exec:\3lffrlx.exe54⤵
- Executes dropped EXE
PID:2904 -
\??\c:\s8482.exec:\s8482.exe55⤵
- Executes dropped EXE
PID:4076 -
\??\c:\m0424.exec:\m0424.exe56⤵
- Executes dropped EXE
PID:4280 -
\??\c:\vvvpd.exec:\vvvpd.exe57⤵
- Executes dropped EXE
PID:1696 -
\??\c:\nttbnb.exec:\nttbnb.exe58⤵
- Executes dropped EXE
PID:4956 -
\??\c:\g4048.exec:\g4048.exe59⤵
- Executes dropped EXE
PID:892 -
\??\c:\86002.exec:\86002.exe60⤵
- Executes dropped EXE
PID:1396 -
\??\c:\804804.exec:\804804.exe61⤵
- Executes dropped EXE
PID:4548 -
\??\c:\jvpdj.exec:\jvpdj.exe62⤵
- Executes dropped EXE
PID:528 -
\??\c:\hhhbnb.exec:\hhhbnb.exe63⤵
- Executes dropped EXE
PID:1516 -
\??\c:\20082.exec:\20082.exe64⤵
- Executes dropped EXE
PID:1164 -
\??\c:\xrlrfxl.exec:\xrlrfxl.exe65⤵
- Executes dropped EXE
PID:628 -
\??\c:\5bbntn.exec:\5bbntn.exe66⤵PID:4832
-
\??\c:\tthtbn.exec:\tthtbn.exe67⤵PID:944
-
\??\c:\4664862.exec:\4664862.exe68⤵PID:4088
-
\??\c:\dvpvj.exec:\dvpvj.exe69⤵PID:3204
-
\??\c:\4242644.exec:\4242644.exe70⤵PID:3468
-
\??\c:\244226.exec:\244226.exe71⤵PID:1356
-
\??\c:\jvdjd.exec:\jvdjd.exe72⤵PID:4572
-
\??\c:\nnnbbn.exec:\nnnbbn.exe73⤵PID:3332
-
\??\c:\000804.exec:\000804.exe74⤵PID:3148
-
\??\c:\686442.exec:\686442.exe75⤵PID:1708
-
\??\c:\2660004.exec:\2660004.exe76⤵PID:1936
-
\??\c:\lrxxrlf.exec:\lrxxrlf.exe77⤵PID:4904
-
\??\c:\xrfrfxl.exec:\xrfrfxl.exe78⤵PID:468
-
\??\c:\0042044.exec:\0042044.exe79⤵PID:668
-
\??\c:\9nbtbb.exec:\9nbtbb.exe80⤵PID:1940
-
\??\c:\llxfrrl.exec:\llxfrrl.exe81⤵PID:4960
-
\??\c:\w04248.exec:\w04248.exe82⤵PID:2640
-
\??\c:\00604.exec:\00604.exe83⤵PID:5112
-
\??\c:\g0660.exec:\g0660.exe84⤵PID:2572
-
\??\c:\4060260.exec:\4060260.exe85⤵PID:4840
-
\??\c:\w02082.exec:\w02082.exe86⤵PID:3104
-
\??\c:\vvvjp.exec:\vvvjp.exe87⤵PID:1732
-
\??\c:\bntbht.exec:\bntbht.exe88⤵PID:1100
-
\??\c:\lllxlxl.exec:\lllxlxl.exe89⤵PID:2964
-
\??\c:\tbhhtb.exec:\tbhhtb.exe90⤵PID:532
-
\??\c:\hnnbhb.exec:\hnnbhb.exe91⤵PID:4884
-
\??\c:\28408.exec:\28408.exe92⤵PID:1488
-
\??\c:\1xrrxlx.exec:\1xrrxlx.exe93⤵PID:408
-
\??\c:\3vpdp.exec:\3vpdp.exe94⤵PID:4564
-
\??\c:\226462.exec:\226462.exe95⤵PID:4540
-
\??\c:\btbnht.exec:\btbnht.exe96⤵PID:2748
-
\??\c:\666082.exec:\666082.exe97⤵PID:1348
-
\??\c:\jvvpj.exec:\jvvpj.exe98⤵PID:2012
-
\??\c:\btbnhb.exec:\btbnhb.exe99⤵PID:1060
-
\??\c:\4882660.exec:\4882660.exe100⤵PID:4724
-
\??\c:\hnhbnb.exec:\hnhbnb.exe101⤵PID:992
-
\??\c:\20226.exec:\20226.exe102⤵PID:5056
-
\??\c:\086046.exec:\086046.exe103⤵PID:4348
-
\??\c:\600066.exec:\600066.exe104⤵PID:3736
-
\??\c:\8608604.exec:\8608604.exe105⤵PID:3096
-
\??\c:\2804260.exec:\2804260.exe106⤵
- System Location Discovery: System Language Discovery
PID:2284 -
\??\c:\3vvjv.exec:\3vvjv.exe107⤵PID:4896
-
\??\c:\0682600.exec:\0682600.exe108⤵PID:1552
-
\??\c:\ntthnh.exec:\ntthnh.exe109⤵PID:4916
-
\??\c:\tbhbnh.exec:\tbhbnh.exe110⤵PID:2288
-
\??\c:\bntntt.exec:\bntntt.exe111⤵PID:1020
-
\??\c:\0408208.exec:\0408208.exe112⤵PID:4584
-
\??\c:\xlfxfxr.exec:\xlfxfxr.exe113⤵PID:5028
-
\??\c:\1jpdv.exec:\1jpdv.exe114⤵PID:1584
-
\??\c:\jdvdj.exec:\jdvdj.exe115⤵PID:796
-
\??\c:\c884228.exec:\c884228.exe116⤵PID:2816
-
\??\c:\hhnhnn.exec:\hhnhnn.exe117⤵PID:3528
-
\??\c:\ttthth.exec:\ttthth.exe118⤵PID:1084
-
\??\c:\k28642.exec:\k28642.exe119⤵PID:2624
-
\??\c:\lffrxxl.exec:\lffrxxl.exe120⤵PID:1952
-
\??\c:\htbntn.exec:\htbntn.exe121⤵PID:4828
-
\??\c:\c282266.exec:\c282266.exe122⤵PID:4192