Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-12-2024 22:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ef0d4d8a064846b26d721c991842a460b43b7eae39a0a31074d1a6b7eac8e06e.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
ef0d4d8a064846b26d721c991842a460b43b7eae39a0a31074d1a6b7eac8e06e.exe
-
Size
453KB
-
MD5
27d85b26c41276175f9c95f15126d029
-
SHA1
855bc79a9d9d5e2b05accbb1aba43b302556cffa
-
SHA256
ef0d4d8a064846b26d721c991842a460b43b7eae39a0a31074d1a6b7eac8e06e
-
SHA512
21430efdea94a31f75d7ea99f60b9e00f6ace61aa1a2c1a465938c953b926b7ca1ce4d48fa58ade71f8da93ce324b42fa02549212d245f7529cf19852445e293
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures (from task behavioral2 — the Windows 10 2004 x64 run matching the platform/resource above; the behavioral1 Windows 7 task card lists 7 signatures, but their detail is not on this page). Note that the block of `upx` YARA matches that follows the "Executes dropped EXE" list is a separate packer-detection signature whose heading appears to be missing here: the same 0x0000000000400000–0x000000000042A000 memory region of each process matches the `upx` rule.
-
Blackmoon family
-
Detect Blackmoon payload — 62 IoCs. Every hit is the `family_blackmoon` YARA rule matching in memory (the 0x0000000000400000–0x000000000042A000 image region of each spawned process), i.e. the payload is detected after it unpacks at runtime rather than on the file on disk. The rule fires for the original sample (PID 3868) and for every dropped executable, which is consistent with each drop being a copy of the same payload; the page gives no hashes for the dropped files, so do not assume the parent's SHA256 alone covers them.
resource yara_rule behavioral2/memory/3868-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4588-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/740-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-1434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the listing is capped at 64 entries; the process tree below shows the chain of dropped executables continuing to nesting depth 122).
pid Process 2024 nhttnn.exe 4828 6084888.exe 4128 06606.exe 3492 488280.exe 2364 xllfxlf.exe 4552 88444.exe 5072 ppvpj.exe 1764 jpvpj.exe 3412 486888.exe 1812 fflxrrl.exe 2720 64608.exe 3376 jvvvp.exe 1128 xxfxffl.exe 4940 00268.exe 228 vdjpv.exe 2460 jppjd.exe 3780 0426442.exe 1016 000424.exe 4816 266004.exe 5100 i408644.exe 4932 xxfrfrl.exe 3920 880448.exe 1888 o608266.exe 4588 6848822.exe 5056 668266.exe 3408 840048.exe 4824 64644.exe 4820 4660002.exe 4544 o082604.exe 428 g4648.exe 2752 1djpd.exe 4880 jvdvd.exe 4744 262000.exe 2404 44828.exe 3236 48826.exe 3560 hntnnn.exe 552 8248024.exe 2696 i684484.exe 224 6448226.exe 1968 9ddpj.exe 4580 84644.exe 2868 7xxrfxx.exe 2296 rllfxxr.exe 1640 dvpjp.exe 3908 nntttt.exe 4512 htbbbt.exe 1600 4400004.exe 4480 5tnnhh.exe 5024 66826.exe 4352 vvdvp.exe 1616 622086.exe 4560 7rflxxl.exe 4828 84244.exe 4128 488224.exe 452 9ttnhb.exe 244 ddppj.exe 2796 0808626.exe 2972 w44222.exe 4552 428006.exe 624 bbtnhh.exe 1112 lffxrll.exe 2456 jdpdd.exe 1720 pvppp.exe 3036 888260.exe -
resource yara_rule behavioral2/memory/2024-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-146-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4824-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-318-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3612-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-648-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Every IoC is a read of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. Entries attributed to "Process not Found" are reads whose PID the sandbox could no longer map to a live process when the report was assembled (PID reuse in the process tree shows the dropped executables exit quickly), so they are most likely the same behaviour from other links of the chain rather than a separate actor. The list is capped at 64 entries.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2460048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e88822.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (listing capped at 64). In the visible entries each parent writes to the memory of its own direct child exactly three times and the pairs follow the process tree below, which is consistent with ordinary child-process creation rather than injection into an unrelated process; treat this signature as corroborating the spawn chain, not as independent evidence of code injection.
description pid Process procid_target PID 3868 wrote to memory of 2024 3868 ef0d4d8a064846b26d721c991842a460b43b7eae39a0a31074d1a6b7eac8e06e.exe 83 PID 3868 wrote to memory of 2024 3868 ef0d4d8a064846b26d721c991842a460b43b7eae39a0a31074d1a6b7eac8e06e.exe 83 PID 3868 wrote to memory of 2024 3868 ef0d4d8a064846b26d721c991842a460b43b7eae39a0a31074d1a6b7eac8e06e.exe 83 PID 2024 wrote to memory of 4828 2024 nhttnn.exe 84 PID 2024 wrote to memory of 4828 2024 nhttnn.exe 84 PID 2024 wrote to memory of 4828 2024 nhttnn.exe 84 PID 4828 wrote to memory of 4128 4828 6084888.exe 85 PID 4828 wrote to memory of 4128 4828 6084888.exe 85 PID 4828 wrote to memory of 4128 4828 6084888.exe 85 PID 4128 wrote to memory of 3492 4128 06606.exe 86 PID 4128 wrote to memory of 3492 4128 06606.exe 86 PID 4128 wrote to memory of 3492 4128 06606.exe 86 PID 3492 wrote to memory of 2364 3492 488280.exe 87 PID 3492 wrote to memory of 2364 3492 488280.exe 87 PID 3492 wrote to memory of 2364 3492 488280.exe 87 PID 2364 wrote to memory of 4552 2364 xllfxlf.exe 88 PID 2364 wrote to memory of 4552 2364 xllfxlf.exe 88 PID 2364 wrote to memory of 4552 2364 xllfxlf.exe 88 PID 4552 wrote to memory of 5072 4552 88444.exe 89 PID 4552 wrote to memory of 5072 4552 88444.exe 89 PID 4552 wrote to memory of 5072 4552 88444.exe 89 PID 5072 wrote to memory of 1764 5072 ppvpj.exe 90 PID 5072 wrote to memory of 1764 5072 ppvpj.exe 90 PID 5072 wrote to memory of 1764 5072 ppvpj.exe 90 PID 1764 wrote to memory of 3412 1764 jpvpj.exe 91 PID 1764 wrote to memory of 3412 1764 jpvpj.exe 91 PID 1764 wrote to memory of 3412 1764 jpvpj.exe 91 PID 3412 wrote to memory of 1812 3412 486888.exe 92 PID 3412 wrote to memory of 1812 3412 486888.exe 92 PID 3412 wrote to memory of 1812 3412 486888.exe 92 PID 1812 wrote to memory of 2720 1812 fflxrrl.exe 93 PID 1812 wrote to memory of 2720 1812 fflxrrl.exe 93 PID 1812 wrote to memory of 2720 1812 fflxrrl.exe 93 PID 2720 wrote to memory of 3376 2720 64608.exe 94 PID 2720 wrote to 
memory of 3376 2720 64608.exe 94 PID 2720 wrote to memory of 3376 2720 64608.exe 94 PID 3376 wrote to memory of 1128 3376 jvvvp.exe 95 PID 3376 wrote to memory of 1128 3376 jvvvp.exe 95 PID 3376 wrote to memory of 1128 3376 jvvvp.exe 95 PID 1128 wrote to memory of 4940 1128 xxfxffl.exe 96 PID 1128 wrote to memory of 4940 1128 xxfxffl.exe 96 PID 1128 wrote to memory of 4940 1128 xxfxffl.exe 96 PID 4940 wrote to memory of 228 4940 00268.exe 97 PID 4940 wrote to memory of 228 4940 00268.exe 97 PID 4940 wrote to memory of 228 4940 00268.exe 97 PID 228 wrote to memory of 2460 228 vdjpv.exe 98 PID 228 wrote to memory of 2460 228 vdjpv.exe 98 PID 228 wrote to memory of 2460 228 vdjpv.exe 98 PID 2460 wrote to memory of 3780 2460 jppjd.exe 99 PID 2460 wrote to memory of 3780 2460 jppjd.exe 99 PID 2460 wrote to memory of 3780 2460 jppjd.exe 99 PID 3780 wrote to memory of 1016 3780 0426442.exe 100 PID 3780 wrote to memory of 1016 3780 0426442.exe 100 PID 3780 wrote to memory of 1016 3780 0426442.exe 100 PID 1016 wrote to memory of 4816 1016 000424.exe 101 PID 1016 wrote to memory of 4816 1016 000424.exe 101 PID 1016 wrote to memory of 4816 1016 000424.exe 101 PID 4816 wrote to memory of 5100 4816 266004.exe 102 PID 4816 wrote to memory of 5100 4816 266004.exe 102 PID 4816 wrote to memory of 5100 4816 266004.exe 102 PID 5100 wrote to memory of 4932 5100 i408644.exe 103 PID 5100 wrote to memory of 4932 5100 i408644.exe 103 PID 5100 wrote to memory of 4932 5100 i408644.exe 103 PID 4932 wrote to memory of 3920 4932 xxfrfrl.exe 104
Processes (each entry is the image path followed by its command line; the trailing number is the nesting depth in the tree). The dropped executables are written to and run from the root of C:\ (`\??\c:\<name>.exe`) under apparently random names. PIDs are reused as earlier links of the chain exit — e.g. 4828, 4128, 4552, 5100, 4932, 2868, 1968, 2696, 3408 and 2972 each appear more than once — so correlate entries by PID plus image name and order, not by PID alone.
-
C:\Users\Admin\AppData\Local\Temp\ef0d4d8a064846b26d721c991842a460b43b7eae39a0a31074d1a6b7eac8e06e.exe"C:\Users\Admin\AppData\Local\Temp\ef0d4d8a064846b26d721c991842a460b43b7eae39a0a31074d1a6b7eac8e06e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\nhttnn.exec:\nhttnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\6084888.exec:\6084888.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\06606.exec:\06606.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\488280.exec:\488280.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\xllfxlf.exec:\xllfxlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\88444.exec:\88444.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\ppvpj.exec:\ppvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\jpvpj.exec:\jpvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\486888.exec:\486888.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\fflxrrl.exec:\fflxrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\64608.exec:\64608.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\jvvvp.exec:\jvvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\xxfxffl.exec:\xxfxffl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\00268.exec:\00268.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\vdjpv.exec:\vdjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\jppjd.exec:\jppjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\0426442.exec:\0426442.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\000424.exec:\000424.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\266004.exec:\266004.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\i408644.exec:\i408644.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\xxfrfrl.exec:\xxfrfrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\880448.exec:\880448.exe23⤵
- Executes dropped EXE
PID:3920 -
\??\c:\o608266.exec:\o608266.exe24⤵
- Executes dropped EXE
PID:1888 -
\??\c:\6848822.exec:\6848822.exe25⤵
- Executes dropped EXE
PID:4588 -
\??\c:\668266.exec:\668266.exe26⤵
- Executes dropped EXE
PID:5056 -
\??\c:\840048.exec:\840048.exe27⤵
- Executes dropped EXE
PID:3408 -
\??\c:\64644.exec:\64644.exe28⤵
- Executes dropped EXE
PID:4824 -
\??\c:\4660002.exec:\4660002.exe29⤵
- Executes dropped EXE
PID:4820 -
\??\c:\o082604.exec:\o082604.exe30⤵
- Executes dropped EXE
PID:4544 -
\??\c:\g4648.exec:\g4648.exe31⤵
- Executes dropped EXE
PID:428 -
\??\c:\1djpd.exec:\1djpd.exe32⤵
- Executes dropped EXE
PID:2752 -
\??\c:\jvdvd.exec:\jvdvd.exe33⤵
- Executes dropped EXE
PID:4880 -
\??\c:\262000.exec:\262000.exe34⤵
- Executes dropped EXE
PID:4744 -
\??\c:\44828.exec:\44828.exe35⤵
- Executes dropped EXE
PID:2404 -
\??\c:\48826.exec:\48826.exe36⤵
- Executes dropped EXE
PID:3236 -
\??\c:\hntnnn.exec:\hntnnn.exe37⤵
- Executes dropped EXE
PID:3560 -
\??\c:\8248024.exec:\8248024.exe38⤵
- Executes dropped EXE
PID:552 -
\??\c:\i684484.exec:\i684484.exe39⤵
- Executes dropped EXE
PID:2696 -
\??\c:\6448226.exec:\6448226.exe40⤵
- Executes dropped EXE
PID:224 -
\??\c:\9ddpj.exec:\9ddpj.exe41⤵
- Executes dropped EXE
PID:1968 -
\??\c:\84644.exec:\84644.exe42⤵
- Executes dropped EXE
PID:4580 -
\??\c:\7xxrfxx.exec:\7xxrfxx.exe43⤵
- Executes dropped EXE
PID:2868 -
\??\c:\rllfxxr.exec:\rllfxxr.exe44⤵
- Executes dropped EXE
PID:2296 -
\??\c:\dvpjp.exec:\dvpjp.exe45⤵
- Executes dropped EXE
PID:1640 -
\??\c:\nntttt.exec:\nntttt.exe46⤵
- Executes dropped EXE
PID:3908 -
\??\c:\htbbbt.exec:\htbbbt.exe47⤵
- Executes dropped EXE
PID:4512 -
\??\c:\4400004.exec:\4400004.exe48⤵
- Executes dropped EXE
PID:1600 -
\??\c:\5tnnhh.exec:\5tnnhh.exe49⤵
- Executes dropped EXE
PID:4480 -
\??\c:\66826.exec:\66826.exe50⤵
- Executes dropped EXE
PID:5024 -
\??\c:\vvdvp.exec:\vvdvp.exe51⤵
- Executes dropped EXE
PID:4352 -
\??\c:\622086.exec:\622086.exe52⤵
- Executes dropped EXE
PID:1616 -
\??\c:\7rflxxl.exec:\7rflxxl.exe53⤵
- Executes dropped EXE
PID:4560 -
\??\c:\84244.exec:\84244.exe54⤵
- Executes dropped EXE
PID:4828 -
\??\c:\488224.exec:\488224.exe55⤵
- Executes dropped EXE
PID:4128 -
\??\c:\9ttnhb.exec:\9ttnhb.exe56⤵
- Executes dropped EXE
PID:452 -
\??\c:\ddppj.exec:\ddppj.exe57⤵
- Executes dropped EXE
PID:244 -
\??\c:\0808626.exec:\0808626.exe58⤵
- Executes dropped EXE
PID:2796 -
\??\c:\w44222.exec:\w44222.exe59⤵
- Executes dropped EXE
PID:2972 -
\??\c:\428006.exec:\428006.exe60⤵
- Executes dropped EXE
PID:4552 -
\??\c:\bbtnhh.exec:\bbtnhh.exe61⤵
- Executes dropped EXE
PID:624 -
\??\c:\lffxrll.exec:\lffxrll.exe62⤵
- Executes dropped EXE
PID:1112 -
\??\c:\jdpdd.exec:\jdpdd.exe63⤵
- Executes dropped EXE
PID:2456 -
\??\c:\pvppp.exec:\pvppp.exe64⤵
- Executes dropped EXE
PID:1720 -
\??\c:\888260.exec:\888260.exe65⤵
- Executes dropped EXE
PID:3036 -
\??\c:\hhnnth.exec:\hhnnth.exe66⤵PID:740
-
\??\c:\jdpdd.exec:\jdpdd.exe67⤵PID:1484
-
\??\c:\w68888.exec:\w68888.exe68⤵PID:3352
-
\??\c:\5ttntn.exec:\5ttntn.exe69⤵PID:32
-
\??\c:\bbnnhb.exec:\bbnnhb.exe70⤵PID:3368
-
\??\c:\5lffxxx.exec:\5lffxxx.exe71⤵PID:4924
-
\??\c:\4860000.exec:\4860000.exe72⤵PID:3760
-
\??\c:\208860.exec:\208860.exe73⤵PID:2308
-
\??\c:\222206.exec:\222206.exe74⤵PID:4088
-
\??\c:\066660.exec:\066660.exe75⤵PID:4516
-
\??\c:\026680.exec:\026680.exe76⤵PID:3612
-
\??\c:\2248882.exec:\2248882.exe77⤵PID:2384
-
\??\c:\40886.exec:\40886.exe78⤵PID:5100
-
\??\c:\5rxllrl.exec:\5rxllrl.exe79⤵PID:4500
-
\??\c:\840422.exec:\840422.exe80⤵PID:4932
-
\??\c:\2066044.exec:\2066044.exe81⤵PID:4156
-
\??\c:\082648.exec:\082648.exe82⤵PID:4808
-
\??\c:\lxlllrr.exec:\lxlllrr.exe83⤵PID:2536
-
\??\c:\hnbttn.exec:\hnbttn.exe84⤵PID:688
-
\??\c:\o226048.exec:\o226048.exe85⤵PID:2856
-
\??\c:\jdvpj.exec:\jdvpj.exe86⤵PID:1992
-
\??\c:\240488.exec:\240488.exe87⤵PID:3408
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe88⤵PID:1652
-
\??\c:\i226026.exec:\i226026.exe89⤵PID:4396
-
\??\c:\828408.exec:\828408.exe90⤵PID:3272
-
\??\c:\m6200.exec:\m6200.exe91⤵PID:3568
-
\??\c:\c466000.exec:\c466000.exe92⤵PID:1288
-
\??\c:\pdjdj.exec:\pdjdj.exe93⤵PID:1712
-
\??\c:\0060882.exec:\0060882.exe94⤵PID:664
-
\??\c:\88044.exec:\88044.exe95⤵PID:1816
-
\??\c:\66604.exec:\66604.exe96⤵PID:2172
-
\??\c:\xrrlfxx.exec:\xrrlfxx.exe97⤵PID:2076
-
\??\c:\xfrllff.exec:\xfrllff.exe98⤵PID:5116
-
\??\c:\hbbtnt.exec:\hbbtnt.exe99⤵PID:1924
-
\??\c:\5vppv.exec:\5vppv.exe100⤵PID:4788
-
\??\c:\jdvpj.exec:\jdvpj.exe101⤵PID:2696
-
\??\c:\lxffxxr.exec:\lxffxxr.exe102⤵PID:2620
-
\??\c:\240448.exec:\240448.exe103⤵PID:1968
-
\??\c:\7jjdd.exec:\7jjdd.exe104⤵PID:2600
-
\??\c:\dpjvp.exec:\dpjvp.exe105⤵PID:2868
-
\??\c:\q22200.exec:\q22200.exe106⤵PID:1308
-
\??\c:\42822.exec:\42822.exe107⤵PID:2872
-
\??\c:\2444066.exec:\2444066.exe108⤵PID:2188
-
\??\c:\rfflxfr.exec:\rfflxfr.exe109⤵PID:2624
-
\??\c:\jjjjp.exec:\jjjjp.exe110⤵PID:1604
-
\??\c:\840864.exec:\840864.exe111⤵PID:1524
-
\??\c:\m6208.exec:\m6208.exe112⤵PID:4344
-
\??\c:\xflrrfx.exec:\xflrrfx.exe113⤵PID:4348
-
\??\c:\s2260.exec:\s2260.exe114⤵PID:4400
-
\??\c:\lfxrfxr.exec:\lfxrfxr.exe115⤵PID:1936
-
\??\c:\6404820.exec:\6404820.exe116⤵PID:4736
-
\??\c:\bhnbnh.exec:\bhnbnh.exe117⤵PID:1424
-
\??\c:\6424048.exec:\6424048.exe118⤵PID:1892
-
\??\c:\lxxrrrr.exec:\lxxrrrr.exe119⤵PID:1136
-
\??\c:\lrrfxrf.exec:\lrrfxrf.exe120⤵PID:3240
-
\??\c:\6240860.exec:\6240860.exe121⤵PID:2972
-
\??\c:\pddvv.exec:\pddvv.exe122⤵PID:4552